Google Search Results Redirected


  • This topic is locked
22 replies to this topic

#1 Shizoku

Shizoku

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 AM

Posted 30 November 2009 - 12:41 AM

Hello,

Lately when I click on a search result from google I'll be redirected to a questionable site, and it will continue loading additional sites in the same window.

I have run Malwarebytes Anti-malware, SAS, ComboFix, Rootrepeal, MGtools and SpywareDoctor with no luck.

I ran all these programs in normal startup mode because when I try to start in safemode I get a blue screen.
Stop: 0x0000007E (0xC0000005, 0x80537009, 0xF78BE508, 0xF78BE204)

The only other problem with my computer is occasional blue screen (various stop errors) during playing 3D games. This problem started before the google problem and I've not detected any virus/spyware, updated all the drivers numerous times, and cleaned out my computer case with compressed air.

I do not have the stop errors anymore but some messages were: IRQL_NOT_LESS_OR_EQUAL, BAD_POOL_CALLER, NTFS_FILE_SYSTEM and a few others I can't remember.

I pretty much have given up on that issue, but thought I should mention it in case it's linked.

I use Windows XP Media Center, 2.0 AMD64x2 Processor, 2GB RAM. Problem occurs with yahoo and google in Firefox and Google Chrome.

Thanks for your assistance.


DDS (Ver_09-11-29.01) - NTFSx86
Run by Owner at 0:13:11.75 on 11/30/2009 Mon
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1918.1423 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
svchost.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Apache\Apache 2.2\bin\httpd.exe
C:\Program Files\Apache\Apache 2.2\bin\httpd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner.SHIZOKU\My Documents\Downloads\dds.scr
C:\WINDOWS\system32\conime.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
BHO: PC Tools Browser Guard BHO: {2a0f3d1b-0909-4ff4-b272-609cce6054e7} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: PC Tools Browser Guard: {472734ea-242a-422b-adf8-83d1e48cc825} - c:\program files\spyware doctor\bdt\PCTBrowserDefender.dll
TB: {00000000-0000-0000-0000-000000000000} - No File
uRun: [Google Update] "c:\documents and settings\owner.shizoku\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [Reminder] %WINDIR%\Creator\Remind_XP.exe
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /install
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [Power2GoExpress] NA
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\owner.shizoku\start menu\programs\imvu\Run IMVU.lnk
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://ctcive.ap.org/dana-cached/setup/JuniperSetupSP1.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner~1.shi\applic~1\mozilla\firefox\profiles\z106uuzy.default\
FF - plugin: c:\documents and settings\owner.shizoku\local settings\application data\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\veoh networks\veohwebplayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-11-29 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-29 207792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-11-6 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
R2 Apache2.2;Apache2.2;c:\program files\apache\apache 2.2\bin\httpd.exe [2007-9-5 24635]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2009-2-6 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2009-9-18 15656]
S2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\spyware doctor\bdt\BDTUpdateService.exe [2009-11-29 112592]
S2 WebrootSpySweeperService;Webroot Spy Sweeper ウェブルート スパイ スウィーパー エンジン;c:\program files\webroot\webrootsecurity\SpySweeper.exe [2009-11-6 4048240]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-11-29 359624]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-11-29 1141712]

=============== Created Last 30 ================

2009-11-30 05:05:51 0 d-----w- c:\program files\Trend Micro
2009-11-30 02:43:39 0 d-----w- c:\documents and settings\owner.shizoku\DoctorWeb
2009-11-30 02:32:19 3720 ----a-w- c:\windows\system32\tmp.reg
2009-11-29 18:44:53 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-29 13:46:25 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-29 13:46:24 882 ----a-w- c:\windows\RegSDImport.xml
2009-11-29 13:46:24 880 ----a-w- c:\windows\RegISSImport.xml
2009-11-29 13:46:24 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-29 13:46:24 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-29 13:46:24 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-29 13:46:24 131 ----a-w- c:\windows\IDB.zip
2009-11-29 13:46:24 1152444 ----a-w- c:\windows\UDB.zip
2009-11-29 13:45:40 7387 ----a-w- c:\windows\system32\drivers\pctgntdi.cat
2009-11-29 13:45:40 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 13:45:34 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 13:45:34 7412 ----a-w- c:\windows\system32\drivers\PCTAppEvent.cat
2009-11-29 13:45:34 7383 ----a-w- c:\windows\system32\drivers\pctcore.cat
2009-11-29 13:45:34 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 13:45:27 7383 ----a-w- c:\windows\system32\drivers\pctplsg.cat
2009-11-29 13:45:27 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 13:45:20 0 d-----w- c:\program files\Spyware Doctor
2009-11-29 13:45:20 0 d-----w- c:\program files\common files\PC Tools
2009-11-29 13:45:20 0 d-----w- c:\docume~1\owner~1.shi\applic~1\PC Tools
2009-11-29 13:45:20 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2009-11-29 13:17:45 0 d-----w- c:\program files\MSSOAP
2009-11-29 13:17:12 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-29 13:17:12 0 d-----w- c:\program files\Webroot
2009-11-29 13:17:12 0 d-----w- c:\docume~1\owner~1.shi\applic~1\Webroot
2009-11-29 13:17:12 0 d-----w- c:\docume~1\alluse~1\applic~1\Webroot
2009-11-29 13:13:47 164 ----a-w- c:\windows\install.dat
2009-11-29 11:59:34 0 d-sha-r- C:\cmdcons
2009-11-29 11:54:59 77312 ----a-w- c:\windows\MBR.exe
2009-11-29 08:49:39 8350 ----a-w- c:\documents and settings\owner.shizoku\ncmd.cfxxe
2009-11-29 08:49:39 439 ----a-w- c:\documents and settings\owner.shizoku\rkill.reg
2009-11-29 08:49:39 236544 ----a-w- c:\documents and settings\owner.shizoku\pev.exe
2009-11-29 03:13:01 32768 ------w- c:\windows\system32\IJRMF.exe
2009-11-22 07:10:55 2255 ----a-w- c:\documents and settings\owner.shizoku\.recently-used.xbel
2009-11-06 17:00:36 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00:36 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00:34 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-04 18:08:24 0 d-----w- c:\program files\Wayward Gamers
2009-11-01 11:02:30 274288 ----a-w- c:\windows\system32\mucltui.dll
2009-11-01 11:02:30 215920 ----a-w- c:\windows\system32\muweb.dll
2009-11-01 11:02:30 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2009-10-31 20:17:58 0 d-----w- c:\documents and settings\owner.shizoku\Contacts
2009-10-31 20:16:54 0 d-----w- c:\docume~1\alluse~1\applic~1\WindowsLiveInstaller
2009-10-31 18:25:09 0 d-----w- c:\program files\Messenger Plus! 4
2009-10-31 17:32:04 0 d-----w- c:\program files\Windows Journal Viewer
2009-10-31 16:18:14 0 d-----w- c:\docume~1\alluse~1\applic~1\Messenger Plus!

==================== Find3M ====================

2009-11-29 15:09:43 129291 ----a-w- C:\MGlogs.zip
2009-11-29 11:53:22 2385076 ----a-w- C:\MGtools.exe
2009-11-14 06:47:57 260608 ----a-w- c:\windows\PEV.exe
2009-10-11 09:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-11 14:18:39 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 21:44:40 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2009-09-04 21:44:40 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2009-09-04 21:44:40 238936 ----a-w- c:\windows\system32\xactengine3_5.dll
2009-09-04 21:29:34 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2009-09-04 21:29:34 235344 ----a-w- c:\windows\system32\d3dx11_42.dll
2009-09-04 21:29:32 5501792 ----a-w- c:\windows\system32\d3dcsx_42.dll
2009-09-04 21:29:32 1974616 ----a-w- c:\windows\system32\D3DCompiler_42.dll
2009-09-04 21:29:30 1892184 ----a-w- c:\windows\system32\D3DX9_42.dll
2009-09-04 21:03:36 58880 ----a-w- c:\windows\system32\msasn1.dll
2008-09-08 18:56:18 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090820080909\index.dat

============= FINISH: 0:14:51.46 ===============


#2 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:39 PM

Posted 13 December 2009 - 11:27 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE
regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#3 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 AM

Posted 13 December 2009 - 01:16 PM

Okay, I just ran DDS.


#4 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:39 PM

Posted 14 December 2009 - 01:26 PM

Hello, Shizoku and again
Welcome to the Bleeping Computer Forums. My name is Thomas (Tom is fine), and I will be helping you fix your problems.

If you do not make a reply in 5 days, we will have to close your topic.

You may want to keep the link to this topic in your favourites. Alternatively, you can click the Posted Image button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Furthermore, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.
  • Please set your system to show all files.
    Click Start, open My Computer, select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.




Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.
regards,
schrauber


#5 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 AM

Posted 14 December 2009 - 06:06 PM

Hi Tom,
Here is the Gmer log.
Shizoku

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-14 18:03:42
Windows 5.1.2600 Service Pack 3
Running: 14dr0fh1.exe; Driver: C:\DOCUME~1\OWNER~1.SHI\LOCALS~1\Temp\ufrdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8A781E08 ZwAllocateVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB7E0BE52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB7DECCDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB7DECED0]
SSDT 8A74EA60 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB7E0C640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB7E0C8F4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB7E0AB44]
SSDT 8A781E80 ZwQueueApcThread
SSDT 8A7C27F0 ZwReadVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB7E0CD60]
SSDT 8A7C25B8 ZwSetContextThread
SSDT 8A74E0A8 ZwSetInformationKey
SSDT 8A79A260 ZwSetInformationProcess
SSDT 8A74EE50 ZwSetInformationThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB7E0C112]
SSDT 8A781268 ZwSuspendProcess
SSDT 8A7C2540 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB7DEC984]
SSDT 8A74EEC8 ZwTerminateThread
SSDT 8A7C2868 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 4 Bytes JMP 664E8A74
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB51C2380, 0x3DF545, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[1036] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0266000A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8A7AEE40
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8A647020

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 89A1E6E8
Device \Driver\Tcpip \Device\Tcp 89A1E6E8
Device \Driver\Tcpip \Device\Udp 89A1E6E8
Device \Driver\Tcpip \Device\RawIp 89A1E6E8
Device \Driver\Tcpip \Device\IPMULTICAST 89A1E6E8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A627618

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}@abakooacgjojdfljbhheenpibnehpdkopn 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}@bbakooacgjojdfljbhgejchjjloeaeenmocc 0x61 0x61 0x00 0x00

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
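
A small triage script for GMER output like the log above, added here as an example and not part of the thread or of GMER itself. It parses the line shapes visible in the log (SSDT hooks, kernel code patches, redirected device objects, files GMER marks as "suspicious modification"), separates hooks that GMER attributes to a named driver from hooks sitting at a bare kernel address, and lists the entries a helper would read first. The sample log embedded in the script is a constructed excerpt in the same layout, the regular expressions and category names are the script's own assumptions rather than anything GMER documents, and PCTCore.sys is treated as a known owner only because the DDS log earlier in the thread lists it as the PC Tools driver.

```python
"""Triage helper for GMER rootkit-scan logs (added example, not part of the thread)."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample in the GMER 1.0.15 layout seen in the thread; an
# excerpt-style fixture, not the poster's full log.
SAMPLE_GMER_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 8A781E08 ZwAllocateVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB7E0BE52]
SSDT 8A74EA60 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB7DEC984]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 4 Bytes JMP 664E8A74
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB51C2380, 0x3DF545, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A627618

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----
"""

# Section banner: "---- <name> - GMER 1.0.15 ----"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")

# Line shapes inferred from the log above (assumed, not a GMER specification).
PATTERNS = [
    # SSDT hook that GMER could attribute to a driver on disk.
    ("ssdt_hook_attributed", re.compile(
        r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")),
    # SSDT hook pointing at a bare kernel address with no owning module named.
    ("ssdt_hook_unattributed", re.compile(
        r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")),
    # Inline patch of an exported kernel function (".text image!func + off addr N Bytes ...").
    ("kernel_code_patch", re.compile(
        r"^\.text\s+(?P<image>\S+)!(?P<func>\w+)\s*\+\s*(?P<off>[0-9A-Fa-f]+)\s+"
        r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<patch>.+)$")),
    # Device object whose dispatch has been redirected away from its driver.
    ("device_object_redirect", re.compile(
        r"^Device\s+->\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<addr>[0-9A-Fa-f]{8})$")),
    # File GMER compared against its on-disk image and found altered.
    ("file_suspicious_modification", re.compile(
        r"^File\s+(?P<path>.+?)\s+suspicious modification$")),
]

# Kinds a helper should read by hand. Hooks attributed to an installed security
# product and lines we cannot parse are kept but not escalated.
REVIEW_KINDS = {
    "ssdt_hook_unattributed",
    "kernel_code_patch",
    "device_object_redirect",
    "file_suspicious_modification",
}


@dataclass
class Entry:
    section: str
    kind: str
    raw: str
    detail: dict = field(default_factory=dict)


def parse_gmer(text):
    """Split a GMER log into classified entries, tracking the section each came from."""
    entries, section = [], "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group("name")
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append(Entry(section, kind, line, m.groupdict()))
                break
        else:
            entries.append(Entry(section, "other", line))
    return entries


def count_by_kind(entries):
    return Counter(e.kind for e in entries)


def needs_review(entries):
    return [e for e in entries if e.kind in REVIEW_KINDS]


def attributed_modules(entries):
    """Drivers GMER named as owners of SSDT hooks (here the PC Tools driver from the DDS log)."""
    return {e.detail["module"] for e in entries if e.kind == "ssdt_hook_attributed"}


def report(entries):
    return [f"[{e.section}] {e.kind}: {e.raw}" for e in needs_review(entries)]


if __name__ == "__main__":
    ents = parse_gmer(SAMPLE_GMER_LOG)
    print(dict(count_by_kind(ents)))
    print("attributed hook owners:", sorted(attributed_modules(ents)))
    for line in report(ents):
        print(line)
```

Run directly, the script prints the per-kind counts and then the review list. Hooks owned by a product the poster installed are recorded but not escalated, while a bare-address SSDT hook, a patched kernel export, a disk device object redirected away from its driver and a system driver file that no longer matches its on-disk image are exactly the lines a helper reads first; the parser also keeps anything it does not recognise under "other" so nothing in the log is silently dropped.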

#6 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:39 PM

Posted 16 December 2009 - 12:17 PM

Hi,


Please go here and have a look how you can disable your security software.

Please download ComboFix from here.



* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
regards,
schrauber


#7 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 AM

Posted 16 December 2009 - 02:16 PM

Hi Tom,
Here is my ComboFix Log.
Thanks

ComboFix 09-11-28.03 - Owner 6/2009 Wed 13:25.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1918.1265 [GMT -5:00]
Running from: c:\documents and settings\Owner.SHIZOKU\Desktop\ComboFix.exe
.
- REDUCED FUNCTIONALITY MODE -
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2009-11-16 to 2009-12-16 )))))))))))))))))))))))))))))))
.

2009-12-10 14:12 . 2009-12-10 14:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 14:15 . 2009-12-09 07:00 -------- d-----w- c:\program files\IceWarp
2009-12-06 22:41 . 2009-12-06 22:41 -------- d-----w- c:\program files\Windows Journal Viewer
2009-12-03 08:00 . 2009-12-03 08:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-02 23:53 . 2006-03-27 05:00 73728 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0409\CNMsr83.dll
2009-12-02 23:53 . 2006-03-27 05:00 69632 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0411\CNMlr83.dll
2009-12-02 23:53 . 2006-03-27 05:00 42496 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0411\CNMsr83.dll
2009-12-02 23:53 . 2006-03-27 05:00 322048 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0409\CNMur83.dll
2009-12-02 23:53 . 2006-03-27 05:00 241152 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0411\CNMur83.dll
2009-12-02 23:53 . 2006-03-27 05:00 122368 ----a-w- c:\documents and settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon MP160 Printer\LanguageModules\0409\CNMlr83.dll
2009-12-02 23:49 . 2009-12-02 23:49 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-12-02 23:49 . 2009-12-02 23:49 -------- d-----w- c:\program files\ScanSoft
2009-12-02 23:47 . 2009-12-02 23:47 -------- d-----w- c:\program files\ArcSoft
2009-12-02 23:47 . 1995-08-01 09:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-12-02 23:39 . 2009-12-02 23:39 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-12-02 23:38 . 2009-12-02 23:38 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-12-02 23:38 . 2006-02-17 15:44 106496 ----a-w- c:\windows\system32\cnco160.dll
2009-12-02 23:38 . 2006-03-24 15:29 135168 ----a-w- c:\windows\system32\CNCL160.DLL
2009-12-02 23:38 . 2006-03-15 15:27 57344 ----a-w- c:\windows\system32\CNCI160.DLL
2009-12-02 23:38 . 2006-03-15 15:27 1134592 ----a-w- c:\windows\system32\CNCC160.DLL
2009-12-02 23:38 . 2009-12-02 23:38 -------- d--h--w- c:\program files\CanonBJ
2009-11-30 05:05 . 2009-11-30 05:05 -------- d-----w- c:\program files\Trend Micro
2009-11-30 02:43 . 2009-11-30 02:43 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\DoctorWeb
2009-11-29 18:44 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-29 13:51 . 2009-11-29 13:51 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Threat Expert
2009-11-29 13:46 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-29 13:46 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-29 13:46 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-29 13:46 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-29 13:46 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2009-11-29 13:46 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2009-11-29 13:45 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 13:45 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 13:45 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 13:45 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 13:45 . 2009-12-05 00:14 -------- d-----w- c:\program files\Spyware Doctor
2009-11-29 13:45 . 2009-11-29 13:46 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 13:45 . 2009-11-29 13:45 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\PC Tools
2009-11-29 13:45 . 2009-11-29 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\program files\MSSOAP
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\program files\Webroot
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\Webroot
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-11-29 13:17 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-29 13:13 . 2009-11-29 13:43 164 ----a-w- c:\windows\install.dat
2009-11-29 09:20 . 2009-11-29 09:20 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-29 08:49 . 2009-11-29 08:49 439 ----a-w- c:\documents and settings\Owner.SHIZOKU\rkill.reg
2009-11-29 08:49 . 2009-11-29 08:49 236544 ----a-w- c:\documents and settings\Owner.SHIZOKU\pev.exe
2009-11-29 08:37 . 2009-11-29 08:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-29 08:25 . 2009-11-29 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-29 08:20 . 2009-11-29 09:07 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\fjisqy
2009-11-29 03:13 . 2006-03-29 14:05 32768 ------w- c:\windows\system32\IJRMF.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-16 11:13 . 2009-02-06 20:27 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\WTablet
2009-12-16 11:12 . 2008-05-03 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-16 07:26 . 2006-09-05 03:15 -------- d-----w- c:\program files\Trillian
2009-12-08 22:22 . 2008-05-03 20:48 -------- d-----w- c:\program files\Fraps
2009-12-02 23:58 . 2007-03-13 02:27 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\Canon
2009-12-02 23:49 . 2007-03-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-12-02 23:47 . 2006-05-12 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-02 23:47 . 2007-03-01 02:25 -------- d-----w- c:\program files\Canon
2009-11-29 15:09 . 2009-07-23 20:00 129291 ----a-w- C:\MGlogs.zip
2009-11-29 15:03 . 2009-03-19 14:10 117760 -c--a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-29 11:53 . 2009-07-23 09:48 2385076 ----a-w- C:\MGtools.exe
2009-11-29 09:20 . 2009-01-06 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 03:33 . 2009-03-06 01:36 -------- d-----w- c:\program files\Google
2009-11-29 03:07 . 2009-08-06 18:05 -------- d-----w- c:\program files\Firefox
2009-11-25 07:07 . 2008-07-31 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-11-11 02:10 . 2009-11-11 02:10 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{06729064-8D7A-4C72-962C-D771F2E5A665}\_97F7EF4DB601D3F5FA0F5C.exe
2009-11-11 02:10 . 2009-11-11 02:10 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{06729064-8D7A-4C72-962C-D771F2E5A665}\_6FEFF9B68218417F98F549.exe
2009-11-11 02:10 . 2009-11-11 02:10 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{06729064-8D7A-4C72-962C-D771F2E5A665}\_69F2F331F6E2E3905E1842.exe
2009-11-11 02:10 . 2009-11-11 02:10 10134 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{06729064-8D7A-4C72-962C-D771F2E5A665}\_27D2D9A3E02C8B834FE48A.exe
2009-11-06 17:00 . 2009-11-06 17:00 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00 . 2009-11-06 17:00 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00 . 2009-11-06 17:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-04 19:02 . 2009-07-23 09:05 -------- d-----w- c:\program files\Java
2009-11-04 19:01 . 2009-11-04 19:01 152576 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-11-04 18:08 . 2009-11-04 18:08 -------- d-----w- c:\program files\Wayward Gamers
2009-10-31 20:17 . 2009-10-31 20:16 -------- d-----w- c:\program files\Windows Live
2009-10-31 20:17 . 2009-10-31 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WindowsLiveInstaller
2009-10-31 20:16 . 2009-10-31 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\program files\Messenger Plus! 4
2009-10-29 07:45 . 2005-01-09 23:48 916480 ----a-w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-01-09 23:48 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-01-09 23:48 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-01-09 23:48 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-07-23 09:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 23:37 . 2009-07-21 08:58 228 ----a-w- c:\windows\system32\bcdfbf2.dat
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-12 98304]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-26 90112]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave7"=Echo3GWrap.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2009 1:44 PM 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2009 8:45 AM 207792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 10:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 10:43 AM 55024]
R2 Apache2.2;Apache2.2;c:\program files\Apache\Apache 2.2\bin\httpd.exe [9/5/2007 8:59 AM 24635]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/29/2009 8:46 AM 112592]
R2 IceWarpCalendar;IceWarp GroupWare Server;c:\program files\IceWarp\cal.exe [12/8/2009 9:15 AM 2216280]
R2 IceWarpControl;IceWarp Web / RCP / FTP;c:\program files\IceWarp\control.exe [12/8/2009 9:15 AM 2728792]
R2 IceWarpIM;IceWarp IM / VoIP;c:\program files\IceWarp\im.exe [12/8/2009 9:15 AM 1817432]
R2 IceWarpPOP3;IceWarp POP3 / IMAP;c:\program files\IceWarp\pop3.exe [12/8/2009 9:15 AM 1916760]
R2 IceWarpSMTP;IceWarp SMTP;c:\program files\IceWarp\smtp.exe [12/8/2009 9:15 AM 1782104]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/6/2009 3:27 PM 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [9/18/2009 5:09 PM 15656]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 10:43 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/29/2009 8:45 AM 359624]
.
Contents of the 'Scheduled Tasks' folder

2009-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3880739418-187157816-220240927-1006Core.job
- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-13 02:14]

2009-12-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3880739418-187157816-220240927-1006UA.job
- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-01-13 02:14]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner.SHIZOKU\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner.SHIZOKU\Application Data\Mozilla\Firefox\Profiles\z106uuzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-CanonMyPrinter - c:\program files\Canon\MyPrinter\uninst.exe uninst.ini
AddRemove-Easy-PhotoPrint - c:\program files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini
AddRemove-HijackThis - c:\mgtools\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-16 13:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys PCTCore.sys ACPI.sys hal.dll >>UNKNOWN [0x8A73A618]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb818cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f5fcb8
\Driver\atapi -> atapi.sys @ 0xb7e7e852
IoDeviceObjectType -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3880739418-187157816-220240927-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abakooacgjojdfljbhheenpibnehpdkopn"=hex:61,61,00,00
"bbakooacgjojdfljbhgejchjjloeaeenmocc"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'lsass.exe'(820)
c:\windows\system32\WININET.dll
.
Completion time: 2009-12-16 13:34
ComboFix-quarantined-files.txt 2009-12-16 18:34
ComboFix2.txt 2009-11-29 12:17
ComboFix3.txt 2009-07-23 13:48

Pre-Run: 78,792,757,248 bytes free
Post-Run: 79,168,700,416 bytes free

- - End Of File - - A7787C30C1E310BCBED660422E549414

#8 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • OFFLINE
  • Gender:Male
  • Location:Munich,Germany
  • Local time:12:39 PM

Posted 17 December 2009 - 02:08 PM

Hi,

Did you download a fresh copy of Combofix from the link I posted above? Please delete your copy from the desktop and download the fresh one.

Edited by schrauber, 17 December 2009 - 02:08 PM.

regards,
schrauber


If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#9 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:06:39 AM

Posted 17 December 2009 - 02:48 PM

New log:


ComboFix 09-12-16.05 - Owner 7/2009 Thu 14:20:44.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.932.81.1033.18.1918.1466 [GMT -5:00]
Running from: c:\documents and settings\Owner.SHIZOKU\My Documents\Downloads\KittyFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :(
.
((((((((((((((((((((((((( Files Created from 2009-11-17 to 2009-12-17 )))))))))))))))))))))))))))))))
.

2009-12-10 14:12 . 2009-12-10 14:12 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-12-08 14:15 . 2009-12-09 07:00 -------- d-----w- c:\program files\IceWarp
2009-12-06 22:41 . 2009-12-06 22:41 -------- d-----w- c:\program files\Windows Journal Viewer
2009-12-03 08:00 . 2009-12-03 08:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-12-02 23:49 . 2009-12-02 23:49 -------- d-----w- c:\program files\Common Files\ScanSoft Shared
2009-12-02 23:49 . 2009-12-02 23:49 -------- d-----w- c:\program files\ScanSoft
2009-12-02 23:47 . 2009-12-02 23:47 -------- d-----w- c:\program files\ArcSoft
2009-12-02 23:47 . 1995-08-01 09:44 212480 ----a-w- c:\windows\PCDLIB32.DLL
2009-12-02 23:39 . 2009-12-02 23:39 -------- d--h--w- c:\documents and settings\All Users\Application Data\CanonBJ
2009-12-02 23:38 . 2009-12-02 23:38 -------- d--h--w- c:\windows\system32\CanonIJ Uninstaller Information
2009-12-02 23:38 . 2006-02-17 15:44 106496 ----a-w- c:\windows\system32\cnco160.dll
2009-12-02 23:38 . 2006-03-24 15:29 135168 ----a-w- c:\windows\system32\CNCL160.DLL
2009-12-02 23:38 . 2006-03-15 15:27 57344 ----a-w- c:\windows\system32\CNCI160.DLL
2009-12-02 23:38 . 2006-03-15 15:27 1134592 ----a-w- c:\windows\system32\CNCC160.DLL
2009-12-02 23:38 . 2009-12-02 23:38 -------- d--h--w- c:\program files\CanonBJ
2009-11-30 05:05 . 2009-11-30 05:05 -------- d-----w- c:\program files\Trend Micro
2009-11-30 02:43 . 2009-11-30 02:43 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\DoctorWeb
2009-11-29 18:44 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-11-29 13:51 . 2009-11-29 13:51 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Threat Expert
2009-11-29 13:46 . 2009-11-10 15:26 767952 ----a-w- c:\windows\BDTSupport.dll
2009-11-29 13:46 . 2009-11-10 15:28 149456 ----a-w- c:\windows\SGDetectionTool.dll
2009-11-29 13:46 . 2009-11-10 15:28 165840 ----a-w- c:\windows\PCTBDRes.dll
2009-11-29 13:46 . 2009-11-10 15:28 1640400 ----a-w- c:\windows\PCTBDCore.dll
2009-11-29 13:46 . 2009-10-28 06:36 1152444 ----a-w- c:\windows\UDB.zip
2009-11-29 13:46 . 2008-11-26 17:08 131 ----a-w- c:\windows\IDB.zip
2009-11-29 13:45 . 2009-10-30 16:11 233136 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-11-29 13:45 . 2009-11-09 16:20 207792 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-11-29 13:45 . 2009-10-06 21:31 87784 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-11-29 13:45 . 2009-09-03 14:45 70408 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-11-29 13:45 . 2009-12-05 00:14 -------- d-----w- c:\program files\Spyware Doctor
2009-11-29 13:45 . 2009-11-29 13:46 -------- d-----w- c:\program files\Common Files\PC Tools
2009-11-29 13:45 . 2009-11-29 13:45 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\PC Tools
2009-11-29 13:45 . 2009-11-29 13:45 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\program files\MSSOAP
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\program files\Webroot
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\Webroot
2009-11-29 13:17 . 2009-11-29 13:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Webroot
2009-11-29 13:17 . 2009-11-06 20:19 1563008 ----a-w- c:\windows\WRSetup.dll
2009-11-29 13:13 . 2009-11-29 13:43 164 ----a-w- c:\windows\install.dat
2009-11-29 08:49 . 2009-11-29 08:49 439 ----a-w- c:\documents and settings\Owner.SHIZOKU\rkill.reg
2009-11-29 08:49 . 2009-11-29 08:49 236544 ----a-w- c:\documents and settings\Owner.SHIZOKU\pev.exe
2009-11-29 08:37 . 2009-11-29 08:37 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-11-29 08:25 . 2009-11-29 08:25 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-11-29 08:20 . 2009-11-29 09:07 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\fjisqy
2009-11-29 03:13 . 2006-03-29 14:05 32768 ------w- c:\windows\system32\IJRMF.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-17 19:38 . 2009-02-06 20:27 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\WTablet
2009-12-17 19:37 . 2008-05-03 20:48 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-12-17 19:15 . 2006-09-05 03:15 -------- d-----w- c:\program files\Trillian
2009-12-17 17:43 . 2009-04-12 19:33 -------- d-----w- c:\program files\KParser
2009-12-17 17:40 . 2009-12-17 17:40 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{E87380C6-A1E3-4EF1-91DF-82CD5800FB7C}\_6FEFF9B68218417F98F549.exe
2009-12-17 17:40 . 2009-12-17 17:40 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{E87380C6-A1E3-4EF1-91DF-82CD5800FB7C}\_4C82029E555291FACD330D.exe
2009-12-17 17:40 . 2009-12-17 17:40 15086 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{E87380C6-A1E3-4EF1-91DF-82CD5800FB7C}\_38BD1B0BF98F7C182D9B39.exe
2009-12-17 17:40 . 2009-12-17 17:40 10134 ----a-r- c:\documents and settings\Owner.SHIZOKU\Application Data\Microsoft\Installer\{E87380C6-A1E3-4EF1-91DF-82CD5800FB7C}\_CF73B0D53A12F718889C25.exe
2009-12-08 22:22 . 2008-05-03 20:48 -------- d-----w- c:\program files\Fraps
2009-12-02 23:58 . 2007-03-13 02:27 -------- d-----w- c:\documents and settings\Owner.SHIZOKU\Application Data\Canon
2009-12-02 23:49 . 2007-03-01 02:31 -------- d-----w- c:\documents and settings\All Users\Application Data\ScanSoft
2009-12-02 23:47 . 2006-05-12 20:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-12-02 23:47 . 2007-03-01 02:25 -------- d-----w- c:\program files\Canon
2009-11-29 15:09 . 2009-07-23 20:00 129291 ----a-w- C:\MGlogs.zip
2009-11-29 15:03 . 2009-03-19 14:10 117760 -c--a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-11-29 11:53 . 2009-07-23 09:48 2385076 ----a-w- C:\MGtools.exe
2009-11-29 09:20 . 2009-01-06 04:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-29 09:20 . 2009-11-29 09:20 4045527 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-11-29 03:33 . 2009-03-06 01:36 -------- d-----w- c:\program files\Google
2009-11-29 03:07 . 2009-08-06 18:05 -------- d-----w- c:\program files\Firefox
2009-11-25 07:07 . 2008-07-31 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Soulseek
2009-11-06 17:00 . 2009-11-06 17:00 23152 ----a-w- c:\windows\system32\drivers\sshrmd.sys
2009-11-06 17:00 . 2009-11-06 17:00 176752 ----a-w- c:\windows\system32\drivers\ssidrv.sys
2009-11-06 17:00 . 2009-11-06 17:00 29808 ----a-w- c:\windows\system32\drivers\ssfs0bbc.sys
2009-11-04 19:02 . 2009-07-23 09:05 -------- d-----w- c:\program files\Java
2009-11-04 19:01 . 2009-11-04 19:01 152576 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-10-31 20:17 . 2009-10-31 20:16 -------- d-----w- c:\program files\Windows Live
2009-10-31 20:17 . 2009-10-31 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WindowsLiveInstaller
2009-10-31 20:16 . 2009-10-31 20:16 -------- d-----w- c:\documents and settings\All Users\Application Data\WLInstaller
2009-10-31 18:25 . 2009-10-31 18:25 -------- d-----w- c:\program files\Messenger Plus! 4
2009-10-29 07:45 . 2005-01-09 23:48 916480 ------w- c:\windows\system32\wininet.dll
2009-10-21 05:38 . 2005-01-09 23:48 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38 . 2005-01-09 23:48 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 16:20 . 2004-08-04 06:00 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-13 10:30 . 2005-01-09 23:48 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-12 13:38 . 2005-01-09 23:48 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38 . 2005-01-09 23:48 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-11 09:17 . 2009-07-23 09:05 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-10 23:37 . 2009-07-21 08:58 228 ----a-w- c:\windows\system32\bcdfbf2.dat
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-09-27 23:38 . 2009-09-27 23:38 290816 ----a-w- c:\documents and settings\Owner.SHIZOKU\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-02-08 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-06 64512]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2004-08-10 44032]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 483328]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 90112]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2005-02-26 966656]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 155648]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-03-21 69632]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-05-12 98304]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2009-08-13 1657376]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-17 13877248]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-17 86016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 15:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave7"=Echo3GWrap.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [11/29/2009 1:44 PM 28552]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/29/2009 8:45 AM 207792]
R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [11/6/2009 12:00 PM 29808]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 10:43 AM 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 10:43 AM 55024]
R2 Apache2.2;Apache2.2;c:\program files\Apache\Apache 2.2\bin\httpd.exe [9/5/2007 8:59 AM 24635]
R2 Browser Defender Update Service;Browser Defender Update Service;c:\program files\Spyware Doctor\BDT\BDTUpdateService.exe [11/29/2009 8:46 AM 112592]
R2 IceWarpCalendar;IceWarp GroupWare Server;c:\program files\IceWarp\cal.exe [12/8/2009 9:15 AM 2216280]
R2 IceWarpControl;IceWarp Web / RCP / FTP;c:\program files\IceWarp\control.exe [12/8/2009 9:15 AM 2728792]
R2 IceWarpIM;IceWarp IM / VoIP;c:\program files\IceWarp\im.exe [12/8/2009 9:15 AM 1817432]
R2 IceWarpPOP3;IceWarp POP3 / IMAP;c:\program files\IceWarp\pop3.exe [12/8/2009 9:15 AM 1916760]
R2 IceWarpSMTP;IceWarp SMTP;c:\program files\IceWarp\smtp.exe [12/8/2009 9:15 AM 1782104]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2/6/2009 3:27 PM 2789672]
R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [9/18/2009 5:09 PM 15656]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 10:43 AM 7408]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [11/29/2009 8:45 AM 359624]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\Owner.SHIZOKU\Start Menu\Programs\IMVU\Run IMVU.lnk
FF - ProfilePath - c:\documents and settings\Owner.SHIZOKU\Application Data\Mozilla\Firefox\Profiles\z106uuzy.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-17 14:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3880739418-187157816-220240927-1006\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"abakooacgjojdfljbhheenpibnehpdkopn"=hex:61,61,00,00
"bbakooacgjojdfljbhgejchjjloeaeenmocc"=hex:61,61,00,00

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC

- - - - - - - > 'explorer.exe'(4832)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\windows\IME\IMJP8_1\Dicts\IMJPCD.DIC
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
c:\program files\SUPERAntiSpyware\SASSEH.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\conime.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\SOUNDMAN.EXE
c:\windows\eHome\ehSched.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\IceWarp\spam\commtouch\ctasd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Webroot\WebrootSecurity\SpySweeper.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-12-17 14:46:44 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-17 19:46
ComboFix2.txt 2009-12-16 18:34
ComboFix3.txt 2009-11-29 12:17
ComboFix4.txt 2009-07-23 13:48

Pre-Run: 78,593,826,816 bytes free
Post-Run: 78,593,089,536 bytes free

- - End Of File - - 5740AE66A174C7C6602F6AAD2A1B594A

#10 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 17 December 2009 - 02:48 PM

Looks better :(

Please post back with a fresh Gmer logfile.

Edited by schrauber, 17 December 2009 - 02:49 PM.

regards,
schrauber

If I've not posted back within 48 hrs., feel free to send a PM with your topic link. Thank you!

If I have helped you then please consider donating to continue the fight against malware

#11 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts

Posted 17 December 2009 - 02:50 PM

The google thing is fixed, Thank you. I'll run the GMER scan now.

#12 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 17 December 2009 - 03:03 PM

Ok :(
regards,
schrauber

#13 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts

Posted 17 December 2009 - 05:28 PM

Okay, here is the new GMER log.

Also, Safe Mode is working again.

Edit: I got a blue screen while playing a game again. I was thinking overheating or video card...

GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-17 17:28:11
Windows 5.1.2600 Service Pack 3
Running: 14dr0fh1.exe; Driver: C:\DOCUME~1\OWNER~1.SHI\LOCALS~1\Temp\ufrdypoc.sys


---- System - GMER 1.0.15 ----

SSDT 8A6F8490 ZwAllocateVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB7DF9E52]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB7DDACDE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB7DDAED0]
SSDT 8A7760D8 ZwCreateThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB7DFA640]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB7DFA8F4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB7DF8B44]
SSDT 8A75DDA0 ZwQueueApcThread
SSDT 8A6F83A0 ZwReadVirtualMemory
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB7DFAD60]
SSDT 8A774088 ZwSetContextThread
SSDT 8A773FA8 ZwSetInformationKey
SSDT 8A75D860 ZwSetInformationProcess
SSDT 8A774100 ZwSetInformationThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB7DFA112]
SSDT 8A760020 ZwSuspendProcess
SSDT 8A75DE18 ZwSuspendThread
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB7DDA984]
SSDT 8A75F238 ZwTerminateThread
SSDT 8A6F8418 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB61CA380, 0x3DF545, 0xE8000020]
? C:\KittyFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] 8A6F8328
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] 8A6F8230

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))

Device \Driver\Tcpip \Device\Ip 89B446E8
Device \Driver\Tcpip \Device\Tcp 89B446E8
Device \Driver\Tcpip \Device\Udp 89B446E8
Device \Driver\Tcpip \Device\RawIp 89B446E8
Device \Driver\Tcpip \Device\IPMULTICAST 89B446E8

AttachedDevice \FileSystem\Fastfat \Fat ssfs0bbc.sys (Spy Sweeper FileSystem Filter Driver/Webroot Software, Inc. (www.webroot.com))
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI@NoChange 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS@Installed 1
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo@EncoderType 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}@abakooacgjojdfljbhheenpibnehpdkopn 0x61 0x61 0x00 0x00
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A22F8741-669F-1B6D-E905-06669C0B4B86}@bbakooacgjojdfljbhgejchjjloeaeenmocc 0x61 0x61 0x00 0x00

---- EOF - GMER 1.0.15 ----

Edited by Shizoku, 18 December 2009 - 12:13 PM.


#14 schrauber

schrauber

    Mr.Mechanic


  • Malware Response Team
  • 24,794 posts
  • Gender:Male
  • Location:Munich,Germany

Posted 18 December 2009 - 01:39 PM

Hi,

Looks good :(



Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.




  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt.

regards,
schrauber

#15 Shizoku

Shizoku
  • Topic Starter

  • Members
  • 11 posts

Posted 18 December 2009 - 10:29 PM

Hello Tom

Malwarebytes Log:

Malwarebytes' Anti-Malware 1.42
Database version: 3392
Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/18/2009 10:22:26 PM
mbam-log-2009-12-18 (22-22-26).txt

Scan type: Quick Scan
Objects scanned: 116316
Time elapsed: 7 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


RSIT Log:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Owner at 2009-12-18 22:25:04
Microsoft Windows XP Professional Service Pack 3
System drive C: has 75 GB (32%) free of 234 GB
Total RAM: 1918 MB (59% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:08 PM, on 12/18/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Apache\Apache 2.2\bin\httpd.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\Apache\Apache 2.2\bin\httpd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\IceWarp\cal.exe
C:\Program Files\IceWarp\control.exe
C:\Program Files\PlayOnline\SquareEnix\PlayOnlineViewer\pol.exe
C:\Program Files\IceWarp\im.exe
C:\Program Files\IceWarp\spam\commtouch\ctasd.exe
C:\Program Files\IceWarp\pop3.exe
C:\Program Files\IceWarp\smtp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner.SHIZOKU\My Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Owner.exe

O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner.SHIZOKU\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://*.update.microsoft.com
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://ctcive.ap.org/dana-cached/setup/JuniperSetupSP1.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Program Files\LSI SoftModem\agrsmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - C:\Program Files\Apache\Apache 2.2\bin\httpd.exe
O23 - Service: Browser Defender Update Service - Threat Expert Ltd. - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: IceWarp GroupWare Server (IceWarpCalendar) - IceWarp Ltd. - C:\Program Files\IceWarp\cal.exe
O23 - Service: IceWarp Web / RCP / FTP (IceWarpControl) - IceWarp Ltd. - C:\Program Files\IceWarp\control.exe
O23 - Service: IceWarp IM / VoIP (IceWarpIM) - IceWarp Ltd. - C:\Program Files\IceWarp\im.exe
O23 - Service: IceWarp POP3 / IMAP (IceWarpPOP3) - IceWarp Ltd. - C:\Program Files\IceWarp\pop3.exe
O23 - Service: IceWarp SMTP (IceWarpSMTP) - IceWarp Ltd. - C:\Program Files\IceWarp\smtp.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Webroot Spy Sweeper ?E?F?u???[?g ?X?p?C ?X?E?B?[?p?[ ?G??W? (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe

--
End of file - 10247 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3880739418-187157816-220240927-1006Core.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-3880739418-187157816-220240927-1006UA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A0F3D1B-0909-4FF4-B272-609CCE6054E7}]
PC Tools Browser Guard BHO - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll [2009-11-10 395216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]
EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-04-18 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-11 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]
{472734EA-242A-422B-ADF8-83D1E48CC825} - PC Tools Browser Guard - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll [2009-11-10 395216]
{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-04-18 552960]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray"=C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE [2002-09-14 212992]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-10 208952]
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE [2004-08-10 44032]
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe [2004-08-10 59392]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-10 455168]
"Acrobat Assistant 7.0"=C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]
"SoundMan"=C:\WINDOWS\SOUNDMAN.EXE [2005-09-26 90112]
"Reminder"=C:\WINDOWS\Creator\Remind_XP.exe [2005-02-25 966656]
"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-12-03 1394000]
"CanonMyPrinter"=C:\Program Files\Canon\MyPrinter\BJMyPrt.exe [2006-03-21 1191936]
"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2003-09-30 155648]
"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-03-21 69632]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2006-05-12 98304]
"nwiz"=C:\Program Files\NVIDIA Corporation\nView\nwiz.exe [2009-08-12 1657376]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-08-17 13877248]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-08-17 86016]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2009-12-03 429392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Documents and Settings\Owner.SHIZOKU\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-02-07 133104]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2008-12-22 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoDriveAutoRun"=
"NoDriveTypeAutoRun"=
"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:?ETorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"="C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe:*:Enabled:Veoh Web Player "
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======List of files/folders created in the last 1 months======

2009-12-18 22:25:04 ----D---- C:\rsit
2009-12-17 17:30:56 ----A---- C:\WINDOWS\ntbtlog.txt
2009-12-17 14:46:45 ----A---- C:\ComboFix.txt
2009-12-09 03:05:06 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2009-12-09 03:04:56 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2009-12-09 03:04:14 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2009-12-09 03:04:05 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2009-12-09 03:03:01 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2009-12-08 09:15:02 ----D---- C:\Program Files\IceWarp
2009-12-06 17:41:17 ----D---- C:\Program Files\Windows Journal Viewer
2009-12-03 03:00:44 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2009-12-03 03:00:38 ----D---- C:\Config.Msi
2009-12-02 18:49:39 ----A---- C:\WINDOWS\MAXLINK.INI
2009-12-02 18:49:27 ----D---- C:\Program Files\Common Files\ScanSoft Shared
2009-12-02 18:49:00 ----D---- C:\Program Files\ScanSoft
2009-12-02 18:47:54 ----D---- C:\Program Files\ArcSoft
2009-12-02 18:47:54 ----A---- C:\WINDOWS\PCDLIB32.DLL
2009-12-02 18:39:04 ----HD---- C:\Documents and Settings\All Users\Application Data\CanonBJ
2009-12-02 18:38:57 ----HD---- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2009-12-02 18:38:53 ----A---- C:\WINDOWS\system32\cnco160.dll
2009-12-02 18:38:52 ----A---- C:\WINDOWS\system32\CNCL160.DLL
2009-12-02 18:38:52 ----A---- C:\WINDOWS\system32\CNCI160.DLL
2009-12-02 18:38:52 ----A---- C:\WINDOWS\system32\CNCC160.DLL
2009-12-02 18:38:48 ----HD---- C:\Program Files\CanonBJ
2009-12-02 09:53:47 ----A---- C:\WINDOWS\imsins.BAK
2009-11-30 00:05:51 ----D---- C:\Program Files\Trend Micro
2009-11-29 21:32:20 ----A---- C:\WINDOWS\system32\tmp.txt
2009-11-29 21:32:07 ----A---- C:\rapport.txt
2009-11-29 08:46:25 ----A---- C:\WINDOWS\BDTSupport.dll
2009-11-29 08:46:24 ----A---- C:\WINDOWS\SGDetectionTool.dll
2009-11-29 08:46:24 ----A---- C:\WINDOWS\PCTBDRes.dll
2009-11-29 08:46:24 ----A---- C:\WINDOWS\PCTBDCore.dll
2009-11-29 08:45:20 ----D---- C:\Program Files\Spyware Doctor
2009-11-29 08:45:20 ----D---- C:\Program Files\Common Files\PC Tools
2009-11-29 08:45:20 ----D---- C:\Documents and Settings\Owner.SHIZOKU\Application Data\PC Tools
2009-11-29 08:45:20 ----D---- C:\Documents and Settings\All Users\Application Data\PC Tools
2009-11-29 08:17:45 ----D---- C:\Program Files\MSSOAP
2009-11-29 08:17:12 ----D---- C:\Program Files\Webroot
2009-11-29 08:17:12 ----D---- C:\Documents and Settings\Owner.SHIZOKU\Application Data\Webroot
2009-11-29 08:17:12 ----D---- C:\Documents and Settings\All Users\Application Data\Webroot
2009-11-29 08:17:12 ----A---- C:\WINDOWS\WRSetup.dll
2009-11-29 06:59:48 ----A---- C:\Boot.bak
2009-11-29 06:59:34 ----RASHD---- C:\cmdcons
2009-11-29 06:54:59 ----A---- C:\WINDOWS\MBR.exe
2009-11-29 03:16:52 ----D---- C:\Program Files\Mozilla Firefox
2009-11-28 22:33:03 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-11-28 22:13:01 ----N---- C:\WINDOWS\system32\IJRMF.exe
2009-11-26 03:01:36 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$
2009-11-26 03:01:28 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$

======List of files/folders modified in the last 1 months======

2009-12-18 22:16:37 ----D---- C:\Program Files\Trillian
2009-12-18 22:14:33 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-12-18 22:14:30 ----D---- C:\WINDOWS\system32\drivers
2009-12-18 21:27:58 ----D---- C:\WINDOWS\Temp
2009-12-18 20:28:17 ----D---- C:\WINDOWS\system32\CatRoot2
2009-12-18 20:28:14 ----A---- C:\WINDOWS\ModemLog_Agere Systems PCI-SV92PP Soft Modem.txt
2009-12-18 20:28:06 ----D---- C:\WINDOWS\Registration
2009-12-18 20:27:50 ----D---- C:\Documents and Settings\Owner.SHIZOKU\Application Data\WTablet
2009-12-18 20:27:20 ----D---- C:\WINDOWS
2009-12-18 20:27:14 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-12-18 20:27:02 ----D---- C:\WINDOWS\Minidump
2009-12-18 12:29:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-12-18 03:01:33 ----SHD---- C:\WINDOWS\Installer
2009-12-18 03:01:32 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2009-12-18 03:01:32 ----D---- C:\WINDOWS\system32
2009-12-18 03:01:32 ----D---- C:\Program Files\Common Files\Microsoft Shared
2009-12-17 20:16:02 ----D---- C:\Documents and Settings\All Users\Application Data\Soulseek
2009-12-17 14:46:48 ----D---- C:\Qoobox
2009-12-17 14:37:54 ----A---- C:\WINDOWS\system.ini
2009-12-17 14:26:29 ----D---- C:\WINDOWS\AppPatch
2009-12-17 14:26:24 ----D---- C:\Program Files\Common Files
2009-12-17 14:20:48 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-12-17 12:43:03 ----D---- C:\Program Files\KParser
2009-12-17 12:39:07 ----RD---- C:\Program Files
2009-12-17 12:17:03 ----D---- C:\WINDOWS\Help
2009-12-17 12:16:00 ----HD---- C:\WINDOWS\inf
2009-12-17 12:15:50 ----D---- C:\WINDOWS\system32\CatRoot
2009-12-16 13:19:38 ----SHD---- C:\System Volume Information
2009-12-16 13:19:38 ----D---- C:\WINDOWS\system32\Restore
2009-12-09 22:54:07 ----A---- C:\WINDOWS\PEV.exe
2009-12-09 03:26:32 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-12-09 03:04:44 ----D---- C:\Program Files\Internet Explorer
2009-12-09 03:04:35 ----D---- C:\WINDOWS\ie8updates
2009-12-09 03:04:28 ----HD---- C:\WINDOWS\$hf_mig$
2009-12-09 03:00:22 ----D---- C:\WINDOWS\Debug
2009-12-08 17:22:21 ----D---- C:\Program Files\Fraps
2009-12-02 18:58:55 ----D---- C:\Documents and Settings\Owner.SHIZOKU\Application Data\Canon
2009-12-02 18:49:36 ----D---- C:\WINDOWS\WinSxS
2009-12-02 18:49:31 ----D---- C:\Documents and Settings\All Users\Application Data\ScanSoft
2009-12-02 18:47:54 ----HD---- C:\Program Files\InstallShield Installation Information
2009-12-02 18:47:28 ----D---- C:\Program Files\Canon
2009-12-02 18:38:56 ----D---- C:\WINDOWS\twain_32
2009-12-02 18:03:27 ----D---- C:\Program Files\msn
2009-12-01 15:06:19 ----A---- C:\WINDOWS\system32\MRT.exe
2009-11-29 10:09:43 ----D---- C:\MGtools
2009-11-29 07:14:39 ----D---- C:\WINDOWS\ERDNT
2009-11-29 06:59:49 ----RASH---- C:\boot.ini
2009-11-29 06:53:22 ----A---- C:\MGtools.exe
2009-11-29 03:38:45 ----D---- C:\WINDOWS\Prefetch
2009-11-29 03:15:40 ----D---- C:\Documents and Settings\Owner.SHIZOKU\Application Data\Mozilla
2009-11-28 22:33:03 ----D---- C:\Program Files\Google
2009-11-28 22:33:02 ----SD---- C:\WINDOWS\Tasks
2009-11-28 22:07:13 ----D---- C:\Program Files\Firefox

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2005-03-09 36352]
R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-10-19 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-10-19 9464]
R1 FsVga;FsVga; C:\WINDOWS\system32\DRIVERS\fsvga.sys [2004-08-10 12160]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-05-12 8552]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2008-10-29 1204128]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-09-26 3644800]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-08-17 7729568]
R3 NVENETFD;NVIDIA nForce 10/100 Mbps Ethernet ; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2008-08-01 54784]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2008-08-01 22016]
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2004-04-01 10368]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 wacmoumonitor;Wacom Mode Helper; C:\WINDOWS\system32\DRIVERS\wacmoumonitor.sys [2008-10-06 15656]
R3 wacommousefilter;Wacom Mouse Filter Driver; C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11312]
R3 wacomvhid;Wacom Virtual Hid Driver; C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2008-07-11 13352]
R3 WacomVKHid;Virtual Keyboard Driver; C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 11440]
S1 P3;Intel PentiumIII Processor Driver; C:\WINDOWS\system32\DRIVERS\p3.sys [2008-04-13 42752]
S3 catchme;catchme; \??\C:\KittyFix\catchme.sys []
S3 dsNcAdpt;Juniper Network Connect Adapter; C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys []
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 mxnic;Macronix MX987xx Family Fast Ethernet NT Driver; C:\WINDOWS\system32\DRIVERS\mxnic.sys [2001-08-17 19968]
S3 SASENUM;SASENUM; \??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AgereModemAudio;Agere Modem Call Progress Audio; C:\Program Files\LSI SoftModem\agrsmsvc.exe [2008-08-26 14336]
R2 Apache2.2;Apache2.2; C:\Program Files\Apache\Apache 2.2\bin\httpd.exe [2007-09-05 24635]
R2 Browser Defender Update Service;Browser Defender Update Service; C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe [2009-11-10 112592]
R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 IceWarpCalendar;IceWarp GroupWare Server; C:\Program Files\IceWarp\cal.exe [2009-12-08 2216280]
R2 IceWarpControl;IceWarp Web / RCP / FTP; C:\Program Files\IceWarp\control.exe [2009-12-08 2728792]
R2 IceWarpIM;IceWarp IM / VoIP; C:\Program Files\IceWarp\im.exe [2009-12-08 1817432]
R2 IceWarpPOP3;IceWarp POP3 / IMAP; C:\Program Files\IceWarp\pop3.exe [2009-12-08 1916760]
R2 IceWarpSMTP;IceWarp SMTP; C:\Program Files\IceWarp\smtp.exe [2009-12-08 1782104]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-11 153376]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 nvsvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-08-17 168004]
R2 PrismXL;PrismXL; C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS [2006-05-12 172032]
R2 TabletServiceWacom;TabletServiceWacom; C:\WINDOWS\system32\Wacom_Tablet.exe [2009-03-26 2789672]
R2 WebrootSpySweeperService;Webroot Spy Sweeper ウェブルート スパイ スウィーパー エンジン; C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe [2009-11-06 4048240]
S2 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt --defaults-file=C:\Program Files\MySQL\MySQL Server 5.0\my.ini MySQL []
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2006-09-24 72704]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 Macromedia Licensing Service;Macromedia Licensing Service; C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe [2006-09-22 68096]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
S3 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-11-06 1141712]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-05-17 98672]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-05-16 228208]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2008-05-26 439808]

-----------------EOF-----------------


RSIT Info:

info.txt logfile of random's system information tool 1.06 2009-12-18 22:25:12

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-100000000002}
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-1033-0000-0000-000000000001}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Illustrator CS2-->msiexec /I {B2F5D08C-7E79-4FCD-AAF4-57AD35FF0601}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 7.0-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70000000000}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Apache HTTP Server 2.2.6-->MsiExec.exe /I{85262A06-2D8C-4BC1-B6ED-5A705D09CFFC}
ArcSoft PhotoStudio 5.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{85309D89-7BE9-4094-BB17-24999C6118FC}\SETUP.EXE" -l0x9
ASCOM Platform 4.1-->C:\PROGRA~1\COMMON~1\ASCOM\TELESC~1\UNWISE.EXE C:\PROGRA~1\COMMON~1\ASCOM\TELESC~1\INSTALL.LOG
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9
Audacity 1.2.4-->"C:\Program Files\Audacity\unins000.exe"
Audacity 1.3.8 (Unicode)-->"C:\Program Files\Audacity 1.3\unins000.exe"
Browser Defender 2.0.6.11-->"C:\Program Files\Spyware Doctor\BDT\unins000.exe"
Canon MP Navigator 3.0-->"C:\Program Files\Canon\MP Navigator 3.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 3.0\uninst.ini
Canon MP160 User Registration-->C:\Program Files\Canon\IJEREG\MP160\UNINST.EXE
Canon MP160-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP160 /L0x0009
CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"
Combined Community Codec Pack 2009-09-09-->"C:\Program Files\CCCP\unins000.exe"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
DivX Codec-->C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
Drumsite 1.3 (demo)-->"C:\Program Files\Drumsite\Uninstall.exe" "C:\Program Files\Drumsite\install.log"
DVD Solution-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"
Echo3G Windows Driver-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{0E84F066-452E-4CCC-BA79-660C61B3DE71}
FINAL FANTASY XI: Chains of Promathia-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{3C0619B4-4A2C-4244-8077-488E420DF907}
FINAL FANTASY XI: Rise of the Zilart-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{6FC76C41-8C1D-4B43-85E7-0BAA2002F1BE}
FINAL FANTASY XI: Treasures of Aht Urhgan-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{A606C6FF-12E7-40BE-B777-D8F360FF00CD}
FINAL FANTASY XI: Wings of the Goddess-->C:\Program Files\InstallShield Installation Information\{5B037ED7-0755-48D4-9554-808E5AF50F17}\setup.exe -runfromtemp -l0x0409
FINAL FANTASY XI-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{678F6475-D227-432A-94FF-806178A34520}
FL Studio 6-->C:\Program Files\Fruity Loops\uninstall.exe
Fraps (remove only)-->"C:\Program Files\Fraps\uninstall.exe"
Free Mp3 Wma Converter V 1.4.0-->"C:\Program Files\Audio Converter\unins000.exe"
GIMP 2.6.6-->"C:\Program Files\GIMP-2.0\setup\unins000.exe"
Guitar Pro 5.0-->"C:\Program Files\Guitar Pro\unins000.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB910393)-->"C:\WINDOWS\$NtUninstallKB910393$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB915800-v4)-->"C:\WINDOWS\$NtUninstallKB915800-v4$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
IceWarp Server 10.0.4-->C:\Program Files\IceWarp\uninstall.exe /UNINSTALL
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216014FF}
jv16 PowerTools 2009-->"C:\Program Files\jv16 PowerTools 2009\unins000.exe"
KParser-->MsiExec.exe /I{E87380C6-A1E3-4EF1-91DF-82CD5800FB7C}
Macromedia Dreamweaver MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{05BB2EC5-6BEF-4DDC-9E75-BEE7B161157A}\Setup.exe" -l0x9 mmUninstall
Macromedia Extension Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A5BA14E0-7384-11D4-BAE7-00409631A2C8}\setup.exe" -l0x9 mmUninstall
Macromedia Flash MX 2004-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2F353D44-73BB-4971-B31D-F7642E9E9531}\Setup.exe" -l0x9 UNINSTALL
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.0 Hotfix (KB953295)-->"C:\WINDOWS\$NtUninstallKB953295$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SQL Server Compact 3.5 SP1 English-->MsiExec.exe /I{E59113EB-0285-4BFD-A37A-B79EAC6B8F4B}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Mozilla Firefox (3.5.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 and SOAP Toolkit 3.0-->MsiExec.exe /I{32343DB6-9A52-40C9-87E4-5E7C79791C87}
MSXML 6.0 Parser (KB925673)-->MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
msxml4-->MsiExec.exe /X{5AE3D9F1-9E9E-4015-8787-E22705AA32C5}
MySQL Server 5.0-->MsiExec.exe /I{2FEB25F8-C3CB-49A2-AE79-DE17FFAFB5D9}
Napster Burn Engine-->MsiExec.exe /I{8DCE550C-CA43-4E82-92DF-FFC4A48F5BE1}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA nView Desktop Manager-->C:\Program Files\NVIDIA Corporation\nView\nViewSetup.exe -uninstall
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PHP 5.2.5-->MsiExec.exe /I{00FA2C30-C2BB-45A2-B0C3-769541E8F6A2}
PlayOnline Viewer and Tetra Master-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{47004155-7376-403E-89E9-4C9F44AAF0D0}
Power2Go 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
QuickTime-->C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Quintessential Media Player-->"C:\Program Files\Quintessential Media Player\uninst.exe"
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Rhapsody Player Engine-->MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
ScanSoft OmniPage SE 4.0-->MsiExec.exe /I{29D851C2-048C-4B5E-8D1F-25D473342BB5}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB972260)-->"C:\WINDOWS\ie7updates\KB972260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB974455)-->"C:\WINDOWS\ie7updates\KB974455-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows Search 4 - KB963093-->"C:\WINDOWS\$NtUninstallKB963093$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Skype 2.5-->"C:\Program Files\Skype\Phone\unins000.exe"
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sony Vegas Pro 8.0-->MsiExec.exe /X{B7E2A724-2774-4AC2-9F0A-B58C7319B6E6}
SoulSeek 157 NS 13b-->"C:\Program Files\Soulseek\uninstall.exe"
Spy Sweeper Core-->MsiExec.exe /I{3F5B6210-0903-4DC6-8034-8F488AA3A782}
Spyware Doctor 7.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Trillian-->C:\Program Files\Trillian\Trillian.exe /uninstall
Unlocker 1.8.7-->C:\Program Files\Unlocker\uninst.exe
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB953356)-->"C:\WINDOWS\$NtUninstallKB953356$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Veoh Web Player-->"C:\Program Files\Veoh Networks\VeohWebPlayer\uninst.exe"
Version 6.7.1-->"C:\Program Files\FFXIP\unins000.exe"
VideoLAN VLC media player 0.8.5-->C:\Program Files\VLC\uninstall.exe
Wacom Tablet-->C:\Program Files\Tablet\Wacom\Remove.exe /u
Windows Backup Utility-->MsiExec.exe /I{76EFFC7C-17A6-479D-9E47-8E658C1695AE}
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live installer-->MsiExec.exe /I{621AF8B2-75D2-4074-BA44-79178A617255}
Windows Live Messenger-->MsiExec.exe /X{33F8EAD4-B6EC-498B-B487-696B973D1C0C}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Search 4.0-->"C:\WINDOWS\$NtUninstallKB940157$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB973768-->"C:\WINDOWS\$NtUninstallKB973768$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======System event log======

Computer Name: SHIZOKU
Event Code: 20
Message: Installation Failure: Windows failed to install the following update with error 0x80070643: Office XP Service Pack 3.

Record Number: 90
Source Name: Windows Update Agent
Time Written: 20091124030213.000000-300
Event Type: error
User:

Computer Name: SHIZOKU
Event Code: 7034
Message: The MySQL service terminated unexpectedly. It has done this 1 time(s).

Record Number: 65
Source Name: Service Control Manager
Time Written: 20091123203000.000000-300
Event Type: error
User:

Computer Name: SHIZOKU
Event Code: 7034
Message: The MySQL service terminated unexpectedly. It has done this 1 time(s).

Record Number: 37
Source Name: Service Control Manager
Time Written: 20091123132548.000000-300
Event Type: error
User:

Computer Name: SHIZOKU
Event Code: 20
Message: Installation Failure: Windows failed to install the following update with error 0x80070643: Office XP Service Pack 3.

Record Number: 28
Source Name: Windows Update Agent
Time Written: 20091123030153.000000-300
Event Type: error
User:

Computer Name: SHIZOKU
Event Code: 7034
Message: The MySQL service terminated unexpectedly. It has done this 1 time(s).

Record Number: 6
Source Name: Service Control Manager
Time Written: 20091123021607.000000-300
Event Type: error
User:

=====Application event log=====

Computer Name: SHIZOKU
Event Code: 11402
Message: Product: Microsoft Office XP Professional with FrontPage -- Error 1402. Setup cannot open the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL. Verify that you have sufficient permissions to access the registry or contact your Information Technology department for assistance.

Record Number: 2212
Source Name: MsiInstaller
Time Written: 20091101070741.000000-240
Event Type: error
User: SHIZOKU\Owner

Computer Name: SHIZOKU
Event Code: 12001
Message: The Messenger Sharing USN Journal Reader service started successfully.

Record Number: 2190
Source Name: usnjsvc
Time Written: 20091031161814.000000-240
Event Type:
User:

Computer Name: SHIZOKU
Event Code: 1517
Message: Windows saved user SHIZOKU\Owner registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use.


This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Record Number: 2174
Source Name: Userenv
Time Written: 20091031143529.000000-240
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: SHIZOKU
Event Code: 10005
Message: Product: Windows Live Communications Platform -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2762. The arguments are: , ,

Record Number: 2168
Source Name: MsiInstaller
Time Written: 20091031132631.000000-240
Event Type: error
User: SHIZOKU\Owner

Computer Name: SHIZOKU
Event Code: 10005
Message: Product: Windows Live Communications Platform -- The installer has encountered an unexpected error installing this package. This may indicate a problem with this package. The error code is 2762. The arguments are: , ,

Record Number: 2167
Source Name: MsiInstaller
Time Written: 20091031132631.000000-240
Event Type: error
User: SHIZOKU\Owner

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\PHP;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\The Gimp\GTK 2.0\bin
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 35 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2302
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"LANG"=C

-----------------EOF-----------------



