Please Help, Reformatted and Happened Again



#1 suprafreak6

suprafreak6

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 11 January 2010 - 06:37 PM

Please help. I was infected and reformatted, then I put some old files back on the new format and its symptoms are back. Here is my HijackThis log. I have cut off its internet access.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:20 PM, on 1/11/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\nwiz.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\WINDOWS\system32\ctfmon.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Program Files\DAEMON Tools Lite\DTLite.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\documents and settings\home\local settings\application data\google\update\googleupdate .exe
d:\program files\daemon tools lite\dtlite .exe
d:\program files\internet explorer\wmpscfgs.exe
d:\program files\internet explorer\wmpscfgs.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\msiexec.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4360 bytes

Edited by suprafreak6, 11 January 2010 - 10:13 PM.
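As an added example (not part of this thread, and not HijackThis's own code), a small Python scanner that applies the red flags visible in the log above to O4 autostart entries and running-process paths: a launch from a temp folder, a space before the extension ("k .exe", "soundman .exe", a lookalike of the real file), a random-looking Run value name, and a value name that has nothing in common with the file it points to. The sample lines are constructed from entries in this log; the rule names and the `scan_hijackthis` function are my own and the heuristics are meant for triage, not as a verdict.

```python
import re

# Constructed sample: a few "Running processes" paths and O4 autostart entries
# taken from the HijackThis log posted in this thread (not a full log).
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\ctfmon.exe
D:\windows\temp\k.exe
d:\windows\system32\soundman .exe
d:\program files\internet explorer\wmpscfgs.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe
O4 - HKLM\..\Run: [Adobe_Reader] d:\program files\internet explorer\wmpscfgs.exe
"""

# O4 line layout: "O4 - <key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# A process entry is a drive-letter path ending in an executable extension.
PROC_RE = re.compile(r'^[A-Za-z]:\\.+\.(?:exe|dll|scr|com)$', re.IGNORECASE)


def flag_command(cmd):
    """Heuristics that apply to any command line or process path."""
    reasons = []
    if re.search(r'\\temp\\', cmd, re.IGNORECASE):
        reasons.append('temp_launch')        # persistence pointing into a temp folder
    if re.search(r'\s\.(?:exe|dll|scr|com)\b', cmd, re.IGNORECASE):
        reasons.append('space_before_ext')   # "k .exe": lookalike of a real file name
    return reasons


def name_tokens(name):
    """Split a Run value name on word, underscore and CamelCase boundaries."""
    spaced = re.sub(r'(?<=[a-z])(?=[A-Z])', ' ', name)
    return [t for t in re.findall(r'[a-z0-9]+', spaced.lower()) if len(t) >= 3]


def flag_autostart(name, cmd):
    """Heuristics for an O4 entry: the generic ones plus value-name checks."""
    reasons = flag_command(cmd)
    # Random-looking value names: long runs of upper-case letters and digits.
    if (re.fullmatch(r'[A-Z0-9]{8,}', name)
            and re.search(r'\d', name) and re.search(r'[A-Z]', name)):
        reasons.append('random_name')
    # A value name that shares no word with the path it launches
    # (e.g. "Adobe_Reader" pointing at an .exe under Internet Explorer).
    tokens = name_tokens(name)
    if tokens and not any(t in cmd.lower() for t in tokens):
        reasons.append('name_path_mismatch')
    return reasons


def scan_hijackthis(text):
    """Return [{'line': ..., 'reasons': [...]}] for every suspicious line."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False             # a blank line ends the process list
            continue
        if line.lower().startswith('running processes:'):
            in_processes = True
            continue
        m = O4_RE.match(line)
        if m:
            reasons = flag_autostart(m['name'], m['cmd'])
        elif in_processes and PROC_RE.match(line):
            reasons = flag_command(line)
        else:
            continue
        if reasons:
            findings.append({'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_hijackthis(SAMPLE_LOG):
        print(', '.join(f['reasons']).ljust(55), f['line'])
```

On the sample this flags the two temp-folder launchers, both space-before-extension names and the "Adobe_Reader" entry, while the genuine ctfmon, NVIDIA and Google Update entries pass.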



#2 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:04 PM

Posted 16 January 2010 - 09:20 PM

hi,

Your log is a few days old. If you still need help simply reply to my post.

How Can I Reduce My Risk to Malware?


#3 suprafreak6

suprafreak6
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 17 January 2010 - 01:16 PM

I do need help,
Logfile of random's system information tool 1.06 (written by random/random)
Run by Home at 2010-01-16 19:22:37
Microsoft Windows XP Professional Service Pack 3
System drive D: has 22 GB (71%) free of 31 GB
Total RAM: 958 MB (55% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:22:41 PM, on 1/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
D:\WINDOWS\system32\nvsvc32.exe
D:\WINDOWS\system32\RUNDLL32.EXE
D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
D:\WINDOWS\System32\alg.exe
D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\system32\wuauclt.exe
D:\Program Files\Medisoft\Bin\MAPA.EXE
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Home\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
D:\Documents and Settings\Home\Desktop\RSIT.exe
D:\WINDOWS\system32\wbem\wmiprvse.exe
D:\Program Files\Trend Micro\HijackThis\Home.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - D:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE D:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE D:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SpyHunter Security Suite] D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [ISUSPM Startup] D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\DragonNaturallySpeaking9\Ereg\Ereg.exe" -r "D:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini
O4 - HKLM\..\Run: [egui] "D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [MSConfig] D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Adobe_Reader] d:\program files\internet explorer\wmpscfgs.exe
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [DAEMON Tools Lite] "d:\program files\daemon tools lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [IE8] rundll32 advpack.dll,LaunchINFSection IE8.INF,FirstUserStart (User 'Default user')
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Office\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - D:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - D:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - D:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7003 bytes

======Scheduled tasks folder======

D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1957994488-1177238915-1003Core.job
D:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-1957994488-1177238915-1003UA.job
D:\WINDOWS\tasks\Malwarebytes' Scheduled Update for Home.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - D:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-01-12 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - D:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-01-12 73728]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=D:\WINDOWS\system32\NvCpl.dll [2005-09-18 7204864]
"nwiz"=nwiz.exe /install []
"NvMediaCenter"=D:\WINDOWS\system32\NvMcTray.dll [2005-09-18 86016]
"SpyHunter Security Suite"=D:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe [2009-12-09 866200]
"Malwarebytes' Anti-Malware"=D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-16 40448]
"SunJavaUpdateSched"=D:\Program Files\Java\jre6\bin\jusched.exe [2010-01-16 40448]
"Adobe Reader Speed Launcher"=D:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-01-16 40448]
"Adobe ARM"=D:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-01-16 40448]
"SSBkgdUpdate"=D:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2010-01-16 40448]
"ISUSPM Startup"=D:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2010-01-16 40448]
"ISUSScheduler"=D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2010-01-16 40448]
"DNS7reminder"=C:\Program Files\Nuance\DragonNaturallySpeaking9\Ereg\Ereg.exe [2010-01-16 40448]
"egui"=D:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2009-11-16 2054360]
"MSConfig"=D:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-14 169984]
"Adobe_Reader"=d:\program files\internet explorer\wmpscfgs.exe [2010-01-16 40448]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=D:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"Google Update"=D:\Documents and Settings\Home\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-01-16 40448]
"DAEMON Tools Lite"=d:\program files\daemon tools lite\DTLite.exe [2010-01-16 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AAK8K3J4FL]
d:\windows\temp\k .exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D9Q071WKGS]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
D:\WINDOWS\system32\SOUNDMAN.EXE [2010-01-11 40448]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
D:\Program Files\SUPERAntiSpyware\SASWINLO.dll [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
D:\WINDOWS\system32\WgaLogon.dll [2009-03-10 190464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\wpdshserviceobj.dll [2009-11-05 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=D:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoActiveDesktopChanges"=0
"NoSetActiveDesktop"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=
"NoActiveDesktopChanges"=
"NoSetActiveDesktop"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"D:\Program Files\Skype\Phone\Skype.exe"="D:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"D:\Program Files\Skype\Plugin Manager\skypePM.exe"="D:\Program Files\Skype\Plugin Manager\skypePM.exe:*:Enabled:Skype Extras Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.reg - open - regedit.exe "%1" %*
.scr - open - "%1" %*

======List of files/folders created in the last 1 months======

2010-01-16 19:22:37 ----D---- D:\rsit
2010-01-15 20:01:08 ----D---- D:\Program Files\MSXML 4.0
2010-01-15 18:22:43 ----D---- D:\!KillBox
2010-01-15 14:45:44 ----D---- D:\Program Files\ESET
2010-01-15 14:45:44 ----D---- D:\Documents and Settings\All Users\Application Data\ESET
2010-01-13 19:46:54 ----A---- D:\WINDOWS\ODBC.INI
2010-01-13 19:46:48 ----A---- D:\WINDOWS\system32\mdimon.dll
2010-01-13 19:45:59 ----D---- D:\Program Files\Microsoft ActiveSync
2010-01-13 19:45:39 ----D---- D:\Program Files\Common Files\DESIGNER
2010-01-13 19:44:48 ----D---- D:\WINDOWS\SHELLNEW
2010-01-13 19:42:57 ----D---- D:\Program Files\Microsoft Office
2010-01-13 19:42:55 ----D---- D:\Program Files\Microsoft.NET
2010-01-13 19:14:51 ----D---- D:\Documents and Settings\All Users\Application Data\InstallShield
2010-01-13 19:10:32 ----D---- D:\Documents and Settings\Home\Application Data\Nuance
2010-01-13 19:10:10 ----D---- D:\Program Files\Common Files\ScanSoft Shared
2010-01-13 19:10:10 ----D---- D:\Documents and Settings\All Users\Application Data\ScanSoft
2010-01-13 19:10:08 ----D---- D:\Program Files\Common Files\Nuance
2010-01-13 18:57:26 ----D---- D:\Documents and Settings\All Users\Application Data\Nuance
2010-01-13 18:57:25 ----D---- D:\WINDOWS\speech
2010-01-12 21:34:26 ----D---- D:\Program Files\Common Files\Adobe
2010-01-12 21:33:57 ----D---- D:\Documents and Settings\All Users\Application Data\Adobe
2010-01-12 21:33:56 ----D---- D:\Program Files\Common Files\Adobe AIR
2010-01-12 21:32:57 ----D---- D:\Documents and Settings\All Users\Application Data\NOS
2010-01-12 19:27:50 ----A---- D:\WINDOWS\system32\javaws.exe
2010-01-12 19:27:50 ----A---- D:\WINDOWS\system32\javaw.exe
2010-01-12 19:27:50 ----A---- D:\WINDOWS\system32\java.exe
2010-01-12 19:27:50 ----A---- D:\WINDOWS\system32\deploytk.dll
2010-01-12 19:27:43 ----D---- D:\Program Files\Java
2010-01-12 19:25:13 ----D---- D:\Documents and Settings\Home\Application Data\Sun
2010-01-12 19:15:19 ----HDC---- D:\WINDOWS\$NtUninstallKB972270$
2010-01-12 19:15:19 ----HD---- D:\WINDOWS\$hf_mig$
2010-01-12 19:06:58 ----D---- D:\Documents and Settings\Home\Application Data\skypePM
2010-01-12 19:04:11 ----D---- D:\Documents and Settings\Home\Application Data\Skype
2010-01-12 19:04:04 ----D---- D:\Program Files\Common Files\Skype
2010-01-12 19:04:03 ----RD---- D:\Program Files\Skype
2010-01-12 19:03:59 ----D---- D:\Documents and Settings\All Users\Application Data\Skype
2010-01-12 18:50:07 ----D---- D:\Program Files\Enigma Software Group
2010-01-12 16:57:21 ----D---- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-12 16:57:15 ----D---- D:\Program Files\SUPERAntiSpyware
2010-01-12 16:57:15 ----D---- D:\Documents and Settings\Home\Application Data\SUPERAntiSpyware.com
2010-01-12 16:57:07 ----D---- D:\Program Files\Common Files\Wise Installation Wizard
2010-01-12 14:04:25 ----D---- D:\Program Files\Dell_HostCD
2010-01-12 14:04:25 ----A---- D:\WINDOWS\system32\lexlog.dll
2010-01-12 14:04:24 ----A---- D:\WINDOWS\DKAAY2DD.ini
2010-01-12 14:04:23 ----RA---- D:\WINDOWS\system32\softcoin.dll
2010-01-12 14:04:23 ----RA---- D:\WINDOWS\system32\gencoin.dll
2010-01-12 01:43:43 ----D---- D:\Program Files\InCode Solutions
2010-01-12 01:34:22 ----D---- D:\WINDOWS\pss
2010-01-12 01:04:44 ----D---- D:\WINDOWS\CSC
2010-01-12 01:04:39 ----A---- D:\WINDOWS\ntbtlog.txt
2010-01-11 21:12:15 ----D---- D:\Program Files\Trend Micro
2010-01-11 21:12:05 ----D---- D:\WINDOWS\system32\appmgmt
2010-01-11 17:23:06 ----D---- D:\Program Files\TrendMicro
2010-01-11 17:13:56 ----D---- D:\VundoFix Backups
2010-01-11 17:13:56 ----A---- D:\VundoFix.txt
2010-01-11 17:12:28 ----D---- D:\Documents and Settings\Home\Application Data\Macromedia
2010-01-11 17:12:12 ----D---- D:\Documents and Settings\Home\Application Data\Malwarebytes
2010-01-11 17:12:02 ----D---- D:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-01-11 17:12:01 ----D---- D:\Program Files\Malwarebytes' Anti-Malware
2010-01-11 17:06:00 ----A---- D:\WINDOWS\system32\soundman.exe
2010-01-11 17:06:00 ----A---- D:\WINDOWS\system32\soundman .exe
2010-01-11 17:05:43 ----D---- D:\WINDOWS\Minidump
2010-01-11 16:58:58 ----D---- D:\Program Files\Adobe
2010-01-11 14:54:03 ----D---- D:\Program Files\DAEMON Tools Lite
2010-01-11 14:53:48 ----D---- D:\Documents and Settings\Home\Application Data\DAEMON Tools Lite
2010-01-11 14:53:46 ----D---- D:\Documents and Settings\All Users\Application Data\DAEMON Tools Lite
2010-01-11 14:09:28 ----D---- D:\Documents and Settings\All Users\Application Data\Medisoft
2010-01-11 14:09:26 ----D---- D:\Documents and Settings\All Users\Application Data\Eligibility
2010-01-11 14:07:13 ----D---- D:\Program Files\Medisoft
2010-01-11 14:07:12 ----D---- D:\Program Files\Medisoft_ClaimMgr
2010-01-11 13:59:35 ----A---- D:\WINDOWS\system32\Medisoft.ini
2010-01-11 13:52:12 ----D---- D:\WINDOWS\nview
2010-01-11 13:52:11 ----A---- D:\WINDOWS\system32\nvudisp.exe
2010-01-11 13:39:54 ----A---- D:\WINDOWS\iltwain.ini
2010-01-11 13:36:35 ----D---- D:\Program Files\Common Files\Crystal Reports 10 Support Files
2010-01-11 13:36:35 ----D---- D:\Program Files\Common Files\Crystal Decisions
2010-01-11 13:35:03 ----RSD---- D:\WINDOWS\assembly
2010-01-11 13:34:42 ----D---- D:\WINDOWS\Microsoft.NET
2010-01-11 13:31:33 ----A---- D:\WINDOWS\system32\CapabilityTable.exe
2010-01-11 13:31:27 ----N---- D:\WINDOWS\system32\nvuide.exe
2010-01-11 13:31:26 ----D---- D:\WINDOWS\system32\ReinstallBackups
2010-01-11 13:31:01 ----A---- D:\WINDOWS\system32\nvunrm.exe
2010-01-11 13:31:00 ----A---- D:\WINDOWS\system32\nvusmb.exe
2010-01-11 13:30:51 ----A---- D:\WINDOWS\system32\NVUNINST.EXE
2010-01-11 13:23:59 ----SHD---- D:\RECYCLER
2010-01-11 13:23:09 ----A---- D:\WINDOWS\system32\ChCfg.exe
2010-01-11 13:22:52 ----D---- D:\Program Files\Realtek AC97
2010-01-11 13:22:52 ----A---- D:\WINDOWS\system32\RTLCPL.exe
2010-01-11 13:22:51 ----A---- D:\WINDOWS\system32\RtlCPAPI.dll
2010-01-11 13:22:51 ----A---- D:\WINDOWS\soundman.exe
2010-01-11 13:22:50 ----A---- D:\WINDOWS\alcupd.exe
2010-01-11 13:22:50 ----A---- D:\WINDOWS\Alcrmv.exe
2010-01-11 13:18:38 ----D---- D:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2010-01-11 13:08:39 ----D---- D:\Documents and Settings\Home\Application Data\Adobe
2010-01-11 13:08:25 ----A---- D:\WINDOWS\system32\mucltui.dll.mui
2010-01-11 13:08:25 ----A---- D:\WINDOWS\system32\mucltui.dll
2010-01-11 13:08:24 ----D---- D:\WINDOWS\system32\SoftwareDistribution
2010-01-11 13:07:01 ----HD---- D:\Program Files\InstallShield Installation Information
2010-01-11 13:06:24 ----D---- D:\temp
2010-01-11 13:06:18 ----D---- D:\Program Files\Common Files\InstallShield
2010-01-11 12:57:37 ----D---- D:\Documents and Settings\Home\Application Data\Identities
2010-01-11 12:57:35 ----HD---- D:\Program Files\Uninstall Information
2010-01-11 12:57:31 ----SD---- D:\Documents and Settings\Home\Application Data\Microsoft
2010-01-11 12:57:31 ----ASH---- D:\Documents and Settings\Home\Application Data\desktop.ini
2010-01-11 12:56:44 ----SD---- D:\WINDOWS\system32\Microsoft
2010-01-11 12:56:44 ----D---- D:\WINDOWS\Prefetch
2010-01-11 12:56:43 ----A---- D:\WINDOWS\SchedLgU.Txt
2010-01-11 12:53:11 ----D---- D:\WINDOWS\system32\xircom
2010-01-11 12:53:11 ----D---- D:\Program Files\xerox
2010-01-11 12:53:11 ----D---- D:\Program Files\microsoft frontpage
2010-01-11 12:52:47 ----A---- D:\WINDOWS\system32\MRT.exe
2010-01-11 12:52:35 ----N---- D:\WINDOWS\system32\spmsg.dll
2010-01-11 12:52:23 ----A---- D:\WINDOWS\control.ini
2010-01-11 12:52:11 ----A---- D:\WINDOWS\OEWABLog.txt
2010-01-11 12:52:07 ----A---- D:\WINDOWS\system32\mapi32.dll
2010-01-11 12:51:22 ----RAH---- D:\WINDOWS\system32\logonui.exe.manifest
2010-01-11 12:51:19 ----RAH---- D:\WINDOWS\system32\cdplayer.exe.manifest
2010-01-11 12:51:15 ----HD---- D:\Program Files\WindowsUpdate
2010-01-11 12:50:58 ----D---- D:\WINDOWS\system32\DirectX
2010-01-11 12:50:53 ----A---- D:\WINDOWS\system32\atrace.dll
2010-01-11 12:50:51 ----A---- D:\WINDOWS\system32\desktop.ini
2010-01-11 12:50:51 ----A---- D:\WINDOWS\desktop.ini
2010-01-11 12:50:46 ----A---- D:\WINDOWS\system32\nmevtmsg.dll
2010-01-11 12:50:45 ----D---- D:\Program Files\Common Files\Services
2010-01-11 12:50:45 ----A---- D:\WINDOWS\system32\acctres.dll
2010-01-11 12:50:43 ----SD---- D:\WINDOWS\Tasks
2010-01-11 12:50:43 ----A---- D:\WINDOWS\system32\icfgnt5.dll
2010-01-11 12:50:42 ----D---- D:\Program Files\Common Files\MSSoap
2010-01-11 12:50:39 ----D---- D:\WINDOWS\srchasst
2010-01-11 12:50:37 ----N---- D:\WINDOWS\system32\wuauclt.exe
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuweb.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wups.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wucltui.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuauserv.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuaueng1.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuaueng.dll
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuauclt1.exe
2010-01-11 12:50:37 ----A---- D:\WINDOWS\system32\wuapi.dll
2010-01-11 12:50:36 ----A---- D:\WINDOWS\system32\qmgrprxy.dll
2010-01-11 12:50:36 ----A---- D:\WINDOWS\system32\qmgr.dll
2010-01-11 12:50:36 ----A---- D:\WINDOWS\system32\bitsprx4.dll
2010-01-11 12:50:36 ----A---- D:\WINDOWS\system32\bitsprx3.dll
2010-01-11 12:50:36 ----A---- D:\WINDOWS\system32\bitsprx2.dll
2010-01-11 12:50:33 ----D---- D:\Program Files\Movie Maker
2010-01-11 12:50:20 ----A---- D:\WINDOWS\system32\safrslv.dll
2010-01-11 12:50:20 ----A---- D:\WINDOWS\system32\safrdm.dll
2010-01-11 12:50:20 ----A---- D:\WINDOWS\system32\safrcdlg.dll
2010-01-11 12:50:20 ----A---- D:\WINDOWS\system32\racpldlg.dll
2010-01-11 12:50:17 ----D---- D:\WINDOWS\system32\Restore
2010-01-11 12:50:17 ----A---- D:\WINDOWS\system32\srsvc.dll
2010-01-11 12:50:17 ----A---- D:\WINDOWS\system32\srrstr.dll
2010-01-11 12:50:17 ----A---- D:\WINDOWS\system32\srclient.dll
2010-01-11 12:50:17 ----A---- D:\WINDOWS\system32\fltMc.exe
2010-01-11 12:50:17 ----A---- D:\WINDOWS\system32\fltlib.dll
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\nmmkcert.dll
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\msconf.dll
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\mnmsrvc.exe
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\mnmdd.dll
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\isrdbg32.dll
2010-01-11 12:50:16 ----A---- D:\WINDOWS\system32\ils.dll
2010-01-11 12:50:14 ----D---- D:\Program Files\NetMeeting
2010-01-11 12:50:14 ----A---- D:\WINDOWS\system32\msoert2.dll
2010-01-11 12:50:14 ----A---- D:\WINDOWS\system32\msoeacct.dll
2010-01-11 12:50:13 ----A---- D:\WINDOWS\system32\inetres.dll
2010-01-11 12:50:13 ----A---- D:\WINDOWS\system32\inetcomm.dll
2010-01-11 12:50:12 ----D---- D:\Program Files\Outlook Express
2010-01-11 12:50:12 ----A---- D:\WINDOWS\system32\schedsvc.dll
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\mstinit.exe
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\mstask.dll
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\isign32.dll
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\inetcfg.dll
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\icwphbk.dll
2010-01-11 12:50:11 ----A---- D:\WINDOWS\system32\icwdial.dll
2010-01-11 12:50:07 ----D---- D:\Program Files\Common Files\System
2010-01-11 12:49:34 ----D---- D:\Program Files\ComPlus Applications
2010-01-11 12:49:32 ----A---- D:\WINDOWS\vbaddin.ini
2010-01-11 12:49:32 ----A---- D:\WINDOWS\vb.ini
2010-01-11 12:49:29 ----D---- D:\WINDOWS\Registration
2010-01-11 12:49:22 ----D---- D:\Program Files\Online Services
2010-01-11 12:49:11 ----D---- D:\Program Files\Windows Media Connect 2
2010-01-11 12:49:10 ----SD---- D:\WINDOWS\Offline Web Pages
2010-01-11 12:49:10 ----D---- D:\Program Files\Windows Media Player
2010-01-11 12:49:09 ----SD---- D:\WINDOWS\Downloaded Program Files
2010-01-11 12:49:09 ----A---- D:\WINDOWS\system32\msrating.dll.mui
2010-01-11 12:49:09 ----A---- D:\WINDOWS\system32\mshta.exe.mui
2010-01-11 12:49:06 ----A---- D:\WINDOWS\system32\ieframe.dll.mui
2010-01-11 12:49:06 ----A---- D:\WINDOWS\system32\iedkcs32.dll.mui
2010-01-11 12:49:05 ----D---- D:\Program Files\Internet Explorer
2010-01-11 12:49:05 ----A---- D:\WINDOWS\system32\ie4uinit.exe.mui
2010-01-11 12:49:03 ----D---- D:\Program Files\Messenger
2010-01-11 12:49:00 ----D---- D:\Program Files\MSN Gaming Zone
2010-01-11 12:49:00 ----A---- D:\WINDOWS\system32\write.exe
2010-01-11 12:48:53 ----A---- D:\WINDOWS\system32\sndvol32.exe
2010-01-11 12:48:53 ----A---- D:\WINDOWS\system32\hticons.dll
2010-01-11 12:48:53 ----A---- D:\WINDOWS\system32\avwav.dll
2010-01-11 12:48:53 ----A---- D:\WINDOWS\system32\avtapi.dll
2010-01-11 12:48:53 ----A---- D:\WINDOWS\system32\avmeter.dll
2010-01-11 12:48:52 ----A---- D:\WINDOWS\system32\winchat.exe
2010-01-11 12:48:48 ----A---- D:\WINDOWS\system32\getuname.dll
2010-01-11 12:48:47 ----A---- D:\WINDOWS\system32\winmine.exe
2010-01-11 12:48:47 ----A---- D:\WINDOWS\system32\sol.exe
2010-01-11 12:48:47 ----A---- D:\WINDOWS\system32\mshearts.exe
2010-01-11 12:48:47 ----A---- D:\WINDOWS\system32\charmap.exe
2010-01-11 12:48:47 ----A---- D:\WINDOWS\system32\calc.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\usrlogon.cmd
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\tsshutdn.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\tslabels.ini
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\tskill.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\tsdiscon.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\tscon.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\shadow.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\rwinsta.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\reset.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\regini.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\rdpcfgex.dll
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\qwinsta.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\qappsrv.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\msg.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\logoff.exe
2010-01-11 12:48:46 ----A---- D:\WINDOWS\system32\freecell.exe
2010-01-11 12:48:45 ----A---- D:\WINDOWS\system32\msdtcprf.ini
2010-01-11 12:48:45 ----A---- D:\WINDOWS\system32\cdmodem.dll
2010-01-11 12:48:41 ----A---- D:\WINDOWS\system32\wmimgmt.msc
2010-01-11 12:48:33 ----D---- D:\Program Files\MSN
2010-01-11 12:48:32 ----A---- D:\WINDOWS\system32\sndrec32.exe
2010-01-11 12:48:32 ----A---- D:\WINDOWS\system32\mplay32.exe
2010-01-11 12:48:32 ----A---- D:\WINDOWS\system32\hypertrm.dll
2010-01-11 12:48:32 ----A---- D:\WINDOWS\system32\accwiz.exe
2010-01-11 12:48:31 ----D---- D:\Program Files\Windows NT
2010-01-11 12:48:31 ----A---- D:\WINDOWS\system32\spider.exe
2010-01-11 12:48:31 ----A---- D:\WINDOWS\system32\mspaint.exe
2010-01-11 12:48:31 ----A---- D:\WINDOWS\system32\clipbrd.exe
2010-01-11 12:48:30 ----D---- D:\WINDOWS\system32\en-US
2010-01-11 12:48:30 ----A---- D:\WINDOWS\system32\tsgqec.dll
2010-01-11 12:48:30 ----A---- D:\WINDOWS\system32\tscfgwmi.dll
2010-01-11 12:48:30 ----A---- D:\WINDOWS\system32\rhttpaa.dll
2010-01-11 12:48:30 ----A---- D:\WINDOWS\system32\aaclient.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\termsrv.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\sessmgr.exe
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\remotepg.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdshost.exe
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdsaddin.exe
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdpwsx.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdpsnd.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdpclip.exe
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\rdchost.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\qprocess.exe
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\mstscax.dll
2010-01-11 12:48:29 ----A---- D:\WINDOWS\system32\mstsc.exe
2010-01-11 12:48:28 ----D---- D:\WINDOWS\system32\MsDtc
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\xolehlp.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\mtxoci.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\msdtcuiu.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\msdtctm.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\msdtcprx.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\msdtclog.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\msdtc.exe
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\icaapi.dll
2010-01-11 12:48:28 ----A---- D:\WINDOWS\system32\cfgbkend.dll
2010-01-11 12:48:27 ----D---- D:\WINDOWS\system32\Com
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\stclient.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\mtxlegih.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\mtxex.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\mtxdm.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\dcomcnfg.exe
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\comrepl.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\comaddin.dll
2010-01-11 12:48:27 ----A---- D:\WINDOWS\system32\colbact.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\comuid.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\comsvcs.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\comsnap.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\clbcatex.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\catsrvut.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\catsrvps.dll
2010-01-11 12:48:26 ----A---- D:\WINDOWS\system32\catsrv.dll
2010-01-11 12:48:25 ----A---- D:\WINDOWS\system32\clbcatq.dll
2010-01-11 12:48:21 ----A---- D:\WINDOWS\system32\servdeps.dll
2010-01-11 12:48:21 ----A---- D:\WINDOWS\system32\mmfutil.dll
2010-01-11 12:48:21 ----A---- D:\WINDOWS\system32\licwmi.dll
2010-01-11 12:48:20 ----A---- D:\WINDOWS\system32\cmprops.dll
2010-01-11 06:47:29 ----A---- D:\WINDOWS\system32\h323log.txt
2010-01-11 06:45:25 ----A---- D:\WINDOWS\system32\ksuser.dll
2010-01-11 06:44:29 ----A---- D:\WINDOWS\system32\usbui.dll
2010-01-11 06:43:30 ----A---- D:\WINDOWS\imsins.BAK
2010-01-11 06:43:27 ----SHD---- D:\WINDOWS\Installer
2010-01-11 06:43:27 ----A---- D:\WINDOWS\system32\PerfStringBackup.INI
2010-01-11 06:43:26 ----D---- D:\Program Files\Common Files\ODBC
2010-01-11 06:43:26 ----A---- D:\WINDOWS\ODBCINST.INI
2010-01-11 06:43:24 ----D---- D:\Program Files\Common Files\SpeechEngines
2010-01-11 06:43:23 ----RD---- D:\Program Files
2010-01-11 06:43:23 ----D---- D:\Program Files\Common Files\Microsoft Shared
2010-01-11 06:43:23 ----D---- D:\Program Files\Common Files
2010-01-11 06:43:21 ----RA---- D:\WINDOWS\system32\kbdtuq.dll
2010-01-11 06:43:21 ----RA---- D:\WINDOWS\system32\kbdtuf.dll
2010-01-11 06:43:21 ----RA---- D:\WINDOWS\system32\kbdazel.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdycc.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbduzb.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdur.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdtat.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdmon.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdkyr.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdkaz.dll
2010-01-11 06:43:20 ----RA---- D:\WINDOWS\system32\kbdaze.dll
2010-01-11 06:43:19 ----RA---- D:\WINDOWS\system32\kbdru1.dll
2010-01-11 06:43:19 ----RA---- D:\WINDOWS\system32\kbdru.dll
2010-01-11 06:43:19 ----RA---- D:\WINDOWS\system32\kbdbu.dll
2010-01-11 06:43:19 ----RA---- D:\WINDOWS\system32\kbdblr.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhept.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhela3.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhela2.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhe319.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhe220.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdhe.dll
2010-01-11 06:43:18 ----RA---- D:\WINDOWS\system32\kbdgkl.dll
2010-01-11 06:43:17 ----RA---- D:\WINDOWS\system32\kbdlv1.dll
2010-01-11 06:43:17 ----RA---- D:\WINDOWS\system32\kbdlv.dll
2010-01-11 06:43:17 ----RA---- D:\WINDOWS\system32\kbdlt1.dll
2010-01-11 06:43:17 ----RA---- D:\WINDOWS\system32\kbdlt.dll
2010-01-11 06:43:17 ----RA---- D:\WINDOWS\system32\kbdest.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdycl.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdsl1.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdsl.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdro.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdpl1.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdpl.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdhu1.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdhu.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdcz2.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdcz1.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdcz.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\kbdcr.dll
2010-01-11 06:43:16 ----RA---- D:\WINDOWS\system32\KBDAL.DLL
2010-01-11 06:43:12 ----A---- D:\WINDOWS\system32\spxcoins.dll
2010-01-11 06:43:12 ----A---- D:\WINDOWS\system32\irclass.dll
2010-01-11 06:43:12 ----A---- D:\WINDOWS\system32\EqnClass.Dll
2010-01-11 06:43:12 ----A---- D:\WINDOWS\system32\dgsetup.dll
2010-01-11 06:43:12 ----A---- D:\WINDOWS\system32\dgrpsetu.dll
2010-01-11 06:43:10 ----N---- D:\WINDOWS\system32\CONFIG.TMP
2010-01-11 06:43:10 ----A---- D:\WINDOWS\TASKMAN.EXE
2010-01-11 06:43:10 ----A---- D:\WINDOWS\system32\batt.dll
2010-01-11 06:43:09 ----A---- D:\WINDOWS\system32\storprop.dll
2010-01-11 06:43:09 ----A---- D:\WINDOWS\NOTEPAD.EXE
2010-01-11 06:43:03 ----ASH---- D:\Documents and Settings\All Users\Application Data\desktop.ini
2010-01-11 06:42:57 ----RA---- D:\WINDOWS\SET8.tmp
2010-01-11 06:42:55 ----RA---- D:\WINDOWS\SET4.tmp
2010-01-11 06:42:54 ----RA---- D:\WINDOWS\SET3.tmp
2010-01-11 06:42:49 ----D---- D:\WINDOWS\system32\CatRoot2
2010-01-11 06:42:49 ----D---- D:\WINDOWS\system32\CatRoot
2010-01-11 06:42:43 ----SD---- D:\Documents and Settings\All Users\Application Data\Microsoft
2010-01-11 06:42:29 ----A---- D:\WINDOWS\setuplog.txt
2010-01-11 06:42:26 ----D---- D:\Documents and Settings
2010-01-11 06:42:25 ----SHD---- D:\System Volume Information
2010-01-11 06:38:44 ----RSHDC---- D:\WINDOWS\system32\dllcache
2010-01-11 06:38:44 ----RSD---- D:\WINDOWS\Fonts
2010-01-11 06:38:44 ----RD---- D:\WINDOWS\Web
2010-01-11 06:38:44 ----HD---- D:\WINDOWS\inf
2010-01-11 06:38:44 ----D---- D:\WINDOWS\WinSxS
2010-01-11 06:38:44 ----D---- D:\WINDOWS\twain_32
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Temp
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\wins
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\wbem
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\usmt
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\spool
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\ShellExt
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\Setup
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\scripting
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\ras
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\PreInstall
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\oobe
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\npp
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\mui
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\Macromed
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\inetsrv
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\IME
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\icsxml
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\ias
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\export
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\en
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\drivers
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\dhcp
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\config
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\3com_dmi
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\3076
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\2052
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1054
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1042
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1041
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1037
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1033
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1031
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1028
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32\1025
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system32
2010-01-11 06:38:44 ----D---- D:\WINDOWS\system
2010-01-11 06:38:44 ----D---- D:\WINDOWS\SoftwareDistribution
2010-01-11 06:38:44 ----D---- D:\WINDOWS\security
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Resources
2010-01-11 06:38:44 ----D---- D:\WINDOWS\repair
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Provisioning
2010-01-11 06:38:44 ----D---- D:\WINDOWS\PeerNet
2010-01-11 06:38:44 ----D---- D:\WINDOWS\pchealth
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Network Diagnostic
2010-01-11 06:38:44 ----D---- D:\WINDOWS\mui
2010-01-11 06:38:44 ----D---- D:\WINDOWS\msapps
2010-01-11 06:38:44 ----D---- D:\WINDOWS\msagent
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Media
2010-01-11 06:38:44 ----D---- D:\WINDOWS\L2Schemas
2010-01-11 06:38:44 ----D---- D:\WINDOWS\java
2010-01-11 06:38:44 ----D---- D:\WINDOWS\ime
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Help
2010-01-11 06:38:44 ----D---- D:\WINDOWS\ehome
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Driver Cache
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Debug
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Cursors
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Connection Wizard
2010-01-11 06:38:44 ----D---- D:\WINDOWS\Config
2010-01-11 06:38:44 ----D---- D:\WINDOWS\AppPatch
2010-01-11 06:38:44 ----D---- D:\WINDOWS\addins
2010-01-11 06:38:44 ----D---- D:\WINDOWS
2010-01-04 00:00:00 ----A---- D:\WINDOWS\vmdcr.dll
2010-01-04 00:00:00 ----A---- D:\WINDOWS\amcdr.dll
2009-12-19 00:00:00 ----A---- D:\WINDOWS\system32\jrdgl.dll
2009-12-19 00:00:00 ----A---- D:\WINDOWS\system32\emlks.dll

======List of files/folders modified in the last 1 months======

2010-01-16 18:23:53 ----A---- D:\WINDOWS\win.ini
2010-01-16 18:23:53 ----A---- D:\WINDOWS\system.ini
2010-01-11 17:06:25 ----A---- D:\WINDOWS\system32\nwiz.exe
2010-01-11 17:06:03 ----A---- D:\WINDOWS\system32\rundll32.exe.tmp
2010-01-11 17:06:01 ----A---- D:\WINDOWS\system32\rundll32.exe.delme45

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 ehdrv;ehdrv; D:\WINDOWS\system32\DRIVERS\ehdrv.sys [2009-11-16 108792]
R1 epfwtdir;epfwtdir; D:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2009-11-16 96408]
R1 SASDIFSV;SASDIFSV; \??\D:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\D:\Program Files\SUPERAntiSpyware\SASKUTIL.sys []
R2 eamon;eamon; D:\WINDOWS\system32\DRIVERS\eamon.sys [2009-11-16 116520]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); D:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-12-02 3841856]
R3 AR5211;Atheros Wireless Network Adapter Service; D:\WINDOWS\system32\DRIVERS\ar5211.sys [2005-05-25 465952]
R3 MBAMProtector;MBAMProtector; \??\D:\WINDOWS\system32\drivers\mbam.sys []
R3 nv;nv; D:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2005-09-18 3493984]
R3 nvnetbus;NVIDIA Network Bus Enumerator; D:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]
R3 usbhub;USB2 Enabled Hub; D:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]
R3 usbprint;Microsoft USB PRINTER Class; D:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 ae1q8j1y;ae1q8j1y; D:\WINDOWS\system32\drivers\ae1q8j1y.sys []
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; D:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
S3 SASENUM;SASENUM; \??\D:\Program Files\SUPERAntiSpyware\SASENUM.SYS []
S3 usbaudio;USB Audio Driver (WDM); D:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]
S3 USBSTOR;USB Mass Storage Driver; D:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; D:\WINDOWS\system32\DRIVERS\WudfPf.sys [2009-11-05 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; D:\WINDOWS\system32\DRIVERS\wudfrd.sys [2009-11-05 82944]
S4 IntelIde;IntelIde; D:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; D:\WINDOWS\system32\DRIVERS\sr.sys [2008-04-14 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
R2 ekrn;ESET Service; D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2009-11-16 735960]
R2 JavaQuickStarterService;Java Quick Starter; D:\Program Files\Java\jre6\bin\jqs.exe [2010-01-12 153376]
R2 MBAMService;MBAMService; D:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-01-07 236368]
R2 NVSvc;NVIDIA Display Driver Service; D:\WINDOWS\system32\nvsvc32.exe [2005-09-18 131139]
S3 aspnet_state;ASP.NET State Service; D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 EhttpSrv;ESET HTTP Server; D:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2009-11-16 20680]
S3 IDriverT;InstallDriver Table Manager; D:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 ose;Office Source Engine; D:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; D:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; D:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2010-01-16 19:22:43

======Uninstall list======

-->MsiExec.exe /X{7D889B41-EABF-4D6E-8F84-BB16C786F776}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 D:\WINDOWS\INF\PCHealth.inf
Acrobat.com-->msiexec /qb /x {6421F085-1FAA-DE13-D02A-CFB412C522A4}
Acrobat.com-->MsiExec.exe /I{6421F085-1FAA-DE13-D02A-CFB412C522A4}
Adobe AIR-->d:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->D:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 9 ActiveX-->D:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Crystal Reports 10 Support Files-->MsiExec.exe /I{A3AE0EFB-C8C2-4AF5-9841-459DB1C138CF}
Dell Software Uninstall-->D:\Program Files\Dell_HostCD\Install\x86\Uninstall.exe
Dragon NaturallySpeaking 9-->MsiExec.exe /I{DDDD90B2-80F2-413A-8A8E-38C5076A7DBA}
HijackThis 2.0.2-->"D:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
Malwarebytes' Anti-Malware-->"D:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Medisoft Advanced Patient Accounting 12-->D:\PROGRA~1\Medisoft\Bin\UNWISE.EXE "D:\Program Files\Medisoft\Bin\imapasu.log"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
NVIDIA Drivers-->D:\WINDOWS\system32\nvudisp.exe UninstallGUI
Realtek AC'97 Audio-->RunDll32 D:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "D:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Security Update for Windows XP (KB972270)-->"D:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Sereby's Updatepack - IE8 Addon Version 1.0.7-->msiexec.exe
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SpyHunter-->"D:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "D:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}

======Hosts File======

127.0.0.1 localhost

======Security center information======

AV: ESET NOD32 Antivirus 4.0

=====Application event log=====

Computer Name: AMIN
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15
Source Name: WinMgmt
Time Written: 20100111124957.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: AMIN
Event Code: 5603
Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14
Source Name: WinMgmt
Time Written: 20100111124957.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: AMIN
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13
Source Name: WinMgmt
Time Written: 20100111124957.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: AMIN
Event Code: 63
Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12
Source Name: WinMgmt
Time Written: 20100111124957.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

Computer Name: AMIN
Event Code: 63
Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11
Source Name: WinMgmt
Time Written: 20100111124955.000000-360
Event Type: warning
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

#4 shelf life (Malware Response Team)

Posted 17 January 2010 - 09:27 PM

For now do this:
To help show all files:

For XP: on the desktop double click My Computer, at the top click on Tools > Folder Options > View, then select "show hidden files and folders", then UNcheck "hide protected operating system files", also UNcheck "hide extensions for known file types", click Apply to All Folders, Apply, then OK.

Navigate to d:\windows\temp and delete everything you can in the Temp folder.
Update and scan with your ESET antivirus.

Next:
Start HJT and click the "Scan" button. Check the items below, close any open windows, then click "Fix checked":

F2 - REG:system.ini: Shell=Explorer.exe
O4 - HKCU\..\Run: [D9Q071WKGS] D:\WINDOWS\TEMP\j.exe
O4 - HKCU\..\Run: [AAK8K3J4FL] d:\windows\temp\k .exe

Reboot the machine and do an online scan here:
ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt

Please copy/paste that log in your next reply.

How Can I Reduce My Risk to Malware?


#5 suprafreak6 (Topic Starter)

Posted 17 January 2010 - 10:16 PM

My ESET won't open; it says restricted by administrator or such.

#6 shelf life (Malware Response Team)

Posted 18 January 2010 - 11:56 AM

Could you delete what's in the Temp folder? Try the online scan.


#7 suprafreak6 (Topic Starter)

Posted 18 January 2010 - 08:07 PM

I did a scan online and here is the log:


ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# IEXPLORE.EXE=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=73cd1c0d1328284fb79fe0ee46fe5607
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-01-19 12:59:26
# local_time=2010-01-18 06:59:26 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8199 22379861 100 100 187281 4560703 0 0
# scanned=21249
# found=29
# cleaned=29
# scan_time=696
# nod_component=V3 Build:0x30000000
C:\Program Files\Nuance\DragonNaturallySpeaking9\Ereg\ereg.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Nuance\DragonNaturallySpeaking9\Ereg\ereg.exe.delme27 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1220945662-1957994488-1177238915-1003\Dc4.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\RECYCLER\S-1-5-21-1220945662-1957994488-1177238915-1003\Dc9.exe a variant of Win32/Refpron.ED trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\!KillBox\wmpscfgs.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Home\nwiz .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Home\rundll32 .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Home\rundll32.exe.delme28496 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Home\soundman .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Documents and Settings\Home\Local Settings\Temp\wmpscfgs.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe.delme73 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Common Files\Adobe\ARM\1.0\adobearm.exe.delme34 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Common Files\InstallShield\UpdateService\issch.exe.delme37 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe.delme76 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Common Files\ScanSoft Shared\SSBkgdUpdate\ssbkgdupdate.exe.delme75 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\DAEMON Tools Lite\dtlite.exe.delme64 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Internet Explorer\wmpscfgs .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Internet Explorer\wmpscfgs.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Java\jre6\bin\jusched.exe.delme32 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Malwarebytes' Anti-Malware\mbam.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe.delme70 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Spybot - Search & Destroy\teatimer.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\Spybot - Search & Destroy\teatimer.exe.delme60 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\Program Files\SUPERAntiSpyware\superantispyware.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\nwiz.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\rundll32.exe.delme45 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\rundll32.exe.tmp Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\soundman .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\WINDOWS\system32\soundman.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
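
Added here as an editor's example (not code from the thread, from ESET or from any tool named in it): a Python script that parses lines in the shape of the scanner log above and flags the naming patterns that mark a file infector rather than a single dropped file: a space before ".exe" beside the real binary ("soundman .exe" next to "soundman.exe"), ".delmeNN" backups, ".exe.tmp" staging copies, payloads parked under RECYCLER, and detections on the security tools themselves. The sample log is a constructed, shortened copy of the lines in the post; the indicator labels and the list of security-tool names are assumptions taken from what this thread shows. The summary also compares the header's "found" count against the lines actually listed, which is a useful sanity check when a log is pasted incompletely.

```python
import re
from collections import Counter

# Constructed sample in the shape of the ESET online scanner log posted above.
# Paths and detection names are copied from that log; the set is shortened so
# the example stays readable, which is why "# found=29" will not match the
# number of lines below.
SAMPLE_LOG = """\
# scanned=21249
# found=29
# cleaned=29
D:\\WINDOWS\\system32\\soundman .exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\\WINDOWS\\system32\\soundman.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\\WINDOWS\\system32\\rundll32.exe.delme45 Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
D:\\WINDOWS\\system32\\rundll32.exe.tmp Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\\RECYCLER\\S-1-5-21-1220945662-1957994488-1177238915-1003\\Dc9.exe a variant of Win32/Refpron.ED trojan (deleted - quarantined) 00000000000000000000000000000000 C
D:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe Win32/TrojanDownloader.Unruy.AZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

# One detection line: <path> <detection> <kind> (<action>) <hash> <flag>.
# The path may itself contain spaces ("soundman .exe"), so it is matched
# non-greedily up to the first token that looks like an ESET detection name.
DETECTION_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<detection>(?:a variant of )?Win32/\S+) "
    r"(?P<kind>\S+) "
    r"\((?P<action>[^)]*)\) "
    r"(?P<hash>[0-9a-fA-F]{32}) "
    r"(?P<flag>\S+)$"
)
HEADER_RE = re.compile(r"^# (?P<key>\w+)=(?P<value>.*)$")

# Security-tool binaries that appear in the thread's scan log (assumed list):
# a detection on one of these means the infector reached the removal tools.
SECURITY_TOOL_NAMES = {"mbam.exe", "mbamgui.exe", "superantispyware.exe", "teatimer.exe"}


def parse_eset_log(text):
    """Split an ESET online scanner log into (header dict, list of detection dicts)."""
    header, records = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        h = HEADER_RE.match(line)
        if h:
            header[h.group("key")] = h.group("value")
            continue
        m = DETECTION_RE.match(line)
        if m:
            records.append(m.groupdict())
    return header, records


def indicators(path):
    """Return the file-infector naming tricks visible in one quarantined path."""
    name = path.rsplit("\\", 1)[-1]
    lower = name.lower()
    found = []
    if re.search(r" \.exe$", lower):
        found.append("space_before_extension")   # "soundman .exe" beside the real soundman.exe
    if re.search(r"\.exe\.delme\d+$", lower):
        found.append("delme_backup")             # original renamed with a .delmeNN suffix
    if lower.endswith(".exe.tmp"):
        found.append("tmp_copy")                 # staging copy left next to the original
    if "\\recycler\\" in path.lower():
        found.append("recycle_bin_dropper")      # payload parked under RECYCLER\S-1-5-...
    if lower in SECURITY_TOOL_NAMES:
        found.append("security_tool_infected")
    return found


def summarize(text):
    """Aggregate detections by family and indicator, and pair decoy names with their originals."""
    header, records = parse_eset_log(text)
    by_family = Counter(r["detection"] for r in records)
    by_indicator = Counter()
    paths = {r["path"].lower() for r in records}
    decoy_pairs = []
    for r in records:
        for ind in indicators(r["path"]):
            by_indicator[ind] += 1
        p = r["path"].lower()
        # A "name .exe" decoy whose "name.exe" sibling was also detected means the
        # legitimate binary was infected and a look-alike placed next to it.
        if p.endswith(" .exe") and p.replace(" .exe", ".exe") in paths:
            decoy_pairs.append((r["path"], r["path"][: -len(" .exe")] + ".exe"))
    found_declared = int(header.get("found", 0))
    return {
        "declared_found": found_declared,
        "listed": len(records),
        "count_matches": found_declared == len(records),
        "by_family": dict(by_family),
        "by_indicator": dict(by_indicator),
        "decoy_pairs": decoy_pairs,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Run it against a full pasted log by replacing SAMPLE_LOG with the file's contents; a non-empty "decoy_pairs" list or any "security_tool_infected" hit is the signal that cleaning individual files is unlikely to be the end of it.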

#8 shelf life (Malware Response Team)

Posted 19 January 2010 - 06:09 PM

QUOTE
reformatted then I put some old files back on the new format


One way malware can spread is by USB flash drives and external hard drives. If either of these was inserted into a machine that had malware, it is possible the malware infected the drive; then you reuse it on a reformatted machine and the computer becomes infected again.
Seeing all those files that the online scan found isn't good. Looks like a virus that's capable of infecting .exe files. Maybe the scan got them all. One option is to reformat again, or another scan. If you want to scan then I would suggest you use Dr Web:

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit icon to start the program.

* Press Start.

* Allow the program to run the initial express scan

* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.

Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.

* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.

* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)

* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.

Note: If the file cannot be cured, Dr.Web will automatically delete the file.

* Once the scan is complete, on the menu bar, click file and choose report list.

* Save the report to your desktop. The report will be called DrWeb.csv

* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.

* Close Dr.Web Cureit.

* Please post the Dr.Web.txt report in your next reply.


How Can I Reduce My Risk to Malware?


#9 suprafreak6

suprafreak6
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 19 January 2010 - 06:29 PM

I need a few files from it; how do I get them if I cannot put them on a flash drive? The files are about a gig or two in size total.

#10 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:04 PM

Posted 20 January 2010 - 07:13 PM

QUOTE
if i cannot put them on a flash drive


Do you mean installing Dr. Web? You would download the file directly to your desktop.

How Can I Reduce My Risk to Malware?


#11 suprafreak6

suprafreak6
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 20 January 2010 - 07:47 PM

No, I mean the files I need from the old partition that are required on the new partition. How would I use them, if you think it's because they were on the flash drive?

#12 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:04 PM

Posted 21 January 2010 - 09:28 PM

Your antivirus and antimalware should, during a normal scan, be able to access all the partitions on your hard drive. Do you normally have them scan all the partitions on your drive?
I don't know if you got re-infected from a USB flash drive, but that is one way for it to happen. Malware can infect other partitions on a single hard drive and also other hard drives if you have more than one internal drive.
Based on what you said, it looked like you re-infected the computer after reformatting.

How Can I Reduce My Risk to Malware?


#13 suprafreak6

suprafreak6
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 21 January 2010 - 09:48 PM

That's exactly what happened: I reformatted and I copied over the few select files from the flash drive, and it became infected once again. I have my antivirus always checking all partitions, so how do I get those files without getting infected?

#14 shelf life

shelf life

  • Malware Response Team
  • 2,646 posts
  • OFFLINE
  • Gender:Male
  • Location:@localhost
  • Local time:05:04 PM

Posted 23 January 2010 - 04:58 PM

If you think you have a USB flash drive that is infected and you have files on it you need to transfer to a computer, you can try this method, but I can't make any guarantees.
It will prevent the auto run feature of drives when they are connected to a computer.
The idea is the malware won't execute (auto run). Then you can scan the drive with your AV and antimalware first before transferring any files.
You can read this link for more info:

Panda

How Can I Reduce My Risk to Malware?
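The same idea (stop Windows from running an autorun.inf when a drive is plugged in, then scan before copying) can be applied directly with the registry policy Windows XP reads for AutoRun. The batch file below is an added example for this thread; it is not shelf life's method or the Panda tool. It assumes Windows XP with the AutoRun update 967715 installed (so that HonorAutorunSetting is honoured) and uses E: as a placeholder for the flash drive's letter.

```batch
@echo off
rem Added example: disable AutoRun for every drive type, then inspect the
rem flash drive before copying anything off it. Run from an Administrator
rem command prompt; the policy takes effect at the next logon.

rem NoDriveTypeAutoRun is a bit mask of drive types to exclude from AutoRun.
rem 255 (0xFF) sets every bit: removable, fixed, network, CD-ROM, RAM disk, unknown.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem Set the same value in the per-user hive so the policy applies whichever location is consulted.
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 255 /f

rem Microsoft's AutoRun fix (update 967715) only takes effect when HonorAutorunSetting is 1.
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HonorAutorunSetting /t REG_DWORD /d 1 /f

rem Show what is now stored, so the change can be checked before the reboot.
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun
reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v HonorAutorunSetting

rem After plugging the drive in (E: is an assumed letter), list hidden and
rem system files too: an autorun.inf or an unexpected .exe usually hides
rem behind those attributes. Run the antivirus scan on E:\ before copying.
dir /a /s E:\autorun.inf
dir /a E:\
```

Set the values, log off and back on, and only then connect the drive; the `dir /a` listings are there so that an autorun.inf or an executable you did not put on the drive is visible before any file is moved to the clean install.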


#15 suprafreak6

suprafreak6
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:06:04 PM

Posted 24 January 2010 - 07:47 PM

Thank you, I'll give it all a whirl and report back.



