
Computer is Slow/Lag when loading Windows XP


This topic is locked
42 replies to this topic

#1 kerrylin16 (Members, 23 posts)

Posted 02 March 2010 - 04:33 AM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:25:34, on 02/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Norton Ghost\Agent\VProTray.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Thunder Network\Thunder\Program\Thunder.exe
C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.61\ThunderService.exe
C:\Documents and Settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - D:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - D:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: 使用迅雷下载 (Download with Thunder) - d:\Program Files\Thunder Network\Thunder\Program\GetUrl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 (Download all links with Thunder) - d:\Program Files\Thunder Network\Thunder\Program\GetAllUrl.htm
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E18A1B8-AF81-4F35-8B38-4B41580DF855}: NameServer = 202.188.0.133,202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10023 bytes

Hi All

I'm a newbie here. Please could anyone take a look at the log generated from HijackThis above?
I suspect there are loads of unnecessary entries which slow down the time from switching on the PC to loading Windows XP...
Please help.
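A quick way to pull the review-worthy items out of a HijackThis log like the one above is to parse the section lines and apply the usual first-pass triage rules by script instead of by eye. The snippet below is an added example for this page; it is not from the thread and not part of Trend Micro's HijackThis. It runs on a handful of lines copied from the log above and flags the entry types a reviewer normally checks first: an O2 BHO whose DLL is missing ("(no file)"), an O4 autostart that names a bare executable rather than a full path, an O17 per-adapter NameServer override, and an O23 service for which HijackThis reported "Unknown owner". The flags are prompts to look, not verdicts on any entry; the `Entry` class, the rule wording and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E18A1B8-AF81-4F35-8B38-4B41580DF855}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
"""

# Every HijackThis section line has the shape "<tag> - <rest>", tag = O2, O4, O17, R0, ...
SECTION_LINE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")
# O4 body: "HKLM\..\Run: [value name] command line"
AUTOSTART = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# First token of a command line: a quoted path or a bare word.
FIRST_TOKEN = re.compile(r'"([^"]+)"|(\S+)')


@dataclass
class Entry:
    kind: str                                    # section tag, e.g. "O2", "O17"
    body: str                                    # line with the tag stripped
    flags: list = field(default_factory=list)    # triage notes, empty if nothing stood out


def parse_line(line: str):
    """Return an Entry for a HijackThis section line, None for any other line."""
    m = SECTION_LINE.match(line.strip())
    return Entry(kind=m.group(1), body=m.group(2)) if m else None


def apply_rules(entry: Entry) -> Entry:
    """First-pass heuristics a log reviewer applies by eye; each hit adds a note."""
    body = entry.body
    if entry.kind == "O2" and body.endswith("(no file)"):
        entry.flags.append("BHO registered but its DLL is missing (orphaned entry)")
    elif entry.kind == "O4":
        m = AUTOSTART.search(body)
        if m:
            tok = FIRST_TOKEN.match(m.group("cmd"))
            exe = (tok.group(1) or tok.group(2)) if tok else ""
            if exe and "\\" not in exe:
                entry.flags.append(
                    f"autostart [{m.group('name')}] is a bare filename ({exe}); "
                    "Windows resolves it via the search path, confirm which file runs")
    elif entry.kind == "O17":
        m = re.search(r"NameServer\s*=\s*(.+)$", body)
        if m:
            servers = [s.strip() for s in m.group(1).split(",")]
            entry.flags.append("DNS servers set per adapter: " + ", ".join(servers)
                               + " (confirm they belong to the ISP)")
    elif entry.kind == "O23" and " - Unknown owner - " in body:
        entry.flags.append("service binary reports no company name; verify the file")
    return entry


def triage(log_text: str) -> list:
    """Parse every section line in the log text and annotate it."""
    return [apply_rules(e) for e in map(parse_line, log_text.splitlines()) if e]


def flagged(log_text: str) -> list:
    """Only the entries that picked up at least one note."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind}: {e.body}")
        for note in e.flags:
            print(f"    -> {note}")
```

Feed it a whole saved HijackThis log (`triage(open("hijackthis.log").read())`) and it reads straight through the "Running processes" header and the trailer, since only tagged section lines are parsed. The bare-filename rule is deliberately noisy: RTHDCPL.EXE is a legitimate Realtek tray applet, but the registry value gives no path, so the reviewer should confirm where the file that actually starts lives, which is exactly what RSIT's "Registry dump" section resolves.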






#2 syler (Malware Response Team, 8,150 posts, Warrington, UK)

Posted 06 March 2010 - 07:16 PM

Hello and Welcome to Bleepingcomputer

Please note we are very busy, so if I don't hear from you within 5 days the topic will be closed. If you have since resolved your issues I
would appreciate it if you would let me know so I can close this topic.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)


  1. Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  2. Disconnect from the Internet and close all running programs, as this process may crash your computer.
  3. Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  4. Double click on Gmer to run it.
  5. Allow the gmer.sys driver to load if asked.
  6. You may see a rootkit warning window, If you do, click No.
  7. Untick the following boxes on the right side of the Gmer screen.
    Sections
    IAT/EAT
    Files
    Show All
  8. Click on and wait for the scan to finish.
  9. If you see a rootkit warning window, click OK.
  10. Push and save the logfile to your desktop.
  11. Copy and Paste the contents of that file in your next post.



Then please post back here with the following:
  • log.txt
  • info.txt
  • Gmer log

Thanks



#3 kerrylin16 (Topic Starter, Members, 23 posts)

Posted 07 March 2010 - 10:44 AM

Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2010-03-07 23:12:56
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (84%) free of 80 GB
Total RAM: 3327 MB (85% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:06, on 07/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\rsit\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E18A1B8-AF81-4F35-8B38-4B41580DF855}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7319 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-920026266-725345543-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08DF07A-3E49-4E25-9AB0-D3882835F153}]
QUICKfind BHO Object - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll [2003-06-30 337920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-28 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-28 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-10-30 16269312]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"nwiz"=nwiz.exe /install []
"SmcService"=C:\PROGRA~1\Sygate\SPF\smc.exe [2004-10-15 2577632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-03-07 8425472]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Norton Ghost 12.0"=C:\Program Files\Norton Ghost\Agent\VProTray.exe [2007-03-28 2037352]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"E:\Torrentials\utorrent.exe"="E:\Torrentials\utorrent.exe:*:Enabled:µTorrent"
"D:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="D:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"="C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe"="C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Documents and Settings\user\Desktop\Temp\utorrent.exe"="C:\Documents and Settings\user\Desktop\Temp\utorrent.exe:*:Enabled:µTorrent"
"E:\Torrentials\utorrent_1.8.1.exe"="E:\Torrentials\utorrent_1.8.1.exe:*:Enabled:µTorrent"
"E:\Torrentials\utorrent_1.8.2.exe"="E:\Torrentials\utorrent_1.8.2.exe:*:Enabled:µTorrent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderService.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderService.exe:*:Enabled:ThunderService1.0.2.41"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderLiveUD.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.0.2.41"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\XLBugReport.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\XLBugReport.exe:*:Enabled:XLBugReport1.0.2.41"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderService.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderService.exe:*:Enabled:ThunderService1.0.2.56"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderLiveUD.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.0.2.56"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\XLBugReport.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\XLBugReport.exe:*:Enabled:XLBugReport1.0.2.56"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dda7619-453c-11de-be38-001a4d41fc4e}]
shell\Auto\command - backupuser.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL backupuser.exe


======List of files/folders created in the last 1 months======

2010-03-07 22:18:16 ----D---- C:\rsit
2010-03-07 18:31:10 ----D---- C:\WINDOWS\CSC
2010-03-03 22:09:17 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2010-03-03 22:08:52 ----D---- C:\Program Files\Common Files\Adobe Systems Shared
2010-03-03 20:35:07 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2010-03-03 20:28:31 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-03-03 20:28:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-03 16:43:53 ----D---- C:\Documents and Settings\user\Application Data\vlc
2010-03-03 16:43:39 ----D---- C:\Program Files\VideoLAN
2010-02-28 13:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-02-28 13:42:20 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-02-28 09:45:06 ----D---- C:\Documents and Settings\user\Application Data\AccurateRip

======List of files/folders modified in the last 1 months======

2010-03-07 23:13:05 ----D---- C:\WINDOWS\Prefetch
2010-03-07 23:11:31 ----D---- C:\WINDOWS\Temp
2010-03-07 23:11:13 ----D---- C:\WINDOWS
2010-03-07 23:10:59 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-07 23:09:19 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-07 14:05:36 ----D---- C:\Documents and Settings\user\Application Data\uTorrent
2010-03-07 11:42:10 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-07 11:35:11 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2010-03-07 06:07:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 05:29:42 ----D---- C:\WINDOWS\system32
2010-03-07 05:16:03 ----A---- C:\WINDOWS\win.ini
2010-03-07 04:56:30 ----D---- C:\DTOOLS
2010-03-07 04:56:28 ----A---- C:\WINDOWS\DTOOLS.INI
2010-03-03 22:08:52 ----D---- C:\Program Files\Common Files
2010-03-03 22:08:51 ----SHD---- C:\WINDOWS\Installer
2010-03-03 22:08:28 ----D---- C:\Program Files\Common Files\Adobe
2010-03-03 22:08:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-03-03 22:08:07 ----RSD---- C:\WINDOWS\Fonts
2010-03-03 22:07:18 ----D---- C:\Program Files\Adobe
2010-03-03 21:10:14 ----D---- C:\Documents and Settings\All Users\Application Data\Thunder Network
2010-03-03 20:35:15 ----HD---- C:\WINDOWS\inf
2010-03-03 20:35:12 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-03 20:35:12 ----D---- C:\WINDOWS\system32\mui
2010-03-03 20:28:28 ----D---- C:\WINDOWS\system32\drivers
2010-03-03 16:48:47 ----RD---- C:\Program Files
2010-03-03 16:40:48 ----D---- C:\Program Files\Xvid
2010-03-03 16:29:22 ----D---- C:\Program Files\Real Alternative
2010-03-03 16:16:28 ----D---- C:\WINDOWS\system32\ffdshow
2010-03-03 15:20:51 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-03-03 14:58:53 ----D---- C:\WINDOWS\security
2010-03-03 14:58:39 ----SHD---- C:\RECYCLER
2010-03-03 14:58:17 ----D---- C:\Documents and Settings
2010-03-03 14:18:02 ----D---- C:\Documents and Settings\All Users\Application Data\HP
2010-03-03 10:48:45 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-02-28 13:42:34 ----D---- C:\Program Files\Common Files\Java
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\javaws.exe
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\javaw.exe
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\java.exe
2010-02-28 13:42:07 ----D---- C:\Program Files\Java
2010-02-28 10:57:56 ----D---- C:\Documents and Settings\user\Application Data\HPAppData
2010-02-19 15:23:27 ----D---- C:\Program Files\Mozilla Firefox
2010-02-17 16:28:12 ----D---- C:\Program Files\MetaTrader - Alpari UK
2010-02-16 02:00:00 ----A---- C:\WINDOWS\system32\rmoc3260.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-08 25160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-06-10 28520]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2004-08-03 223616]
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-07 56816]
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 v2imount;Symantec V2i Mount Driver; C:\WINDOWS\system32\DRIVERS\v2imount.sys [2007-03-28 37864]
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-10-15 14568]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-10-15 14568]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-10-15 14568]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-10-15 14568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2002-11-28 15360]
R3 GEARAspiWDM;GearAspiWDM; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2007-03-28 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-03 4394496]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-03-07 6704096]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2004-08-04 12416]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 a8pnsmmr;a8pnsmmr; C:\WINDOWS\system32\drivers\a8pnsmmr.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BTHMODEM;Bluetooth Modem Communications Driver; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2004-08-03 38016]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-03 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 EverestDriver;Lavalys EVEREST Kernel Driver; \??\K:\suhun\soft\Everest 4.50\kerneld.wnt []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 VProEventMonitor;Symantec Event Monitor Driver; C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys [2007-03-28 14072]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 WimFltr;WimFltr; C:\WINDOWS\system32\DRIVERS\wimfltr.sys [2007-03-28 128104]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 gearsec;gearsec; C:\WINDOWS\system32\gearsec.exe [2003-01-27 49152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-02-28 153376]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Norton Ghost;Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2007-03-28 3290728]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-03-07 163908]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SmcService;Sygate Personal Firewall; C:\Program Files\Sygate\SPF\smc.exe [2004-10-15 2577632]
R2 UserAccess7;SecuROM User Access Service (V7); C:\WINDOWS\system32\UAService7.exe [2010-01-06 126976]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2010-03-03 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-24 137200]
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe [2003-12-09 65625]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe [2003-12-09 65622]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-07 503608]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------



info.txt logfile of random's system information tool 1.06 2010-03-07 23:13:07

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {926CC8AE-8414-43DF-8EB4-CF26D9C3C663}
-->MsiExec.exe /I{C4CBAD7E-DF4A-4FEC-AC17-8BC709AFB844}
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
ACF Controler v1.0-->d:\Program Files\Winamp\Plugins\gen_acf_uninst.exe
Adobe Acrobat 7.0 Professional-->msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Help Center 2.1-->MsiExec.exe /I{25569723-DC5A-4467-A639-79535BF01B71}
Adobe Photoshop Elements 5.0-->msiexec /I {A7B609FB-83D8-4FC3-8477-1BC65ECFE85B}
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Reader Chinese Traditional Fonts-->MsiExec.exe /I{AC76BA86-7AD7-2448-0000-705000000001}
Adobe Shockwave Player-->C:\WINDOWS\system32\Adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Advanced Crossfading 1.75-->d:\Program Files\Winamp\plugins\unout_sqr.exe
Advanced Office 97 Password Recovery-->D:\PROGRA~1\ao97pr\UNWISE.EXE D:\PROGRA~1\ao97pr\INSTALL.LOG
Advanced Registry Optimizer 5.1-->"d:\Program Files\Advanced Registry Optimizer\unins000.exe"
AFPL Ghostscript 7.03-->C:\gs\uninstgs.exe "C:\gs\gs7.03\uninstal.txt"
AFPL Ghostscript Fonts-->C:\gs\uninstgs.exe "C:\gs\fonts\uninstal.txt"
AoA Audio Extractor 1.0-->"d:\Program Files\AoA Audio Extractor\unins000.exe"
Avira AntiVir Personal - Free Antivirus-->C:\Program Files\Avira\AntiVir Desktop\setup.exe /REMOVE
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Batch Converter v1.0.7.178-->d:\Program Files\SqrSoft\Batch Converter\sqrbc-uinst.exe
CCleaner-->"d:\Program Files\CCleaner\uninst.exe"
CDCheck (remove only)-->"d:\Program Files\CDCheck\uninst.exe"
CloneCD-->"d:\Program Files\Elaborate Bytes\CloneCD\ccd-uninst.exe" /D="d:\Program Files\Elaborate Bytes\CloneCD"
CodeStuff Starter-->"d:\Program Files\CodeStuff\Starter\unStarter.exe"
DCS-->MsiExec.exe /I{FEEE0585-C5CA-42B2-ACE1-EDB882847859}
Defraggler-->"d:\Program Files\Defraggler\uninst.exe"
Disclib 2.0 [build: 50]-->"d:\Program Files\Disclib\unins000.exe"
DISKdata-->D:\PROGRA~1\DISKdata\UNWISE.EXE D:\PROGRA~1\DISKdata\INSTALL.LOG
DVD Creator Plus 2.0-->"d:\Program Files\DVD Creator Plus 2\unins000.exe"
DVD Flick-->"d:\Program Files\DVD Flick\unins000.exe"
DVD Shrink 3.2-->"d:\Program Files\DVD Shrink\unins000.exe"
Exact Audio Copy 0.99pb5-->d:\Program Files\Exact Audio Copy\uninst.exe
FLAC 1.1.4b (remove only)-->d:\Program Files\FLAC\uninstall.exe
FLV Player 2.0 (build 25)-->d:\Program Files\FLV Player\uninst.exe
Glean 7.3-->MsiExec.exe /I{323DE5CF-B774-4EB8-823E-A317FD15439C}
Google Photos Screensaver-->MsiExec.exe /X{481E9852-DA0C-403B-ADA4-05D86C8BF9A9}
Google Toolbar for Internet Explorer-->MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Hardlock Device Drivers-->C:\WINDOWS\system32\UNWISE.EXE C:\WINDOWS\system32\HLDRV.LOG
High Definition Audio Driver Package - KB888111-->"C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Icy Tower v1.4-->"D:\Program Files\icytower1.4\unins000.exe"
ImgBurn-->"d:\Program Files\ImgBurn\uninstall.exe"
InFlac 1.1.1-->"d:\Program Files\Winamp\InFlac-Uninstall.exe"
InstallShield Express 5.0 Visual FoxPro Limited Edition-->MsiExec.exe /I{C621DFA7-85D8-4CDF-89EA-B01001790038}
iTunes-->MsiExec.exe /I{B8A204BC-7177-470E-BBDD-47256D05B325}
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
Macromedia Flash Player 8-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\swflash.inf,DefaultUninstall,5
Malwarebytes' Anti-Malware-->"d:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MetaTrader 4.00-->"C:\Program Files\MetaTrader - Alpari UK\Uninstall.exe" "C:\Program Files\MetaTrader - Alpari UK\install.log"
Microsoft .NET Framework 2.0-->C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Microsoft .NET Framework 2.0\install.exe
Microsoft .NET Framework 3.0-->C:\WINDOWS\Microsoft.NET\Framework\v3.0\Microsoft .NET Framework 3.0\setup.exe
Microsoft .NET Framework 3.0-->MsiExec.exe /X{15095BF3-A3D7-4DDF-B193-3A496881E003}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Office XP Professional with FrontPage-->MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft SOAP Toolkit 3.0 Samples-->MsiExec.exe /I{437D9E8F-A8B0-4A5A-9137-6F624551D3F0}
Microsoft SOAP Toolkit 3.0-->MsiExec.exe /I{BCB4C18A-ACA6-4383-8688-E19933A705DD}
Microsoft User-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWudf01007$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual FoxPro 9.0 Professional - English-->C:\Program Files\Microsoft Visual FoxPro 9\setup\Visual FoxPro 9.0 Professional - English\setup.exe /MaintMode
MixMeister Pro 5-->MsiExec.exe /I{8B6B3A99-2469-4A77-9118-E63814AA72C2}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Mp3tag v2.44-->d:\Program Files\Mp3tag\Mp3tagUninstall.EXE
MSVC80_x86-->MsiExec.exe /I{212748BB-0DA5-46DE-82A1-403736DC9F27}
MSXML 6.0 Parser-->MsiExec.exe /I{A43BF6A5-D5F0-4AAA-BF41-65995063EC44}
Music Visualizer Library 1.4.00-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\Setup.exe" -l0x9
Nero 7 Essentials-->MsiExec.exe /I{2F6C302E-5BD0-466C-BD54-1D284B611033}
NJStar Communicator-->d:\Program Files\NJStar Communicator\uninst.exe
Nokia Connectivity Cable Driver-->MsiExec.exe /I{52D02A2B-03D2-4E34-A358-DC5D951FD296}
Nokia PC Suite-->C:\Documents and Settings\All Users\Application Data\Installations\{3D39E775-DDDA-4327-B747-0BDC5F191331}\Nokia_PC_Suite_7_1_30_9_eng_web.exe
Nokia PC Suite-->MsiExec.exe /I{3D39E775-DDDA-4327-B747-0BDC5F191331}
Norton Ghost-->MsiExec.exe /I{B0255743-165B-4BD5-8DA8-37DFB9930012}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenMG Secure Module 3.4.00-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{657DD6DA-B07B-40FF-9DBD-2116F7E83CF6}\setup.exe" -l0x9 UNINSTALL
Oxford Advanced Learner's Dictionary - 7th edition-->"d:\Program Files\Oxford\OALD7\uninstall.exe"
Paint.NET v3.35-->MsiExec.exe /X{20AC583C-A6FB-410A-807D-25308225C201}
PC Connectivity Solution-->MsiExec.exe /I{0C973594-7DDF-4BD0-84ED-3517F7622037}
PC Inspector File Recovery-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}\Setup.exe" -l0x9
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
QUICKfind-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{593AFFA4-D08E-4272-BABB-420949D32A10}\Setup.exe" -l0x9
QuickTime-->MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
Real Alternative 2.0.2-->"C:\Program Files\Real Alternative\unins000.exe"
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\SETUP.EXE" -l0x9 -removeonly
Recuva-->"d:\Program Files\Recuva\uninst.exe"
RedMon - Redirection Port Monitor-->C:\WINDOWS\system32\unredmon.exe
Revo Uninstaller 1.85-->d:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Skype 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SonicStage 1.5.06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}\setup.exe" -l0x9 UNINSTALL
Spybot - Search & Destroy-->"d:\Program Files\Spybot - Search & Destroy\unins000.exe"
SqrSoft Advanced Crossfading (remove only)-->"d:\Program Files\Winamp\unout_mix2dsk.exe"
Switch Off-->"d:\Program Files\Switch Off\uninstall.exe"
Sygate Personal Firewall-->MsiExec.exe /I{F34D9A5F-484A-4E31-A9D3-908CB265B289}
VC80CRTRedist - 8.0.50727.762-->MsiExec.exe /I{767CC44C-9BBC-438D-BAD3-FD4595DD148B}
VideoLAN VLC media player 0.8.6c-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VobSub v2.23 (Remove Only)-->"d:\Program Files\VobSub\uninstall.exe"
Winamp-->"d:\Program Files\Winamp\UninstWA.exe"
Windows Communication Foundation-->MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Presentation Foundation-->MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation-->MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver-->d:\Program Files\WinRAR\uninstall.exe
Xvid 1.2.2 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

=====HijackThis Backups=====

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) [2010-03-02]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.xunlei.com/ [2010-03-02]
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.6972\swg.dll [2010-03-02]
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe [2010-03-02]
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2010-03-02]
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com [2010-03-02]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-02]
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2010-03-02]
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com [2010-03-02]
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll [2010-03-03]
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\WINDOWS\system32\shdocvw.dll [2010-03-03]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-03]
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [2010-03-03]
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe [2010-03-03]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2010-03-03]
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file) [2010-03-03]
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200 [2010-03-03]
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2010-03-03]
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ? [2010-03-03]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-07]
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe [2010-03-07]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-07]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-07]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com [2010-03-07]
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/.../search/ie.html [2010-03-07]
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com [2010-03-07]
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file) [2010-03-07]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2010-03-07]
R3 - Default URLSearchHook is missing [2010-03-07]
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL [2010-03-07]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-07]
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2010-03-07]
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2010-03-07]
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-03-07]
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2010-03-07]

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======Security center information======

AV: AntiVir Desktop
FW: Sygate Personal Firewall

======System event log======

Computer Name: SUHUN2
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 89909
Source Name: Tcpip
Time Written: 20100213034514.000000+480
Event Type: warning
User:

Computer Name: SUHUN2
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 89887
Source Name: Service Control Manager
Time Written: 20100213005546.000000+480
Event Type: error
User:

Computer Name: SUHUN2
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 89857
Source Name: Service Control Manager
Time Written: 20100212172030.000000+480
Event Type: error
User:

Computer Name: SUHUN2
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 89829
Source Name: Service Control Manager
Time Written: 20100212140828.000000+480
Event Type: error
User:

Computer Name: SUHUN2
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 89799
Source Name: Service Control Manager
Time Written: 20100212115846.000000+480
Event Type: error
User:

=====Application event log=====

Computer Name: SUHUN2
Event Code: 20
Message:
Record Number: 42770
Source Name: Google Update
Time Written: 20100207232651.000000+480
Event Type: error
User: SUHUN2\user

Computer Name: SUHUN2
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 42760
Source Name: Adobe Active File Monitor 5.0
Time Written: 20100207225612.000000+480
Event Type:
User:

Computer Name: SUHUN2
Event Code: 20
Message:
Record Number: 42759
Source Name: Google Update
Time Written: 20100207223613.000000+480
Event Type: error
User: SUHUN2\user

Computer Name: SUHUN2
Event Code: 20
Message:
Record Number: 42758
Source Name: Google Update
Time Written: 20100207213458.000000+480
Event Type: error
User: SUHUN2\user

Computer Name: SUHUN2
Event Code: 2570
Message: Adobe Active File Monitor Service has Started.

Record Number: 42748
Source Name: Adobe Active File Monitor 5.0
Time Written: 20100207204556.000000+480
Event Type:
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\Program Files\PC Connectivity Solution\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\DivX Shared\;C:\Program Files\Common Files\Thunder Network\KanKan\Codecs
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=0f06
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_01\lib\ext\QTJava.zip

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-07 23:23:23
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\user\LOCALS~1\Temp\aftdypob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwAllocateVirtualMemory [0xBA97AB30]
SSDT BAFB872E ZwCreateKey
SSDT BAFB8724 ZwCreateThread
SSDT BAFB8733 ZwDeleteKey
SSDT BAFB873D ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xBA6C5E2C]
SSDT sptd.sys ZwEnumerateValueKey [0xBA6C61BA]
SSDT BAFB8742 ZwLoadKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwMapViewOfSection [0xBA97A470]
SSDT sptd.sys ZwOpenKey [0xBA6C00B0]
SSDT BAFB8710 ZwOpenProcess
SSDT BAFB8715 ZwOpenThread
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwProtectVirtualMemory [0xBA97AC50]
SSDT sptd.sys ZwQueryKey [0xBA6C6292]
SSDT sptd.sys ZwQueryValueKey [0xBA6C6112]
SSDT BAFB874C ZwReplaceKey
SSDT BAFB8747 ZwRestoreKey
SSDT BAFB8738 ZwSetValueKey
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwShutdownSystem [0xBA97A990]
SSDT BAFB871F ZwTerminateProcess
SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.) ZwWriteVirtualMemory [0xBA97AD60]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF421E8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Fastfat \FatCdrom 89FAC1E8
Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{6E18A1B8-AF81-4F35-8B38-4B41580DF855} 8AB1F7A0
Device \Driver\usbohci \Device\USBPDO-0 8ACAA7A0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF441E8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF441E8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF441E8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF441E8
Device \Driver\usbehci \Device\USBPDO-1 8AC7C7A0
Device \Driver\PCI_NTPNP2494 \Device\00000053 sptd.sys
Device \Driver\Tcpip \Device\Tcp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom0 8AE065C0
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom1 8AE065C0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AED21E8
Device \Driver\atapi \Device\Ide\IdePort0 8AED21E8
Device \Driver\atapi \Device\Ide\IdePort1 8AED21E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AED21E8
Device \Driver\nvata \Device\00000073 8AF431E8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Cdrom \Device\CdRom2 8AE065C0
Device \Driver\nvata \Device\00000074 8AF431E8
Device \Driver\Ftdisk \Device\HarddiskVolume5 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume6 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume7 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB1F7A0
Device \Driver\Ftdisk \Device\HarddiskVolume8 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume8 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume9 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume9 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\NetBT \Device\NetbiosSmb 8AB1F7A0
Device \Driver\Tcpip \Device\Udp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\Tcpip \Device\RawIp wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\usbohci \Device\USBFDO-0 8ACAA7A0
Device \Driver\usbehci \Device\USBFDO-1 8AC7C7A0
Device \Driver\nvata \Device\NvAta0 8AF431E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A0271E8
Device \Driver\Tcpip \Device\IPMULTICAST wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\nvata \Device\NvAta1 8AF431E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A0271E8
Device \Driver\Ftdisk \Device\FtControl 8AED31E8
Device \Driver\Ftdisk \Device\HarddiskVolume10 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume10 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\Ftdisk \Device\HarddiskVolume11 8AED31E8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume11 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \Driver\a8pnsmmr \Device\Scsi\a8pnsmmr1Port4Path0Target0Lun0 8AC0D1E8
Device \Driver\a8pnsmmr \Device\Scsi\a8pnsmmr1Port4Path0Target1Lun0 8AC0D1E8
Device \Driver\a8pnsmmr \Device\Scsi\a8pnsmmr1 8AC0D1E8
Device \FileSystem\Fastfat \Fat 89FAC1E8

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

Device \FileSystem\Cdfs \Cdfs 89FE01E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081bc04991
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081bc04991@001fdf59bb5e 0xE6 0x0C 0x4C 0x28 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00081bc04991@00e0033a5596 0x7E 0x39 0x20 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x39 0xD5 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x8B 0xA7 0x40 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0x3A 0xF3 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x18 0x2D 0x79 0x13 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081bc04991 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081bc04991@001fdf59bb5e 0xE6 0x0C 0x4C 0x28 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00081bc04991@00e0033a5596 0x7E 0x39 0x20 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x39 0xD5 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x0C 0x8B 0xA7 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBC 0x3A 0xF3 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x18 0x2D 0x79 0x13 ...

---- EOF - GMER 1.0.15 ----


#4 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 11:05 AM

Your logs look OK to me. Can you tell me if you are actually having any problems?

Download and Run FlashDisinfector
  • Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up those drives as well.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.


  • Go to Start >> Run, and type Notepad into the run box, then click Ok.
  • Copy and paste the following code into Notepad. (Do not include the word "CODE")
CODE
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dda7619-453c-11de-be38-001a4d41fc4e}]
  • Click on the File tab, and select Save.
  • In the box that opens type fix.reg for the File name.
  • Change the Save as type to All Files, then save it to your Desktop. (It should look like this )
  • Double click fix.reg, Select yes when it prompts you, then Ok.



TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.



Please download JavaRa and unzip it to your desktop.
Then print these instructions, as you won't have Internet access during this particular phase.

Close any instances of Internet Explorer before continuing
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English or the appropriate language...and click on Select.
  • JavaRa will open; Select Remove Older Versions, click yes, then ok.
  • A logfile will pop up, you can close it.
  • Now select Additional Tasks and check the following:
    Remove Useless JRE Files
    Remove Startup Entry
  • Click Go then ok to all the prompts, once done restart your computer.


Then please post back with a new Rsit log.



#5 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts

Posted 07 March 2010 - 09:00 PM

Thanks, Syler. I was suspicious about my computer but not 100% sure if there is a problem, because my computer takes pretty long to load during its startup, i.e. during startup the computer was 'busy' running for a while, and if I move the mouse pointer to the start bar it shows as an hourglass...
Perhaps I will time the startup and let you know, so you can tell me if it is considered ok...

Also during startup, sometimes not all the icons appear in the tray.

Edited by kerrylin16, 07 March 2010 - 09:05 PM.


#6 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts

Posted 07 March 2010 - 09:10 PM

The startup time is approximately 1 minute and 30 seconds.
So initially I thought there might be too many unnecessary or useless entries in the startup process that have made it slow...

Do you think the time is slow enough to be indicative of the presence of malware, or of too many unwanted/useless processes, etc.?

#7 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK

Posted 07 March 2010 - 09:16 PM

That's quite a while to start up, but I have known it to take a lot longer on some machines. You have plenty of RAM and hard drive space, so that is not an issue, and you don't appear to have that many startup entries, so I don't think that's an issue. I would like to check one more thing; if that doesn't turn up anything, then I will point you in the right direction of what you can check.


Download and Run MBR Rootkit Scan
  • Please download MBR Rootkit Detector and save it on your desktop.
  • Go to Start >> Run then copy and paste the following line into the run box
    "%userprofile%\desktop\mbr.exe" -t

  • Select Run when you receive a Security Warning
  • The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
  • A log file will then be created on your desktop where you ran mbr.exe
  • Copy and paste the contents of mbr.log on your next reply.


Then please post back here with the following logs:
  • mbr.log
  • New Rsit log.txt

Thanks

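The scan described above writes a short text log, and the addresses it reports can be checked against the object addresses in a GMER "Devices" section like the one posted earlier in this thread. The following is an added triage example (my code, not part of this thread, of mbr.exe or of GMER); the sample logs inside it are constructed to mirror the format of the logs posted here.

```python
"""Triage helper for Gmer's mbr.exe log and a GMER 'Devices' section.
Added example for this thread; not part of mbr.exe, GMER or the posts here.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample mbr.log, in the format of the output posted in this thread.
SAMPLE_MBR_LOG = r"""Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AED21E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8aed21e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
"""

# Constructed excerpt of a GMER 'Devices' section, same format as the one posted above.
SAMPLE_GMER_DEVICES = r"""---- Devices - GMER 1.0.15 ----

Device \Driver\Tcpip \Device\Ip wpsdrvnt.sys (wpsdrvnt/Sygate Technologies, Inc.)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AED21E8
Device \Driver\atapi \Device\Ide\IdePort0 8AED21E8
Device \Driver\atapi \Device\Ide\IdePort1 8AED21E8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AED31E8
Device \Driver\PCI_NTPNP2494 \Device\00000053 sptd.sys
"""

HOOK_RE = re.compile(r"^(\\\S+)\s+->\s+0x([0-9A-Fa-f]+)\s*$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
DEVICE_RE = re.compile(r"^Device\s+(\S+)\s+(\S+)\s+(.+?)\s*$")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")


@dataclass
class MbrReport:
    hooks: List[Tuple[str, int]] = field(default_factory=list)  # (driver object, address)
    unknown_modules: List[int] = field(default_factory=list)    # unattributed code in the disk path
    warnings: List[str] = field(default_factory=list)
    mbr_ok: bool = False  # user-mode and kernel-mode reads of the MBR agreed


@dataclass
class GmerDevice:
    driver: str
    device: str
    module: Optional[str] = None   # owning module when GMER could name it
    address: Optional[int] = None  # bare object address when it could not


def parse_mbr_log(text: str) -> MbrReport:
    """Pull the hook, unknown-module and warning lines out of an mbr.log."""
    report = MbrReport()
    for raw in text.splitlines():
        line = raw.strip()
        hook = HOOK_RE.match(line)
        if hook:
            report.hooks.append((hook.group(1), int(hook.group(2), 16)))
            continue
        report.unknown_modules.extend(int(a, 16) for a in UNKNOWN_RE.findall(line))
        if line.startswith("Warning:"):
            report.warnings.append(line)
        elif line == "user & kernel MBR OK":
            report.mbr_ok = True
    return report


def parse_gmer_devices(text: str) -> List[GmerDevice]:
    """Parse 'Device ...' lines; 'AttachedDevice' lines are deliberately skipped."""
    devices = []
    for raw in text.splitlines():
        m = DEVICE_RE.match(raw.strip())
        if not m:
            continue
        driver, device, owner = m.groups()
        if HEX_ADDR_RE.match(owner):
            devices.append(GmerDevice(driver, device, address=int(owner, 16)))
        else:
            devices.append(GmerDevice(driver, device, module=owner.split()[0]))
    return devices


def correlate(report: MbrReport, devices: List[GmerDevice]) -> List[GmerDevice]:
    """Device objects whose address equals a hook or unknown-module address from mbr.log."""
    suspect = {addr for _, addr in report.hooks} | set(report.unknown_modules)
    return [d for d in devices if d.address is not None and d.address in suspect]


def triage(mbr_text: str, gmer_text: str) -> Dict[str, object]:
    """Summarise both logs; a hook or unattributed module is escalated, never auto-fixed."""
    report = parse_mbr_log(mbr_text)
    matched = correlate(report, parse_gmer_devices(gmer_text))
    return {
        "mbr_ok": report.mbr_ok,
        "hooked_drivers": sorted({drv for drv, _ in report.hooks}),
        "matched_devices": [d.device for d in matched],
        "verdict": "escalate" if report.hooks or report.unknown_modules else "clean",
    }
```

Note that "user & kernel MBR OK" only says the two MBR reads agreed; the hook on the disk driver is what the tool is warning about, so the verdict is driven by the hook and unknown-module lines.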


#8 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts

Posted 07 March 2010 - 09:52 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AED21E8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8aed21e8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !




Logfile of random's system information tool 1.06 (written by random/random)
Run by user at 2010-03-08 10:50:51
Microsoft Windows XP Professional Service Pack 2
System drive C: has 67 GB (84%) free of 80 GB
Total RAM: 3327 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:01, on 08/03/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\gearsec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MetaTrader - Alpari UK\terminal.exe
C:\rsit\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\user.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: QUICKfind BHO Object - {C08DF07A-3E49-4E25-9AB0-D3882835F153} - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{6E18A1B8-AF81-4F35-8B38-4B41580DF855}: NameServer = 202.188.0.133,202.188.1.5
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: gearsec - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 7353 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-920026266-725345543-1003.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - D:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 63136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - D:\PROGRA~1\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
AcroIEToolbarHelper Class - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C08DF07A-3E49-4E25-9AB0-D3882835F153}]
QUICKfind BHO Object - C:\PROGRA~1\IDM\QUICKF~1\PlugIns\IEHelp.dll [2003-06-30 337920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-28 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-02-28 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - D:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 225280]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-10-30 16269312]
"SkyTel"=C:\WINDOWS\SkyTel.EXE [2006-05-16 2879488]
"nwiz"=nwiz.exe /install []
"SmcService"=C:\PROGRA~1\Sygate\SPF\smc.exe [2004-10-15 2577632]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-03-07 8425472]
"avgnt"=C:\Program Files\Avira\AntiVir Desktop\avgnt.exe [2009-03-02 209153]
"BluetoothAuthenticationAgent"=bthprops.cpl,,BluetoothAuthenticationAgent []
"Norton Ghost 12.0"=C:\Program Files\Norton Ghost\Agent\VProTray.exe [2007-03-28 2037352]
"Synchronization Manager"=C:\WINDOWS\system32\mobsync.exe [2004-08-04 143360]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
D:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe [2004-12-14 483328]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
UPnPMonitor - {e57ce738-33e8-4c51-8354-bb4de9d215d1} - C:\WINDOWS\system32\upnpui.dll [2004-08-04 239616]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\{1a3e09be-1e45-494b-9174-d7385b45bbf5}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG Free\avginet.exe"="C:\Program Files\Grisoft\AVG Free\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG Free\avgamsvr.exe"="C:\Program Files\Grisoft\AVG Free\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG Free\avgcc.exe"="C:\Program Files\Grisoft\AVG Free\avgcc.exe:*:Enabled:avgcc.exe"
"E:\Torrentials\utorrent.exe"="E:\Torrentials\utorrent.exe:*:Enabled:µTorrent"
"D:\Program Files\Veoh Networks\Veoh\VeohClient.exe"="D:\Program Files\Veoh Networks\Veoh\VeohClient.exe:*:Enabled:Veoh Client"
"D:\Program Files\iTunes\iTunes.exe"="D:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:uTorrent"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe"="C:\Program Files\Nokia\Nokia Software Updater\nsu_ui_client.exe:*:Enabled:Nokia Software Updater"
"C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe"="C:\Program Files\Common Files\Nokia\Service Layer\A\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Documents and Settings\user\Desktop\Temp\utorrent.exe"="C:\Documents and Settings\user\Desktop\Temp\utorrent.exe:*:Enabled:µTorrent"
"E:\Torrentials\utorrent_1.8.1.exe"="E:\Torrentials\utorrent_1.8.1.exe:*:Enabled:µTorrent"
"E:\Torrentials\utorrent_1.8.2.exe"="E:\Torrentials\utorrent_1.8.2.exe:*:Enabled:µTorrent"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderService.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderService.exe:*:Enabled:ThunderService1.0.2.41"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderLiveUD.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.0.2.41"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\XLBugReport.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.41\XLBugReport.exe:*:Enabled:XLBugReport1.0.2.41"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderService.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderService.exe:*:Enabled:ThunderService1.0.2.56"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderLiveUD.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\ThunderLiveUD.exe:*:Enabled:ThunderLiveUD1.0.2.56"
"C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\XLBugReport.exe"="C:\Program Files\Common Files\Thunder Network\DS\Ver1\1.0.2.56\XLBugReport.exe:*:Enabled:XLBugReport1.0.2.56"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0dda7619-453c-11de-be38-001a4d41fc4e}]
shell\Auto\command - backupuser.exe
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL backupuser.exe


======List of files/folders created in the last 1 months======

2010-03-07 22:18:16 ----D---- C:\rsit
2010-03-07 18:31:10 ----D---- C:\WINDOWS\CSC
2010-03-03 22:09:17 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2010-03-03 22:08:52 ----D---- C:\Program Files\Common Files\Adobe Systems Shared
2010-03-03 20:35:07 ----HDC---- C:\WINDOWS\$NtUninstallKB942288-v3$
2010-03-03 20:28:31 ----D---- C:\Documents and Settings\user\Application Data\Malwarebytes
2010-03-03 20:28:26 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-03-03 16:43:53 ----D---- C:\Documents and Settings\user\Application Data\vlc
2010-03-03 16:43:39 ----D---- C:\Program Files\VideoLAN
2010-02-28 13:42:35 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-02-28 13:42:20 ----A---- C:\WINDOWS\system32\deploytk.dll
2010-02-28 09:45:06 ----D---- C:\Documents and Settings\user\Application Data\AccurateRip

======List of files/folders modified in the last 1 months======

2010-03-08 10:45:13 ----D---- C:\WINDOWS\Prefetch
2010-03-08 10:04:08 ----D---- C:\WINDOWS\Temp
2010-03-08 10:03:15 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-08 10:01:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-03-07 23:11:13 ----D---- C:\WINDOWS
2010-03-07 14:05:36 ----D---- C:\Documents and Settings\user\Application Data\uTorrent
2010-03-07 11:42:10 ----A---- C:\WINDOWS\NeroDigital.ini
2010-03-07 11:35:11 ----SD---- C:\Documents and Settings\user\Application Data\Microsoft
2010-03-07 06:07:55 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-07 05:29:42 ----D---- C:\WINDOWS\system32
2010-03-07 05:16:03 ----A---- C:\WINDOWS\win.ini
2010-03-07 04:56:30 ----D---- C:\DTOOLS
2010-03-07 04:56:28 ----A---- C:\WINDOWS\DTOOLS.INI
2010-03-03 22:08:52 ----D---- C:\Program Files\Common Files
2010-03-03 22:08:51 ----SHD---- C:\WINDOWS\Installer
2010-03-03 22:08:28 ----D---- C:\Program Files\Common Files\Adobe
2010-03-03 22:08:11 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2010-03-03 22:08:07 ----RSD---- C:\WINDOWS\Fonts
2010-03-03 22:07:18 ----D---- C:\Program Files\Adobe
2010-03-03 21:10:14 ----D---- C:\Documents and Settings\All Users\Application Data\Thunder Network
2010-03-03 20:35:15 ----HD---- C:\WINDOWS\inf
2010-03-03 20:35:12 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-03-03 20:35:12 ----D---- C:\WINDOWS\system32\mui
2010-03-03 20:28:28 ----D---- C:\WINDOWS\system32\drivers
2010-03-03 16:48:47 ----RD---- C:\Program Files
2010-03-03 16:40:48 ----D---- C:\Program Files\Xvid
2010-03-03 16:29:22 ----D---- C:\Program Files\Real Alternative
2010-03-03 16:16:28 ----D---- C:\WINDOWS\system32\ffdshow
2010-03-03 15:20:51 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-03-03 14:58:53 ----D---- C:\WINDOWS\security
2010-03-03 14:58:39 ----SHD---- C:\RECYCLER
2010-03-03 14:58:17 ----D---- C:\Documents and Settings
2010-03-03 14:18:02 ----D---- C:\Documents and Settings\All Users\Application Data\HP
2010-03-03 10:48:45 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-02-28 13:42:34 ----D---- C:\Program Files\Common Files\Java
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\javaws.exe
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\javaw.exe
2010-02-28 13:42:10 ----A---- C:\WINDOWS\system32\java.exe
2010-02-28 13:42:07 ----D---- C:\Program Files\Java
2010-02-28 10:57:56 ----D---- C:\Documents and Settings\user\Application Data\HPAppData
2010-02-19 15:23:27 ----D---- C:\Program Files\Mozilla Firefox
2010-02-17 16:28:12 ----D---- C:\Program Files\MetaTrader - Alpari UK
2010-02-16 02:00:00 ----A---- C:\WINDOWS\system32\rmoc3260.dll

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
R1 ElbyCDIO;ElbyCDIO Driver; C:\WINDOWS\System32\Drivers\ElbyCDIO.sys [2007-08-08 25160]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-03 36096]
R1 ssmdrv;ssmdrv; C:\WINDOWS\system32\DRIVERS\ssmdrv.sys [2009-06-10 28520]
R1 Tcpip6;Microsoft IPv6 Protocol Driver; C:\WINDOWS\system32\DRIVERS\tcpip6.sys [2004-08-03 223616]
R1 wpsdrvnt;wpsdrvnt; \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys []
R2 avgntflt;avgntflt; C:\WINDOWS\system32\DRIVERS\avgntflt.sys [2009-12-07 56816]
R2 Hardlock;Hardlock; \??\C:\WINDOWS\system32\drivers\hardlock.sys []
R2 v2imount;Symantec V2i Mount Driver; C:\WINDOWS\system32\DRIVERS\v2imount.sys [2007-03-28 37864]
R2 wg3n;SyGate for NT, wg3n; C:\WINDOWS\SYSTEM32\Drivers\wg3n.sys [2004-10-15 14568]
R2 wg4n;SyGate for NT, wg4n; C:\WINDOWS\SYSTEM32\Drivers\wg4n.sys [2004-10-15 14568]
R2 wg5n;SyGate for NT, wg5n; C:\WINDOWS\SYSTEM32\Drivers\wg5n.sys [2004-10-15 14568]
R2 wg6n;SyGate for NT, wg6n; C:\WINDOWS\SYSTEM32\Drivers\wg6n.sys [2004-10-15 14568]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2004-08-04 60800]
R3 ElbyCDFL;ElbyCDFL; C:\WINDOWS\System32\Drivers\ElbyCDFL.sys [2002-11-28 15360]
R3 GEARAspiWDM;GearAspiWDM; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2007-03-28 15664]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-11-03 4394496]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-03-07 6704096]
R3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\WINDOWS\system32\DRIVERS\NVENETFD.sys [2006-02-17 34176]
R3 nvnetbus;NVIDIA Network Bus Enumerator; C:\WINDOWS\system32\DRIVERS\nvnetbus.sys [2006-02-17 13056]
R3 ROOTMODEM;Microsoft Legacy Modem Driver; C:\WINDOWS\System32\Drivers\RootMdm.sys [2001-08-23 5888]
R3 tunmp;Microsoft Tun Miniport Adapter Driver; C:\WINDOWS\system32\DRIVERS\tunmp.sys [2004-08-04 12416]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2004-08-03 17024]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 a119anxr;a119anxr; C:\WINDOWS\system32\drivers\a119anxr.sys []
S3 BthEnum;Bluetooth Request Block Driver; C:\WINDOWS\system32\DRIVERS\BthEnum.sys [2004-08-03 17024]
S3 BTHMODEM;Bluetooth Modem Communications Driver; C:\WINDOWS\system32\DRIVERS\bthmodem.sys [2004-08-03 38016]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\WINDOWS\system32\DRIVERS\bthpan.sys [2004-08-03 100992]
S3 BTHPORT;Bluetooth Port Driver; C:\WINDOWS\System32\Drivers\BTHport.sys [2004-08-03 274304]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\WINDOWS\System32\Drivers\BTHUSB.sys [2004-08-03 18944]
S3 EverestDriver;Lavalys EVEREST Kernel Driver; \??\K:\suhun\soft\Everest 4.50\kerneld.wnt []
S3 gdrv;gdrv; \??\C:\WINDOWS\gdrv.sys []
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
S3 mbr;mbr; \??\C:\DOCUME~1\user\LOCALS~1\Temp\mbr.sys []
S3 NETMDUSB;Net MD; C:\WINDOWS\System32\Drivers\NETMDUSB.sys [2002-08-08 38951]
S3 nmwcd;Nokia USB Phone Parent; C:\WINDOWS\system32\drivers\ccdcmb.sys [2009-02-09 17664]
S3 nmwcdc;Nokia USB Generic; C:\WINDOWS\system32\drivers\ccdcmbo.sys [2009-02-09 22016]
S3 pccsmcfd;PCCS Mode Change Filter Driver; C:\WINDOWS\system32\DRIVERS\pccsmcfd.sys [2008-08-26 18816]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\WINDOWS\system32\DRIVERS\rfcomm.sys [2004-08-03 59648]
S3 upperdev;upperdev; C:\WINDOWS\system32\DRIVERS\usbser_lowerflt.sys [2009-02-09 7808]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 usbser;USB Modem Driver; C:\WINDOWS\system32\drivers\usbser.sys [2004-08-03 25600]
S3 UsbserFilt;UsbserFilt; C:\WINDOWS\system32\DRIVERS\usbser_lowerfltj.sys [2009-02-09 7808]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 VProEventMonitor;Symantec Event Monitor Driver; C:\WINDOWS\system32\DRIVERS\vproeventmonitor.sys [2007-03-28 14072]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2008-03-27 503008]
S3 WimFltr;WimFltr; C:\WINDOWS\system32\DRIVERS\wimfltr.sys [2007-03-28 128104]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2008-01-18 83328]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\system32\DRIVERS\sr.sys [2004-08-03 73472]
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 6to4;IPv6 Helper Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 AdobeActiveFileMonitor5.0;Adobe Active File Monitor V5; D:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe [2006-09-14 102400]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler; C:\Program Files\Avira\AntiVir Desktop\sched.exe [2009-06-10 108289]
R2 AntiVirService;Avira AntiVir Guard; C:\Program Files\Avira\AntiVir Desktop\avguard.exe [2009-08-05 185089]
R2 BthServ;Bluetooth Support Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
R2 gearsec;gearsec; C:\WINDOWS\system32\gearsec.exe [2003-01-27 49152]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-02-28 153376]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 Norton Ghost;Norton Ghost; C:\Program Files\Norton Ghost\Agent\VProSvc.exe [2007-03-28 3290728]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-03-07 163908]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
R2 SmcService;Sygate Personal Firewall; C:\Program Files\Sygate\SPF\smc.exe [2004-10-15 2577632]
R2 UserAccess7;SecuROM User Access Service (V7); C:\WINDOWS\system32\UAService7.exe [2010-01-06 126976]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2010-03-03 69632]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2005-09-23 29896]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2005-09-23 66240]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2006-10-20 36864]
S3 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-08-24 137200]
S3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2006-10-30 741376]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe [2003-12-09 65625]
S3 ServiceLayer;ServiceLayer; C:\Program Files\PC Connectivity Solution\ServiceLayer.exe [2009-06-02 637952]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe [2003-12-09 65622]
S4 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2007-09-07 503608]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2006-10-30 122880]

-----------------EOF-----------------
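A small triage helper for the driver/service list format in the log above, added here as an example; it is not part of the thread and not code from the RSIT tool. It parses each line using the legend in the section header and flags the entries a helper would look at first (no recorded file date/size, loaded from a temp directory, loaded from outside the usual roots); the trusted-root list is an assumption for this particular machine, and the sample lines are copied from the log.

```python
"""Parse RSIT-style driver/service list lines and flag entries worth a closer look."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Legend from the section header: R=Running, S=Stopped; 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled
STATES = {"R": "Running", "S": "Stopped"}
START_TYPES = {"0": "Boot", "1": "System", "2": "Auto", "3": "Demand", "4": "Disabled"}

# <state><start> <name>;<display name>; <path> [<file date> <size>]  (brackets empty when unreadable)
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);\s*"
    r"(?P<path>.*?)\s*\[(?P<meta>[^\]]*)\]\s*$"
)

# Assumption for this example: on this XP box C:\ is the system drive and D:\Program Files
# holds installed applications, so anything outside these roots is worth a second look.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "d:\\program files\\")


@dataclass
class Entry:
    state: str            # "Running" / "Stopped"
    start_type: str       # "Boot", "System", "Auto", "Demand", "Disabled"
    name: str
    display: str
    path: str             # image path with any \??\ prefix removed
    file_date: Optional[str] = None
    file_size: Optional[int] = None
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one list line, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    if path.startswith("\\??\\"):       # NT object-manager prefix used for absolute ImagePaths
        path = path[4:]
    date, size = None, None
    parts = m.group("meta").split()     # "[2009-03-30 96104]" -> date and size; "[]" -> nothing
    if parts:
        date = parts[0]
        if len(parts) > 1 and parts[1].isdigit():
            size = int(parts[1])
    return Entry(STATES[m.group("state")], START_TYPES[m.group("start")],
                 m.group("name").strip(), m.group("display").strip(), path, date, size)


def flag_entry(e: Entry) -> List[str]:
    """Heuristic review flags: prompts to look closer, not verdicts (a scanner's own
    helper driver, such as mbr.sys dropped in Temp by the MBR tool, will also trip them)."""
    flags = []
    lower = e.path.lower()
    if e.file_date is None:
        flags.append("no file date/size recorded (file missing, hidden or unreadable)")
    if "\\temp\\" in lower or "\\tmp\\" in lower:
        flags.append("loads from a temporary directory")
    if not lower.startswith(TRUSTED_ROOTS):
        flags.append("loads from outside the usual Windows/Program Files roots")
    if e.state == "Running" and e.file_date is None:
        flags.append("running, yet its image file could not be read")
    return flags


def triage(text: str) -> List[Entry]:
    """Parse a whole list section and return only the entries that raised a flag."""
    flagged = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        e.flags = flag_entry(e)
        if e.flags:
            flagged.append(e)
    return flagged


# Sample input: a handful of lines copied from the driver list in this thread.
SAMPLE = r"""
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 avgio;avgio; \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys []
R1 avipbb;avipbb; C:\WINDOWS\system32\DRIVERS\avipbb.sys [2009-03-30 96104]
S3 EverestDriver;Lavalys EVEREST Kernel Driver; \??\K:\suhun\soft\Everest 4.50\kerneld.wnt []
S3 mbr;mbr; \??\C:\DOCUME~1\user\LOCALS~1\Temp\mbr.sys []
S4 vsdatant;vsdatant; C:\WINDOWS\system32\drivers\vsdatant.sys []
"""

if __name__ == "__main__":
    for e in triage(SAMPLE):
        print(f"{e.name:14} {e.state}/{e.start_type:8} {e.path}")
        for f in e.flags:
            print("    -", f)
```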


#9 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:59 PM

Posted 07 March 2010 - 09:57 PM

Ah, there we go, now I see something.

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed, click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix



#10 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts
  • Local time:02:59 AM

Posted 07 March 2010 - 10:17 PM

ComboFix 10-03-07.02 - user 08/03/2010 11:09:00.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.3327.2896 [GMT 8:00]
Running from: c:\documents and settings\user\Desktop\Temp\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: Sygate Personal Firewall *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\LOG.TXT
c:\windows\system32\sySInfo.ocx
c:\windows\xobglu16.dll

.
((((((((((((((((((((((((( Files Created from 2010-02-08 to 2010-03-08 )))))))))))))))))))))))))))))))
.

2010-03-07 14:18 . 2010-03-07 15:13 -------- d-----w- C:\rsit
2010-03-06 21:33 . 2010-03-06 21:33 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Symantec_Corporation
2010-03-06 21:33 . 2010-03-06 21:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\Symantec
2010-03-06 21:31 . 2010-03-06 21:31 102968 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 14:09 . 2010-03-03 14:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Adobe Systems
2010-03-03 14:08 . 2010-03-03 14:08 -------- d-----w- c:\program files\Common Files\Adobe Systems Shared
2010-03-03 12:28 . 2010-03-03 12:28 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-03-03 12:28 . 2010-01-07 08:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-03 12:28 . 2010-03-03 12:28 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-03-03 12:28 . 2010-01-07 08:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-03 08:43 . 2010-03-03 08:43 -------- d-----w- c:\documents and settings\user\Application Data\vlc
2010-03-03 08:43 . 2010-03-03 08:43 -------- d-----w- c:\program files\VideoLAN
2010-02-28 05:42 . 2010-02-28 05:42 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59cca25a-n\msvcp71.dll
2010-02-28 05:42 . 2010-02-28 05:42 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59cca25a-n\jmc.dll
2010-02-28 05:42 . 2010-02-28 05:42 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-59cca25a-n\msvcr71.dll
2010-02-28 05:42 . 2010-02-28 05:42 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19a9f020-n\decora-sse.dll
2010-02-28 05:42 . 2010-02-28 05:42 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-19a9f020-n\decora-d3d.dll
2010-02-28 05:42 . 2010-02-28 05:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-28 01:45 . 2010-02-28 02:18 -------- d-----w- c:\documents and settings\user\Application Data\AccurateRip

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-07 06:05 . 2007-06-10 09:35 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2010-03-06 22:07 . 2007-06-10 01:54 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-03 15:57 . 2007-06-09 04:51 102968 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-03 14:08 . 2007-06-10 01:49 -------- d-----w- c:\program files\Common Files\Adobe
2010-03-03 13:10 . 2009-09-25 13:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Thunder Network
2010-03-03 08:40 . 2007-09-16 12:59 -------- d-----w- c:\program files\Xvid
2010-03-03 08:29 . 2007-09-16 10:34 -------- d-----w- c:\program files\Real Alternative
2010-03-03 06:18 . 2009-12-16 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-03-03 02:48 . 2007-09-14 13:23 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-02-28 05:42 . 2007-06-10 06:33 -------- d-----w- c:\program files\Common Files\Java
2010-02-28 05:42 . 2007-06-10 06:36 -------- d-----w- c:\program files\Java
2010-02-28 02:57 . 2009-12-17 16:21 -------- d-----w- c:\documents and settings\user\Application Data\HPAppData
2010-02-17 08:28 . 2009-11-13 03:27 -------- d-----w- c:\program files\MetaTrader - Alpari UK
2010-01-24 11:34 . 2010-01-24 11:34 -------- d-----w- c:\documents and settings\All Users\Application Data\TSLOG
2010-01-06 10:15 . 2009-12-06 10:52 126976 ----a-w- c:\windows\system32\UAService7.exe
2010-01-03 11:48 . 2007-08-18 08:26 59 ----a-w- c:\windows\popcinfo.dat
2009-09-24 10:04 . 2009-09-25 13:38 75568 ----a-w- c:\program files\mozilla firefox\components\ThunderComponent.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2008-01-12 10:48 . 2008-01-12 10:48 24 --sh--w- c:\windows\SE22510B0.tmp
.

------- Sigcheck -------

[-] 2007-06-10 . 3F7F33CE20775DE95E17005532E51298 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2007-06-10 . 3F7F33CE20775DE95E17005532E51298 . 359040 . . [5.1.2600.2180] . . c:\windows\system32\dllcache\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 16269312]
"SkyTel"="SkyTel.EXE" [2006-05-16 2879488]
"nwiz"="nwiz.exe" [2007-03-07 1622016]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-03-07 8425472]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 110592]
"Norton Ghost 12.0"="c:\program files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 2037352]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2004-08-03 143360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-13 18:12 483328 ----a-w- d:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"e:\\Torrentials\\utorrent.exe"=
"d:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"e:\\Torrentials\\utorrent_1.8.1.exe"=
"e:\\Torrentials\\utorrent_1.8.2.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [02/05/2009 15:32 108289]
S0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [18/08/2007 14:37 682232]
S2 gearsec;gearsec;c:\windows\system32\gearsec.exe [27/01/2003 17:40 49152]
S3 EverestDriver;Lavalys EVEREST Kernel Driver;k:\suhun\Soft\Everest 4.50\kerneld.wnt [14/08/2009 01:17 23152]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-03-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1957994488-920026266-725345543-1003.job
- c:\documents and settings\user\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-05-29 14:13]
.
.
------- Supplementary Scan -------
.
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - d:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: ?????? - d:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: ?????????? - d:\program files\Thunder Network\Thunder\Program\getallurl.htm
TCP: {6E18A1B8-AF81-4F35-8B38-4B41580DF855} = 202.188.0.133,202.188.1.5
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\a8ubbr94.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start2.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\documents and settings\user\Local Settings\Application Data\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(221).dll
FF - plugin: c:\program files\Windows Media Player\np-mswmp.dll
FF - plugin: d:\program files\iTunes\Mozilla Plugins\npitunes.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-08 11:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\EverestDriver]
"ImagePath"="\??\k:\suhun\soft\Everest 4.50\kerneld.wnt"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2010-03-08 11:13:06
ComboFix-quarantined-files.txt 2010-03-08 03:13

Pre-Run: 69,964,206,080 bytes free
Post-Run: 69,929,844,736 bytes free

- - End Of File - - 924D4AE9AB78439CFD7F043EC27E2CC4


#11 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts
  • Local time:02:59 AM

Posted 07 March 2010 - 10:21 PM

Combofix appeared to proceed with the scanning when it failed to download the Microsoft Recovery Console.

#12 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:59 PM

Posted 07 March 2010 - 10:32 PM

I have had the recovery console fail to download in a few topics today; I think the infection must be stopping it. Don't worry about that for now.
  • Go to Kaspersky and Download TDSSKiller.zip.
  • Extract the contents of TDSSKiller.zip to your Desktop.
  • Double click on TDSSKiller.exe to run it.
  • If it finds something and asks you what to do, follow the instructions to type in "delete".
  • When done, a log file called TDSSKiller.txt should be created on your C: drive. Please post this log in your next reply.
Then please run MBR Rootkit Scan again and post the new mbr log, along with TDSSKiller.txt.

Thanks

Edited by syler, 07 March 2010 - 10:43 PM.



#13 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts
  • Local time:02:59 AM

Posted 07 March 2010 - 10:42 PM

I think you forgot to write down the line which I should copy and paste in the "run" box before double-clicking TDSSKiller.exe

#14 syler

syler

  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:07:59 PM

Posted 07 March 2010 - 10:45 PM

Sorry, I changed that speech earlier and didn't do it right. I have edited my post; it should be ok now.



#15 kerrylin16

kerrylin16
  • Topic Starter

  • Members
  • 23 posts
  • Local time:02:59 AM

Posted 07 March 2010 - 10:47 PM

11:45:02:421 2108 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
11:45:02:421 2108 ================================================================================
11:45:02:421 2108 SystemInfo:

11:45:02:421 2108 OS Version: 5.1.2600 ServicePack: 2.0
11:45:02:421 2108 Product type: Workstation
11:45:02:421 2108 ComputerName: SUHUN2
11:45:02:421 2108 UserName: user
11:45:02:421 2108 Windows directory: C:\WINDOWS
11:45:02:421 2108 Processor architecture: Intel x86
11:45:02:421 2108 Number of processors: 2
11:45:02:421 2108 Page size: 0x1000
11:45:02:421 2108 Boot type: Normal boot
11:45:02:421 2108 ================================================================================
11:45:02:421 2108 UnloadDriverW: NtUnloadDriver error 2
11:45:02:421 2108 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
11:45:02:437 2108 Initialize success
11:45:02:437 2108
11:45:02:437 2108 Scanning Services ...
11:45:02:437 2108 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
11:45:02:437 2108 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:45:02:437 2108 wfopen_ex: Trying to KLMD file open
11:45:02:437 2108 wfopen_ex: File opened ok (Flags 2)
11:45:02:437 2108 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
11:45:02:437 2108 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
11:45:02:437 2108 wfopen_ex: Trying to KLMD file open
11:45:02:437 2108 wfopen_ex: File opened ok (Flags 2)
11:45:02:484 2108 GetAdvancedServicesInfo: Raw services enum returned 366 services
11:45:02:484 2108 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
11:45:02:484 2108 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
11:45:02:484 2108
11:45:02:484 2108 Scanning Kernel memory ...
11:45:02:484 2108 Devices to scan: 14
11:45:02:484 2108
11:45:02:484 2108 Driver Name: Disk
11:45:02:484 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:484 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:484 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:484 2108 IRP_MJ_READ : BA908D9B
11:45:02:484 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:484 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:484 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:484 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:484 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:484 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:484 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:484 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:484 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:484 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:484 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:484 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:484 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:484 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:484 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:484 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:484 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:484 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:484 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:484 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:484 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:484 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:484 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:500 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:500 2108 sion
11:45:02:500 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:500 2108
11:45:02:500 2108 Driver Name: Disk
11:45:02:500 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:500 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:500 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:500 2108 IRP_MJ_READ : BA908D9B
11:45:02:500 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:500 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:500 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:500 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:500 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:500 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:500 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:500 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:500 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:500 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:500 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:500 2108 sion
11:45:02:500 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:500 2108
11:45:02:500 2108 Driver Name: Disk
11:45:02:500 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:500 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:500 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:500 2108 IRP_MJ_READ : BA908D9B
11:45:02:500 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:500 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:500 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:500 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:500 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:500 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:500 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:500 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:500 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:500 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:500 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:500 2108 sion
11:45:02:500 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:500 2108
11:45:02:500 2108 Driver Name: Disk
11:45:02:500 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:500 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:500 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:500 2108 IRP_MJ_READ : BA908D9B
11:45:02:500 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:500 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:500 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:500 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:500 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:500 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:500 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:500 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:500 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:500 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:500 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:500 2108 sion
11:45:02:500 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:500 2108
11:45:02:500 2108 Driver Name: Disk
11:45:02:500 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:500 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:500 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:500 2108 IRP_MJ_READ : BA908D9B
11:45:02:500 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:500 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:500 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:500 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:500 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:500 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:500 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:500 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:500 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:500 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:500 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:500 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:500 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:500 2108 sion
11:45:02:500 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:500 2108
11:45:02:500 2108 Driver Name: Disk
11:45:02:500 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:500 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:500 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:500 2108 IRP_MJ_READ : BA908D9B
11:45:02:500 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:500 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:500 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:500 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: Disk
11:45:02:515 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:515 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:515 2108 IRP_MJ_READ : BA908D9B
11:45:02:515 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: Disk
11:45:02:515 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:515 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:515 2108 IRP_MJ_READ : BA908D9B
11:45:02:515 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: Disk
11:45:02:515 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:515 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:515 2108 IRP_MJ_READ : BA908D9B
11:45:02:515 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: Disk
11:45:02:515 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:515 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:515 2108 IRP_MJ_READ : BA908D9B
11:45:02:515 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: Disk
11:45:02:515 2108 IRP_MJ_CREATE : BA90EC30
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:515 2108 IRP_MJ_CLOSE : BA90EC30
11:45:02:515 2108 IRP_MJ_READ : BA908D9B
11:45:02:515 2108 IRP_MJ_WRITE : BA908D9B
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA909366
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA90944D
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA90CFC3
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA909366
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:515 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:515 2108 IRP_MJ_POWER : BA90AEF3
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA90FA24
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:515 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:515 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:515 2108 sion
11:45:02:515 2108 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
11:45:02:515 2108
11:45:02:515 2108 Driver Name: nvata
11:45:02:515 2108 IRP_MJ_CREATE : BA6F2894
11:45:02:515 2108 IRP_MJ_CREATE_NAMED_PIPE : BA6F2874
11:45:02:515 2108 IRP_MJ_CLOSE : BA6F2894
11:45:02:515 2108 IRP_MJ_READ : BA6F2874
11:45:02:515 2108 IRP_MJ_WRITE : BA6F2874
11:45:02:515 2108 IRP_MJ_QUERY_INFORMATION : BA6F2874
11:45:02:515 2108 IRP_MJ_SET_INFORMATION : BA6F2874
11:45:02:515 2108 IRP_MJ_QUERY_EA : BA6F2874
11:45:02:515 2108 IRP_MJ_SET_EA : BA6F2874
11:45:02:515 2108 IRP_MJ_FLUSH_BUFFERS : BA6F2874
11:45:02:515 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : BA6F2874
11:45:02:515 2108 IRP_MJ_SET_VOLUME_INFORMATION : BA6F2874
11:45:02:515 2108 IRP_MJ_DIRECTORY_CONTROL : BA6F2874
11:45:02:515 2108 IRP_MJ_FILE_SYSTEM_CONTROL : BA6F2874
11:45:02:515 2108 IRP_MJ_DEVICE_CONTROL : BA6F28AE
11:45:02:515 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA6F2D4E
11:45:02:515 2108 IRP_MJ_SHUTDOWN : BA6F2874
11:45:02:515 2108 IRP_MJ_LOCK_CONTROL : BA6F2874
11:45:02:515 2108 IRP_MJ_CLEANUP : BA6F2874
11:45:02:515 2108 IRP_MJ_CREATE_MAILSLOT : BA6F2874
11:45:02:515 2108 IRP_MJ_QUERY_SECURITY : BA6F2874
11:45:02:515 2108 IRP_MJ_SET_SECURITY : BA6F2874
11:45:02:515 2108 IRP_MJ_POWER : BA6F2CEE
11:45:02:515 2108 IRP_MJ_SYSTEM_CONTROL : BA6F2A7C
11:45:02:515 2108 IRP_MJ_DEVICE_CHANGE : BA6F2874
11:45:02:515 2108 IRP_MJ_QUERY_QUOTA : BA6F2874
11:45:02:515 2108 IRP_MJ_SET_QUOTA : BA6F2874
11:45:02:531 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:531 2108 sion
11:45:02:531 2108 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Clean
11:45:02:531 2108
11:45:02:531 2108 Driver Name: nvata
11:45:02:531 2108 IRP_MJ_CREATE : BA6F2894
11:45:02:531 2108 IRP_MJ_CREATE_NAMED_PIPE : BA6F2874
11:45:02:531 2108 IRP_MJ_CLOSE : BA6F2894
11:45:02:531 2108 IRP_MJ_READ : BA6F2874
11:45:02:531 2108 IRP_MJ_WRITE : BA6F2874
11:45:02:531 2108 IRP_MJ_QUERY_INFORMATION : BA6F2874
11:45:02:531 2108 IRP_MJ_SET_INFORMATION : BA6F2874
11:45:02:531 2108 IRP_MJ_QUERY_EA : BA6F2874
11:45:02:531 2108 IRP_MJ_SET_EA : BA6F2874
11:45:02:531 2108 IRP_MJ_FLUSH_BUFFERS : BA6F2874
11:45:02:531 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : BA6F2874
11:45:02:531 2108 IRP_MJ_SET_VOLUME_INFORMATION : BA6F2874
11:45:02:531 2108 IRP_MJ_DIRECTORY_CONTROL : BA6F2874
11:45:02:531 2108 IRP_MJ_FILE_SYSTEM_CONTROL : BA6F2874
11:45:02:531 2108 IRP_MJ_DEVICE_CONTROL : BA6F28AE
11:45:02:531 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA6F2D4E
11:45:02:531 2108 IRP_MJ_SHUTDOWN : BA6F2874
11:45:02:531 2108 IRP_MJ_LOCK_CONTROL : BA6F2874
11:45:02:531 2108 IRP_MJ_CLEANUP : BA6F2874
11:45:02:531 2108 IRP_MJ_CREATE_MAILSLOT : BA6F2874
11:45:02:531 2108 IRP_MJ_QUERY_SECURITY : BA6F2874
11:45:02:531 2108 IRP_MJ_SET_SECURITY : BA6F2874
11:45:02:531 2108 IRP_MJ_POWER : BA6F2CEE
11:45:02:531 2108 IRP_MJ_SYSTEM_CONTROL : BA6F2A7C
11:45:02:531 2108 IRP_MJ_DEVICE_CHANGE : BA6F2874
11:45:02:531 2108 IRP_MJ_QUERY_QUOTA : BA6F2874
11:45:02:531 2108 IRP_MJ_SET_QUOTA : BA6F2874
11:45:02:546 2108 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
11:45:02:546 2108 sion
11:45:02:546 2108 C:\WINDOWS\system32\DRIVERS\nvata.sys - Verdict: Clean
11:45:02:546 2108
11:45:02:546 2108 Driver Name: atapi
11:45:02:546 2108 IRP_MJ_CREATE : BA715572
11:45:02:546 2108 IRP_MJ_CREATE_NAMED_PIPE : 804F4282
11:45:02:546 2108 IRP_MJ_CLOSE : BA715572
11:45:02:546 2108 IRP_MJ_READ : 804F4282
11:45:02:546 2108 IRP_MJ_WRITE : 804F4282
11:45:02:546 2108 IRP_MJ_QUERY_INFORMATION : 804F4282
11:45:02:546 2108 IRP_MJ_SET_INFORMATION : 804F4282
11:45:02:546 2108 IRP_MJ_QUERY_EA : 804F4282
11:45:02:546 2108 IRP_MJ_SET_EA : 804F4282
11:45:02:546 2108 IRP_MJ_FLUSH_BUFFERS : 804F4282
11:45:02:546 2108 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4282
11:45:02:546 2108 IRP_MJ_SET_VOLUME_INFORMATION : 804F4282
11:45:02:546 2108 IRP_MJ_DIRECTORY_CONTROL : 804F4282
11:45:02:546 2108 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4282
11:45:02:546 2108 IRP_MJ_DEVICE_CONTROL : BA715592
11:45:02:546 2108 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA7117B4
11:45:02:546 2108 IRP_MJ_SHUTDOWN : 804F4282
11:45:02:546 2108 IRP_MJ_LOCK_CONTROL : 804F4282
11:45:02:546 2108 IRP_MJ_CLEANUP : 804F4282
11:45:02:546 2108 IRP_MJ_CREATE_MAILSLOT : 804F4282
11:45:02:546 2108 IRP_MJ_QUERY_SECURITY : 804F4282
11:45:02:546 2108 IRP_MJ_SET_SECURITY : 804F4282
11:45:02:546 2108 IRP_MJ_POWER : BA7155BC
11:45:02:546 2108 IRP_MJ_SYSTEM_CONTROL : BA71C164
11:45:02:546 2108 IRP_MJ_DEVICE_CHANGE : 804F4282
11:45:02:546 2108 IRP_MJ_QUERY_QUOTA : 804F4282
11:45:02:546 2108 IRP_MJ_SET_QUOTA : 804F4282
11:45:02:546 2108 siohd: 0
11:45:02:546 2108 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Clean
11:45:02:546 2108
11:45:02:546 2108 Completed
11:45:02:546 2108
11:45:02:546 2108 Results:
11:45:02:546 2108 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
11:45:02:546 2108 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
11:45:02:546 2108 File objects infected / cured / cured on reboot: 0 / 0 / 0
11:45:02:546 2108
11:45:02:546 2108 KLMD(ARK) unloaded successfully



Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK




