
Infected with Mkolea virus, I think


  • This topic is locked
10 replies to this topic

#1 jokerspath

jokerspath

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 11 March 2010 - 02:54 PM

Hello. My name is Andrew. Thanks for taking a look.

I was trying to install some codec for Windows Media Player after trying to open a video and I think I contracted some nasty virus called Mkolea that is slowing me down considerably and giving me the blue screen every time I try to run GMER. Ran it in safe mode to get the results, which follow the DDS stuff. THANX

Here's my DDS:


DDS (Ver_09-12-01.01) - NTFSx86
Run by Andrew at 10:23:15.50 on Wed 03/10/2010
Internet Explorer: 7.0.6002.18005
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1426 [GMT -8:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Windows\system32\lsm.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Users\Andrew\AppData\Local\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\notepad.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\AVG\AVG9\avgscanx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\iTunes\iTunes.exe
C:\Windows\system32\mcbuilder.exe
C:\Windows\system32\taskeng.exe
C:\Users\Andrew\AppData\Local\Temp\Mrp.exe
C:\Windows\system32\ctfmon.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\SyncServer.exe
C:\Users\Andrew\Documents\Downloads\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
mDefault_Page_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Microsoft Live Search Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Microsoft Live Search Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.0541.0\msneshellx.dll
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
uRun: [LightScribe Control Panel] c:\program files\common files\lightscribe\LightScribeControlPanel.exe -hidden
uRun: [Google Update] "c:\users\andrew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [TOY5KNQ8OC] c:\users\andrew\appdata\local\temp\Mrp.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QPService] "c:\program files\hp\quickplay\QPService.exe"
mRun: [UpdateLBPShortCut] "c:\program files\cyberlink\labelprint\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\labelprint" updatewithcreateonce "software\cyberlink\labelprint\2.5"
mRun: [UpdatePSTShortCut] "c:\program files\cyberlink\dvd suite\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\dvd suite" updatewithcreateonce "software\cyberlink\PowerStarter"
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [QlbCtrl.exe] c:\program files\hewlett-packard\hp quick launch buttons\QlbCtrl.exe /Start
mRun: [UpdateP2GoShortCut] "c:\program files\cyberlink\power2go\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\power2go" updatewithcreateonce "software\cyberlink\power2go\6.0"
mRun: [UpdatePDIRShortCut] "c:\program files\cyberlink\powerdirector\muitransfer\muistartmenu.exe" "c:\program files\cyberlink\powerdirector" updatewithcreateonce "software\cyberlink\powerdirector\7.0"
mRun: [HP Health Check Scheduler] c:\program files\hewlett-packard\hp health check\HPHC_Scheduler.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpWirelessAssistant] c:\program files\hewlett-packard\hp wireless assistant\HPWAMain.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
TCP: NameServer = 93.188.162.23,93.188.161.52
TCP: {705F09E2-C31B-4BE5-B8FD-B98333A1B7F2} = 93.188.162.23,93.188.161.52
TCP: {CE038F87-44A1-4970-AD93-91CFFF26CBB5} = 93.188.162.23,93.188.161.52
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: avgrsstx.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-15 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-15 28424]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-15 360584]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\avg\avg9\avgemc.exe [2009-11-14 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2009-11-14 285392]
R2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\sminst\BLService.exe [2008-10-23 365952]
R3 Com4QLBEx;Com4QLBEx;c:\program files\hewlett-packard\hp quick launch buttons\Com4QLBEx.exe [2008-10-23 193840]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-6-29 112128]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [2010-2-17 84832]
S3 FontCache;Windows Font Cache Service;c:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation [2008-1-20 21504]

=============== Created Last 30 ================

2010-03-10 18:19:59 0 ----a-w- c:\users\andrew\defogger_reenable
2010-03-10 18:08:19 0 d-----w- c:\program files\Trend Micro
2010-03-10 17:50:05 0 d-----w- c:\program files\TrendMicro
2010-03-09 19:08:48 152064 ----a-w- c:\windows\Mkolea.exe
2010-02-24 21:52:41 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 21:52:40 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-24 21:52:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 21:52:31 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 21:52:30 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 21:52:24 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 21:52:22 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 21:52:22 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 21:52:22 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 21:52:22 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 21:52:22 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 21:52:22 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 21:51:09 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-18 17:50:27 45360330 ----a-w- c:\users\andrew\Balene a Phantom Sea.pdf
2010-02-17 21:09:33 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-02-17 21:09:33 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-17 21:09:29 0 d-----w- c:\program files\Free DVD Ripper
2010-02-17 20:57:38 0 d-----w- c:\users\andrew\stairs
2010-02-10 07:31:50 98816 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-02-10 07:31:50 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-02-10 07:31:28 3600456 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-10 07:31:27 3548216 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 07:30:55 212992 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-02-10 07:30:55 105984 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-10 07:28:16 904776 ----a-w- c:\windows\system32\drivers\tcpip.sys
2010-02-10 07:28:15 30720 ----a-w- c:\windows\system32\drivers\tcpipreg.sys
2010-02-10 07:28:11 82944 ----a-w- c:\windows\system32\mciavi32.dll
2010-02-10 07:28:11 50176 ----a-w- c:\windows\system32\iyuv_32.dll
2010-02-10 07:28:11 31744 ----a-w- c:\windows\system32\msvidc32.dll
2010-02-10 07:28:11 22528 ----a-w- c:\windows\system32\msyuv.dll
2010-02-10 07:28:11 13312 ----a-w- c:\windows\system32\msrle32.dll
2010-02-10 07:28:11 1314816 ----a-w- c:\windows\system32\quartz.dll
2010-02-10 07:28:11 123904 ----a-w- c:\windows\system32\msvfw32.dll
2010-02-10 07:28:11 12288 ----a-w- c:\windows\system32\tsbyuv.dll
2010-02-10 07:28:10 91136 ----a-w- c:\windows\system32\avifil32.dll
2010-02-09 02:24:58 312696 ----a-w- c:\users\andrew\2009TaxReturn.PDF

==================== Find3M ====================

2009-12-18 13:01:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-12-16 11:44:23 834048 ----a-w- c:\windows\system32\wininet.dll
2009-11-18 23:07:55 665600 ----a-w- c:\windows\inf\drvindex.dat
2009-11-18 23:07:55 51200 ----a-w- c:\windows\inf\infpub.dat
2009-11-18 23:07:54 86016 ----a-w- c:\windows\inf\infstor.dat
2009-11-18 23:07:54 143360 ----a-w- c:\windows\inf\infstrng.dat
2008-01-21 02:43:21 174 --sha-w- c:\program files\desktop.ini
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42:02 30674 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42:02 287440 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2008-10-23 10:05:14 8192 --sha-w- c:\windows\users\default\NTUSER.DAT

============= FINISH: 10:25:59.96 ===============

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-12 07:55:52
Windows 6.0.6002 Service Pack 2
Running: gmer.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\uwryqpob.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\Windows\system32\drivers\atapi.sys entry point in ".rsrc" section [0x822DC000]

---- Files - GMER 1.0.15 ----

File C:\Windows\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

Edited by jokerspath, 12 March 2010 - 11:02 AM.
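As an added example, not part of the original thread and not code from DDS, GMER or the helper, here is a small Python triage script for the DDS log format posted above. It parses lines in the "Pseudo HJT Report" (uRun/mRun/TCP NameServer) and "Created Last 30" styles and flags the entry types a log reviewer checks first: a Run entry whose target sits in a Temp folder, a Run value name that looks randomly generated, an executable created directly in the Windows folder, and statically configured DNS servers. The sample lines are constructed from the log above; the heuristics and thresholds (eight or more uppercase alphanumerics with at least two digits, and so on) are my own assumptions and only mark entries for a human to review, not verdicts.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a handful of lines in DDS "Pseudo HJT Report" and
# "Created Last 30" format, copied from the log in the post above.
SAMPLE_LOG = r"""
uRun: [Google Update] "c:\users\andrew\appdata\local\google\update\GoogleUpdate.exe" /c
uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe"
uRun: [TOY5KNQ8OC] c:\users\andrew\appdata\local\temp\Mrp.exe
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
TCP: NameServer = 93.188.162.23,93.188.161.52
2010-03-09 19:08:48 152064 ----a-w- c:\windows\Mkolea.exe
2010-02-24 21:52:41 1696256 ----a-w- c:\windows\system32\gameux.dll
"""

# Line shapes used by DDS (assumed from the posted log, not an official spec).
RUN_RE = re.compile(r'^[um]Run:\s+\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$')
DNS_RE = re.compile(r'^TCP:\s+NameServer\s*=\s*(?P<servers>[\d.,]+)')
CREATED_RE = re.compile(
    r'^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$')

# Heuristic (my assumption): value names like "TOY5KNQ8OC" are long,
# all-caps alphanumeric and mix in several digits.
RANDOM_NAME_RE = re.compile(r'[A-Z0-9]{8,}')


def target_of(cmd: str) -> str:
    """Return the executable path from a Run command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, then arguments
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r'(.*?\.exe)', cmd, re.IGNORECASE)  # unquoted path with spaces
    return m.group(1) if m else cmd.split()[0]


def looks_random(name: str) -> bool:
    return bool(RANDOM_NAME_RE.fullmatch(name)) and sum(c.isdigit() for c in name) >= 2


def triage(log_text: str):
    """Return a list of (rule, detail) findings in the order they occur."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RUN_RE.match(line)
        if m:
            name, exe = m.group('name'), target_of(m.group('cmd'))
            dirs = [p.lower() for p in PureWindowsPath(exe).parts[:-1]]
            if 'temp' in dirs or 'tmp' in dirs:     # autorun from a scratch folder
                findings.append(('run_from_temp', f'{name} -> {exe}'))
            if looks_random(name):
                findings.append(('random_run_name', name))
            continue

        m = DNS_RE.match(line)
        if m:
            # Static resolvers deserve a check against what the network should use.
            findings.append(('static_dns', m.group('servers')))
            continue

        m = CREATED_RE.match(line)
        if m:
            p = PureWindowsPath(m.group('path'))
            if p.suffix.lower() == '.exe' and str(p.parent).lower() == r'c:\windows':
                findings.append(('new_exe_in_windows_root', str(p)))
    return findings


if __name__ == '__main__':
    for rule, detail in triage(SAMPLE_LOG):
        print(f'{rule:25} {detail}')
```

Run it as-is to see the four flagged entries; for a real log, pass the whole file's text to `triage()`. The rules are deliberately narrow so that the vendor autoruns in the same log (AVG, HP, Google Update) produce no noise.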


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 13 March 2010 - 04:18 PM

Hello, jokerspath.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following steps so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 jokerspath

jokerspath
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 15 March 2010 - 03:27 PM

Thanks so much for your reply, aommaster. I should note that I was unable to find the option for word-wrap text.

I've been trying to complete a GMER scan for days and it keeps going to Blue screen. When I finally completed a scan it said "the system has not been modified" or something along those lines and then crashed moments later. I saved what was on the screen but it only gave me a blank notepad text.

Here are the RSIT scans:

LOG:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Andrew at 2010-03-13 18:14:22
Microsoft® Windows Vista™ Home Premium Service Pack 2
System drive C: has 35 GB (12%) free of 294 GB
Total RAM: 3002 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:14:35 PM, on 3/13/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Users\Andrew\AppData\Local\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\taskeng.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Andrew\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Adobe\Updater6\Adobe_Updater.exe
C:\Windows\Mkolea.exe
C:\Users\Andrew\Documents\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\Andrew.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [TOY5KNQ8OC] C:\Users\Andrew\AppData\Local\Temp\Mrp.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{705F09E2-C31B-4BE5-B8FD-B98333A1B7F2}: NameServer = 93.188.162.23,93.188.161.52
O17 - HKLM\System\CCS\Services\Tcpip\..\{CE038F87-44A1-4970-AD93-91CFFF26CBB5}: NameServer = 93.188.162.23,93.188.161.52
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.162.23,93.188.161.52
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.162.23,93.188.161.52
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9916 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4126933885-1256812762-2208962939-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4126933885-1256812762-2208962939-1000UA.job
C:\Windows\tasks\HPCeeScheduleForAndrew.job
C:\Windows\tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
C:\Windows\tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-12-21 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2009-12-11 1484056]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d2ce3e00-f94a-4740-988e-03dc2f38c34f}]
Microsoft Live Search Toolbar Helper - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll [2008-08-28 86032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - Microsoft Live Search Toolbar - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll [2008-08-28 86032]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-04-17 1049896]
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2008-07-10 150040]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2008-07-10 170520]
"Persistence"=C:\Windows\system32\igfxpers.exe [2008-07-10 145944]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2008-09-23 468264]
"UpdateLBPShortCut"=C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe [2008-06-13 210216]
"UpdatePSTShortCut"=C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe [2008-10-06 210216]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"QlbCtrl.exe"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2008-08-01 202032]
"UpdateP2GoShortCut"=C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe [2008-06-13 210216]
"UpdatePDIRShortCut"=C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe [2008-06-13 210216]
"HP Health Check Scheduler"=c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe [2008-10-09 75008]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2007-05-08 54840]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2008-04-15 488752]
"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2009-12-31 2033432]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-11 149280]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-10 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-01-22 141608]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-12-22 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2009-12-11 948672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"=C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe [2008-06-09 2363392]
"Google Update"=C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 133104]
"uTorrent"=C:\Program Files\uTorrent\uTorrent.exe [2010-02-22 319280]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"TOY5KNQ8OC"=C:\Users\Andrew\AppData\Local\Temp\Mrp.exe []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="avgrsstx.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2008-07-06 208896]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======List of files/folders created in the last 1 months======

2010-03-13 18:14:22 ----D---- C:\rsit
2010-03-13 18:10:29 ----D---- C:\Windows\Sun
2010-03-11 12:11:08 ----A---- C:\Windows\ntbtlog.txt
2010-03-10 10:08:19 ----D---- C:\Program Files\Trend Micro
2010-03-10 09:50:05 ----D---- C:\Program Files\TrendMicro
2010-03-09 11:08:48 ----A---- C:\Windows\Mkolea.exe
2010-02-24 13:52:41 ----A---- C:\Windows\system32\gameux.dll
2010-02-24 13:52:40 ----A---- C:\Windows\system32\GameUXLegacyGDFs.dll
2010-02-24 13:52:40 ----A---- C:\Windows\system32\Apphlpdm.dll
2010-02-24 13:52:31 ----A---- C:\Windows\system32\secproc_isv.dll
2010-02-24 13:52:30 ----A---- C:\Windows\system32\secproc.dll
2010-02-24 13:52:24 ----A---- C:\Windows\system32\RMActivate_isv.exe
2010-02-24 13:52:22 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2010-02-24 13:52:22 ----A---- C:\Windows\system32\secproc_ssp.dll
2010-02-24 13:52:22 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2010-02-24 13:52:22 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2010-02-24 13:52:22 ----A---- C:\Windows\system32\RMActivate.exe
2010-02-24 13:52:22 ----A---- C:\Windows\system32\msdrm.dll
2010-02-24 13:51:09 ----A---- C:\Windows\system32\tzres.dll
2010-02-17 13:09:33 ----A---- C:\Windows\system32\WNASPI32.DLL
2010-02-17 13:09:29 ----D---- C:\Program Files\Free DVD Ripper

======List of files/folders modified in the last 1 months======

2010-03-13 18:14:20 ----D---- C:\Windows\Temp
2010-03-13 18:14:03 ----D---- C:\Windows\system32\Tasks
2010-03-13 18:14:01 ----D---- C:\Windows\Tasks
2010-03-13 18:10:29 ----D---- C:\Windows
2010-03-13 18:09:19 ----D---- C:\Users\Andrew\AppData\Roaming\uTorrent
2010-03-12 08:58:10 ----HD---- C:\$AVG
2010-03-12 08:00:03 ----A---- C:\ProgramData\hpqp.ini
2010-03-12 07:59:24 ----D---- C:\Windows\Minidump
2010-03-11 12:00:51 ----D---- C:\Users\Andrew\AppData\Roaming\vlc
2010-03-10 10:30:05 ----D---- C:\Windows\rescache
2010-03-10 10:08:19 ----RD---- C:\Program Files
2010-03-10 10:02:17 ----D---- C:\Windows\Prefetch
2010-03-10 09:50:08 ----SHD---- C:\Windows\Installer
2010-03-10 09:49:22 ----SHD---- C:\System Volume Information
2010-03-09 11:09:05 ----HD---- C:\ProgramData
2010-03-09 11:09:04 ----HD---- C:\Windows\system32\GroupPolicy
2010-03-03 22:13:59 ----D---- C:\Users\Andrew\AppData\Roaming\dvdcss
2010-02-26 11:32:42 ----D---- C:\Users\Andrew\AppData\Roaming\Skype
2010-02-26 11:01:43 ----D---- C:\Users\Andrew\AppData\Roaming\skypePM
2010-02-25 11:01:10 ----D---- C:\Program Files\uTorrent
2010-02-25 10:47:56 ----D---- C:\Windows\system32\en-US
2010-02-25 10:47:56 ----D---- C:\Windows\System32
2010-02-25 10:47:50 ----D---- C:\Windows\AppPatch
2010-02-25 10:47:47 ----RSD---- C:\Windows\Fonts
2010-02-25 10:45:44 ----D---- C:\Windows\winsxs
2010-02-25 10:41:53 ----D---- C:\Windows\system32\catroot
2010-02-24 13:52:04 ----D---- C:\Windows\system32\catroot2
2010-02-24 10:22:29 ----D---- C:\Users\Andrew\AppData\Roaming\Hewlett-Packard
2010-02-24 10:21:15 ----D---- C:\ProgramData\Hewlett-Packard
2010-02-22 13:03:49 ----D---- C:\ProgramData\Adobe
2010-02-22 13:03:49 ----D---- C:\Program Files\Common Files\Adobe
2010-02-22 13:03:45 ----D---- C:\Program Files\Adobe
2010-02-17 13:09:33 ----D---- C:\Windows\system32\drivers
2010-02-17 13:09:30 ----D---- C:\Windows\inf
2010-02-15 11:55:25 ----SD---- C:\Users\Andrew\AppData\Roaming\Microsoft
2010-02-14 12:31:53 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-02-14 10:08:49 ----D---- C:\Users\Andrew\AppData\Roaming\Mozilla

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\Windows\System32\Drivers\avgldx86.sys [2009-11-14 333192]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\Windows\System32\Drivers\avgmfx86.sys [2009-11-14 28424]
R1 AvgTdiX;AVG Free8 Network Redirector; C:\Windows\System32\Drivers\avgtdix.sys [2009-11-14 360584]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-18 12672]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-17 8704]
R3 athr;Atheros Extensible Wireless LAN device driver; C:\Windows\system32\DRIVERS\athr.sys [2008-04-27 909824]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\CHDRT32.sys [2008-06-05 222208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HpqKbFiltr;HpqKbFilter Driver; C:\Windows\system32\DRIVERS\HpqKbFiltr.sys [2007-06-18 16768]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\HSX_DPV.sys [2007-10-31 985600]
R3 HSXHWAZL;HSXHWAZL; C:\Windows\system32\DRIVERS\HSXHWAZL.sys [2007-10-31 208896]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2008-07-06 2378752]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI; C:\Windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-06-10 123904]
R3 RTSTOR;Realtek USB 2.0 Card Reader; C:\Windows\system32\drivers\RTSTOR.SYS [2008-09-19 61952]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-04-17 199344]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-20 134016]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\HSX_CNXT.sys [2007-10-31 661504]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-20 11264]
S3 ASPI;Advanced SCSI Programming Interface Driver; \??\C:\Windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-01 235520]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-20 88576]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2009-08-28 40448]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 40448]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller; C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-01 194048]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-07-09 144712]
R2 avg9emc;AVG Free E-mail Scanner; C:\Program Files\AVG\AVG9\avgemc.exe [2009-11-14 906520]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2009-11-14 285392]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2008-10-09 94208]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2008-06-09 73728]
R2 Recovery Service for Windows;Recovery Service for Windows; C:\Program Files\SMINST\BLService.exe [2008-10-06 365952]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared files\RichVideo.exe [2008-09-15 241734]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio.exe [2007-10-17 386560]
R3 Com4QLBEx;Com4QLBEx; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2008-05-01 165192]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-01-22 545576]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GameConsoleService;GameConsoleService; C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe [2008-05-05 165416]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]

-----------------EOF-----------------


INFO:

info.txt logfile of random's system information tool 1.06 2010-03-13 18:14:38

======Uninstall list======

-->"C:\Program Files\HP Games\Agatha Christie - Death on the Nile\Uninstall.exe"
-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Big City Adventures San Francisco\Uninstall.exe"
-->"C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\HP Games\Build-a-lot 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash Hometown Hero\Uninstall.exe"
-->"C:\Program Files\HP Games\Dream Chronicles 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Family Feud 3\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest Solitaire 2\Uninstall.exe"
-->"C:\Program Files\HP Games\JoJo's Fashion Show\Uninstall.exe"
-->"C:\Program Files\HP Games\Luxor 3\Uninstall.exe"
-->"C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
-->"C:\Program Files\HP Games\Mystery P.I. - The Vegas Heist\Uninstall.exe"
-->"C:\Program Files\HP Games\Peggle\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Poker Superstars III\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Pool\Uninstall.exe"
-->"C:\Program Files\HP Games\Slingo Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\SPORE Creature Creator Trial Edition\Uninstall.exe"
-->"C:\Program Files\HP Games\The Hidden Object Game Show\Uninstall.exe"
-->"C:\Program Files\HP Games\The Price is Right\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds Legends\Uninstall.exe"
-->"C:\Program Files\HP Games\Virtual Villagers - A New Home\Uninstall.exe"
-->"C:\Program Files\HP Games\Virtual Villagers - The Secret City\Uninstall.exe"
-->"C:\Program Files\HP Games\Wedding Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\Wheel of Fortune 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
-->C:\Program Files\Conexant\SmartAudio\SETUP.EXE -U -ISmartAudio -SM=SMAUDIO.EXE,1801
Acrobat.com-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Application Installer.exe -uninstall com.adobe.mauby 4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Acrobat.com-->MsiExec.exe /I{77DCDCE3-2DED-62F3-8154-05E745472D07}
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{174892B1-CBE7-44F5-86FF-AB555EFD73A3}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
ActiveCheck component for HP Active Support Library-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Adobe AIR-->C:\Program Files\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{00203668-8170-44A0-BE44-B632FA4D780F}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Adobe Shockwave Player-->MsiExec.exe /X{AD72CFB4-C2BF-424E-9DF0-C7BAD1F30A11}
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Atheros Driver Installation Program-->C:\Program Files\InstallShield Installation Information\{C3A32068-8AB1-4327-BB16-BED9C6219DC7}\setup.exe -runfromtemp -l0x0009
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
BookSmart® 2.5.1 2.5.1-->C:\Program Files\BookSmart\uninstall.exe
Cisco EAP-FAST Module-->MsiExec.exe /I{415B2719-AD3A-4944-B404-C472DB6085B3}
Cisco LEAP Module-->MsiExec.exe /I{83770D14-21B9-44B3-8689-F7B523F94560}
Cisco PEAP Module-->MsiExec.exe /I{669C7BD8-DAA2-49B6-966C-F1E2AAE6B17E}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Conexant HD Audio-->C:\Program Files\CONEXANT\CNXT_AUDIO_HDA\UIU32a.exe -U -IWAHerza.INF
CyberLink DVD Suite-->"C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\Setup.exe" /z-uninstall
CyberLink DVD Suite-->"C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\Setup.exe" /z-uninstall
ESU for Microsoft Vista-->MsiExec.exe /I{3877C901-7B90-4727-A639-B6ED2DD59D43}
Flickr Uploadr 3.2.1-->"C:\Program Files\Flickr Uploadr\uninstall.exe"
Free DVD Ripper Version 2.25-->"C:\Program Files\Free DVD Ripper\unins000.exe"
Google Talk Plugin-->MsiExec.exe /I{BBF6D0CD-A081-369F-B0B8-F168594CBB6B}
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_HERMOSA_HSF\UIU32m.exe -U -IHPQHERzm.inf
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HiJackThis-->MsiExec.exe /X{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HP Active Support Library-->"C:\Program Files\InstallShield Installation Information\{CE7E3BE0-2DD3-4416-A690-F9E4A99A8CFF}\setup.exe" -runfromtemp -l0x0409 -removeonly
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{57A5AEC1-97FC-474D-92C4-908FCC2253D4}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP DVD Play 3.7-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\Setup.exe" -uninstall
HP Help and Support-->MsiExec.exe /I{0054A0F6-00C9-4498-B821-B5C9578F433E}
HP Quick Launch Buttons 6.40 H2-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP Total Care Advisor-->MsiExec.exe /X{154A4184-1A3D-4BF9-A5AE-4FA1660445F3}
HP Update-->MsiExec.exe /X{C8FD5BC1-92EF-4C15-92A9-F9AC7F61985F}
HP User Guides 0118-->MsiExec.exe /I{B6D0B141-B2BE-4DD0-B08F-B9186F3E36B3}
HP Wireless Assistant-->MsiExec.exe /I{9ADABDDE-9644-461B-9E73-83FA3EFCAB50}
HPAsset component for HP Active Support Library-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
HPTCSSetup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{846DDADA-0239-4B67-A6B1-33658863793B}\setup.exe" -l0x9 -removeonly
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iPhone Configuration Utility-->MsiExec.exe /I{FA54AFB1-5745-4389-B8C1-9F7509672ED1}
iTunes-->MsiExec.exe /I{F439D7AF-03F3-4F8E-AEC4-571BFE977C61}
Java™ 6 Update 17-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}
Java™ 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Juno Preloader-->MsiExec.exe /X{6423EF83-6E1D-4D22-A36F-689CD19FD4D2}
LabelPrint-->"C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe" /z-uninstall
LabelPrint-->"C:\Program Files\InstallShield Installation Information\{C59C179C-668D-49A9-B6EA-0121CCFC1243}\Setup.exe" /z-uninstall
LightScribe System Software 1.14.17.1-->MsiExec.exe /X{0E7DBD52-B097-4F2B-A7C7-F105B0D20FDB}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Live Search Toolbar-->MsiExec.exe /X{96384578-C6A2-4EC6-92CD-B62A60713040}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Works-->MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
muvee Reveal-->MsiExec.exe /X{DD35C328-F115-BEDA-6EEE-E00C5AACCCBC}
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
NetWaiting-->C:\Program Files\InstallShield Installation Information\{3F92ABBB-6BBF-11D5-B229-002078017FBF}\setup.exe -runfromtemp -l0x0009 -removeonly
NetZero Preloader-->MsiExec.exe /X{352310C3-E46B-42D3-8F32-54721FDD72D9}
OGA Notifier 2.0.0048.0-->MsiExec.exe /I{B2544A03-10D0-4E5E-BA69-0362FFC20D18}
OpenOffice.org 3.1-->MsiExec.exe /I{E6B87DC4-2B3D-4483-ADFF-E483BF718991}
Power2Go-->"C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" /z-uninstall
Power2Go-->"C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\Setup.exe" /z-uninstall
PowerDirector-->"C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" /z-uninstall
PowerDirector-->"C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\Setup.exe" /z-uninstall
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Realtek 8169 8168 8101E 8102E Ethernet Driver-->C:\Program Files\InstallShield Installation Information\{8833FFB6-5B0C-4764-81AA-06DFEED9A476}\setup.exe -runfromtemp -l0x0009 -removeonly
Realtek USB 2.0 Card Reader-->C:\Program Files\InstallShield Installation Information\{DC24971E-1946-445D-8A82-CE685433FA7D}\setup.exe -runfromtemp -l0x0009 -removeonly
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB973704)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {E626DC89-A787-4553-9BB3-DC2EC7E1593F}
Security Update for Microsoft Office Excel 2007 (KB973593)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7D6255E3-3423-4D8B-A328-F6F8D28DD5FE}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Skype™ 4.1-->MsiExec.exe /X{D103C4BA-F905-437A-8049-DB24763BBE36}
SPORE Creature Creator Trial Edition-->"C:\Program Files\HP Games\SPORE Creature Creator Trial Edition\Uninstall.exe"
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 (KB974561)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0CDDBAA2-2111-4A0E-A1B0-76C40C635331}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
VLC media player 1.0.1-->C:\Program Files\VideoLAN\VLC\uninstall.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: Andrew-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB948609(Update) into Install Requested(Install Requested) state
Record Number: 9263
Source Name: Microsoft-Windows-Servicing
Time Written: 20090809165823.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Andrew-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB948609(Update) into Install Requested(Install Requested) state
Record Number: 9163
Source Name: Microsoft-Windows-Servicing
Time Written: 20090809165823.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Andrew-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB948609(Update) into Install Requested(Install Requested) state
Record Number: 9158
Source Name: Microsoft-Windows-Servicing
Time Written: 20090809165822.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Andrew-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB948609(Update) into Install Requested(Install Requested) state
Record Number: 9155
Source Name: Microsoft-Windows-Servicing
Time Written: 20090809165822.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Andrew-PC
Event Code: 4376
Message: Servicing has required reboot to complete the operation of setting package KB948609(Update) into Install Requested(Install Requested) state
Record Number: 9151
Source Name: Microsoft-Windows-Servicing
Time Written: 20090809165822.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: Andrew-PC
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Record Number: 259
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090805012831.000000-000
Event Type: Error
User:

Computer Name: Andrew-PC
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Record Number: 258
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090805012830.000000-000
Event Type: Error
User:

Computer Name: Andrew-PC
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Record Number: 257
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090805012816.000000-000
Event Type: Error
User:

Computer Name: Andrew-PC
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Record Number: 256
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090805012756.000000-000
Event Type: Error
User:

Computer Name: Andrew-PC
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.
.
Record Number: 255
Source Name: Microsoft-Windows-CAPI2
Time Written: 20090805012752.000000-000
Event Type: Error
User:

=====Security event log=====

Computer Name: Andrew-PC
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-J3JLLOF4QOG$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 567
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805014352.589394-000
Event Type: Audit Success
User:

Computer Name: Andrew-PC
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: WIN-J3JLLOF4QOG$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x234
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 566
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805014352.589394-000
Event Type: Audit Success
User:

Computer Name: Andrew-PC
Event Code: 4905
Message: An attempt was made to unregister a security event source.

Subject
Security ID: S-1-5-18
Account Name: WIN-J3JLLOF4QOG$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process:
Process ID: 0xfa0
Process Name: C:\Windows\System32\VSSVC.exe

Event Source:
Source Name: VSSAudit
Event Source ID: 0xc175c
Record Number: 565
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805002905.286166-000
Event Type: Audit Success
User:

Computer Name: Andrew-PC
Event Code: 4904
Message: An attempt was made to register a security event source.

Subject :
Security ID: S-1-5-18
Account Name: WIN-J3JLLOF4QOG$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Process:
Process ID: 0xfa0
Process Name: C:\Windows\System32\VSSVC.exe

Event Source:
Source Name: VSSAudit
Event Source ID: 0xc175c
Record Number: 564
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805002905.286166-000
Event Type: Audit Success
User:

Computer Name: Andrew-PC
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-4126933885-1256812762-2208962939-1000
Account Name: Andrew
Domain Name: Andrew-PC
Logon ID: 0x43ecf
Record Number: 563
Source Name: Microsoft-Windows-Eventlog
Time Written: 20090805002849.249366-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\CyberLink\Power2Go;C:\Program Files\QuickTime\QTSystem\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel
"PROCESSOR_REVISION"=170a
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"OnlineServices"=Online Services
"Platform"=MCD
"PCBRAND"=Pavilion
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

Edited by jokerspath, 15 March 2010 - 03:28 PM.
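The Security and Application event log excerpts in the dump above are worth triaging before anything else in the post: record 563 (event 1102) shows the audit log being cleared by the local Andrew account at 00:28:49 UTC on 5 August 2009 and is the earliest security record that survives, and the 4624 entries need their Logon Type read to tell a routine service logon from a remote one. The Python script below is an added example, not code from this thread or from the RSIT/DDS tools; it parses the "Computer Name / Event Code / Message ... Record Number / Source Name / Time Written / Event Type / User" record layout used in the dump and flags those entries. The embedded sample is a constructed excerpt trimmed from the log above; severities and the logon-type table are the example's own choices.

```python
"""Triage an RSIT/DDS-style Windows event log dump. Added example, not part of
the original post: it parses the "Computer Name / Event Code / Message ...
Record Number / Source Name / Time Written / Event Type / User" layout above."""
import re
from datetime import datetime

LOGON_TYPES = {"2": "Interactive", "3": "Network", "5": "Service", "10": "RemoteInteractive"}

# Constructed input: three records trimmed from the Security log section above.
SAMPLE_LOG = """\
Computer Name: Andrew-PC
Event Code: 4624
Message: An account was successfully logged on.
Account Name: WIN-J3JLLOF4QOG$
Logon Type: 5
Account Name: SYSTEM
Record Number: 567
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805014352.589394-000
User:

Computer Name: Andrew-PC
Event Code: 4905
Message: An attempt was made to unregister a security event source.
Source Name: VSSAudit
Record Number: 565
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090805002905.286166-000

Computer Name: Andrew-PC
Event Code: 1102
Message: The audit log was cleared.
Account Name: Andrew
Record Number: 563
Source Name: Microsoft-Windows-Eventlog
Time Written: 20090805002849.249366-000
User:
"""

# "Record Number:" closes the message body, so a "Source Name:" line inside a
# message (VSSAudit above) is not mistaken for the record's provider.
TRAILER = ("Record Number", "Source Name", "Time Written", "Event Type", "User")


def parse_records(text):
    records, rec, in_msg = [], None, False
    for line in text.splitlines():
        if line.startswith("Computer Name:"):
            rec = {"Computer Name": line.split(":", 1)[1].strip(), "Message": ""}
            records.append(rec)
            in_msg = False
            continue
        if rec is None:
            continue  # section banner before the first record
        if line.startswith("Record Number:"):
            in_msg = False
        if in_msg:
            rec["Message"] += line + "\n"
            continue
        key, sep, value = line.partition(":")
        key = key.strip()
        if not sep:
            continue  # blank line between records
        if key == "Message":
            rec["Message"], in_msg = value.strip() + "\n", True
        elif key == "Event Code" or key in TRAILER:
            rec[key] = value.strip()
    return [dict(r, Message=r["Message"].strip()) for r in records]


def wmi_time(value):
    """CIM datetime such as 20090805002849.249366-000; the suffix is the UTC
    offset in minutes and is 000 throughout this log, so the stamp is UTC."""
    return datetime.strptime(value[:14], "%Y%m%d%H%M%S")


def triage(records):
    """Return (severity, record number, reason) tuples in record order."""
    findings = []
    for r in records:
        code, msg, rn = r.get("Event Code"), r["Message"], r.get("Record Number", "?")
        when = wmi_time(r["Time Written"]).strftime("%Y-%m-%d %H:%M:%S")
        names = re.findall(r"^Account Name:\s*(.+)$", msg, re.M)  # last one is the New Logon
        who = names[-1] if names else "?"
        if code == "1102":
            # A log clear inside the infection window destroys the evidence a responder wants.
            findings.append(("HIGH", rn, f"audit log cleared by {who} at {when} UTC"))
        elif code == "4624":
            m = re.search(r"^Logon Type:\s*(\d+)", msg, re.M)
            lt = m.group(1) if m else "?"
            # Type 5 from services.exe is routine; 3 or 10 on a WORKGROUP home PC is not.
            sev = "MEDIUM" if lt in ("3", "10") else "INFO"
            findings.append((sev, rn, f"{LOGON_TYPES.get(lt, 'type ' + lt)} logon for {who} at {when} UTC"))
    return findings


if __name__ == "__main__":
    for sev, rn, why in triage(parse_records(SAMPLE_LOG)):
        print(f"[{sev}] record {rn}: {why}")
```

To run it over the real dump, pass the text of the "=====Security event log=====" section to parse_records; the section banners are skipped. Two caveats before reading the 1102 as anti-forensics: the Time Written values carry a 000 UTC offset, so convert to the GMT -8 shown in the DDS header when lining them up against file timestamps, and the clear falls on the same day as the earliest user-profile files in the later ComboFix listing, which is consistent with initial setup of the machine rather than with the March 2010 infection.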


#4 aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 15 March 2010 - 03:34 PM

Hello, jokerspath.
P2P Program Warning!

uTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PMs requesting help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 jokerspath

  • Topic Starter

  • Members
  • 7 posts
  • Local time:03:46 AM

Posted 16 March 2010 - 07:29 PM

This took a while. Kept crashing. How's it look now?

ComboFix 10-03-15.02 - Andrew 03/16/2010 17:12:09.3.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3002.1930 [GMT -7:00]
Running from: c:\users\Andrew\Desktop\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job

.
((((((((((((((((((((((((( Files Created from 2010-02-17 to 2010-03-17 )))))))))))))))))))))))))))))))
.

2010-03-17 00:21 . 2010-03-17 00:21 -------- d-----w- c:\users\Andrew\AppData\Local\temp
2010-03-17 00:21 . 2010-03-17 00:21 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-03-17 00:21 . 2010-03-17 00:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-03-15 22:47 . 2010-03-15 22:47 -------- d-----w- c:\users\Andrew\AppData\Roaming\AVG9
2010-03-14 02:14 . 2010-03-14 02:14 -------- d-----w- C:\rsit
2010-03-14 02:10 . 2010-03-14 02:10 -------- d-----w- c:\windows\Sun
2010-03-12 07:50 . 2010-03-12 07:50 93056 ----a-w- C:\uwryqpob.sys
2010-03-10 18:08 . 2010-03-10 18:08 -------- d-----w- c:\program files\Trend Micro
2010-03-10 17:50 . 2010-03-10 17:50 388096 ----a-r- c:\users\Andrew\AppData\Roaming\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-03-10 17:50 . 2010-03-10 17:50 -------- d-----w- c:\program files\TrendMicro
2010-03-09 19:08 . 2010-03-09 19:08 152064 ----a-w- c:\windows\Mkolea.exe
2010-02-24 21:52 . 2010-01-06 15:39 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-02-24 21:52 . 2010-01-06 15:38 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-02-24 21:52 . 2010-01-06 13:30 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-02-24 21:52 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc_isv.dll
2010-02-24 21:52 . 2010-01-25 12:00 471552 ----a-w- c:\windows\system32\secproc.dll
2010-02-24 21:52 . 2010-01-25 08:21 526336 ----a-w- c:\windows\system32\RMActivate_isv.exe
2010-02-24 21:52 . 2010-01-25 12:00 152576 ----a-w- c:\windows\system32\secproc_ssp_isv.dll
2010-02-24 21:52 . 2010-01-25 12:00 152064 ----a-w- c:\windows\system32\secproc_ssp.dll
2010-02-24 21:52 . 2010-01-25 11:58 332288 ----a-w- c:\windows\system32\msdrm.dll
2010-02-24 21:52 . 2010-01-25 08:21 346624 ----a-w- c:\windows\system32\RMActivate_ssp_isv.exe
2010-02-24 21:52 . 2010-01-25 08:21 518144 ----a-w- c:\windows\system32\RMActivate.exe
2010-02-24 21:52 . 2010-01-25 08:21 347136 ----a-w- c:\windows\system32\RMActivate_ssp.exe
2010-02-24 21:51 . 2010-01-23 09:26 2048 ----a-w- c:\windows\system32\tzres.dll
2010-02-17 21:09 . 2002-07-17 23:23 45056 ----a-w- c:\windows\system32\WNASPI32.DLL
2010-02-17 21:09 . 2002-07-17 23:20 84832 ----a-w- c:\windows\system32\drivers\ASPI32.SYS
2010-02-17 21:09 . 2010-02-17 21:09 -------- d-----w- c:\program files\Free DVD Ripper
2010-02-17 20:57 . 2010-02-17 20:57 -------- d-----w- c:\users\Andrew\stairs

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-15 21:11 . 2009-08-12 01:21 -------- d-----w- c:\program files\uTorrent
2010-03-11 20:00 . 2009-08-07 04:03 -------- d-----w- c:\users\Andrew\AppData\Roaming\vlc
2010-03-04 06:13 . 2009-12-11 04:45 -------- d-----w- c:\users\Andrew\AppData\Roaming\dvdcss
2010-02-26 19:32 . 2009-08-30 03:08 -------- d-----w- c:\users\Andrew\AppData\Roaming\Skype
2010-02-26 19:01 . 2009-08-30 03:10 -------- d-----w- c:\users\Andrew\AppData\Roaming\skypePM
2010-02-25 19:04 . 2009-08-05 00:33 80008 ----a-w- c:\users\Andrew\AppData\Local\GDIPFONTCACHEV1.DAT
2010-02-24 18:22 . 2009-08-05 00:37 -------- d-----w- c:\users\Andrew\AppData\Roaming\Hewlett-Packard
2010-02-24 18:21 . 2008-10-23 09:40 -------- d-----w- c:\programdata\Hewlett-Packard
2010-02-22 21:28 . 2010-03-10 07:12 1282824 ----a-w- c:\windows\Help\OEM\scripts\SamsungHDDFW1HC.exe
2010-02-22 21:03 . 2008-10-23 10:42 -------- d-----w- c:\program files\Common Files\Adobe
2010-02-11 11:20 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-02-05 18:39 . 2010-02-05 18:39 251376 ----a-w- c:\users\Andrew\AppData\Roaming\Mozilla\plugins\npgoogletalk.dll
2010-02-05 18:03 . 2010-02-05 18:02 -------- d-----w- c:\program files\iTunes
2010-02-05 18:02 . 2010-02-05 18:02 -------- d-----w- c:\program files\iPod
2010-02-05 18:02 . 2009-08-06 00:55 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 18:00 . 2010-02-05 17:59 -------- d-----w- c:\program files\QuickTime
2010-02-05 17:57 . 2010-02-05 17:57 72488 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-02-05 00:51 . 2010-03-10 07:12 49152 ----a-w- c:\windows\Help\OEM\scripts\Interop.TaskScheduler.dll
2010-01-25 05:47 . 2010-01-25 05:47 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-01-25 05:45 . 2008-10-23 10:52 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-06 15:38 . 2010-02-24 21:52 173056 ----a-w- c:\windows\AppPatch\AcXtrnal.dll
2010-01-06 15:38 . 2010-02-24 21:52 542720 ----a-w- c:\windows\AppPatch\AcLayers.dll
2010-01-06 15:38 . 2010-02-24 21:52 458752 ----a-w- c:\windows\AppPatch\AcSpecfc.dll
2010-01-06 15:38 . 2010-02-24 21:52 2159616 ----a-w- c:\windows\AppPatch\AcGenral.dll
2010-01-06 04:08 . 2009-10-15 15:31 5972 ----a-w- c:\users\Andrew\AppData\Local\d3d9caps.dat
2009-12-18 13:01 . 2010-01-22 17:13 78336 ----a-w- c:\windows\system32\ieencode.dll
2008-10-23 10:05 . 2008-10-23 09:55 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-03-15_23.03.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-03-17 00:08 . 2010-02-20 23:12 24064 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.22343_none_dce43630c143fd87\wbhstipm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:12 22528 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.22343_none_dce43630c143fd87\wbhst_pm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:12 48128 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.22343_none_dce43630c143fd87\w3wphost.dll
+ 2010-03-17 00:08 . 2010-02-20 23:12 15872 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.22343_none_dce43630c143fd87\w3tp.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 24064 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.18210_none_dc78084ba810bde5\wbhstipm.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 22528 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.18210_none_dc78084ba810bde5\wbhst_pm.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 47616 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.18210_none_dc78084ba810bde5\w3wphost.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 15872 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.18210_none_dc78084ba810bde5\w3tp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 24064 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.22638_none_db0d95a6c4110b25\wbhstipm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 22528 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.22638_none_db0d95a6c4110b25\wbhst_pm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 46592 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.22638_none_db0d95a6c4110b25\w3wphost.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 15872 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.22638_none_db0d95a6c4110b25\w3tp.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 24064 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.18428_none_da8ec6e1aaeb5243\wbhstipm.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 22528 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.18428_none_da8ec6e1aaeb5243\wbhst_pm.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 46592 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.18428_none_da8ec6e1aaeb5243\w3wphost.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 15872 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.18428_none_da8ec6e1aaeb5243\w3tp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 25088 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.21227_none_d930fcdec6e37b07\wbhstipm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 22016 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.21227_none_d930fcdec6e37b07\wbhst_pm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 39424 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.21227_none_d930fcdec6e37b07\w3wphost.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 15360 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.21227_none_d930fcdec6e37b07\w3tp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 25088 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.17022_none_d8a25cbbadca5f63\wbhstipm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 22016 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.17022_none_d8a25cbbadca5f63\wbhst_pm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 39424 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.17022_none_d8a25cbbadca5f63\w3wphost.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 15360 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.17022_none_d8a25cbbadca5f63\w3tp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:10 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6002.22343_none_75f500438adc1033\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:06 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6002.18210_none_7588d25e71a8d091\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6001.22638_none_741e5fb98da91dd1\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:39 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6001.18428_none_739f90f4748364ef\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:35 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6000.21227_none_7241c6f1907b8db3\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:54 24064 c:\windows\winsxs\x86_microsoft-windows-nshhttp_31bf3856ad364e35_6.0.6000.17022_none_71b326ce7762720f\nshhttp.dll
+ 2010-03-17 00:08 . 2010-02-20 23:12 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\wamregps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:11 38912 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\rscaext.dll
+ 2010-03-17 00:08 . 2010-02-20 23:11 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\rsca.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 59392 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iissyspr.dll
+ 2010-03-17 00:08 . 2010-02-20 21:21 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisrstas.exe
+ 2010-03-17 00:08 . 2010-02-20 21:21 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisreset.exe
+ 2010-03-17 00:08 . 2010-02-20 23:08 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisreg.dll
+ 2010-03-17 00:08 . 2010-02-20 23:07 27136 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\ahadmin.dll
+ 2010-03-17 00:08 . 2010-02-20 23:06 51712 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\admwprox.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\wamregps.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 38912 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\rscaext.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\rsca.dll
+ 2009-12-11 11:04 . 2009-11-09 12:30 59392 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iissyspr.dll
+ 2009-12-11 11:04 . 2009-11-09 10:48 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisrstas.exe
+ 2009-12-11 11:04 . 2009-11-09 10:48 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisreset.exe
+ 2009-12-11 11:04 . 2009-11-09 12:30 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisreg.dll
+ 2009-12-11 11:04 . 2009-11-09 12:28 27136 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\ahadmin.dll
+ 2009-12-11 11:04 . 2009-11-09 12:28 51712 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\admwprox.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\wamregps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 38912 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\rscaext.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\rsca.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 59392 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iissyspr.dll
+ 2010-03-17 00:08 . 2010-02-20 21:35 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisrstas.exe
+ 2010-03-17 00:08 . 2010-02-20 21:35 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisreset.exe
+ 2010-03-17 00:08 . 2010-02-20 23:29 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisreg.dll
+ 2010-03-17 00:08 . 2010-02-20 23:26 27136 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\ahadmin.dll
+ 2010-03-17 00:08 . 2010-02-20 23:26 51712 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\admwprox.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\wamregps.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 38912 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\rscaext.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\rsca.dll
+ 2009-12-11 11:04 . 2009-11-09 13:20 59392 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iissyspr.dll
+ 2009-12-11 11:04 . 2009-11-09 11:21 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisrstas.exe
+ 2009-12-11 11:04 . 2009-11-09 11:21 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisreset.exe
+ 2009-12-11 11:04 . 2009-11-09 13:20 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisreg.dll
+ 2009-12-11 11:04 . 2009-11-09 13:18 27136 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\ahadmin.dll
+ 2009-12-11 11:04 . 2009-11-09 13:18 51712 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\admwprox.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\wamregps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:35 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\rsca.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iissyspr.dll
+ 2010-03-17 00:08 . 2010-02-20 21:31 30720 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisrstas.exe
+ 2010-03-17 00:08 . 2010-02-20 21:31 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisreset.exe
+ 2010-03-17 00:08 . 2010-02-20 23:31 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisreg.dll
+ 2010-03-17 00:08 . 2010-02-20 23:30 51200 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\admwprox.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 10752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\wamregps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 26624 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\rsca.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 31232 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iissyspr.dll
+ 2010-03-17 00:08 . 2010-02-20 21:46 30720 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisrstas.exe
+ 2010-03-17 00:08 . 2010-02-20 21:46 14848 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisreset.exe
+ 2010-03-17 00:08 . 2010-02-20 23:52 89088 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisreg.dll
+ 2010-03-17 00:08 . 2010-02-20 23:50 51200 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\admwprox.dll
+ 2010-03-17 00:08 . 2010-02-20 23:12 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.22343_none_d1f1e1863fa65f97\w3dt.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 12800 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.22343_none_d1f1e1863fa65f97\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:07 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.18210_none_d185b3a126731ff5\w3dt.dll
+ 2009-12-11 11:04 . 2009-11-09 12:30 12800 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.18210_none_d185b3a126731ff5\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.22638_none_d01b40fc42736d35\w3dt.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 12800 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.22638_none_d01b40fc42736d35\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:40 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.18428_none_cf9c7237294db453\w3dt.dll
+ 2009-12-11 11:04 . 2009-11-09 13:20 12800 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.18428_none_cf9c7237294db453\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:36 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.21227_none_ce3ea8344545dd17\w3dt.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 12288 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.21227_none_ce3ea8344545dd17\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 23552 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.17022_none_cdb008112c2cc173\w3dt.dll
+ 2010-03-17 00:08 . 2010-02-20 23:51 12288 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.17022_none_cdb008112c2cc173\hwebcore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:07 43520 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6002.22343_none_22e5433d125cc342\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:04 43520 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6002.18210_none_22791557f92983a0\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:27 43520 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6001.22638_none_210ea2b31529d0e0\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:35 43520 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6001.18428_none_208fd3edfc0417fe\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:30 36352 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6000.21227_none_1f3209eb17fc40c2\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:50 36352 c:\windows\winsxs\x86_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_6.0.6000.17022_none_1ea369c7fee3251e\authsspi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 30720 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6002.22343_none_f7f4165eb3ad7c4d\httpapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:05 30720 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6002.18210_none_f787e8799a7a3cab\httpapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 31232 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.22638_none_f61d75d4b67a89eb\httpapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:37 31232 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6001.18428_none_f59ea70f9d54d109\httpapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 31232 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6000.21227_none_f440dd0cb94cf9cd\httpapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:51 31232 c:\windows\winsxs\x86_microsoft-windows-http-api_31bf3856ad364e35_6.0.6000.17022_none_f3b23ce9a033de29\httpapi.dll
+ 2008-01-21 01:58 . 2010-03-17 00:02 44534 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2010-03-17 00:02 86148 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-08-05 00:28 . 2010-03-17 00:02 10688 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-4126933885-1256812762-2208962939-1000_UserData.bin
- 2009-08-05 00:27 . 2010-03-14 02:12 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-05 00:27 . 2010-03-17 00:10 16384 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-08-05 00:27 . 2010-03-14 02:12 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-05 00:27 . 2010-03-17 00:10 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-08-05 00:27 . 2010-03-14 02:12 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-08-05 00:27 . 2010-03-17 00:10 16384 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2010-03-17 00:08 . 2010-02-20 23:12 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\w3ctrlps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisrstap.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\w3ctrlps.dll
+ 2009-12-11 11:04 . 2009-11-09 12:30 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisrstap.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\w3ctrlps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisrstap.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\w3ctrlps.dll
+ 2009-12-11 11:04 . 2009-11-09 13:20 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisrstap.dll
+ 2010-03-17 00:08 . 2010-02-20 23:35 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\w3ctrlps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisrstap.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 9216 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\w3ctrlps.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 8192 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisrstap.dll
+ 2010-03-17 00:03 . 2010-03-17 00:14 1532 c:\windows\SoftwareDistribution\EventCache\{0698B88D-B8D3-48E6-98CF-19AC727BE57E}.bin
- 2010-03-15 22:35 . 2010-03-15 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-17 00:00 . 2010-03-17 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2010-03-17 00:00 . 2010-03-17 00:00 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2010-03-15 22:35 . 2010-03-15 22:35 2048 c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2010-03-17 00:08 . 2010-02-20 23:08 374272 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.22343_none_dce43630c143fd87\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:05 373760 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6002.18210_none_dc78084ba810bde5\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 371712 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.22638_none_db0d95a6c4110b25\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:37 371712 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6001.18428_none_da8ec6e1aaeb5243\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 322560 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.21227_none_d930fcdec6e37b07\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 322560 c:\windows\winsxs\x86_microsoft-windows-processmodellibraries_31bf3856ad364e35_6.0.6000.17022_none_d8a25cbbadca5f63\iisw3adm.dll
+ 2010-03-17 00:08 . 2010-02-20 23:10 333312 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\nativerd.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 202752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisutil.dll
+ 2010-03-17 00:08 . 2010-02-20 21:22 228864 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iissetup.exe
+ 2010-03-17 00:08 . 2010-02-20 23:08 153600 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisRtl.dll
+ 2010-03-17 00:08 . 2010-02-20 21:22 193024 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iisres.dll
+ 2010-03-17 00:08 . 2010-02-20 23:11 209408 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\iismig.dll
+ 2010-03-17 00:08 . 2010-02-20 21:22 182784 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\aspnetca.exe
+ 2010-03-17 00:08 . 2010-02-20 23:07 311808 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\appobj.dll
+ 2010-03-17 00:08 . 2010-02-20 21:22 154112 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.22343_none_13314c23cb33f9c6\appcmd.exe
+ 2009-12-11 11:04 . 2009-11-09 12:31 331264 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\nativerd.dll
+ 2009-12-11 11:04 . 2009-11-09 12:30 202752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisutil.dll
+ 2009-12-11 11:04 . 2009-11-09 10:49 228864 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iissetup.exe
+ 2009-12-11 11:04 . 2009-11-09 12:30 153600 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisRtl.dll
+ 2009-12-11 11:04 . 2009-11-09 10:48 193024 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iisres.dll
+ 2009-12-11 11:04 . 2009-11-09 12:32 209408 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\iismig.dll
+ 2009-12-11 11:04 . 2009-11-09 10:49 182784 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\aspnetca.exe
+ 2009-12-11 11:04 . 2009-11-09 12:28 311808 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\appobj.dll
+ 2009-12-11 11:04 . 2009-11-09 10:48 154112 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6002.18210_none_12c51e3eb200ba24\appcmd.exe
+ 2010-03-17 00:08 . 2010-02-20 23:30 331776 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\nativerd.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 202752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisutil.dll
+ 2010-03-17 00:08 . 2010-02-20 21:35 228864 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iissetup.exe
+ 2010-03-17 00:08 . 2010-02-20 23:29 153600 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisRtl.dll
+ 2010-03-17 00:08 . 2010-02-20 21:35 193024 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iisres.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 209408 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\iismig.dll
+ 2010-03-17 00:08 . 2010-02-20 21:35 182784 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\aspnetca.exe
+ 2010-03-17 00:08 . 2010-02-20 23:26 311808 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\appobj.dll
+ 2010-03-17 00:08 . 2010-02-20 21:35 154112 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.22638_none_115aab99ce010764\appcmd.exe
+ 2009-12-11 11:04 . 2009-11-09 13:22 326656 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\nativerd.dll
+ 2009-12-11 11:04 . 2009-11-09 13:20 202752 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisutil.dll
+ 2009-12-11 11:04 . 2009-11-09 11:22 228864 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iissetup.exe
+ 2009-12-11 11:04 . 2009-11-09 13:20 153600 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisRtl.dll
+ 2009-12-11 11:04 . 2009-11-09 11:21 193024 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iisres.dll
+ 2009-12-11 11:04 . 2009-11-09 13:23 209408 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\iismig.dll
+ 2009-12-11 11:04 . 2009-11-09 11:22 182784 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\aspnetca.exe
+ 2009-12-11 11:04 . 2009-11-09 13:18 311296 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\appobj.dll
+ 2009-12-11 11:04 . 2009-11-09 11:21 154112 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6001.18428_none_10dbdcd4b4db4e82\appcmd.exe
+ 2010-03-17 00:08 . 2010-02-20 23:34 236032 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\nativerd.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 189952 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisutil.dll
+ 2010-03-17 00:08 . 2010-02-20 21:31 195072 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iissetup.exe
+ 2010-03-17 00:08 . 2010-02-20 23:31 148480 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisRtl.dll
+ 2010-03-17 00:08 . 2010-02-20 20:21 183808 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iisres.dll
+ 2010-03-17 00:08 . 2010-02-20 23:35 128512 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\iismig.dll
+ 2010-03-17 00:08 . 2010-02-20 21:31 178176 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\aspnetca.exe
+ 2010-03-17 00:08 . 2010-02-20 23:30 297472 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\appobj.dll
+ 2010-03-17 00:08 . 2010-02-20 21:31 150528 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.21227_none_0f7e12d1d0d37746\appcmd.exe
+ 2010-03-17 00:08 . 2010-02-20 23:54 236032 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\nativerd.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 189952 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisutil.dll
+ 2010-03-17 00:08 . 2010-02-20 21:47 195072 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iissetup.exe
+ 2010-03-17 00:08 . 2010-02-20 23:52 148480 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisRtl.dll
+ 2010-03-17 00:08 . 2010-02-20 20:30 183808 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iisres.dll
+ 2010-03-17 00:08 . 2010-02-20 23:55 128512 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\iismig.dll
+ 2010-03-17 00:08 . 2010-02-20 21:47 178176 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\aspnetca.exe
+ 2010-03-17 00:08 . 2010-02-20 23:50 297472 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\appobj.dll
+ 2010-03-17 00:08 . 2010-02-20 21:47 150528 c:\windows\winsxs\x86_microsoft-windows-iis-sharedlibraries_31bf3856ad364e35_6.0.6000.17022_none_0eef72aeb7ba5ba2\appcmd.exe
+ 2010-03-17 00:08 . 2010-02-20 23:08 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6002.22343_none_6bd150839a36b650\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:05 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6002.18210_none_6b65229e810376ae\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6001.22638_none_69faaff99d03c3ee\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:37 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6001.18428_none_697be13483de0b0c\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:32 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6000.21227_none_681e17319fd633d0\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 107008 c:\windows\winsxs\x86_microsoft-windows-iis-isapiextensions_31bf3856ad364e35_6.0.6000.17022_none_678f770e86bd182c\isapi.dll
+ 2010-03-17 00:08 . 2010-02-20 23:08 190976 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.22343_none_d1f1e1863fa65f97\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:05 190976 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6002.18210_none_d185b3a126731ff5\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:29 190976 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.22638_none_d01b40fc42736d35\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:37 189952 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6001.18428_none_cf9c7237294db453\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:31 164864 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.21227_none_ce3ea8344545dd17\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 23:52 164864 c:\windows\winsxs\x86_microsoft-windows-iis-corewebengine_31bf3856ad364e35_6.0.6000.17022_none_cdb008112c2cc173\iiscore.dll
+ 2010-03-17 00:08 . 2010-02-20 21:06 411648 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6002.22343_none_af08d5a82f3c8f92\http.sys
+ 2010-03-17 00:08 . 2010-02-20 20:53 411648 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6002.18210_none_ae9ca7c316094ff0\http.sys
+ 2010-03-17 00:08 . 2010-02-20 21:20 411136 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6001.22638_none_ad32351e32099d30\http.sys
+ 2010-03-17 00:08 . 2010-02-20 21:18 411136 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6001.18428_none_acb3665918e3e44e\http.sys
+ 2010-03-17 00:08 . 2010-02-20 21:16 398848 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6000.21227_none_ab559c5634dc0d12\http.sys
+ 2010-03-17 00:08 . 2010-02-20 21:30 396800 c:\windows\winsxs\x86_microsoft-windows-http_31bf3856ad364e35_6.0.6000.17022_none_aac6fc331bc2f16e\http.sys
+ 2009-08-06 12:36 . 2010-03-16 23:29 287170 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
- 2006-11-02 10:33 . 2010-03-15 22:42 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-03-17 00:06 595684 c:\windows\System32\perfh009.dat
+ 2006-11-02 10:33 . 2010-03-17 00:06 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:33 . 2010-03-15 22:42 101350 c:\windows\System32\perfc009.dat
- 2006-11-02 10:22 . 2010-02-25 18:48 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2006-11-02 10:22 . 2010-03-17 00:09 6553600 c:\windows\System32\SMI\Store\Machine\SCHEMA.DAT
+ 2010-03-17 00:10 . 2010-03-17 00:10 6434816 c:\windows\ERDNT\Hiv-backup\SCHEMA.DAT
+ 2009-08-06 10:57 . 2010-03-17 00:09 220380054 c:\windows\winsxs\ManifestCache\6.0.6002.18005_001c11ba_blobs.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2008-06-09 2363392]
"Google Update"="c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" [2009-08-05 133104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-21 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-07-10 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-07-10 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-07-10 145944]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2008-09-24 468264]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2008-10-07 210216]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"QlbCtrl.exe"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2008-08-01 202032]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"UpdatePDIRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-06-14 210216]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2008-10-09 75008]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-23 141608]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):e2,b8,76,02,38,4a,ca,01

R3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\System32\DRIVERS\ASPI32.sys [2002-07-17 84832]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-11-15 333192]
S1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-11-15 360584]
S2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2009-11-15 906520]
S2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2009-11-15 285392]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI;c:\windows\system32\drivers\IntcHdmi.sys [2008-06-29 112128]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 17:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder

2010-03-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4126933885-1256812762-2208962939-1000Core.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 23:48]

2010-03-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-4126933885-1256812762-2208962939-1000UA.job
- c:\users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe [2009-08-05 23:48]

2010-03-10 c:\windows\Tasks\HPCeeScheduleForAndrew.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2008-10-23 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=en_us&c=91&bd=Pavilion&pf=cnnb
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-16 17:21
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x877E28C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0x8220ad24
\Driver\ACPI -> acpi.sys @ 0x8069ed68
\Driver\atapi -> atapi.sys @ 0x822d89b0
IoDeviceObjectType ->\Device\Harddisk0\DR0 ->user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2010-03-16 17:25:11
ComboFix-quarantined-files.txt 2010-03-17 00:25
ComboFix2.txt 2010-03-15 23:06

Pre-Run: 36,216,991,744 bytes free
Post-Run: 36,188,295,168 bytes free

- - End Of File - - FE3A5C1F9C85132181E625D870B91C70

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:25:40 PM, on 3/16/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v7.00 (7.00.6002.18005)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Users\Andrew\AppData\Local\Google\Update\1.2.183.17\GoogleCrashHandler.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\explorer.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...ion&pf=cnnb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Microsoft Live Search Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Microsoft Live Search Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - c:\Program Files\MSN\Toolbar\3.0.0541.0\msneshellx.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdateLBPShortCut] "C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\LabelPrint" UpdateWithCreateOnce "Software\CyberLink\LabelPrint\2.5"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Google Update] "C:\Users\Andrew\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\Windows\System32\avgrsstx.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7658 bytes


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 16 March 2010 - 08:44 PM

Hello, jokerspath.
Looks good! Are you having any other problems?

We have a few things left to do, just to make sure you really are clean:
Please uninstall Java™ 6 Update 7, since you already have update 17 installed.

NEXT:

We need to run a Panda Active Scan
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the Export to button and post the contents of the ActiveScan report.

NEXT:

We need to run an MBAM Scan
  1. Please download Malwarebytes Anti-Malware and save it to your desktop.
    alternate download link 1
    alternate download link 2
  2. Make sure you are connected to the Internet.
  3. Double-click on Download_mbam-setup.exe to install the application.
  4. When the installation begins, follow the prompts and do not make any changes to default settings.
  5. When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  6. Then click Finish.
  7. Run MBAM and you will be asked to update the program before performing a scan.
    If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If you encounter any problems while downloading the updates, manually download them from here
    and just double-click on mbam-rules.exe to install.
  8. On the Scanner tab:
    • Make sure the "Perform Quick Scan" option is selected.
    • Then click on the Scan button.
  9. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  10. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  11. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  12. Click OK to close the message box and continue with the removal process.
  13. Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  14. Make sure that everything is checked, and click Remove Selected.
  15. When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  16. The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  17. Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.



In your next reply, please include the following:
  • ActiveScan Report
  • MBAM Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 jokerspath

jokerspath
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 17 March 2010 - 10:54 AM

Strange, thought I posted my results last night. Here they are:

ACTIVESCAN

;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-03-16 22:43:10
PROTECTIONS: 1
MALWARE: 27
SUSPECTS: 1
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG Anti-Virus Free No Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@trafficmp[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@casalemedia[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@doubleclick[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\low\andrew@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\low\andrew@atdmt[1].txt
00145405 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@247realmedia[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@fastclick[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@tribalfusion[1].txt
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@mediaplex[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@yadro[1].txt
00167747 Cookie/Azjmp TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@azjmp[2].txt
00167749 Cookie/Toplist TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@toplist[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@statcounter[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@burstnet[1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@serving-sys[2].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@bs.serving-sys[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\low\andrew@server.iad.liveperson[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@advertising[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@overture[1].txt
00170556 Cookie/RealMedia TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@realmedia[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@questionmarket[1].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@zedo[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@ads.addynamix[1].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@enhance[2].txt
06106281 Generic Trojan Virus/Trojan No 0 Yes No c:\windows\mkolea.exe
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No c:\qoobox\quarantine\c\windows\system32\spool\prtprocs\w32x86\00004e5d.tmp.vir
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


MBAM

Malwarebytes' Anti-Malware 1.44
Database version: 3875
Windows 6.0.6002 Service Pack 2
Internet Explorer 7.0.6002.18005

3/16/2010 8:13:07 PM
mbam-log-2010-03-16 (20-13-07).txt

Scan type: Quick Scan
Objects scanned: 106322
Time elapsed: 5 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WEK9EMDHI9 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
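
The ActiveScan report above mixes 26 tracking-cookie entries with one real detection, and the helper's reply depends on telling those apart. Below is an added Python example, not code from the thread or from Panda, that parses the report format seen here and flags non-cookie entries that were not disinfected; the embedded sample report is a constructed, abbreviated copy of the one posted above.

```python
"""Triage a Panda ActiveScan text report (the format posted in this thread):
separate tracking cookies from other detections and list anything not yet
disinfected. Added example; sample report is a constructed abbreviation."""
import re
from collections import namedtuple

# Constructed sample: three MALWARE rows and one SUSPECTS row from the thread.
SAMPLE_REPORT = r"""
;*****
MALWARE: 3
SUSPECTS: 1
;*****
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139059 Cookie/Traffic Marketplace TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@trafficmp[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No c:\users\andrew\appdata\roaming\microsoft\windows\cookies\andrew@doubleclick[1].txt
06106281 Generic Trojan Virus/Trojan No 0 Yes No c:\windows\mkolea.exe
;=====
SUSPECTS
Sent Location
;=====
No c:\qoobox\quarantine\c\windows\system32\spool\prtprocs\w32x86\00004e5d.tmp.vir
;=====
"""

SECTIONS = {"PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES"}
# Description and Location may contain spaces; Type is a single token and the
# four fixed-vocabulary columns after it anchor the split.
ROW_RE = re.compile(
    r"^(?P<id>\d{8})\s+(?P<description>.+?)\s+(?P<type>\S+)\s+(?P<active>Yes|No)\s+"
    r"(?P<severity>\d+)\s+(?P<disinfectable>Yes|No)\s+(?P<disinfected>Yes|No)\s+"
    r"(?P<location>.+)$"
)
SUSPECT_RE = re.compile(r"^(?P<sent>Yes|No)\s+(?P<location>.+)$")
COUNT_RE = re.compile(r"^(MALWARE|SUSPECTS):\s*(\d+)$", re.M)
Detection = namedtuple(
    "Detection", "id description type active severity disinfectable disinfected location")

def parse_report(text):
    """Return (detections, suspect_locations) from the MALWARE and SUSPECTS sections."""
    detections, suspects, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):   # separator / comment lines
            continue
        if line in SECTIONS:
            section = line
            continue
        if section == "MALWARE" and (m := ROW_RE.match(line)):
            detections.append(Detection(**m.groupdict()))
        elif section == "SUSPECTS" and (m := SUSPECT_RE.match(line)):
            suspects.append(m.group("location"))
    return detections, suspects

def triage(text):
    """Summarise what matters: real detections, items still on disk, suspects."""
    detections, suspects = parse_report(text)
    declared = {k: int(v) for k, v in COUNT_RE.findall(text)}
    real = [d for d in detections if d.type != "TrackingCookie"]
    return {
        "cookies": len(detections) - len(real),
        "real": real,
        "needs_manual_removal": [d.location for d in real if d.disinfected == "No"],
        "suspects": suspects,
        # The counts in the report header should agree with the rows parsed.
        "counts_match": (declared.get("MALWARE"), declared.get("SUSPECTS"))
                        == (len(detections), len(suspects)),
    }
```

Run `triage(SAMPLE_REPORT)` to see the single non-cookie entry (the Generic Trojan at `c:\windows\mkolea.exe`) reported as needing manual removal, which is the step the next reply asks for.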


#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 17 March 2010 - 01:34 PM

Hello, jokerspath.
Looks good!

Please navigate through and delete the following file:
c:\windows\mkolea.exe

NEXT:

We need to uninstall Combofix
  1. Click on your Start Menu, then Run....
  2. Now type combofix /uninstall in the runbox and click OK. Notice the space between the "x" and "/".




Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.

There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be wary of attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, and how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  4. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast!, Antivir and AVG Antivirus.
    3. An antispyware program
      Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident scanner and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  5. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out-of-date software on your machine.

Some more links you might find of interest:



#9 jokerspath

jokerspath
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 17 March 2010 - 02:35 PM

I'll download some of those other programs and continue to run AVG and Malware Bytes. Do you still think, though, that my computer could be forever compromised? The idea of reformatting it, at this point, sounds like a huge step I'm terrified to take unless I have to.

Also, I couldn't find that Java update you mentioned.

YIKES, it just blue-screened again. Any idea how to figure out what's up with that? I was just using Google Chrome to upload a picture.

Edited by jokerspath, 17 March 2010 - 02:57 PM.


#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 17 March 2010 - 04:14 PM

Hi!

Well, if you have a read at the links I posted up, you'll find that once a computer has been compromised with a trojan, there's always a small chance that even with the computer clean, the 'scar', if you will, still remains.

As for the blue screen, did you manage to get the error code? Does it always happen when using chrome to upload a picture?



#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:02:46 PM

Posted 18 March 2010 - 11:04 PM

Since this problem appears to be resolved, this thread will now be closed. If you need this topic reopened, please send me a PM with the address of this thread. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.





