Rootkit removal assistance please


  • This topic is locked
39 replies to this topic

#1 Ken Mitnick

Ken Mitnick

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 15 March 2010 - 10:36 PM

For several months, I have had to use my computer in safe mode with networking. I believe I was struck originally by the zeus virus. I removed a couple of named files from the registry, but always got a blue screen whenever I tried starting in normal mode. So I have been using safe mode with networking ever since.

I discovered bleepingcomputer and used Malwarebytes to get rid of virtumonde which was picked up last week. Then I found the tutorial for checking to see if my problem with the blue screen might be solved as well. I was directed to this thread and have followed the instructions.

Here is the DDS text:

DDS (Ver_09-12-01.01) - NTFSx86 NETWORK
Run by Ken Mitnick at 17:23:01.64 on Mon 03/15/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.642 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Dr. Guard *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ken Mitnick\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
mWinlogon: Shell=Explorer.exe
BHO: {536ec8a9-7327-49bf-b748-f53ae61a2c71} - tehisuvo.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C8C0204E-F720-4EC9-96F2-DF6C33C1E3CB} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {F2570A0D-001D-477D-93D1-D05EF5EB95CD} - No File
TB: {7754C418-F62E-44AA-B169-E719E718BCFD} - No File
TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
EB: &Yahoo! Messenger: {4528bbe0-4e08-11d5-ad55-00010333d0ad} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRunOnce: [SpybotDeletingB5130] command.com /c del "c:\documents and settings\ken mitnick\local settings\temp\taskmgr.exe_old"
uRunOnce: [SpybotDeletingD3834] cmd.exe /c del "c:\documents and settings\ken mitnick\local settings\temp\taskmgr.exe_old"
uRunOnce: [SpybotDeletingB7755] command.com /c del "c:\documents and settings\ken mitnick\local settings\temp\login.exe_old"
uRunOnce: [SpybotDeletingD5836] cmd.exe /c del "c:\documents and settings\ken mitnick\local settings\temp\login.exe_old"
uRunOnce: [SpybotDeletingB6757] command.com /c del "c:\windows\system32\app_dll.dll"
uRunOnce: [SpybotDeletingD7118] cmd.exe /c del "c:\windows\system32\app_dll.dll"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\ghWrDpxA5.exe" /runcleanupscript
mRun: [yojayideku] Rundll32.exe "suwumuwo.dll",s
mRunOnce: [Spybot - Search & Destroy] "c:\program files\spybot - search & destroy\SpybotSD.exe" /autocheck
mRunOnce: [SpybotDeletingA5114] command.com /c del "c:\documents and settings\ken mitnick\local settings\temp\taskmgr.exe_old"
mRunOnce: [SpybotDeletingC3527] cmd.exe /c del "c:\documents and settings\ken mitnick\local settings\temp\taskmgr.exe_old"
mRunOnce: [SpybotDeletingA730] command.com /c del "c:\documents and settings\ken mitnick\local settings\temp\login.exe_old"
mRunOnce: [SpybotDeletingC9151] cmd.exe /c del "c:\documents and settings\ken mitnick\local settings\temp\login.exe_old"
mRunOnce: [SpybotDeletingA5328] command.com /c del "c:\windows\system32\app_dll.dll"
mRunOnce: [SpybotDeletingC1263] cmd.exe /c del "c:\windows\system32\app_dll.dll"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
dRunOnce: [WUAppSetup] c:\program files\common files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f audio -m logitech -d 10.5.1.2023
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel
IE: {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - c:\program files\paltalk messenger\Paltalk.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - {4C171D40-8277-11D5-AD55-00010333D0AD} - c:\program files\yahoo!\messenger\yhexbmes0411.dll
IE: {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - {F834F29F-717D-41ba-9ABF-14DA1BBE6147} - c:\windows\system32\mscoree.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - {FDEB4153-68B1-43bc-A112-BEEFF096F335} - c:\windows\system32\mscoree.DLL
DPF: PUFLITE - hxxp://vickymontgomery.point2agent.com/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} - hxxp://www.pcpitstop.com/internet/pcpConnCheck.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://ispe.sdc.hp.com/awebui/jsp/answerweb/applets/HPISWebManager.CAB
DPF: {735A7AB7-90C5-4753-8DE1-88DCE554E780} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} - hxxps://media.pineconeresearch.com/ActiveX/downloadcontrol.cab
DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} - hxxps://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0015-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_03-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - hxxp://3dlifeplayer.dl.3dvia.com/player/install/installer.exe
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://www.popcap.com/webgames/popcaploader_v10.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: app_dll.dll,lavufanu.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SSODL: vusavegov - {365bab98-3c82-4964-81c4-61a16943a297} - No File
SSODL: tofododud - {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - No File
STS: {365bab98-3c82-4964-81c4-61a16943a297} - No File
STS: {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - No File
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
LSA: Authentication Packages = msv1_0 relog_ap
LSA: Notification Packages = scecli scecli lavufanu.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\kenmit~1\applic~1\mozilla\firefox\profiles\cjl7tqru.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.nytimes.com/
FF - plugin: c:\documents and settings\ken mitnick\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1508.6312\npCIDetect13.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - plugin: c:\program files\opera\program\plugins\npdivx32.dll
FF - plugin: c:\program files\opera\program\plugins\npqtplugin8.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: d:\program files\reader\browser\nppdf32.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

S0 iuaq;iuaq;c:\windows\system32\drivers\uopwhng.sys --> c:\windows\system32\drivers\uopwhng.sys [?]
S0 klbyg;klbyg;c:\windows\system32\drivers\lgilfqso.sys --> c:\windows\system32\drivers\lgilfqso.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 325896]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-5-31 27784]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-5-31 298776]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [2004-10-29 40064]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys [2005-1-6 24653]
S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\hpuata.sys [2001-9-24 75776]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2009-5-4 29584]
S3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [2004-8-4 47360]
S3 utg3mzy4;AVZ Kernel Driver;\??\c:\windows\system32\drivers\utg3mzy4.sys --> c:\windows\system32\drivers\utg3mzy4.sys [?]

=============== Created Last 30 ================

2010-03-15 21:22:00 0 ----a-w- c:\documents and settings\ken mitnick\defogger_reenable
2010-03-15 19:48:37 0 d-----w- c:\program files\NirSoft
2010-03-15 14:31:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 14:31:25 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-14 00:01:02 452 --sha-r- c:\documents and settings\ken mitnick\ntuser.pol
2010-03-13 22:51:54 0 d-----w- c:\windows\LastGood.Tmp
2010-03-13 22:25:18 2330 ----a-w- c:\windows\system32\tmp.reg
2010-03-13 16:22:33 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-12 18:40:39 0 d-----w- c:\docume~1\kenmit~1\applic~1\AVG8
2010-03-12 18:02:09 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-03-12 17:19:51 94208 ------w- c:\windows\system32\app_dll.dll_old

==================== Find3M ====================

2009-10-05 18:08:00 17920 --sha-w- c:\program files\Thumbs.db
2009-09-14 02:05:35 12522 ----a-w- c:\program files\irunin.xml
2009-09-14 02:05:24 96408 ----a-w- c:\program files\irunin.dat
2009-09-14 02:02:25 61270 ----a-w- c:\program files\IRIMG4.JPG
2009-09-14 02:02:25 31678 ----a-w- c:\program files\IRIMG2.JPG
2009-09-14 02:02:25 25532 ----a-w- c:\program files\IRIMG1.JPG
2009-09-14 02:02:25 11435 ----a-w- c:\program files\IRIMG3.JPG
2009-08-05 16:19:00 11537920 ----a-w- c:\program files\paltalk.exe
2009-08-05 16:06:39 1285120 ----a-w- c:\program files\PalTextCtl.dll
2009-08-05 16:05:45 2393088 ----a-w- c:\program files\WebVideo.dll
2009-08-05 16:04:43 961536 ----a-w- c:\program files\palsound.dll
2009-08-05 16:02:36 95744 ----a-w- c:\program files\gsmproj.dll
2009-08-05 16:01:23 171008 ----a-w- c:\program files\spexproj.dll
2009-08-05 16:01:17 419328 ----a-w- c:\program files\n2p.dll
2009-08-05 16:00:48 113152 ----a-w- c:\program files\pallauncher.dll
2009-08-05 16:00:14 282624 ----a-w- c:\program files\PalVideoCapture.dll
2009-08-05 15:59:50 414208 ----a-w- c:\program files\AviFileCtrl.dll
2009-08-05 15:59:27 289792 ----a-w- c:\program files\ftpclient.dll
2009-07-28 21:33:00 887248 ----a-w- c:\program files\askBarSetup-4.1.0.7.exe
2009-07-28 21:33:00 54664 ----a-w- c:\program files\AskInstallChecker.exe
2009-07-28 21:33:00 15086 ----a-w- c:\program files\upgrade.ico
2009-07-28 21:32:59 85504 ----a-w- c:\program files\License.doc
2009-07-28 21:32:59 22528 ----a-w- c:\program files\shfolder.dll
2009-07-28 21:32:59 2238 ----a-w- c:\program files\eFax3.ico
2009-07-28 21:32:59 202016 ----a-w- c:\program files\StmOCX.dll
2009-07-28 21:25:27 64 ----a-w- c:\program files\calleng.lic
2009-07-28 21:25:27 2056192 ----a-w- c:\program files\CALLENG.dll
2009-07-28 21:25:27 180224 ----a-w- c:\program files\ijl11.dll
2005-05-26 15:51:18 93 -c--a-w- c:\program files\ppunistall.bat
2003-08-27 19:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2009-05-04 20:29:49 2 --shatr- c:\windows\winstart.bat
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\suwumuwo.dll
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\tehisuvo.dll
1601-01-01 00:03:28 7400 --sha-w- c:\windows\system32\zajifali.exe
2008-05-12 22:18:43 32768 --sh--w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051220080513\index.dat
2009-06-07 13:04:59 57673760 --sha-w- c:\windows\system32\drivers\fidbox.dat

============= FINISH: 17:24:34.12 ===============

I have attached as directed the following:
attach.txt

Finally, the following is from the gmer file which I was instructed to attach. (When the scan was finished, it alerted me that a rootkit was found.)

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-15 23:21:56
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\KENMIT~1\LOCALS~1\Temp\pxtdqpow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\0000009c 855125F8
Device \Driver\ACPI \Device\0000008f 855125F8
Device \Driver\ACPI \Device\0000009d 855125F8
Device \Driver\ACPI \Device\0000009e 855125F8
Device \Driver\ACPI \Device\0000009f 855125F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI \Device\000000b0 855125F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI \Device\000000b1 855125F8
Device \Driver\ACPI \Device\000000a5 855125F8
Device \Driver\ACPI \Device\00000090 855125F8
Device \Driver\ACPI \Device\000000c3 855125F8
Device \Driver\ACPI \Device\00000091 855125F8
Device \Driver\ACPI \Device\000000c4 855125F8
Device \Driver\ACPI \Device\00000095 855125F8
Device \Driver\ACPI \Device\00000096 855125F8
Device \Driver\ACPI \Device\00000097 855125F8
Device \Driver\ACPI \Device\000000aa 855125F8
Device \Driver\ACPI \Device\000000ab 855125F8
Device \Driver\ACPI \Device\000000ad 855125F8
Device \Driver\ACPI \Device\000000ae 855125F8
Device \FileSystem\Cdfs \Cdfs F6655400
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [436] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [448] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [816] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [912] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\savedump.exe [924] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [932] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [1036] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1152] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1256] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1364] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1440] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1500] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [1800] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [1816] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [1824] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Program Files\Outlook Express\msimn.exe [2044] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Desktop\gmer\gmer.exe [2124] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.cs\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.mdb\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.pps\PersistentHandler@ {98de59a0-d175-11cd-a7bd-00006b827d94}
Reg HKLM\SOFTWARE\Classes\.rtf\PersistentHandler@ {2e2294a9-50d7-4fe7-a09f-e6492e185884}
Reg HKLM\SOFTWARE\Classes\.tiff\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.xslt\PersistentHandler@ {7E9D8D44-6926-426F-AA2B-217A819A5CCE}
Reg HKLM\SOFTWARE\Classes\mapi\Shell@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\tehisuvo.dll 65536 bytes
File C:\WINDOWS\system32\suwumuwo.dll 65536 bytes
File C:\WINDOWS\system32\lavufanu.dll 65536 bytes
File C:\WINDOWS\system32\gojevebo 6456 bytes

---- EOF - GMER 1.0.15 ----


Thank you all for the assistance you provide. It is much appreciated.
Ken Mitnick
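The DDS and GMER output in this post carries the indicators a responder keys on: the `AppInit_DLLs` value and the LSA `Notification Packages` value both name `lavufanu.dll`, two `S0` drivers point at files that no longer exist on disk (`[?]`), three system32 files carry the zeroed 1601-01-01 timestamp with hidden and system attributes, a `Run` entry loads a DLL by bare name through `Rundll32.exe`, a BHO is registered with a bare file name, and GMER reports the same `lavufanu.dll` as a hidden library in every process it enumerated. The script below is an added example (it is not DDS, GMER or BleepingComputer code) that parses DDS/GMER-style lines for exactly those patterns and then correlates the findings by file name, so that a DLL appearing in several persistence locations stands out. The sample log is a constructed excerpt copied from the log above; the category names and the assumption that `scecli` is the only default LSA notification package on Windows XP are mine.

```python
"""Triage persistence indicators in a DDS / GMER text log (added example)."""
import re

# Assumption: on a clean Windows XP box the LSA Notification Packages value is
# just "scecli"; anything else listed there is loaded into lsass.exe.
DEFAULT_NOTIFICATION_PACKAGES = {"scecli"}
ZERO_FILETIME = "1601-01-01"  # FILETIME zero: the timestamp was wiped or forged

# Constructed excerpt of the DDS and GMER output posted above.
SAMPLE_LOG = r"""
BHO: {536ec8a9-7327-49bf-b748-f53ae61a2c71} - tehisuvo.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [yojayideku] Rundll32.exe "suwumuwo.dll",s
AppInit_DLLs: app_dll.dll,lavufanu.dll
LSA: Notification Packages = scecli scecli lavufanu.dll
S0 iuaq;iuaq;c:\windows\system32\drivers\uopwhng.sys --> c:\windows\system32\drivers\uopwhng.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-5-31 325896]
1601-01-01 00:03:52 65536 --sha-w- c:\windows\system32\suwumuwo.dll
2009-05-04 20:29:49 2 --shatr- c:\windows\winstart.bat
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [816] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1364] 0x10000000
"""


def triage_log(text):
    """Return a list of (category, detail) findings for one DDS/GMER log text."""
    findings = []
    hidden_libs = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue

        # AppInit_DLLs: every DLL listed is loaded into every process that loads user32.
        m = re.match(r"AppInit_DLLs:\s*(.+)", line)
        if m:
            for dll in m.group(1).split(","):
                findings.append(("appinit_dll", dll.strip()))
            continue

        # LSA notification packages are loaded into lsass.exe and see password changes.
        m = re.match(r"LSA: Notification Packages\s*=\s*(.+)", line)
        if m:
            for pkg in m.group(1).split():
                if pkg.lower() not in DEFAULT_NOTIFICATION_PACKAGES:
                    findings.append(("lsa_notification_package", pkg))
            continue

        # DDS service line "S0 name;display;path --> path [?]": [?] means file not found.
        m = re.match(r"S[0-4] ([^;]+);[^;]*;(.+?) --> .+ \[\?\]$", line)
        if m:
            findings.append(("driver_file_missing", f"{m.group(1)} {m.group(2)}"))
            continue

        # DDS file listing: "date time size attributes path"; flag a zeroed FILETIME
        # combined with the hidden (h) and system (s) attributes.
        m = re.match(r"(\d{4}-\d{2}-\d{2}) \S+ \d+ (\S+) (.+)", line)
        if m:
            attrs = m.group(2)
            if m.group(1) == ZERO_FILETIME and "h" in attrs and "s" in attrs:
                findings.append(("zero_timestamp_hidden_file", m.group(3)))
            continue

        # GMER process section: "Library <path> (*** hidden *** ) @ <process> [pid] <base>".
        m = re.match(r"Library (.+?) \(\*\*\* hidden \*\*\* \) @ (.+?) \[(\d+)\]", line)
        if m:
            hidden_libs.add(m.group(1).lower())
            continue

        # Run/RunOnce entries that load a DLL by bare name through rundll32.
        m = re.search(r'Run(?:Once)?: \[([^\]]+)\] Rundll32\.exe "([^"\\]+\.dll)"', line, re.I)
        if m:
            findings.append(("rundll32_bare_dll_autorun", f"{m.group(1)} -> {m.group(2)}"))
            continue

        # BHO registered with a bare file name: no path means it is found via search order.
        m = re.match(r"BHO: .*\{[0-9a-f-]+\} - ([^\\\s]+\.dll)$", line, re.I)
        if m:
            findings.append(("bho_bare_dll", m.group(1)))
            continue

    for lib in sorted(hidden_libs):
        findings.append(("hidden_library", lib))
    return findings


def correlate(findings):
    """Group findings by bare file name so a DLL seen in several places stands out."""
    by_name = {}
    for category, detail in findings:
        name = detail.split("\\")[-1].split(" -> ")[-1].lower()
        by_name.setdefault(name, set()).add(category)
    return {name: sorted(cats) for name, cats in by_name.items()}


FINDINGS = triage_log(SAMPLE_LOG)

if __name__ == "__main__":
    for category, detail in FINDINGS:
        print(f"{category:28} {detail}")
    for name, cats in correlate(FINDINGS).items():
        if len(cats) > 1:
            print(f"{name} appears in {len(cats)} places: {', '.join(cats)}")
```

Run it against a full pasted DDS or GMER log and the correlation step is the useful part: on the sample, `lavufanu.dll` surfaces in three independent persistence locations, which is the signal that a single removal of one registry value will not be enough. A missing-file driver entry can also be a harmless leftover (the log above lists an AVZ kernel driver the same way), so the categories are starting points for review, not verdicts.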


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 18 March 2010 - 08:50 PM

Hello, Ken Mitnick.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for :)
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 19 March 2010 - 12:49 AM

Hi aommaster,

Thanks for the reply. As requested, here are the following files:

rsit logfile:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Ken Mitnick at 2010-03-18 22:23:41
Microsoft Windows XP Professional Service Pack 3
System drive C: has 11 GB (38%) free of 30 GB
Total RAM: 959 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:24:10, on 3/18/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Ken Mitnick\Desktop\RSIT.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\trend micro\Ken Mitnick.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {536ec8a9-7327-49bf-b748-f53ae61a2c71} - tehisuvo.dll (file missing)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\ghWrDpxA5.exe" /runcleanupscript
O4 - HKLM\..\Run: [yojayideku] Rundll32.exe "suwumuwo.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA5114] command.com /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3527] cmd.exe /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA730] command.com /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9151] cmd.exe /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5328] command.com /c del "C:\WINDOWS\system32\app_dll.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1263] cmd.exe /c del "C:\WINDOWS\system32\app_dll.dll"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\RunOnce: [SpybotDeletingB5130] command.com /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3834] cmd.exe /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7755] command.com /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5836] cmd.exe /c del "C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6757] command.com /c del "C:\WINDOWS\system32\app_dll.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7118] cmd.exe /c del "C:\WINDOWS\system32\app_dll.dll"
O4 - HKUS\S-1-5-18\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f audio -m logitech -d 10.5.1.2023 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [WUAppSetup] C:\Program Files\Common Files\logishrd\WUApp32.exe -v 0x046d -p 0x08b2 -f audio -m logitech -d 10.5.1.2023 (User 'Default user')
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://vickymontgomery.point2agent.com/Col...rol/PUFLITE.CAB
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {735A7AB7-90C5-4753-8DE1-88DCE554E780} - http://rms2.invokesolutions.com/events/bin...1448/MILive.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://rms2.invokesolutions.com/events/bin...iveCompTest.ocx
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - http://rms2.invokesolutions.com/events/bin...1448/MILive.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/webgames/popcaploader_v10.cab
O18 - Protocol: bw+0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: app_dll.dll,lavufanu.dll
O20 - Winlogon Notify: !SASWinLogon - C:\WINDOWS\
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O20 - Winlogon Notify: cbxvw - C:\WINDOWS\
O21 - SSODL: vusavegov - {365bab98-3c82-4964-81c4-61a16943a297} - (no file)
O21 - SSODL: tofododud - {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - (no file)
O22 - SharedTaskScheduler: kupuhivus - {365bab98-3c82-4964-81c4-61a16943a297} - (no file)
O22 - SharedTaskScheduler: jugezatag - {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - (no file)
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - file:///C:/Program%20Files/Common%20Files/Microsoft%20Shared/Stationery/Malinda_Vera_Cruz_eStationery_Header.jpg
O24 - Desktop Component 2: (no name) - file:///C:/Documents%20and%20Settings/Ken%20Mitnick/Desktop/DTES%20Files/Paul%20Indrigo/indrigo_top_banner1.jpg

--
End of file - 24646 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1585308623-2092770326-810153994-1005.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{536ec8a9-7327-49bf-b748-f53ae61a2c71}]
C:\WINDOWS\system32\tehisuvo.dll [65535-65535-31889 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Windows Live Toolbar - C:\Program Files\Windows Live Toolbar\msntb.dll [2007-10-19 546320]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"=C:\WINDOWS\system32\dumprep 0 -k []
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\ghWrDpxA5.exe [2010-03-15 1394000]
"yojayideku"=suwumuwo.dll,s []

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Spybot - Search & Destroy"=C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe [2009-01-26 5365592]
"SpybotDeletingA5114"=command.com /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old []
"SpybotDeletingC3527"=cmd.exe /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old []
"SpybotDeletingA730"=command.com /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old []
"SpybotDeletingC9151"=cmd.exe /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old []
"SpybotDeletingA5328"=command.com /c del C:\WINDOWS\system32\app_dll.dll []
"SpybotDeletingC1263"=cmd.exe /c del C:\WINDOWS\system32\app_dll.dll []
"Malwarebytes' Anti-Malware"=C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe [2010-01-07 429392]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingB5130"=command.com /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old []
"SpybotDeletingD3834"=cmd.exe /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\taskmgr.exe_old []
"SpybotDeletingB7755"=command.com /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old []
"SpybotDeletingD5836"=cmd.exe /c del C:\Documents and Settings\Ken Mitnick\Local Settings\Temp\login.exe_old []
"SpybotDeletingB6757"=command.com /c del C:\WINDOWS\system32\app_dll.dll []
"SpybotDeletingD7118"=cmd.exe /c del C:\WINDOWS\system32\app_dll.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="app_dll.dll,lavufanu.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2003-12-20 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2009-05-31 11952]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cbxvw]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]
vusavegov - {365bab98-3c82-4964-81c4-61a16943a297}
tofododud - {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
kupuhivus - {365bab98-3c82-4964-81c4-61a16943a297}
jugezatag - {7a8bba17-92d9-48ca-95e3-8e9b8c6bae44}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= []
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
relog_ap
"notification packages"=
scecli
scecli
lavufanu.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Grisoft\AVG Free\avgw.exe"="C:\Program Files\Grisoft\AVG Free\avgw.exe:*:Enabled:AVG Free Edition for Windows"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Sony\VAIO Media 2.6\Vc.exe"="C:\Program Files\Sony\VAIO Media 2.6\Vc.exe:*:Enabled:VAIO Media 2.6"
"C:\Program Files\SmartFTP\SmartFTP.exe"="C:\Program Files\SmartFTP\SmartFTP.exe:*:Enabled:SmartFTP Client"
"C:\WINDOWS\system32\dpvsetup.exe"="C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"
"C:\WINDOWS\system32\rundll32.exe"="C:\WINDOWS\system32\rundll32.exe:*:Enabled:Run a DLL as an App"
"C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe"="C:\Program Files\Verizon Wireless\VZAccess Manager\VZAccess Manager.exe:*:Disabled:VZAccess Manager"
"C:\Program Files\AceBIT\WISE-FTP\wise_ftp.exe"="C:\Program Files\AceBIT\WISE-FTP\wise_ftp.exe:*:Disabled:WISE-FTP application executable"
"C:\Program Files\Opera\Opera.exe"="C:\Program Files\Opera\Opera.exe:*:Enabled:Opera Internet Browser"
"C:\Program Files\WinMX\WinMX.exe"="C:\Program Files\WinMX\WinMX.exe:*:Disabled:WinMX Application"
"D:\iSpQVideoChat72.exe"="D:\iSpQVideoChat72.exe:*:Disabled:iSpQ VideoChat"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Documents and Settings\Ken Mitnick\Desktop\FTP Downloads\cutftp32.exe"="C:\Documents and Settings\Ken Mitnick\Desktop\FTP Downloads\cutftp32.exe:*:Enabled:Winsock FTP Client"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Media Player\wmplayer.exe"="C:\Program Files\Windows Media Player\wmplayer.exe:*:Enabled:Windows Media Player"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Grisoft\AVG7\avginet.exe"="C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe"
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe"="C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\Program Files\Grisoft\AVG7\avgcc.exe"="C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\Program Files\Paltalk Messenger\paltalk.exe"="C:\Program Files\Paltalk Messenger\paltalk.exe:*:Enabled:Paltalk 9.1"
"C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\helpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Acronis\TrueImageHome\TrueImage.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImage.exe:*:Enabled:Acronis True Image Home"
"C:\Program Files\Palm\HOTSYNC.EXE"="C:\Program Files\Palm\HOTSYNC.EXE:*:Disabled:HotSync® Manager Application"
"C:\Palm\HOTSYNC.EXE"="C:\Palm\HOTSYNC.EXE:*:Disabled:HotSync® Manager Application"
"D:\Program Files\LimeWire\LimeWire.exe"="D:\Program Files\LimeWire\LimeWire.exe:*:Disabled:LimeWire"
"C:\StubInstaller.exe"="C:\StubInstaller.exe:*:Disabled:LimeWire swarmed installer"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:*:Disabled:Logitech Desktop Messenger"
"C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe"="C:\Program Files\Logitech\Desktop Messenger\8876480\Program\backWeb-8876480.exe:*:Disabled:Logitech Desktop Messenger"
"C:\WINDOWS\system32\CIMSVR.exe"="C:\WINDOWS\system32\CIMSVR.exe:*:Disabled:Logitech IM Video Companion Server"
"C:\Program Files\NetMeeting\conf.exe"="C:\Program Files\NetMeeting\conf.exe:*:Disabled:Windows® NetMeeting®"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Disabled:Yahoo! FT Server"
"C:\Program Files\Yahoo!\Messenger\YPager.exe"="C:\Program Files\Yahoo!\Messenger\YPager.exe:*:Disabled:Yahoo! Messenger"
"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"
"D:\paltalk.exe"="D:\paltalk.exe:*:Enabled:Paltalk Messenger 8.3"
"C:\Program Files\paltalk.exe"="C:\Program Files\paltalk.exe:*:Enabled:PaltalkScene"
"C:\WINDOWS\system32\lsass.exe"="C:\WINDOWS\system32\lsass.exe:*:Enabled:lsass"
"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Disabled:Microsoft Management Console"
"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Messenger\livecall.exe"="C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

======File associations======

.inf - install -

======List of files/folders created in the last 1 months======

65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\zokemohi.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\zohewigu.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\zajifali.exe
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\yegusaso.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vupivino.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\vuhugeya.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\tehisuvo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\suwumuwo.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\nazoluha.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\midevebi.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\luyiwiya.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\lewuseze.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\layuvedi.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\lawakuwi.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\jojilite.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\fekabota.dll
65535-65535-31889 411:31889:475 ----ASH---- C:\WINDOWS\system32\befeleko.dll
2010-03-18 22:23:42 ----D---- C:\Program Files\trend micro
2010-03-18 22:23:41 ----D---- C:\rsit
2010-03-15 15:48:37 ----D---- C:\Program Files\NirSoft
2010-03-13 20:28:09 ----A---- C:\WINDOWS\system32\Agent.OMZ.Fix.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\WS2Fix.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\VCCLSID.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\VACFix.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\swxcacls.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\swsc.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\swreg.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\SrchSTS.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\o4Patch.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\IEDFix.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\IEDFix.C.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\dumphive.exe
2010-03-13 20:28:08 ----A---- C:\WINDOWS\system32\404Fix.exe
2010-03-13 20:28:07 ----A---- C:\WINDOWS\system32\Process.exe
2010-03-13 18:51:54 ----D---- C:\WINDOWS\LastGood.Tmp
2010-03-13 18:25:18 ----A---- C:\WINDOWS\system32\tmp.txt
2010-03-13 18:24:57 ----A---- C:\rapport.txt
2010-03-12 14:40:39 ----D---- C:\Documents and Settings\Ken Mitnick\Application Data\AVG8
2010-03-12 14:02:09 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-03-12 13:19:51 ----N---- C:\WINDOWS\system32\app_dll.dll_old

======List of files/folders modified in the last 1 months======

2010-03-18 22:23:42 ----D---- C:\Program Files
2010-03-18 20:21:54 ----D---- C:\WINDOWS\system32
2010-03-18 09:54:36 ----D---- C:\WINDOWS
2010-03-18 09:54:35 ----D---- C:\WINDOWS\temp
2010-03-18 07:47:02 ----D---- C:\WINDOWS\system32\CatRoot2
2010-03-17 16:38:04 ----D---- C:\Program Files\Full Tilt Poker.Net
2010-03-16 07:35:59 ----SHD---- C:\WINDOWS\CSC
2010-03-15 19:26:34 ----D---- C:\WINDOWS\Minidump
2010-03-15 19:20:35 ----D---- C:\Program Files\Mozilla Firefox
2010-03-15 19:20:17 ----D---- C:\Documents and Settings\Ken Mitnick\Application Data\Mozilla
2010-03-15 17:45:24 ----D---- C:\Program Files\EasyZip
2010-03-15 10:31:27 ----D---- C:\WINDOWS\system32\drivers
2010-03-14 12:22:21 ----D---- C:\WINDOWS\Prefetch
2010-03-14 12:20:44 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-14 09:01:51 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-03-13 23:05:29 ----D---- C:\WINDOWS\security
2010-03-13 19:17:21 ----A---- C:\WINDOWS\system32\system_.ini
2010-03-13 18:51:56 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-03-13 18:51:54 ----HD---- C:\WINDOWS\inf
2010-03-13 18:30:05 ----AC---- C:\WINDOWS\wininit.ini
2010-03-13 17:39:21 ----SHD---- C:\WINDOWS\Installer
2010-03-13 17:36:23 ----D---- C:\Program Files\AVG
2010-03-13 17:36:19 ----D---- C:\Documents and Settings\All Users\Application Data\avg8
2010-03-13 15:25:19 ----D---- C:\WINDOWS\Debug
2010-03-13 15:12:25 ----ASH---- C:\boot.ini
2010-03-13 15:12:25 ----A---- C:\WINDOWS\win.ini
2010-03-13 15:12:25 ----A---- C:\WINDOWS\system.ini
2010-03-13 13:02:15 ----D---- C:\Program Files\Internet Explorer
2010-03-12 19:22:14 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-03-12 17:49:16 ----D---- C:\Program Files\Adobe
2010-03-12 13:49:51 ----D---- C:\WINDOWS\pss
2010-03-12 13:34:32 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2010-03-12 13:34:25 ----D---- C:\Program Files\SpywareBlaster
2010-03-11 17:35:44 ----D---- C:\WINDOWS\system32\en-US
2010-03-11 17:35:08 ----D---- C:\WINDOWS\system32\wbem
2010-03-11 17:35:08 ----D---- C:\WINDOWS\system32\Setup
2010-03-11 17:35:00 ----DC---- C:\WINDOWS\system32\dllcache
2010-03-11 17:29:19 ----D---- C:\Program Files\Common Files\System
2010-03-11 17:29:10 ----D---- C:\WINDOWS\Media
2010-03-11 17:29:10 ----D---- C:\WINDOWS\Help
2010-03-11 17:23:26 ----RSD---- C:\WINDOWS\Fonts
2010-03-11 17:23:26 ----D---- C:\WINDOWS\AppPatch
2010-03-11 17:19:42 ----HDC---- C:\WINDOWS\$NtServicePackUninstall$
2010-03-11 17:19:42 ----D---- C:\Program Files\Outlook Express
2010-03-11 10:41:49 ----D---- C:\Program Files\CCleaner
2010-03-04 13:17:11 ----D---- C:\Program Files\TurboNote
2010-02-27 14:49:42 ----D---- C:\Documents and Settings\Ken Mitnick\Application Data\SmartFTP

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 Cdr4_xp;Cdr4_xp; C:\WINDOWS\system32\drivers\Cdr4_xp.sys [2007-02-02 9336]
R1 Cdralw2k;Cdralw2k; C:\WINDOWS\system32\drivers\Cdralw2k.sys [2007-02-02 9464]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-12-03 13566]
R1 DVDVRRdr_xp;DVDVRRdr_xp; C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys [2004-04-13 140416]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 pwd_2k;pwd_2k; C:\WINDOWS\system32\drivers\pwd_2k.sys [2004-04-13 117248]
R1 UDFReadr;UDFReadr; C:\WINDOWS\system32\drivers\UDFReadr.sys [2004-04-13 198528]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2003-03-31 12032]
R3 AR5416;Atheros AR5008 Wireless Network Adapter Service; C:\WINDOWS\system32\DRIVERS\athw.sys [2008-04-03 1333152]
R3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2001-08-17 12160]
R3 Point32;Microsoft IntelliPoint Filter Driver; C:\WINDOWS\system32\DRIVERS\point32.sys [2006-11-04 22784]
R3 RTL8023xp;Realtek 10/100/1000 PCI NIC Family NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2008-02-25 105088]
R3 SNC;Sony Notebook Control Device; C:\WINDOWS\System32\Drivers\SonyNC.sys [2000-11-09 48896]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbohci.sys [2008-04-13 17152]
S1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2009-05-31 325896]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2009-05-31 27784]
S1 cdudf_xp;cdudf_xp; C:\WINDOWS\system32\drivers\cdudf_xp.sys [2004-04-13 285824]
S1 DMICall;Sony DMI Call service; C:\WINDOWS\System32\DRIVERS\DMICall.sys [2000-12-05 3952]
S1 intelppm;Intel Processor Driver; C:\WINDOWS\System32\DRIVERS\intelppm.sys [2008-04-13 36352]
S1 PQNTDrv;PQNTDrv; C:\WINDOWS\system32\drivers\PQNTDrv.sys [2004-05-05 4228]
S2 Aspi32;Aspi32; C:\WINDOWS\system32\drivers\Aspi32.sys [2002-08-14 17005]
S2 MDC8021X;AEGIS Protocol (IEEE 802.1x) v2.3.1.9; C:\WINDOWS\system32\DRIVERS\mdc8021x.sys [2004-10-04 15781]
S2 mdmxsdk;mdmxsdk; C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys [2003-04-09 11043]
S2 tifsfilter;Acronis True Image FS Filter; C:\WINDOWS\system32\DRIVERS\tifsfilt.sys [2008-06-25 44384]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-11-13 391680]
S3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2007-08-07 4108992]
S3 aliadwdm;ALi Audio Accelerator WDM driver; C:\WINDOWS\system32\drivers\ac97ali.sys [2002-08-28 231552]
S3 apusbsnt;AirPrime USB Modem Device Driver; C:\WINDOWS\System32\DRIVERS\apusbsnt.sys [2004-05-18 40064]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2003-12-20 641536]
S3 Bridge;MAC Bridge; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 BridgeMP;MAC Bridge Miniport; C:\WINDOWS\System32\DRIVERS\bridge.sys [2008-04-13 71552]
S3 CamDrL;Logitech QuickCam Pro 3000(CamDrl); C:\WINDOWS\system32\DRIVERS\Camdrl.sys [2007-02-03 1075360]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\System32\DRIVERS\CmBatt.sys [2008-04-13 13952]
S3 dptrackerd;CamTrack Webcam Driver; C:\WINDOWS\system32\drivers\dptrackerd.sys [2007-02-28 108752]
S3 dvd_2K;dvd_2K; C:\WINDOWS\system32\drivers\dvd_2K.sys [2004-04-13 23680]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver; C:\WINDOWS\System32\DRIVERS\el574nd4.sys [2001-08-17 24653]
S3 HPUATA;HP CD Writer Plus Controller Driver; C:\WINDOWS\system32\DRIVERS\HPUATA.sys [2001-09-24 75776]
S3 HSF_DP;HSF_DP; C:\WINDOWS\System32\DRIVERS\HSF_DP.sys [2003-12-11 1042432]
S3 HSFHWALI;HSFHWALI; C:\WINDOWS\System32\DRIVERS\HSFHWALI.sys [2003-12-11 196736]
S3 ICAM3NT5;Intel® PC Camera CS331; C:\WINDOWS\System32\Drivers\ICAM3D2.SYS [2001-12-03 145184]
S3 ICAM5USB;Intel® PC Camera CS110; C:\WINDOWS\System32\Drivers\ICAM5D2.sys [2001-12-03 105808]
S3 IPFilter;Microsoft IntelliPoint Features driver; C:\WINDOWS\System32\DRIVERS\IPFilter.sys [2002-04-11 11136]
S3 LEX_AS_NIC_SERVICE_YNOS;LAN-Express AS IEEE 802.11g Wireless Network Adapter Service; C:\WINDOWS\System32\DRIVERS\ExpasAG.sys [2003-12-03 330400]
S3 LHidUsbK;Logitech SetPoint USB Receiver device driver; C:\WINDOWS\System32\Drivers\LHidUsbK.Sys [2006-05-10 36736]
S3 LVMVDrv;Logitech Machine Vision Engine Loader; C:\WINDOWS\system32\DRIVERS\LVMVDrv.sys [2007-02-06 1964064]
S3 LVPr2Mon;Logitech LVPr2Mon Driver; C:\WINDOWS\system32\DRIVERS\LVPr2Mon.sys [2007-02-06 25632]
S3 LVUSBSta;Logitech USB Monitor Filter; C:\WINDOWS\system32\drivers\LVUSBSta.sys [2007-02-03 41504]
S3 mmc_2K;mmc_2K; C:\WINDOWS\system32\drivers\mmc_2K.sys [2004-04-13 23680]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\System32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\System32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 NuidFltr;NUID filter driver; C:\WINDOWS\system32\DRIVERS\NuidFltr.sys [2007-01-15 9728]
S3 PalmUSBD;PalmUSBD; C:\WINDOWS\system32\drivers\PalmUSBD.sys [2004-04-13 16509]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0); C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 236121]
S3 RegGuard;RegGuard; \??\C:\WINDOWS\system32\Drivers\regguard.sys []
S3 RTL8023;Realtek RTL8139/810x/8169/8110 all in one NDIS NT Driver; C:\WINDOWS\System32\DRIVERS\Rtlnic51.sys [2003-11-07 67712]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\System32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\System32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 tifmsony;tifmsony; C:\WINDOWS\system32\drivers\tifmsony.sys [2003-11-20 64128]
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 UsbdpFP;Fingerprint Reader Class Driver; C:\WINDOWS\system32\DRIVERS\UsbdpFP.sys [2006-09-16 47360]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbstor;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 utg3mzy4;AVZ Kernel Driver; \??\C:\WINDOWS\system32\Drivers\utg3mzy4.sys []
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 winachsf;winachsf; C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys [2003-12-11 681344]
S3 wlluc48;Wireless LAN PC Card Driver; C:\WINDOWS\System32\DRIVERS\wlluc48.sys [2002-08-28 154624]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\System32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 sr;System Restore Filter Driver; C:\WINDOWS\System32\DRIVERS\sr.sys [2008-04-13 73472]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

S2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2007-10-30 427288]
S2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2003-12-20 385024]
S2 avg8wd;AVG Free8 WatchDog; C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2009-05-31 298776]
S2 Ias;MicroSoft Visual Services; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
S2 LVPrcSrv;Process Monitor; c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe [2007-02-06 109344]
S2 LVSrvLauncher;LVSrvLauncher; C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe [2007-02-06 105248]
S2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
S2 PDFCreatorMessages;PDFCreatorMessages; C:\WINDOWS\system32\PDFCreatorMessages.exe [2003-07-10 135168]
S2 TryAndDecideService;Acronis Try And Decide Service; C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe [2007-10-30 492720]
S2 VAIOMediaPlatform-MusicServer-AppServer;VAIO Media Music Server; C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe [2003-10-21 503897]
S2 VAIOMediaPlatform-MusicServer-HTTP;VAIO Media Music Server (HTTP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2003-10-21 57344]
S2 VAIOMediaPlatform-MusicServer-UPnP;VAIO Media Music Server (UPnP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2003-10-21 712704]
S2 VAIOMediaPlatform-PhotoServer-AppServer;VAIO Media Photo Server; C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe [2003-10-21 925696]
S2 VAIOMediaPlatform-PhotoServer-HTTP;VAIO Media Photo Server (HTTP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2003-10-21 57344]
S2 VAIOMediaPlatform-PhotoServer-UPnP;VAIO Media Photo Server (UPnP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2003-10-21 712704]
S2 WSearch;Windows Search; C:\WINDOWS\system32\SearchIndexer.exe [2007-02-05 300032]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 MSCSPTISRV;MSCSPTISRV; C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe [2006-04-27 53337]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 PACSPTISVR;PACSPTISVR; C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe [2006-04-27 49241]
S3 SPTISRV;Sony SPTI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe [2006-04-27 69718]
S3 SSScsiSV;SonicStage SCSI Service; C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe [2006-05-08 69632]
S3 usnjsvc;Messenger Sharing Folders USN Journal Reader service; C:\Program Files\Windows Live\Messenger\usnsvc.exe [2007-10-18 98328]
S3 VAIOMediaPlatform-VideoServer-AppServer;VAIO Media Video Server; C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe [2003-10-21 1286144]
S3 VAIOMediaPlatform-VideoServer-HTTP;VAIO Media Video Server (HTTP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe [2003-10-21 57344]
S3 VAIOMediaPlatform-VideoServer-UPnP;VAIO Media Video Server (UPnP); C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe [2003-10-21 712704]
S3 WLSetupSvc;Windows Live Setup Service; C:\Program Files\Windows Live\installer\WLSetupSvc.exe [2007-10-25 266240]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------


rsit info:

info.txt logfile of random's system information tool 1.06 2010-03-18 22:24:13

======Uninstall list======

-->"C:\Program Files\Common Files\Intel Shared\IP Video Telephony\Setup.exe" uninstall webclient clientid="CS5" clientpath="D:\Program Files\Intel\Createshare\VideoPhone\" inf="VSDKWSetup.inf"
-->"D:\Program Files\Intel\Createshare\Inetcam\uninstall.exe" /s
-->C:\WINDOWS\ISUNINST.EXE -a -f"C:\Program Files\Hewlett-Packard\HP Business Inkjet 2230_2280 Toolbox\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP Business Inkjet 2230_2280 Toolbox\hpwioi.dll" -i"tbxinst.ini" -h"HPZIOU00.DLL"
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->C:\WINDOWS\system32\\MSIEXEC.EXE /I {09DA4F91-2A09-4232-AB8C-6BC740096DE3} REMOVE=UpdateMgrFeature
-->C:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->Dummy
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C9DDCE0-66CF-11D4-9100-0090274FBE9A}\setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{68DC5968-0278-11D5-8EAA-00062973342B}\setup.exe" maintflag
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93B80FB1-7A23-11D3-B250-00105A1F4184}\setup.exe"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
1&1 EasyLogin-->C:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
3D-Album PicturePro-->C:\program files\3D-Album-PicturePro\uninstall.exe
3D-Album-->d:\program files\3D-Album\uninstall.exe
Acronis True Image Home-->MsiExec.exe /X{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}
activePDF Composer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB7B600D-A756-4C6C-A8FE-501E6A7723B4}\setup.exe" -Uninstall
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.2-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Apple Software Update-->MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
ATI - Software Uninstall Utility-->C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Display Driver-->rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Atory Password Generator-->"C:\Program Files\Atory\PasswordGenerator\unins000.exe"
AVG Free 8.5-->C:\Program Files\AVG\AVG8\setup.exe /UNINSTALL
Bejeweled Twist 1.0-->C:\Program Files\PopCap Games\Bejeweled Twist\PopUninstall.exe "C:\Program Files\PopCap Games\Bejeweled Twist\Install.log"
Belarc Advisor 6.1-->C:\PROGRA~1\Belarc\Advisor\Uninstall.exe C:\PROGRA~1\Belarc\Advisor\INSTALL.LOG
Bicycle Casino 2.0-->"D:\Program Files\Microsoft Games\Bicycle Casino 2.0\UNINSTAL.EXE" /runtemp /addremove
Broward County Public Schools eCalendar-->"C:\Program Files\Broward County Public Schools eCalendar\unins000.exe"
CamTrack-->"C:\Program Files\DigitalPeers\CamTrack\unins000.exe"
CCleaner-->"C:\Program Files\CCleaner\uninst.exe"
Click to DVD 1.3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7C2F71B2-6C73-11D6-B659-00C04F790F76}\setup.exe"
ClickArt 400,000-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4EABF2A9-961A-446A-83B1-98D9E53CF365}\setup.exe" -l0x9 anything
Copyit 2.8-->C:\Utility\Copyit\UNWISE.EXE C:\Utility\Copyit\INSTALL.LOG
CyberTweak Version 1.3 Final-->"C:\Program Files\CyberTweak\unins000.exe"
Cypress USB Mass Storage Driver Installation-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E0695EE-ED29-4D96-BD77-2A9A17EDF0D6}\Setup.exe" -l0x9 NotFirstInstall
Defraggler (remove only)-->"C:\Program Files\Defraggler\uninst.exe"
DeskTopAuthor-->MsiExec.exe /I{C27B94AA-60AB-4B50-9D63-0928CDC889C3}
Drag'n Drop CD+DVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDC146FA-73E0-4FA1-A353-841EA14BF600}\Setup.exe" -l0x9 deleteall
DVD Shrink 3.2-->"D:\Program Files\DVD Shrink\unins000.exe"
DVgate Plus-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{685BCC47-B8EC-45EC-BBCE-77DF2451502C}\setup.exe"
EasyZip-->C:\PROGRA~1\EasyZip\\UNINST.EXE
Full Tilt Poker.Net-->C:\Program Files\Full Tilt Poker.Net\uninstall.exe
Google Earth-->MsiExec.exe /I{1D14373E-7970-4F2F-A467-ACA4F0EA21E3}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hello Engines! Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14292520-03AE-47F7-BA50-D5DF1CB9EDFB}\setup.exe" -l0x9 -removeonly
Highlight Viewer (Windows Live Toolbar)-->MsiExec.exe /X{A5C4AD72-25FE-4899-B6DF-6D8DF63C93CF}
HighMAT Extension to Microsoft Windows XP CD Writing Wizard-->MsiExec.exe /X{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}
HijackThis 2.0.2-->"C:\Program Files\trend micro\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Internet Explorer 7 (KB947864)-->"C:\WINDOWS\ie7updates\KB947864-IE7\spuninst\spuninst.exe"
HotKey Utility-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BB311F54-39D6-4A03-8E18-053D1B2833D7}\setup.exe" -l0x9
HP Business Inkjet 2230/2280-->C:\WINDOWS\ISUNINST.EXE -a -f"C:\Program Files\Hewlett-Packard\HP Business Inkjet 2230_2280\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP Business Inkjet 2230_2280\HPWTVW.DLL" -u"comp.ini"
HP DVD Writer-->"D:\Program Files\HP DVD\Support\Uninstall.exe" /UNINSTALL
HP PrecisionScan LTX-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\Uninst.isu" -c"C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan LTX\HPUninstallIs.dll"
HP Share-to-Web-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{748F4870-8350-11D3-B0BF-080009FB4A19}\setup.exe" -uninst
Intel® Create & Share® Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{202D5EE1-81AC-11D5-87C9-00AA00C29E0A}\setup.exe" -l0009 maintflag
Intellisync® for MSN-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3D2778B5-AEB9-483C-AA7C-4857CA048C4A}\Setup.exe" -l0x9 MSNUninstall
InterVideo WinDVD 5 for VAIO-->"C:\Program Files\InstallShield Installation Information\{91810AFC-A4F8-4EBA-A5AA-B198BBC81144}\setup.exe" REMOVEALL
J2SE Runtime Environment 5.0 Update 3-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
J2SE Runtime Environment 5.0 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
Jarte 3.2-->"C:\Program Files\Jarte\unins000.exe"
Java 2 Runtime Environment, SE v1.4.2_01-->MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142010}
Java™ 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
LAN-Express AS IEEE 802.11 Wireless LAN-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FCCB0B43-7A6D-49A4-A5B3-B10F592F4EB6}\Setup.exe" -l0x9
Logitech Desktop Messenger-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\Setup.exe" -l0x9 UNINSTALL
Logitech IM Video Companion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{984F10FD-11FD-4BED-8163-92DB81E6A825}\Setup.exe" -l0x9 UNINSTALL
Logitech Print Service-->C:\PROGRA~1\Logitech\PRINTS~1\UNWISE.EXE C:\PROGRA~1\Logitech\PRINTS~1\INSTALL.LOG
Logitech QuickCam-->MsiExec.exe /X{7D2370AC-D8E6-4996-986A-19824F8A167C}
Macromedia Flash Player 8-->MsiExec.exe /X{6815FCDD-401D-481E-BA88-31B4754C2B46}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Map Button (Windows Live Toolbar)-->MsiExec.exe /X{7745B7A9-F323-4BB9-9811-01BF57A028DA}
Memory Stick Formatter-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{27337663-2619-11D4-99DC-0000F49094C7}\setup.exe" -l0x9 /UNINSTALL
Microsoft .NET Framework 1.1 Hotfix (KB928366)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M928366\M928366Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Data Access Components KB870669-->C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Digital Image Library 9-->C:\WINDOWS\System32\msiexec.exe /i {9F7FC79B-3059-4264-9450-39EB368E3225}
Microsoft Digital Image Pro 10-->C:\WINDOWS\system32\msiexec.exe /i {42756145-9997-4D28-809B-8756BFD00107}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office 2003 Web Components-->MsiExec.exe /I{90A40409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office FrontPage 2003-->MsiExec.exe /I{91170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote 2003-->MsiExec.exe /I{91A10409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint 2003 Template Pack 1-->MsiExec.exe /I{90AB0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003 Template Pack 2-->MsiExec.exe /I{90AC0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint 2003 Template Pack 3-->MsiExec.exe /I{90AD0409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional Plus 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROPLUS /dll OSETUP.DLL
Microsoft Office Professional Plus 2007-->MsiExec.exe /X{90120000-0011-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Office Sounds-->MsiExec.exe /I{10CE1EA2-12E9-11D3-825E-00C04F6843FE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Plus! Digital Media Edition-->MsiExec.exe /I{C6A7AF96-4EB1-4AAE-8318-1AB393C64F88}
Microsoft Producer for Microsoft Office PowerPoint 2003-->MsiExec.exe /I{155FBB0D-0EE9-42D1-9E41-15E08F691033}
Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs-->MsiExec.exe /X{90120000-00B2-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Text-to-Speech Engine 4.0 (English)-->RunDll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msTTSf22.inf, Uninstall
Microsoft USB Flash Drive Manager-->MsiExec.exe /I{3F8EB641-6AD2-45DE-A8DD-91D7BDD39CDE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Web Publishing Wizard 1.52-->RunDll32 ADVPACK.DLL,LaunchINFSection C:\WINDOWS\INF\wpie4x86.inf,WebPostUninstall
Microsoft Windows Journal Viewer-->MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
MoodLogic-->C:\WINDOWS\ml-uninstall-v10.exe
MSN Music Assistant-->rundll32 advpack.dll,LaunchINFSection C:\WINDOWS\INF\msninst.inf,Uninstall
MSXML 4.0 SP2 (KB925672)-->MsiExec.exe /I{A9CF9052-F4A0-475D-A00F-A8388C62DD63}
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
Music Visualizer Library 1.4.00-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3B24B725-D81F-442D-8CE5-2AF05A4A4CC9}\setup.exe" -l0x9
muvee autoProducer 6.1-->C:\Program Files\InstallShield Installation Information\{7B312BFD-6C04-4409-AB6F-DD41CCD67463}\setup.exe -runfromtemp -l0x0009 -removeonly
muvee corePack -->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1B0BD0D6-D7D1-4D49-9815-5A85081ECC45}\Setup.exe" -l0x9
Net MD Simple Burner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{47E09785-B2FB-11D5-B8EE-00B0D0D26B88}\setup.exe" -l0x9 UNINSTALL
NETGEAR WG111 Software-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{21B9CC18-8AB7-402F-B343-CD2127FC3CFC}\SETUP.EXE" -uninst
NirSoft BlueScreenView-->"C:\Program Files\NirSoft\BlueScreenView\uninst.exe"
Norton Ghost-->MsiExec.exe /I{6975E810-C92F-45F0-0BFD-187B312F10E8}
Norton PartitionMagic 8.0-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{21DBBDD6-93A5-4326-9A04-C9A5C9148502}
OpenMG AAC Add-on Module 1.0.00-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{23BE930B-6AC4-4D0D-B5C3-03062A2BF2A3} UNINSTALL
OpenMG Limited Patch 4.5-06-05-12-01-->C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix4.5-06-05-12-01\HotFixSetup\setup.exe /u
OpenMG Secure Module 4.5.01-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1150\INTEL3~1\IDriver.exe /M{3633BA28-67CE-4AC8-A677-3406CA84C3D8} UNINSTALL
Opera 9.64-->MsiExec.exe /X{A2A60894-E3ED-46FE-9A6A-7CF7A87572A0}
Paint Shop Pro 5.03 CD-->D:\PROGRA~1\PAINTS~1\Unwise.exe D:\PROGRA~1\PAINTS~1\INSTALL.LOG
Paint.NET v3.22-->MsiExec.exe /X{96C267DA-0926-4C11-B4E7-4D3EF85130D0}
Palm Desktop-->MsiExec.exe /X{E89D78B8-28F7-412F-8B26-C684739CBBDC}
PaltalkScene-->"C:\WINDOWS\PaltalkScene\uninstall.exe" "/U:C:\Program Files\Paltalk Messenger\irunin.xml"
PartyPoker-->"C:\Program Files\PartyGaming\PartyPoker\Uninstall.exe" "C:\Program Files\PartyGaming\PartyPoker\install.log"
PayPal Plug-In-->C:\Program Files\InstallShield Installation Information\{73317C31-2B6E-4B88-9865-B97C1331A39D}\setup.exe -runfromtemp -l0x0009 -removeonly
PcGuru Programs Install support-->C:\WINDOWS\st6unst.exe -n "C:\Program Files\Project1\ST6UNST.LOG"
Photo Story 3 for Windows-->MsiExec.exe /I{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}
Picasa 2-->"C:\Program Files\Picasa2\Uninstall.exe"
Poker Superstars II-->"C:\Program Files\Poker Superstars II\ReflexiveArcade\unins000.exe"
PokerStars.net-->"C:\Program Files\PokerStars.NET\PokerStarsUninstall.exe" /u:PokerStars.net
Post-it® Software Notes Lite-->"C:\Program Files\3M\PSNLite\Uninstall.exe" -Prog"C:\Program Files\3M\PSNLite\PsnLite.exe" -INI"C:\Program Files\3M\PSNLite\uninst.ini"
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
QuickTime-->MsiExec.exe /I{5B09BD67-4C99-46A1-8161-B7208CE18121}
Ranking Toolbox 4-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2388C625-9532-467F-ADEA-B92E027B85E3}\setup.exe" -l0x9 -removeonly
Realtek AC'97 Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB08F381-6533-4108-B7DD-039E11FBC27E}\setup.exe" -l0x9 -removeonly
Roxio Easy Media Creator 7-->MsiExec.exe /I{CB4544EA-C189-41FE-9E3A-76591DDB852B}
Screen Shot Deluxe 6.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F8F73ED6-4A68-4F9F-AF79-5D7F70C2FEAF}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB969679)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {C66E4A6C-6E07-4C63-8CCD-2493B5087C73}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB969682)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {C03803BD-745A-46F8-8557-817DED578780}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB969613)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {5ECEB317-CBE9-4E08-AB10-756CB6F0FB6C}
Security Update for Microsoft Office Word 2007 (KB969604)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {CF3D6499-709C-43D0-8908-BC5652656050}
Security Update for Visio 2007 (KB947590)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Security Update for Windows Internet Explorer 7 (KB928090)-->"C:\WINDOWS\ie7updates\KB928090-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB929969)-->"C:\WINDOWS\ie7updates\KB929969\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB931768)-->"C:\WINDOWS\ie7updates\KB931768-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB933566)-->"C:\WINDOWS\ie7updates\KB933566-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB937143)-->"C:\WINDOWS\ie7updates\KB937143-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB939653)-->"C:\WINDOWS\ie7updates\KB939653-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB942615)-->"C:\WINDOWS\ie7updates\KB942615-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB944533)-->"C:\WINDOWS\ie7updates\KB944533-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB963027)-->"C:\WINDOWS\ie7updates\KB963027-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB969897)-->"C:\WINDOWS\ie7updates\KB969897-IE7\spuninst\spuninst.exe"
Send to OneNote from IE Powertoy-->MsiExec.exe /I{CF3E217E-4661-4AE0-8CE0-11B7E74C2A94}
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\INSTALL.LOG
Sierra Wireless SDK for Smith Micro Common Client-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{DBB65E9A-BDFB-4524-9F7F-8DF1F5665DF1} UNINST
Skype™ 4.0-->MsiExec.exe /X{24D753CA-6AE9-4E30-8F5F-EFC93E08BF3D}
Smart Menus (Windows Live Toolbar)-->MsiExec.exe /X{F084395C-40FB-4DB3-981C-B51E74E1E83D}
SmartFTP Client-->MsiExec.exe /I{11C762F9-95EA-486A-A8E7-683A50C231C1}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Sonic Update Manager-->MsiExec.exe /I{09DA4F91-2A09-4232-AB8C-6BC740096DE3}
SonicStage 4.0-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A0EB195B-5876-48E6-879D-33D4B2102610}\setup.exe" -l0x9 UNINSTALL -removeonly
Sony Certificate PCH-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D0448678-1203-4158-A58F-B3D0B616BF9E}\setup.exe"
Sony Notebook Setup-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{936FADC9-C609-471A-B6F2-A33E2E660D1A}\setup.exe" -l0x9
Sony USB Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\Setup.exe" UNINSTALL
Sony USB Mouse-->Pmuninst.exe MouseSuite98
Sony Utilities DLL-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EF3D45BB-2260-4008-88EA-492E7744A9DF}\setup.exe" -l0x9
Sony Video Shared Library-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6990A2BF-D1D2-11D3-81BC-00609789C908}\setup.exe"
Spotmau WinCare 2007-->"D:\Program Files\Spotmau WinCares 2007\unins000.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster 4.2-->"C:\Program Files\SpywareBlaster\unins000.exe"
The Print Shop 12-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DD1FE66-5536-41E3-B786-70068887B3F4}\setup.exe" -l0x9 anything
TurboNote+ 6.6-->C:\Program Files\TurboNote\uninst.exe
Tweak UI-->"C:\WINDOWS\system32\mshta.exe" "res://C:\WINDOWS\system32\TweakUI.exe/uninstall.hta"
TypeItIn Network V2.7.5-->"D:\Program Files\TypeItIn\unins000.exe"
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Microsoft Office Outlook 2007 Help (KB957246)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {6F0E4983-E419-4591-B7DD-EFB0073D3E47}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Publisher 2007 Help (KB957249)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4E140A5A-4A90-404A-B955-10C2D98CD3EE}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Outlook 2007 Junk Email Filter (kb970012)-->msiexec /package {90120000-0011-0000-0000-0000000FF1CE} /uninstall {DC4A962B-9EC2-469C-BC9C-87312ADAEE81}
USB Storage Adapter FX (SM1)-->SM1UN.EXE SM1FX_AT
VAIO Help and Support-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{E68B38DE-D7DD-4FB3-A453-3F03A947EA8E}
VAIO Media 2.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EB317D8-8945-4FD6-B37F-DF470317C6AB}\setup.exe" -l0x9 UNINSTALL
VAIO Media Integrated Server 2.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7A79D11B-FD82-4A5E-834F-20173515DD14}\setup.exe" -l0x9
VAIO Media Redistribution 2.6-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7128C69B-8F7E-4336-8698-3FD3CDD955EC}\setup.exe" -l0x9 UNINSTALL
VAIO Power Management-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{545DB151-1514-4FFC-BF2F-FE8FBBD06987}\setup.exe" -l0x9
VAIO Registration-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{315BA29D-2644-4760-B5FD-5AC04A52B8C5}
VAIO Survey Standalone-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FA11D5B5-7D0A-43E8-88C4-960F97B194DE}
VAIO Update 2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48820099-ED7D-424B-890C-9A82EF00656C}\setup.exe" -l0x9
Virtools 3D Life Player-->C:\Program Files\Virtools\3D Life Player\WebplayerConfig.exe -u
Visviva Animation Capture-->d:\program files\visviva\vac\uninstall.exe
Visviva Animation Player-->d:\program files\visviva\vae\bin\uninstall.exe
Vonage Click-2-Call-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C87218DF-512A-4208-A131-0F626F49E055}\Setup.exe" -l0x9
Windows Defender Signatures-->MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Desktop Search 3.01-->"C:\WINDOWS\$NtUninstallKB917013$\spuninst\spuninst.exe"
Windows Genuine Advantage v1.3.0254.0-->MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Live Favorites for Windows Live Toolbar-->MsiExec.exe /X{786C4AD1-DCBA-49A6-B0EF-B317A344BD66}
Windows Live installer-->MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger-->MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant-->MsiExec.exe /I{9422C8EA-B0C6-4197-B8FC-DC797658CA00}
Windows Live Toolbar Extension (Windows Live Toolbar)-->MsiExec.exe /X{341201D4-4F61-4ADB-987E-9CCE4D83A58D}
Windows Live Toolbar-->"C:\Program Files\Windows Live Toolbar\UnInstall.exe" {D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Live Toolbar-->MsiExec.exe /X{D5A145FC-D00C-4F1A-9119-EB4D9D659750}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Rights Management Client Backwards Compatibility SP2-->MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2-->MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Wisdom-soft ScreenHunter 4.0 Free-->C:\PROGRA~1\WISDOM~1\UNWISE.EXE C:\PROGRA~1\WISDOM~1\INSTALL.LOG
WISE-FTP 5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D21C9D95-DDBA-4962-899D-D1D350186555}\setup.exe" -l0x9 -removeonly
Wise-FTP-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F22C63FE-DBA4-4FDA-9306-55AA627CE6C7}\Setup.exe" -l0x9
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG

======Hosts File======

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

======Security center information======

AV: AVG Anti-Virus Free (outdated)
AV: Dr. Guard (outdated)

======System event log======

Computer Name: KEN
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 131817
Source Name: DCOM
Time Written: 20100210121107.000000-300
Event Type: error
User: KEN\Ken Mitnick

Computer Name: KEN
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 131816
Source Name: DCOM
Time Written: 20100210120133.000000-300
Event Type: error
User: KEN\Ken Mitnick

Computer Name: KEN
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service MDM with arguments ""
in order to run the server:
{0C0A3666-30C9-11D0-8F20-00805F2CD064}

Record Number: 131815
Source Name: DCOM
Time Written: 20100210120107.000000-300
Event Type: error
User: KEN\Ken Mitnick

Computer Name: KEN
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load:
AvgLdx86
AvgMfx86
cdudf_xp
DMICall
Fips
intelppm

Record Number: 131814
Source Name: Service Control Manager
Time Written: 20100210081551.000000-300
Event Type: error
User:

Computer Name: KEN
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Record Number: 131813
Source Name: DCOM
Time Written: 20100210081509.000000-300
Event Type: error
User: NT AUTHORITY\SYSTEM

=====Application event log=====

Computer Name: KEN
Event Code: 35
Message: Failed to determine if the store is in the crawl scope (error=0x8007043c).

Record Number: 14005
Source Name: Outlook
Time Written: 20091218192946.000000-300
Event Type: error
User:

Computer Name: KEN
Event Code: 35
Message: Failed to determine if the store is in the crawl scope (error=0x8007043c).

Record Number: 14004
Source Name: Outlook
Time Written: 20091218192946.000000-300
Event Type: error
User:

Computer Name: KEN
Event Code: 35
Message: Failed to determine if the store is in the crawl scope (error=0x8007043c).

Record Number: 14003
Source Name: Outlook
Time Written: 20091218192946.000000-300
Event Type: error
User:

Computer Name: KEN
Event Code: 35
Message: Failed to determine if the store is in the crawl scope (error=0x8007043c).

Record Number: 14002
Source Name: Outlook
Time Written: 20091218192946.000000-300
Event Type: error
User:

Computer Name: KEN
Event Code: 35
Message: Failed to determine if the store is in the crawl scope (error=0x8007043c).

Record Number: 14001
Source Name: Outlook
Time Written: 20091218192946.000000-300
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Common Files\Roxio Shared\DLLShared;C:\Program Files\Microsoft USB Flash Drive Manager\;"D:\Program Files\";C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 2 Stepping 9, GenuineIntel
"PROCESSOR_REVISION"=0209
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;"C:\Program Files\Java\j2re1.4.2_01\lib\ext\QTJava.zip";C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.5.0_06\lib\ext\QTJava.zip
"FP_NO_HOST_CHECK"=NO
"SAFEBOOT_OPTION"=NETWORK

-----------------EOF-----------------


gmer log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 01:44:59
Windows 5.1.2600 Service Pack 3
Running: nlwnlozn.exe; Driver: C:\DOCUME~1\KENMIT~1\LOCALS~1\Temp\pxtdqpow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI \Device\0000009c 855BABC0
Device \Driver\ACPI \Device\0000008f 855BABC0
Device \Driver\ACPI \Device\0000009d 855BABC0
Device \Driver\ACPI \Device\0000009e 855BABC0
Device \Driver\ACPI \Device\0000009f 855BABC0

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI \Device\000000b0 855BABC0

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)

Device \Driver\ACPI \Device\000000b1 855BABC0
Device \Driver\ACPI \Device\000000a5 855BABC0
Device \Driver\ACPI \Device\00000090 855BABC0
Device \Driver\ACPI \Device\000000c3 855BABC0
Device \Driver\ACPI \Device\00000091 855BABC0
Device \Driver\ACPI \Device\000000c4 855BABC0
Device \Driver\ACPI \Device\00000095 855BABC0
Device \Driver\ACPI \Device\00000096 855BABC0
Device \Driver\ACPI \Device\00000097 855BABC0
Device \Driver\ACPI \Device\000000aa 855BABC0
Device \Driver\ACPI \Device\000000ab 855BABC0
Device \Driver\ACPI \Device\000000ad 855BABC0
Device \Driver\ACPI \Device\000000ae 855BABC0
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [384] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [784] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [880] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [892] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1092] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1204] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1296] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1428] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1464] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Program Files\Outlook Express\msimn.exe [2032] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Desktop\nlwnlozn.exe [2044] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [3776] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Local Settings\Application Data\Google\Chrome\Application\chrome.exe [3816] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.cs\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.mdb\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.mgbnd\LAN-Express AS IEEE 802.11g miniPCI Adapter - Packet Scheduler Miniport@2010-03-18 40020|1793512|114878
Reg HKLM\SOFTWARE\Classes\.pps\PersistentHandler@ {98de59a0-d175-11cd-a7bd-00006b827d94}
Reg HKLM\SOFTWARE\Classes\.rtf\PersistentHandler@ {2e2294a9-50d7-4fe7-a09f-e6492e185884}
Reg HKLM\SOFTWARE\Classes\.tiff\PersistentHandler@ {5e941d80-bf96-11cd-b579-08002b30bfeb}
Reg HKLM\SOFTWARE\Classes\.xslt\PersistentHandler@ {7E9D8D44-6926-426F-AA2B-217A819A5CCE}
Reg HKLM\SOFTWARE\Classes\mapi\Shell@

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\tehisuvo.dll 65536 bytes
File C:\WINDOWS\system32\suwumuwo.dll 65536 bytes
File C:\WINDOWS\system32\lavufanu.dll 65536 bytes
File C:\WINDOWS\system32\gojevebo 6456 bytes

---- EOF - GMER 1.0.15 ----


I really appreciate all your hard work. Many, many thanks.
Ken Mitnick
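
The most telling part of the GMER output above is its Processes section: a single DLL, C:\WINDOWS\system32\lavufanu.dll, is flagged hidden and mapped at the same base address (0x10000000) into Explorer, winlogon, services, lsass, every svchost, Outlook Express, Chrome and even nlwnlozn.exe, the freshly renamed GMER scanner itself. That pattern is consistent with a user-mode component that hooks process creation and injects itself into every new process, and the Files section lists two more 65536-byte DLLs with the same kind of random name next to it. The script below is an added example (mine, not Ken's, aommaster's or GMER's) that parses those two GMER sections and turns them into findings a responder can act on. SAMPLE_LOG is an excerpt copied from the log above; CORE_PROCESSES and the same-size sibling rule are this example's own heuristics, not anything GMER reports.

```python
"""Triage of a GMER 1.0.15 text log: which hidden modules are injected where.

Added example; not part of the thread or of GMER. The line formats are GMER's
(copied from the log above); CORE_PROCESSES and the same-size sibling rule are
this example's own heuristics.
"""
import ntpath
import re
from collections import defaultdict

# Processes that should never host an unsigned, hidden DLL. A hidden module in
# any of these is the signature of a user-mode rootkit that hooks process
# creation; finding it in the scanner's own process (nlwnlozn.exe) shows the
# injection happens at process start. (Assumption: list chosen for Windows XP.)
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}

# GMER "Processes" and "Files" line shapes:
#   Library <module> (*** hidden *** ) @ <process> [<pid>] <base>
#   File <path> <size> bytes
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<module>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<process>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)\s*$"
)
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+)\s+bytes\s*$")

# Excerpt copied from the GMER log in the post above (eight of its thirteen
# Library lines and all four File lines).
SAMPLE_LOG = r"""
---- Processes - GMER 1.0.15 ----

Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.exe [384] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [784] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\services.exe [880] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\lsass.exe [892] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1092] 0x10000000
Library C:\WINDOWS\System32\lavufanu.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1296] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Program Files\Outlook Express\msimn.exe [2032] 0x10000000
Library C:\WINDOWS\system32\lavufanu.dll (*** hidden *** ) @ C:\Documents and Settings\Ken Mitnick\Desktop\nlwnlozn.exe [2044] 0x10000000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\tehisuvo.dll 65536 bytes
File C:\WINDOWS\system32\suwumuwo.dll 65536 bytes
File C:\WINDOWS\system32\lavufanu.dll 65536 bytes
File C:\WINDOWS\system32\gojevebo 6456 bytes
"""


def parse_gmer(text):
    """Return (hidden_modules, files).

    hidden_modules: {module_path: [(process_name, pid, base_address), ...]}
    files:          [(path, size_in_bytes), ...] from the Files section
    """
    hidden = defaultdict(list)
    files = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LIBRARY_RE.match(line)
        if m:
            module = m.group("module").lower()      # GMER mixes system32/System32
            process = ntpath.basename(m.group("process")).lower()
            hidden[module].append((process, int(m.group("pid")), int(m.group("base"), 16)))
            continue
        m = FILE_RE.match(line)
        if m:
            files.append((m.group("path").lower(), int(m.group("size"))))
    return dict(hidden), files


def triage(hidden, files):
    """Convert the parsed sections into one finding per hidden module."""
    sizes = dict(files)
    findings = []
    for module, loads in hidden.items():
        processes = {name for name, _, _ in loads}
        bases = {base for _, _, base in loads}
        size = sizes.get(module)
        # Heuristic: other files of exactly the same size in the same directory
        # are usually dropped by the same installer (spare copies the malware
        # can reload from if one is deleted), so they go on the removal list too.
        siblings = sorted(
            path for path, s in files
            if path != module and s == size and ntpath.dirname(path) == ntpath.dirname(module)
        )
        core = sorted(processes & CORE_PROCESSES)
        findings.append({
            "module": module,
            "injected_into": len(loads),
            "core_processes": core,
            "same_base_everywhere": len(bases) == 1,
            "size": size,
            "siblings": siblings,
            "verdict": "rootkit-like" if core else "suspicious",
        })
    return findings


if __name__ == "__main__":
    hidden_modules, file_list = parse_gmer(SAMPLE_LOG)
    for f in triage(hidden_modules, file_list):
        print(f"{f['verdict']:12} {f['module']} in {f['injected_into']} processes "
              f"(core: {', '.join(f['core_processes']) or 'none'})")
        for sibling in f["siblings"]:
            print(f"             same size ({f['size']} bytes): {sibling}")
```

Run against the excerpt, it reports lavufanu.dll as rootkit-like (present in lsass, services and winlogon, same base in every process) and names suwumuwo.dll and tehisuvo.dll as same-size siblings to remove alongside it. The same parser works on a full GMER log saved from the Save button, so the output of a second scan after cleanup can be diffed against the first.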



#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 08:53 AM

Hello, Ken Mitnick.
Glad to help

Poker Program Warning!

Full Tilt Poker.Net, PartyPoker, Poker Superstars II, PokerStars.net

Your logs show that you have been visiting online poker sites with applets installed on your computer. I know that you may use these games on a regular basis, but I think it's important to note that often these kinds of programs are installed with other unwanted software, namely spyware or adware. Due to this I strongly suggest that you uninstall these programmes if you do not use them anymore or did not install these programs yourself on purpose.
There are so many online poker games out there these days that it is close to impossible to keep track of whether a program is infected or not. Should you have installed this online poker game on purpose and wish to continue using this, you may ignore this. Should you decide to uninstall the program, then you can do so by following the below steps:

Please uninstall the programs listed above. You can do so via Control Panel >> Add or Remove Programs.
If you are unsure of how to use Add or Remove Programs, then please see this tutorial




We need to disable TeaTimer
TeaTimer works by preventing ANY changes to the system. It will attempt to undo any fixes we run, because it blocks these fixes from running.

In order to safeguard your system from problems that can be brought on by a half finished fix, we need to disable TeaTimer. We can reenable it when we're done if you like.
  1. Open SpyBot Search and Destroy by going to Start -> All Programs -> Spybot Search and Destroy -> Spybot Search and Destroy.
  2. If prompted with a legal dialog, accept the warning.
  3. Click Mode and then on "Advanced Mode"
  4. You may be presented with a warning dialog. If so, press yes
  5. Click on Tools
  6. Click on Resident
  7. Uncheck the following checkboxes:
    • Resident "SDHelper" (Internet Explorer bad download blocker) active.
    • Resident "TeaTimer" (Protection for over-all system settings) active.
  8. Close/Exit Spybot Search and Destroy


NEXT:

We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 19 March 2010 - 02:58 PM

How frustrating!! I can only start the computer in safe mode and I cannot run ComboFix because it says that AVG and Secure Guard are running. From safe mode, I have been unable to turn them off so that I can run ComboFix.

I ran Malwarebytes and discovered more than 800 infections this time - thinking that if I removed the Secure Guard files, I would be allowed to proceed, but I suspect that when I restarted (in safe mode, because I just cannot start in regular mode) Secure Guard revived itself again and is preventing me from continuing your instructions.

Any ideas?

Again, many thanks for your time and help.



#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 03:01 PM

Hi!

Glad to help

Try this:
  1. Click Start > Run
  2. Type the following:
    "%userprofile%\desktop\combofix.exe" /killall
  3. Press enter and combofix should run.
If you are still told that AVG and SecureGuard are running, then let me know.



#7 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 19 March 2010 - 03:11 PM

It's still saying Security Guard and AVG are running. Sorry to be difficult.

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 03:14 PM

Hehe.. nope, it's fine

Okay, please proceed with running combofix then. As long as they have been disabled, it should be fine

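
Why the warning survives Safe Mode and a Malwarebytes cleanup: ComboFix, like DDS, reads the products registered with Windows Security Center through WMI (the "AV:" and "FW:" header lines with a GUID in both tools' logs are those registrations), and a rogue such as Security Guard registers itself there as an antivirus and a firewall so that Windows believes the machine is protected. The registration outlives the rogue's files, so the tool keeps reporting the product as running until the entry itself is gone. The script below is an added example (not from the thread, DDS or ComboFix) that lists those registrations and can delete a stale one; it assumes Windows PowerShell 2.0 or later, which is an optional install on XP, and uses only the namespaces and class names Microsoft documents for Security Center.

```powershell
# Added example (not from the thread, DDS or ComboFix). Lists the antivirus,
# antispyware and firewall products registered with Windows Security Center,
# which is where the "AV:" / "FW:" header lines of DDS and ComboFix logs come
# from (the GUID on each line is the registration's instanceGuid).
# Assumes Windows PowerShell 2.0 or later (an optional install on XP).
# XP keeps registrations in root\SecurityCenter with boolean properties;
# Vista and later use root\SecurityCenter2 with a packed productState.

$Namespaces = 'root\SecurityCenter', 'root\SecurityCenter2'
$Classes    = 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct'

function Get-SecurityCenterProduct {
    $results = @()
    foreach ($ns in $Namespaces) {
        foreach ($class in $Classes) {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($p in $items) {
                # XP exposes booleans; SecurityCenter2 packs the same facts into productState.
                $onAccess = $null; $upToDate = $null; $state = $null
                if ($p.PSObject.Properties['onAccessScanningEnabled']) { $onAccess = $p.onAccessScanningEnabled }
                if ($p.PSObject.Properties['productUptoDate'])        { $upToDate = $p.productUptoDate }
                if ($p.PSObject.Properties['productState'])           { $state = '0x{0:X6}' -f $p.productState }
                $results += New-Object PSObject -Property @{
                    Namespace    = $ns
                    Class        = $class
                    DisplayName  = $p.displayName
                    InstanceGuid = $p.instanceGuid
                    OnAccess     = $onAccess
                    UpToDate     = $upToDate
                    ProductState = $state
                }
            }
        }
    }
    $results
}

function Remove-SecurityCenterProduct {
    # Deletes one registration by instanceGuid. Only do this after the product
    # behind it has actually been removed; deleting a live AV's entry just makes
    # Windows report the machine as unprotected.
    param([Parameter(Mandatory = $true)][string]$InstanceGuid)
    foreach ($ns in $Namespaces) {
        foreach ($class in $Classes) {
            Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue |
                Where-Object { $_.instanceGuid -eq $InstanceGuid } |
                ForEach-Object {
                    $name = $_.displayName
                    $_.Delete()
                    "Removed $class '$name' from $ns"
                }
        }
    }
}

# Usage: show what ComboFix/DDS will see, then (only if warranted) clear a rogue entry.
Get-SecurityCenterProduct | Format-Table Class, DisplayName, OnAccess, UpToDate, ProductState, InstanceGuid -AutoSize
# Remove-SecurityCenterProduct -InstanceGuid '{071210EE-7705-4FD6-AAC2-A8FBB4A7A1D4}'
```

The commented removal line uses the instanceGuid that ComboFix later prints for Security Guard's AV registration in this thread; on a machine where the rogue's files and services are still present, removing the entry changes nothing except the header line, so it belongs at the end of a cleanup, not the start. A legitimate product that is merely outdated (AVG here) should be left registered and updated instead.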


#9 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Local time:12:42 AM

Posted 19 March 2010 - 03:15 PM

Oh, and by the way, I have removed all of the poker programs - the online games as well as one which was installed and played offline.

#10 Ken Mitnick

  • Topic Starter
  • Members
  • 39 posts

Posted 19 March 2010 - 03:42 PM

OK... Thanks once again. Here are the ComboFix and HijackThis logs, just done.

ComboFix

ComboFix 10-03-19.04 - Ken Mitnick 03/19/2010 16:19:55.2.1 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.959.564 [GMT -4:00]
Running from: c:\documents and settings\Ken Mitnick\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Security Guard *On-access scanning enabled* (Updated) {071210EE-7705-4FD6-AAC2-A8FBB4A7A1D4}
FW: Security Guard *enabled* {880EC2AC-5F4E-4AE3-8708-04D9B399276E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Ken Mitnick\Application Data\Microsoft\dtPaper
c:\documents and settings\Ken Mitnick\Application Data\Microsoft\dtPaper\1.html
c:\documents and settings\Ken Mitnick\Application Data\Microsoft\dtPaper\tmp.bmp
c:\documents and settings\Ken Mitnick\Local Settings\Application Data\Windows Server
c:\documents and settings\Ken Mitnick\Local Settings\Application Data\Windows Server\flags.ini
c:\documents and settings\Ken Mitnick\Local Settings\Application Data\Windows Server\uses32.dat
.
---- Previous Run -------
.
C:\LOG.TXT
c:\recycler\S-1-5-21-1303907618-993352117-2938593232-1003
c:\recycler\S-1-5-21-1895854652-2745821468-1166886882-1003
c:\recycler\S-1-5-21-2000478354-1935655697-854245398-1003
c:\recycler\S-1-5-21-3634463518-1164549874-975694134-1003
C:\Thumbs.db
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\AUTOLNCH.REG
c:\windows\dbplugin.exe
c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf
c:\windows\eSellerateEngine.dll
c:\windows\npdbplug.dll
c:\windows\sm1bg .exe
c:\windows\system\oeminfo.ini
c:\windows\system32\_007011_.tmp.dll
c:\windows\system32\_007012_.tmp.dll
c:\windows\system32\_007013_.tmp.dll
c:\windows\system32\_007014_.tmp.dll
c:\windows\system32\_007021_.tmp.dll
c:\windows\system32\_007022_.tmp.dll
c:\windows\system32\_007023_.tmp.dll
c:\windows\system32\_007024_.tmp.dll
c:\windows\system32\_007026_.tmp.dll
c:\windows\system32\_007027_.tmp.dll
c:\windows\system32\_007030_.tmp.dll
c:\windows\system32\_007031_.tmp.dll
c:\windows\system32\_007033_.tmp.dll
c:\windows\system32\_007034_.tmp.dll
c:\windows\system32\_007035_.tmp.dll
c:\windows\system32\_007037_.tmp.dll
c:\windows\system32\_007040_.tmp.dll
c:\windows\system32\_007041_.tmp.dll
c:\windows\system32\_007045_.tmp.dll
c:\windows\system32\_007046_.tmp.dll
c:\windows\system32\_007048_.tmp.dll
c:\windows\system32\_007051_.tmp.dll
c:\windows\system32\_007054_.tmp.dll
c:\windows\system32\_007055_.tmp.dll
c:\windows\system32\_007056_.tmp.dll
c:\windows\system32\_007057_.tmp.dll
c:\windows\system32\_007058_.tmp.dll
c:\windows\system32\_007061_.tmp.dll
c:\windows\system32\_007062_.tmp.dll
c:\windows\system32\_007063_.tmp.dll
c:\windows\system32\_007064_.tmp.dll
c:\windows\system32\_007065_.tmp.dll
c:\windows\system32\_007070_.tmp.dll
c:\windows\system32\_007072_.tmp.dll
c:\windows\system32\_007073_.tmp.dll
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\ctfmon .exe
c:\windows\system32\dbxDgrevCheck.dll
c:\windows\system32\dumphive.exe
c:\windows\system32\ezsp_px .exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\lavufanu.dll
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\rundll32 .exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\suwumuwo.dll
c:\windows\system32\tehisuvo.dll
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
c:\windows\system32\zajifali.exe
c:\windows\system32\zohewigu.dll

.
original MBR restored successfully !
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_IAS
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2010-02-19 to 2010-03-19 )))))))))))))))))))))))))))))))
.

2010-03-19 18:16 . 2010-03-19 18:16 5115824 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-03-19 13:06 . 2010-03-19 13:06 -------- d-sh--w- c:\documents and settings\All Users\Application Data\SGWEUBTLD
2010-03-19 13:05 . 2010-03-19 19:28 -------- d-sh--w- c:\documents and settings\All Users\Application Data\bdb33e6
2010-03-19 02:23 . 2010-03-19 02:24 -------- d-----w- c:\program files\trend micro
2010-03-19 02:23 . 2010-03-19 02:24 -------- d-----w- C:\rsit
2010-03-15 19:48 . 2010-03-15 19:48 -------- d-----w- c:\program files\NirSoft
2010-03-15 14:31 . 2010-01-07 20:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-15 14:31 . 2010-01-07 20:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-13 22:51 . 2010-03-13 22:51 -------- d-----w- c:\windows\LastGood.Tmp
2010-03-13 16:22 . 2009-05-07 07:04 157712 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-03-12 18:40 . 2010-03-12 18:40 -------- d-----w- c:\documents and settings\Ken Mitnick\Application Data\AVG8
2010-03-12 18:02 . 2010-03-19 18:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-19 18:01 . 2004-05-20 11:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-19 16:36 . 2009-05-31 21:51 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-03-19 15:01 . 2007-09-03 18:48 -------- d-----w- c:\program files\Poker Superstars II
2010-03-19 15:00 . 2006-11-18 17:47 -------- d-----w- c:\program files\PartyGaming
2010-03-19 14:59 . 2009-04-26 16:38 -------- d-----w- c:\program files\Full Tilt Poker.Net
2010-03-19 14:17 . 2006-09-23 22:00 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-15 21:45 . 2006-05-14 12:53 -------- d-----w- c:\program files\EasyZip
2010-03-13 21:36 . 2008-11-24 01:46 -------- d-----w- c:\program files\AVG
2010-03-13 20:41 . 2010-03-13 20:41 40448 ----a-w- c:\windows\PCHealth\HelpCtr\Binaries\msconfig.exe
2010-03-12 23:22 . 2008-01-05 16:32 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-03-12 17:34 . 2007-07-10 18:13 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-12 17:34 . 2009-04-28 19:56 -------- d-----w- c:\program files\SpywareBlaster
2010-03-11 14:41 . 2005-06-21 15:44 -------- d-----w- c:\program files\CCleaner
2010-03-04 17:17 . 2004-05-03 13:53 -------- d-----w- c:\program files\TurboNote
2010-02-27 18:49 . 2005-07-25 13:13 -------- d-----w- c:\documents and settings\Ken Mitnick\Application Data\SmartFTP
2010-02-05 20:11 . 2009-06-14 20:53 -------- d-----w- c:\program files\Paltalk Messenger
2010-01-22 21:16 . 2008-03-01 01:18 -------- d-----w- c:\documents and settings\Ken Mitnick\Application Data\Jarte
2010-01-13 19:21 . 2009-03-01 21:31 24 ----a-w- c:\windows\popcinfot.dat
2010-01-13 19:04 . 2006-09-23 22:00 1100 ----a-w- c:\windows\system32\d3d8caps.dat
2009-10-05 18:08 . 2009-10-05 18:06 17920 --sha-w- c:\program files\Thumbs.db
2009-09-14 02:05 . 2009-09-14 02:05 12522 ----a-w- c:\program files\irunin.xml
2009-09-14 02:05 . 2009-09-14 02:05 96408 ----a-w- c:\program files\irunin.dat
2009-09-14 02:02 . 2009-09-14 02:05 61270 ----a-w- c:\program files\IRIMG4.JPG
2009-09-14 02:02 . 2009-09-14 02:05 31678 ----a-w- c:\program files\IRIMG2.JPG
2009-09-14 02:02 . 2009-09-14 02:05 25532 ----a-w- c:\program files\IRIMG1.JPG
2009-09-14 02:02 . 2009-09-14 02:05 11435 ----a-w- c:\program files\IRIMG3.JPG
2009-08-05 16:19 . 2009-08-05 16:18 11537920 ----a-w- c:\program files\paltalk.exe
2009-08-05 16:06 . 2009-08-05 16:06 1285120 ----a-w- c:\program files\PalTextCtl.dll
2009-08-05 16:05 . 2009-08-05 16:05 2393088 ----a-w- c:\program files\WebVideo.dll
2009-08-05 16:04 . 2009-08-05 16:04 961536 ----a-w- c:\program files\palsound.dll
2009-08-05 16:02 . 2009-08-05 16:02 95744 ----a-w- c:\program files\gsmproj.dll
2009-08-05 16:01 . 2009-08-05 16:01 171008 ----a-w- c:\program files\spexproj.dll
2009-08-05 16:01 . 2009-08-05 16:01 419328 ----a-w- c:\program files\n2p.dll
2009-08-05 16:00 . 2009-08-05 16:00 113152 ----a-w- c:\program files\pallauncher.dll
2009-08-05 16:00 . 2009-08-05 16:00 282624 ----a-w- c:\program files\PalVideoCapture.dll
2009-08-05 15:59 . 2009-08-05 15:59 414208 ----a-w- c:\program files\AviFileCtrl.dll
2009-08-05 15:59 . 2009-08-05 15:59 289792 ----a-w- c:\program files\ftpclient.dll
2009-07-28 21:33 . 2009-08-05 15:57 887248 ----a-w- c:\program files\askBarSetup-4.1.0.7.exe
2009-07-28 21:33 . 2009-08-05 15:57 54664 ----a-w- c:\program files\AskInstallChecker.exe
2009-07-28 21:33 . 2009-08-05 15:57 15086 ----a-w- c:\program files\upgrade.ico
2009-07-28 21:32 . 2009-08-05 15:57 85504 ----a-w- c:\program files\License.doc
2009-07-28 21:32 . 2009-08-05 15:57 22528 ----a-w- c:\program files\shfolder.dll
2009-07-28 21:32 . 2009-08-05 15:57 2238 ----a-w- c:\program files\eFax3.ico
2009-07-28 21:32 . 2009-08-05 15:57 202016 ----a-w- c:\program files\StmOCX.dll
2009-07-28 21:25 . 2009-08-05 15:44 64 ----a-w- c:\program files\calleng.lic
2009-07-28 21:25 . 2009-08-05 15:44 180224 ----a-w- c:\program files\ijl11.dll
2009-07-28 21:25 . 2009-08-05 15:44 2056192 ----a-w- c:\program files\CALLENG.dll
2005-05-26 15:51 . 2005-05-26 15:51 93 -c--a-w- c:\program files\ppunistall.bat
2003-08-27 19:19 . 2005-02-01 12:44 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2009-05-04 20:29 . 2009-05-04 20:29 2 --shatr- c:\windows\winstart.bat
2009-06-07 13:04 . 2009-05-26 11:16 57673760 --sha-w- c:\windows\system32\drivers\fidbox.dat
.
c:\program files\AVG\AVG8\avgtray .exe
c:\windows\PCHealth\HelpCtr\Binaries\msconfig .exe


------- Sigcheck -------

[7] 2008-04-14 . 5F1D5F88303D4A4DBC8E5F97BA967CC3 . 15360 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2004-08-04 . 24232996A38C0B0CF151C2140AE29FC8 . 15360 . . [5.1.2600.2180] . . c:\windows\$NtServicePackUninstall$\ctfmon.exe

c:\windows\System32\ctfmon.exe ... is missing !!
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-01-07 1394000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-01-07 429392]
"Spybot - Search & Destroy"="c:\program files\Spybot - Search & Destroy\SpybotSD.exe" [2009-01-26 5365592]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2006-7-22 407408]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
CamTrack.lnk - c:\program files\DigitalPeers\CamTrack\camtrack.exe [2006-7-22 407408]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2007-02-05 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-05-31 22:02 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Security Guard]
c:\documents and settings\All Users\Application Data\bdb33e6\SGbdb3.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yojayideku]
suwumuwo.dll [N/A]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LDM"=c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
"SpybotSD TeaTimer"=c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"APCOMPOSERClient"=d:\program files\activePDF\Composer\APClient.exe
"HKSERV.EXE"=c:\program files\Sony\HotKey Utility\HKserv.exe
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
"SonyPowerCfg"=c:\program files\Sony\VAIO Power Management\SPMgr.exe
"VAIO Recovery"=c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" /Stationary
"yojayideku"=Rundll32.exe "suwumuwo.dll",s

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony\\VAIO Media 2.6\\Vc.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AceBIT\\WISE-FTP\\wise_ftp.exe"=
"c:\\Program Files\\Opera\\Opera.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Paltalk Messenger\\paltalk.exe"=
"c:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Acronis\\TrueImageHome\\TrueImage.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\WINDOWS\\system32\\CIMSVR.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\paltalk.exe"=
"c:\\Program Files\\paltalk.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"3389:TCP"= 3389:TCP:*:Disabled:Remote Desktop
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"2479:TCP"= 2479:TCP:Services
"8406:TCP"= 8406:TCP:Services
"3246:TCP"= 3246:TCP:Services
"3278:TCP"= 3278:TCP:Services
"3669:TCP"= 3669:TCP:Services
"4320:TCP"= 4320:TCP:Services
"9504:TCP"= 9504:TCP:Services
"1906:TCP"= 1906:TCP:Services
"9824:TCP"= 9824:TCP:Services
"1806:TCP"= 1806:TCP:Services
"2858:TCP"= 2858:TCP:Services

S0 iuaq;iuaq;c:\windows\system32\drivers\uopwhng.sys --> c:\windows\system32\drivers\uopwhng.sys [?]
S0 klbyg;klbyg;c:\windows\system32\drivers\lgilfqso.sys --> c:\windows\system32\drivers\lgilfqso.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [5/31/2009 5:51 PM 325896]
S2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [5/31/2009 5:51 PM 298776]
S3 apusbsnt;AirPrime USB Modem Device Driver;c:\windows\system32\drivers\apusbsnt.sys [10/29/2004 12:09 PM 40064]
S3 EL3C574;FE574B-3Com 10/100 LAN PCCard Device Driver;c:\windows\system32\drivers\el574nd4.sys [1/6/2005 8:50 PM 24653]
S3 HPUATA;HP CD Writer Plus Controller Driver;c:\windows\system32\drivers\hpuata.sys [9/24/2001 5:36 AM 75776]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [5/4/2009 4:36 PM 29584]
S3 UsbdpFP;Fingerprint Reader Class Driver;c:\windows\system32\drivers\usbdpfp.sys [8/4/2004 4:59 PM 47360]
S3 utg3mzy4;AVZ Kernel Driver;\??\c:\windows\system32\Drivers\utg3mzy4.sys --> c:\windows\system32\Drivers\utg3mzy4.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2009-06-10 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 15:20]

2009-06-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-07-13 12:17]

2009-06-10 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1585308623-2092770326-810153994-1005.job
- c:\documents and settings\Ken Mitnick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-03-11 15:58]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.sony.com/
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel
IE: {{6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - {F834F29F-717D-41ba-9ABF-14DA1BBE6147} - c:\windows\system32\mscoree.DLL
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: PUFLITE - hxxp://vickymontgomery.point2agent.com/ColpaControls/Photo/Control/PUFLITE.CAB
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
DPF: {735A7AB7-90C5-4753-8DE1-88DCE554E780} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} - hxxp://rms2.invokesolutions.com/events/bin/comptest/4.1.0.34000/MILiveCompTest.ocx
DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - hxxp://rms2.invokesolutions.com/events/bin/6.0.0.1448/MILive.cab
.
- - - - ORPHANS REMOVED - - - -

BHO-{536ec8a9-7327-49bf-b748-f53ae61a2c71} - tehisuvo.dll
WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
SharedTaskScheduler-{365bab98-3c82-4964-81c4-61a16943a297} - (no file)
SharedTaskScheduler-{7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SSODL-vusavegov-{365bab98-3c82-4964-81c4-61a16943a297} - (no file)
SSODL-tofododud-{7a8bba17-92d9-48ca-95e3-8e9b8c6bae44} - (no file)
Notify-!SASWinLogon - (no file)
Notify-cbxvw - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-19 16:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x854209B8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7755f28
\Driver\ACPI -> 0x854209b8
\Driver\atapi -> atapi.sys @ 0xf760c852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a8
ParseProcedure -> ntoskrnl.exe @ 0x8056c1d6
NDIS: Realtek RTL8139/810x Family Fast Ethernet NIC -> SendCompleteHandler -> 0x854c8330
PacketIndicateHandler -> NDIS.sys @ 0xf7507a0d
SendHandler -> NDIS.sys @ 0xf751bb40
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\.cs\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.mdb\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.pps\PersistentHandler]
@DACL=(02 0000)
@="{98de59a0-d175-11cd-a7bd-00006b827d94}"

[HKEY_LOCAL_MACHINE\software\Classes\.rtf\PersistentHandler]
@DACL=(02 0000)
@="{2e2294a9-50d7-4fe7-a09f-e6492e185884}"

[HKEY_LOCAL_MACHINE\software\Classes\.tiff\PersistentHandler]
@DACL=(02 0000)
@="{5e941d80-bf96-11cd-b579-08002b30bfeb}"

[HKEY_LOCAL_MACHINE\software\Classes\.xslt\PersistentHandler]
@DACL=(02 0000)
@="{7E9D8D44-6926-426F-AA2B-217A819A5CCE}"

[HKEY_LOCAL_MACHINE\software\Classes\mapi\Shell]
@DACL=(02 0000)
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(788)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(888)
c:\windows\system32\relog_ap.dll
.
Completion time: 2010-03-19 16:34:50
ComboFix-quarantined-files.txt 2010-03-19 20:34

Pre-Run: 11,710,562,304 bytes free
Post-Run: 11,657,097,216 bytes free

- - End Of File - - A0D3BB7A3F886EC538E7D3D6A9DB68CB


HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:39:16, on 3/19/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16850)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ken Mitnick\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.sony.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 74.125.45.100 securitysoftwarepayments.com
O1 - Hosts: 74.125.45.100 privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure.privatesecuredpayments.com
O1 - Hosts: 74.125.45.100 secure-plus-payments.com
O1 - Hosts: 74.125.45.100 www.secure-plus-payments.com
O1 - Hosts: 74.125.45.100 safebrowsing-cache.google.com
O1 - Hosts: 74.125.45.100 urs.microsoft.com
O1 - Hosts: 74.125.45.100 www.securesoftwarebill.com
O1 - Hosts: 74.125.45.100 secure.paysecuresystem.com
O1 - Hosts: 74.125.45.100 paysoftbillsolution.com
O1 - Hosts: 74.125.45.100 protected.maxisoftwaremart.com
O1 - Hosts: 67.215.240.115 www.google.com
O1 - Hosts: 67.215.240.115 google.com
O1 - Hosts: 67.215.240.115 google.com.au
O1 - Hosts: 67.215.240.115 www.google.com.au
O1 - Hosts: 67.215.240.115 google.be
O1 - Hosts: 67.215.240.115 www.google.be
O1 - Hosts: 67.215.240.115 google.com.br
O1 - Hosts: 67.215.240.115 www.google.com.br
O1 - Hosts: 67.215.240.115 google.ca
O1 - Hosts: 67.215.240.115 www.google.ca
O1 - Hosts: 67.215.240.115 google.ch
O1 - Hosts: 67.215.240.115 www.google.ch
O1 - Hosts: 67.215.240.115 google.de
O1 - Hosts: 67.215.240.115 www.google.de
O1 - Hosts: 67.215.240.115 google.dk
O1 - Hosts: 67.215.240.115 www.google.dk
O1 - Hosts: 67.215.240.115 google.fr
O1 - Hosts: 67.215.240.115 www.google.fr
O1 - Hosts: 67.215.240.115 google.ie
O1 - Hosts: 67.215.240.115 www.google.ie
O1 - Hosts: 67.215.240.115 google.it
O1 - Hosts: 67.215.240.115 www.google.it
O1 - Hosts: 67.215.240.115 google.co.jp
O1 - Hosts: 67.215.240.115 www.google.co.jp
O1 - Hosts: 67.215.240.115 google.nl
O1 - Hosts: 67.215.240.115 www.google.nl
O1 - Hosts: 67.215.240.115 google.no
O1 - Hosts: 67.215.240.115 www.google.no
O1 - Hosts: 67.215.240.115 google.co.nz
O1 - Hosts: 67.215.240.115 www.google.co.nz
O1 - Hosts: 67.215.240.115 google.pl
O1 - Hosts: 67.215.240.115 www.google.pl
O1 - Hosts: 67.215.240.115 google.se
O1 - Hosts: 67.215.240.115 www.google.se
O1 - Hosts: 67.215.240.115 google.co.uk
O1 - Hosts: 67.215.240.115 www.google.co.uk
O1 - Hosts: 67.215.240.115 google.co.za
O1 - Hosts: 67.215.240.115 www.google.co.za
O1 - Hosts: 67.215.240.115 www.google-analytics.com
O1 - Hosts: 67.215.240.115 www.bing.com
O1 - Hosts: 67.215.240.115 search.yahoo.com
O1 - Hosts: 67.215.240.115 www.search.yahoo.com
O1 - Hosts: 67.215.240.115 uk.search.yahoo.com
O1 - Hosts: 67.215.240.115 ca.search.yahoo.com
O1 - Hosts: 67.215.240.115 de.search.yahoo.com
O1 - Hosts: 67.215.240.115 fr.search.yahoo.com
O1 - Hosts: 67.215.240.115 au.search.yahoo.com
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - .DEFAULT User Startup: CamTrack.lnk = C:\Program Files\DigitalPeers\CamTrack\camtrack.exe (User 'Default user')
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Send to OneNote - {6EB2AA45-3F30-40e1-9864-45EB153C6EDC} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: (no name) - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra 'Tools' menuitem: Send to OneNote Settings - {F37F00B3-19B2-4a69-B923-7A24AF07EE68} - C:\WINDOWS\system32\mscoree.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: PUFLITE - http://vickymontgomery.point2agent.com/Col...rol/PUFLITE.CAB
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://ispe.sdc.hp.com/awebui/jsp/answerwe...SWebManager.CAB
O16 - DPF: {735A7AB7-90C5-4753-8DE1-88DCE554E780} - http://rms2.invokesolutions.com/events/bin...1448/MILive.cab
O16 - DPF: {A922B6AB-3B87-11D3-B3C2-0008C7DA6CB9} (InetDownload Class) - https://media.pineconeresearch.com/ActiveX/...loadcontrol.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://3dlifeplayer.dl.3dvia.com/player/in...l/installer.exe
O16 - DPF: {D4F3F795-7712-4D92-91DF-AEB055D8AC73} (Invoke Solutions Compatibility Test Control) - http://rms2.invokesolutions.com/events/bin...iveCompTest.ocx
O16 - DPF: {D8AA889B-2C65-47C3-8C16-3DCD4EF76A47} - http://rms2.invokesolutions.com/events/bin...1448/MILive.cab
O18 - Protocol: bw+0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: offline-8876480 - {1C78BD09-85CD-4807-8FDC-5D487B1E1739} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd - C:\WINDOWS\system32\PDFCreatorMessages.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
O24 - Desktop Component 0: (no name) - file:///C:/Program%20Files/Common%20Files/Microsoft%20Shared/Stationery/Malinda_Vera_Cruz_eStationery_Header.jpg
O24 - Desktop Component 1: (no name) - file:///C:/Documents%20and%20Settings/Ken%20Mitnick/Desktop/DTES%20Files/Paul%20Indrigo/indrigo_top_banner1.jpg

--
End of file - 24488 bytes



Thank you, thank you, thank you.


#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 04:44 PM

Hello, Ken Mitnick.
Wow, you've got a real monster there, don't you?
Glad to help out

Backdoor warning!

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed.
In most cases, a reformat and clean install of the Operating System is the best solution for your (and probably others') safety. Making this decision is based on what the computer is used for, and what information can be accessed from it. For more information, please read these references very carefully:
When should I re-format? How should I reinstall?
Help: I Got Hacked. Now What Do I Do?
Help: I Got Hacked. Now What Do I Do? Part II
Where to draw the line? When to recommend a format and reinstall?


Again, if you would like me to attempt to clean it, I will be happy to do so. But if you do make that decision, I will do my best to help you clean the computer of any infections, but you must understand that once a machine has been taken over by this type of malware, I cannot guarantee that it will be 100% secure even after disinfection or that the removal will be successful. Should you have any questions, please feel free to ask.

Please let me know what you decide to do. If you decide to continue with the fix, please proceed with the steps below.




We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/302842/rootkit-removal-assistance-please/

    Collect::
    c:\windows\winstart.bat
    c:\windows\system32\suwumuwo.dll
    c:\windows\system32\drivers\uopwhng.sys
    c:\windows\system32\drivers\lgilfqso.sys
    c:\windows\system32\Drivers\utg3mzy4.sys

    Driver::
    iuaq
    klbyg
    utg3mzy4

    Fcopy::
    c:\windows\ServicePackFiles\i386\ctfmon.exe | C:\windows\System32\ctfmon.exe

    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yojayideku]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "yojayideku"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "65533:TCP"=-
    "52344:TCP"=-
    "2479:TCP"=-
    "8406:TCP"=-
    "3246:TCP"=-
    "3278:TCP"=-
    "3669:TCP"=-
    "4320:TCP"=-
    "9504:TCP"=-
    "1906:TCP"=-
    "9824:TCP"=-
    "1806:TCP"=-
    "2858:TCP"=-
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
In your next reply, please include the following:
  • ComboFix.txt
  • Fresh HijackThis Log

Edited by aommaster, 19 March 2010 - 04:45 PM.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
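The CFScript posted above follows ComboFix's section-based format (Collect::, Driver::, Fcopy::, Registry::). The following parser is an added example, not ComboFix's own code or the helper's script: it splits a CFScript into its sections and spells out what the Registry:: section will delete, so a user can review a script before dragging it onto ComboFix.exe. The sample script is a constructed, abbreviated copy of the one in this thread, and the directive semantics (`[-KEY]` deletes a key, `"name"=-` deletes a value) are assumed from how that script is written.

```python
"""Review a ComboFix CFScript before running it: split it into its
Collect::/Fcopy::/Registry:: sections and list what the Registry:: section
deletes. Added example, not ComboFix's own code; the directive semantics
assumed here are the ones visible in the script posted in this thread."""
import re

# Constructed sample, abbreviated from the script in aommaster's post above.
SAMPLE = r"""http://www.bleepingcomputer.com/forums/t/302842/rootkit-removal-assistance-please/

Collect::
c:\windows\winstart.bat
c:\windows\system32\suwumuwo.dll

Fcopy::
c:\windows\ServicePackFiles\i386\ctfmon.exe | C:\windows\System32\ctfmon.exe

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yojayideku]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"yojayideku"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"=-
"52344:TCP"=-
"""

def parse_cfscript(text):
    """Map each 'Name::' header to the non-empty lines under it; text before
    the first header (here the thread URL) is kept under 'header'."""
    sections, current = {"header": []}, "header"
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if re.fullmatch(r"[A-Za-z]+::", line):
            current = line[:-2]
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections

def registry_actions(lines):
    """'[-KEY]' deletes a whole key; '"name"=-' deletes one value from the most
    recent '[KEY]'. Key names are kept literally (HKLM\\~ is not expanded)."""
    deleted_keys, deleted_values, key = [], [], None
    for line in lines:
        if line.startswith("[-") and line.endswith("]"):
            deleted_keys.append(line[2:-1])
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key is not None:
            m = re.fullmatch(r'"([^"]+)"=-', line)
            if m:
                deleted_values.append((key, m.group(1)))
    return deleted_keys, deleted_values

def fcopy_pairs(lines):
    """Fcopy:: lines are 'source | destination'."""
    return [tuple(p.strip() for p in l.split("|", 1)) for l in lines if "|" in l]

def firewall_ports_closed(deleted_values):
    """Values removed from a ...\\GloballyOpenPorts\\List key are Windows Firewall
    exceptions; return their 'port:protocol' names."""
    return [name for key, name in deleted_values
            if key.lower().endswith(r"globallyopenports\list")]
```

Run `registry_actions(parse_cfscript(SAMPLE)["Registry"])` to see the one startup key and the three values (including the two firewall exceptions) the sample removes.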


#12 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 19 March 2010 - 05:21 PM

Hi Fai,

I appreciate the quick response once again. I understand that a reformat and a reinstall would most likely be the best solution, but I don't have the original install CDs for this Sony Vaio notebook.

At the moment, I know that my best solution would be to reformat. The only thing I worry about is online banking, and I can use another computer to change passwords for that. So I am thinking that I might try to take the steps you've given me to fix this older machine until I can afford a new one. But I've had enough for one day, so I will follow your instructions tomorrow.
Your patience and assistance is greatly appreciated very much.

I will be in touch tomorrow.

Ken

#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 05:24 PM

Okay. No problem

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 Ken Mitnick

Ken Mitnick
  • Topic Starter

  • Members
  • 39 posts
  • OFFLINE
  • Local time:12:42 AM

Posted 19 March 2010 - 05:30 PM

Quick question here: I have a wireless connection on this comp to be online. If I shut off the wireless connection while I make the fix you sent me, will that be sufficient?

#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  • Gender:Male
  • Location:Dubai
  • Local time:08:42 AM

Posted 19 March 2010 - 06:19 PM

Hi!

Yes. As long as you cannot access the internet, it will be fine. However, this new script should close up any open ports, so connection to the internet after this is fine.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM




