
taskmgr, cmd, regedit and many system programs gone.


  • This topic is locked
19 replies to this topic

#1 anjo03

anjo03

  • Members
  • 140 posts

Posted 17 March 2010 - 09:27 AM

Running Windows 7, infected. Tried to reformat, but got a BSoD 7B during Windows XP setup that says to use chkdsk /f. But I can't use my command prompt because it is infected.

here's the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:43 PM, on 3/18/2010
Platform: Unknown Windows (WinNT 6.01.3504)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GRA32A~1.DLL
O21 - SSODL: GootkitSSO - {254E31A9-3A81-4896-86D7-C5F9D67FF305} - C:\Windows\System32\msxsltsso.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\aestsrv.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\STacSV.exe

--
End of file - 3912 bytes
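Neither post analyzes the log lines themselves, so here is an added example (not part of this thread, and not a BleepingComputer, Trend Micro or OldTimer tool) of how a responder can triage HijackThis/OTL-style lines automatically. The script parses the section tag and the first Windows path on each line and applies a few defender-side heuristics: every O21 (ShellServiceObjectDelayLoad) entry is reported, O6 policy lines that set EnableLUA or ConsentPromptBehaviorAdmin to 0 are reported, and executables living in Temp, a user profile, the Fonts directory or outside Program Files / Windows are reported. The trusted-prefix list, the `Finding` class and the function names are my own choices; the sample lines are copied from the two logs posted in this thread.

```python
"""Triage a HijackThis/OTL-style log for entries a responder should look at first.

Added example (not a BleepingComputer or OldTimer tool). Each log line starts
with a section tag (R0, O4, O21, O23, F3, DRV ...) followed by " - ". The
verdicts below are heuristics for a human to check, not a malware determination.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# "O21 - SSODL: ..." -> tag "O21", body "SSODL: ..."; OTL tags such as "DRV" match too.
TAG_RE = re.compile(r"^(?P<tag>[A-Z]{1,3}\d{0,2}) - (?P<body>.*)$")
# First drive-letter path ending in an executable-ish extension. Spaces are allowed
# (Program Files); a quote, pipe, parenthesis or comma terminates the path.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"|(),]+?\.(?:exe|dll|sys|ocx|tmp))', re.IGNORECASE)
# Policy values that disable UAC (EnableLUA=0) or elevate admins silently.
UAC_OFF_RE = re.compile(r"\b(EnableLUA|ConsentPromptBehaviorAdmin)\s*=\s*0\b")

TRUSTED_PREFIXES = ("c:\\program files", "c:\\progra~1", "c:\\windows\\")
# Checked in order; the first marker found decides the reason (my own list).
SUSPICIOUS_DIRS = (
    ("\\temp\\", "runs from a temporary directory"),
    ("\\appdata\\", "runs from a user profile directory"),
    ("\\fonts\\", "executable placed in the Fonts directory"),
)


@dataclass
class Finding:
    tag: str
    reasons: list[str]
    line: str


def extract_path(body: str) -> str | None:
    """Return the first Windows file path on the line, or None if there is none."""
    m = PATH_RE.search(body)
    return m.group(1) if m else None


def classify_path(path: str) -> str | None:
    """Return a reason string if the path's location is unusual, else None."""
    p = path.lower()
    for marker, why in SUSPICIOUS_DIRS:
        if marker in p:
            return why
    if not p.startswith(TRUSTED_PREFIXES):
        return "executable outside Program Files / Windows"
    return None


def triage(log_text: str) -> list[Finding]:
    """Parse every tagged line and collect the ones that deserve a closer look."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = TAG_RE.match(line)
        if not m:
            continue  # headers, blank lines, "End of file" and similar
        tag, body = m.group("tag"), m.group("body")
        reasons: list[str] = []
        if tag == "O21":
            # ShellServiceObjectDelayLoad: loaded by Explorer at logon, rarely used legitimately
            reasons.append("ShellServiceObjectDelayLoad entry (logon persistence location)")
        if tag == "O6" and UAC_OFF_RE.search(body):
            reasons.append("UAC disabled or set to elevate silently by policy")
        path = extract_path(body)
        if path:
            why = classify_path(path)
            if why:
                reasons.append(f"{why}: {path}")
        if reasons:
            findings.append(Finding(tag, reasons, line))
    return findings


def report(findings: list[Finding]) -> str:
    """Render findings as plain text, one block per flagged line."""
    out = []
    for f in findings:
        out.append(f"[{f.tag}] {f.line}")
        out.extend(f"    -> {r}" for r in f.reasons)
    return "\n".join(out)


# Constructed sample: lines copied from the HijackThis and OTL logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GR469A~1.DLL
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O21 - SSODL: GootkitSSO - {254E31A9-3A81-4896-86D7-C5F9D67FF305} - C:\Windows\System32\msxsltsso.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
F3 - HKU\.DEFAULT WinNT: Load - (C:\Windows\fonts\services.exe) - C:\Windows\fonts\services.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
DRV - [2010/02/27 23:22:01 | 000,025,616 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Users\User\AppData\Local\Temp\npi2cab.tmp -- (GarenaPEngine)
"""

if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

On the sample above the script flags four lines (the O21 SSODL entry, the F3 Load/Run value pointing at a services.exe in the Fonts directory, the O6 EnableLUA = 0 policy, and the driver loaded from a Temp file) and leaves the Office, avast and Sidebar entries alone. The path heuristics are deliberately coarse: installers do stage legitimate drivers from Temp, and 8.3 short names or a second system drive would need adding to the trusted prefixes, so treat the output as a reading order for the log, not as verdicts.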




#2 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts

Posted 17 March 2010 - 10:47 AM

Hi and welcome to the HijackThis Logs and Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days, if your topic has not been replied to, I will assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Under "Extra Registry" please check "Use Safelist" and also check "LOP Check" and "Purity Check" as pictured.
  6. Copy and Paste the following code into the textbox. Do not include the word "Code"

    CODE
    netsvcs
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %ALLUSERSPROFILE%\Application Data\*.
    %ALLUSERSPROFILE%\Application Data\*.exe /s
    %APPDATA%\*.
    %APPDATA%\*.exe /s
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    CREATERESTOREPOINT

  7. Push
  8. A report will open. Copy and Paste that report in your next reply.
  9. Two reports will open; copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

==========

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

==========

With your next post please provide:

* OTL.txt
* Extra.txt
* Gmer log

Kind regards,
~t
Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/

#3 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts

Posted 17 March 2010 - 11:38 AM

Hello thcbytes,
So should I disable avast first?

#4 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts

Posted 17 March 2010 - 12:24 PM

Here's the OTL

OTL logfile created on: 3/19/2010 2:35:01 AM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Users\User\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 97.56 Gb Total Space | 78.46 Gb Free Space | 80.42% Space Free | Partition Type: NTFS
Drive D: | 135.23 Gb Total Space | 111.01 Gb Free Space | 82.09% Space Free | Partition Type: NTFS
Drive E: | 622.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-PC
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/03/19 02:33:37 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
PRC - [2010/03/09 04:24:10 | 002,769,336 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastUI.exe
PRC - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
PRC - [2010/03/01 00:49:38 | 000,910,296 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/08/18 03:36:36 | 000,348,160 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2009/08/18 03:36:08 | 000,176,128 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2009/08/02 22:35:50 | 002,613,248 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/07/13 18:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sppsvc.exe
PRC - [2009/06/03 21:43:18 | 000,217,170 | ---- | M] (IDT, Inc.) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\stacsv.exe
PRC - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\AEstSrv.exe


========== Modules (SafeList) ==========

MOD - [2010/03/19 02:33:37 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
MOD - [2009/07/13 18:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/13 18:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/13 18:16:13 | 000,050,688 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\samcli.dll
MOD - [2009/07/13 18:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/13 18:16:03 | 000,022,016 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\netutils.dll
MOD - [2009/07/13 18:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/13 18:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/13 18:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/13 18:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/13 18:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/13 18:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Web Scanner)
SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Mail Scanner)
SRV - [2010/03/09 04:24:08 | 000,040,384 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast5\AvastSvc.exe -- (avast! Antivirus)
SRV - [2009/08/18 03:36:08 | 000,176,128 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2009/07/13 18:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/13 18:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/13 18:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/13 18:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/13 18:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/13 18:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/13 18:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 18:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/13 18:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/13 18:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/13 18:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/13 18:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/13 18:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/13 18:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/13 18:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/13 18:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/13 18:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/13 18:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/13 18:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/13 18:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2009/06/03 21:43:18 | 000,217,170 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\stacsv.exe -- (STacSV)
SRV - [2009/03/02 19:43:08 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_x86_neutral_62dfbbc3466d0409\AEstSrv.exe -- (AESTFilters)


========== Driver Services (SafeList) ==========

DRV - [2010/03/09 04:12:54 | 000,046,672 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2010/03/09 04:12:33 | 000,162,640 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2010/03/09 04:09:08 | 000,023,376 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2010/03/09 04:08:52 | 000,051,792 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2010/03/09 04:08:30 | 000,019,024 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2010/02/27 23:22:01 | 000,025,616 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Users\User\AppData\Local\Temp\npi2cab.tmp -- (GarenaPEngine)
DRV - [2009/08/18 04:48:06 | 004,994,560 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (atikmdag)
DRV - [2009/07/29 06:28:04 | 000,116,064 | ---- | M] (JMicron Technology Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\jmcr.sys -- (JMCR)
DRV - [2009/07/13 18:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/13 18:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/13 18:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/13 18:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/13 18:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/13 18:20:36 | 000,133,200 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/07/13 18:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/13 18:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/13 18:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/13 18:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/13 18:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/13 18:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/13 18:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/13 18:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/13 18:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/13 18:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/13 18:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/13 18:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/13 18:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/13 18:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/13 18:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/13 18:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/13 18:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/13 18:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/13 18:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/13 18:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/13 18:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/13 18:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/13 18:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/13 18:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/13 17:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/13 17:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/13 16:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/13 16:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/13 16:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/13 16:52:04 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vwififlt.sys -- (vwififlt)
DRV - [2009/07/13 16:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/13 16:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/13 16:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/13 16:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/13 16:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/13 16:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/13 16:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/13 16:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/13 16:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/13 16:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/13 16:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/13 16:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\amdppm.sys -- (AmdPPM)
DRV - [2009/07/13 15:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/13 15:13:48 | 001,035,776 | ---- | M] (LSI Corp) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2009/07/08 01:45:32 | 002,506,232 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\BCMWL6.SYS -- (BCM43XX)
DRV - [2009/06/03 21:43:18 | 000,407,040 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2009/03/02 00:05:32 | 000,139,776 | ---- | M] (Realtek Corporation ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2008/03/28 03:06:00 | 000,199,472 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========



IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-2489746795-948655660-3853586939-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://kr.msn.com/iat/us_kr.aspx
IE - HKU\S-1-5-21-2489746795-948655660-3853586939-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKU\S-1-5-21-2489746795-948655660-3853586939-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = DC 35 2C 21 6E B6 CA 01 [binary data]
IE - HKU\S-1-5-21-2489746795-948655660-3853586939-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..network.proxy.backup.ftp: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.backup.ftp_port: 8080
FF - prefs.js..network.proxy.backup.gopher: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.backup.gopher_port: 8080
FF - prefs.js..network.proxy.backup.socks: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.backup.socks_port: 8080
FF - prefs.js..network.proxy.backup.ssl: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.backup.ssl_port: 8080
FF - prefs.js..network.proxy.ftp: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.ftp_port: 8080
FF - prefs.js..network.proxy.gopher: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.gopher_port: 8080
FF - prefs.js..network.proxy.http: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.http_port: 8080
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.socks_port: 8080
FF - prefs.js..network.proxy.ssl: "proxy7.up.edu.ph"
FF - prefs.js..network.proxy.ssl_port: 8080
FF - prefs.js..network.proxy.type: 4

FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/03/02 14:58:42 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/03/01 00:49:39 | 000,000,000 | ---D | M]

[2010/02/25 22:00:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Extensions
[2010/02/25 22:00:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\8lbbmmkf.default\extensions
[2010/02/25 16:12:04 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/02/25 16:13:39 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll

O1 HOSTS File: ([2010/02/28 20:28:25 | 000,000,803 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O4 - HKLM..\Run: [avast5] C:\Program Files\Alwil Software\Avast5\avastUI.exe (ALWIL Software)
O4 - HKU\S-1-5-19..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe File not found
O4 - HKU\S-1-5-20..\Run: [Sidebar] C:\Program Files\Windows Sidebar\Sidebar.exe File not found
O4 - HKU\S-1-5-21-2489746795-948655660-3853586939-1000..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
F3 - HKU\.DEFAULT WinNT: Load - (C:\Windows\fonts\services.exe) - C:\Windows\fonts\services.exe ()
F3 - HKU\.DEFAULT WinNT: Run - (C:\Windows\fonts\services.exe) - C:\Windows\fonts\services.exe ()
F3 - HKU\S-1-5-18 WinNT: Load - (C:\Windows\fonts\services.exe) - C:\Windows\fonts\services.exe ()
F3 - HKU\S-1-5-18 WinNT: Run - (C:\Windows\fonts\services.exe) - C:\Windows\fonts\services.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: PromptOnSecureDesktop = 0
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/inst...tDetection2.cab (GMNRev Class)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O21 - SSODL: GootkitSSO - {254E31A9-3A81-4896-86D7-C5F9D67FF305} - C:\Windows\System32\msxsltsso.dll ()
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O31 - SafeBoot: AlternateShell -
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 14:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O32 - AutoRun File - [2001/08/23 04:00:00 | 000,000,110 | R--- | M] () - E:\AUTORUN.INF -- [ CDFS ]
O33 - MountPoints2\{675bbdcf-e15c-11de-be75-806e6f6e6963}\Shell - "" = AutoRun
O33 - MountPoints2\{675bbdcf-e15c-11de-be75-806e6f6e6963}\Shell\AutoRun\command - "" = E:\SETUP.EXE -- [2008/04/13 21:42:14 | 001,314,816 | R--- | M] (Microsoft Corporation)
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: FastUserSwitchingCompatibility - File not found
NetSvcs: Ias - C:\Windows\System32\ias [2009/07/13 19:37:08 | 000,000,000 | ---D | M]
NetSvcs: Nla - File not found
NetSvcs: Ntmssvc - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: SRService - File not found
NetSvcs: Wmi - C:\Windows\System32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found
NetSvcs: LogonHours - File not found
NetSvcs: PCAudit - File not found
NetSvcs: helpsvc - File not found
NetSvcs: uploadmgr - File not found
NetSvcs: Themes - C:\Windows\System32\themeservice.dll (Microsoft Corporation)
NetSvcs: BDESVC - C:\Windows\System32\bdesvc.dll (Microsoft Corporation)

MsConfig - StartUpReg: Sidebar - hkey= - key= - C:\Program Files\Windows Sidebar\sidebar.exe File not found
MsConfig - StartUpReg: swg - hkey= - key= - C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe File not found
MsConfig - State: "bootini" - 2
MsConfig - State: "startup" - 2

SafeBootMin: Base - Driver Group
SafeBootMin: Boot Bus Extender - Driver Group
SafeBootMin: Boot file system - Driver Group
SafeBootMin: File system - Driver Group
SafeBootMin: Filter - Driver Group
SafeBootMin: HelpSvc - Service
SafeBootMin: NTDS - File not found
SafeBootMin: PCI Configuration - Driver Group
SafeBootMin: PNP Filter - Driver Group
SafeBootMin: Power - C:\Windows\System32\umpo.dll (Microsoft Corporation)
SafeBootMin: Primary disk - Driver Group
SafeBootMin: RpcEptMapper - C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SafeBootMin: sacsvr - Service
SafeBootMin: SCSI Class - Driver Group
SafeBootMin: System Bus Extender - Driver Group
SafeBootMin: vmms - Service
SafeBootMin: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

SafeBootNet: Base - Driver Group
SafeBootNet: Boot Bus Extender - Driver Group
SafeBootNet: Boot file system - Driver Group
SafeBootNet: Dhcp - C:\Windows\System32\dhcpcore.dll (Microsoft Corporation)
SafeBootNet: File system - Driver Group
SafeBootNet: Filter - Driver Group
SafeBootNet: HelpSvc - Service
SafeBootNet: Messenger - Service
SafeBootNet: NDIS Wrapper - Driver Group
SafeBootNet: ndiscap - C:\Windows\System32\drivers\ndiscap.sys (Microsoft Corporation)
SafeBootNet: NetBIOSGroup - Driver Group
SafeBootNet: NetDDEGroup - Driver Group
SafeBootNet: Network - Driver Group
SafeBootNet: NetworkProvider - Driver Group
SafeBootNet: NTDS - File not found
SafeBootNet: PCI Configuration - Driver Group
SafeBootNet: PNP Filter - Driver Group
SafeBootNet: PNP_TDI - Driver Group
SafeBootNet: Power - C:\Windows\System32\umpo.dll (Microsoft Corporation)
SafeBootNet: Primary disk - Driver Group
SafeBootNet: rdsessmgr - Service
SafeBootNet: RpcEptMapper - C:\Windows\System32\RpcEpMap.dll (Microsoft Corporation)
SafeBootNet: sacsvr - Service
SafeBootNet: SCSI Class - Driver Group
SafeBootNet: Streams Drivers - Driver Group
SafeBootNet: System Bus Extender - Driver Group
SafeBootNet: TDI - Driver Group
SafeBootNet: vmms - Service
SafeBootNet: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
SafeBootNet: WudfUsbccidDriver - Driver
SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices

ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
ActiveX: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - Reg Error: Value error.
ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP

Drivers32: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
Drivers32: MSVideo8 - C:\Windows\System32\vfwwdm32.dll (Microsoft Corporation)
Drivers32: vidc.cvid - C:\Windows\System32\iccvid.dll (Radius Inc.)

========== Files/Folders - Created Within 30 Days ==========

[2010/03/19 02:33:25 | 000,556,032 | ---- | C] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/03/18 23:39:16 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/03/17 18:18:47 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\ElevatedDiagnostics
[2010/03/14 14:02:38 | 000,000,000 | ---D | C] -- C:\ProgramData\TEMP
[2010/03/02 15:21:31 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Programming
[2010/03/02 15:05:07 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Dev-Cpp
[2010/03/02 15:04:17 | 000,000,000 | ---D | C] -- C:\Dev-Cpp
[2010/03/01 00:50:06 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\vlc
[2010/03/01 00:48:02 | 000,000,000 | ---D | C] -- C:\Program Files\VideoLAN
[2010/02/28 22:00:29 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Heroes of Newerth
[2010/02/28 21:59:55 | 000,000,000 | ---D | C] -- C:\Program Files\Heroes of Newerth
[2010/02/28 20:29:17 | 000,237,568 | ---- | C] (-) -- C:\Windows\System32\2956919.exe
[2010/02/28 20:29:17 | 000,062,496 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\MSWINSCK.OCX
[2010/02/28 20:29:00 | 000,000,000 | -HSD | C] -- C:\Windows\System32\%APPDATA%
[2010/02/28 20:28:46 | 000,037,376 | ---- | C] (Andreas Hausladen) -- C:\Windows\System32\9425165.exe
[2010/02/28 20:22:20 | 000,000,000 | ---D | C] -- C:\ProgramData\PopCap Games
[2010/02/27 23:05:42 | 004,379,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DX9_40.dll
[2010/02/27 23:05:42 | 002,036,576 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\D3DCompiler_40.dll
[2010/02/27 23:05:42 | 000,452,440 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\d3dx10_40.dll
[2010/02/27 23:05:41 | 000,081,768 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\xinput1_3.dll
[2010/02/26 23:40:56 | 000,000,000 | ---D | C] -- C:\ProgramData\Adobe
[2010/02/25 23:19:56 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\WinRAR
[2010/02/25 22:00:41 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Mozilla
[2010/02/25 22:00:41 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Mozilla
[2010/02/25 21:25:01 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Adobe
[2010/02/25 21:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Adobe
[2010/02/25 20:46:29 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Local\Yahoo
[2010/02/25 20:46:28 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Yahoo!
[2010/02/25 16:15:41 | 000,019,024 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/02/25 16:15:40 | 000,162,640 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/02/25 16:15:39 | 000,023,376 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/02/25 16:15:38 | 000,046,672 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/02/25 16:15:35 | 000,051,792 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/02/25 16:15:00 | 000,153,184 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010/02/25 16:15:00 | 000,038,848 | ---- | C] (ALWIL Software) -- C:\Windows\System32\avastSS.scr
[2010/02/25 16:14:58 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/02/25 16:14:58 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/02/25 16:14:19 | 000,000,000 | ---D | C] -- C:\Program Files\WinRAR
[2010/02/25 16:13:49 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/02/25 16:13:49 | 000,000,000 | ---D | C] -- C:\Users\User\AppData\Roaming\Foxit
[2010/02/25 16:13:37 | 000,000,000 | ---D | C] -- C:\ProgramData\Yahoo!
[2010/02/25 16:13:26 | 000,000,000 | ---D | C] -- C:\Program Files\Yahoo!
[2010/02/25 16:12:02 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox
[2010/02/25 16:11:49 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\Downloads
[2010/02/25 16:09:12 | 000,000,000 | ---D | C] -- C:\Windows\pss
[2010/02/25 15:54:12 | 000,000,000 | ---D | C] -- C:\Windows\System32\SDA
[2010/02/25 15:54:12 | 000,000,000 | ---D | C] -- C:\Program Files\JMicron
[2010/02/25 15:54:11 | 000,000,000 | ---D | C] -- C:\swsetup
[2010/02/25 15:46:06 | 000,000,000 | ---D | C] -- C:\Program Files\HP
[2010/02/25 15:46:04 | 000,000,000 | ---D | C] -- C:\Windows\Downloaded Installations
[2010/02/24 18:57:35 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 191
[2010/02/24 18:57:35 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 143
[2010/02/24 18:57:34 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 141 Report
[2010/02/24 18:57:34 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 132
[2010/02/24 18:57:34 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 131 GAA
[2010/02/24 18:57:33 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 113 PPT
[2010/02/24 18:57:32 | 000,000,000 | ---D | C] -- C:\Users\User\Documents\PA 111 PPT
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/03/19 02:36:47 | 000,860,672 | ---- | M] () -- C:\Windows\System32\drivers\rjiyexor.sys
[2010/03/19 02:35:33 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/03/19 02:35:33 | 000,010,016 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/03/19 02:34:54 | 000,684,666 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/03/19 02:34:54 | 000,594,316 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/03/19 02:34:54 | 000,096,648 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/03/19 02:33:37 | 000,556,032 | ---- | M] (OldTimer Tools) -- C:\Users\User\Desktop\OTL.exe
[2010/03/19 02:30:31 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/03/19 02:30:30 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/03/19 02:29:37 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/03/19 02:29:34 | 2212,884,480 | -HS- | M] () -- C:\hiberfil.sys
[2010/03/18 23:48:17 | 003,407,872 | -HS- | M] () -- C:\Users\User\NTUSER.DAT
[2010/03/18 23:48:14 | 001,288,389 | -H-- | M] () -- C:\Users\User\AppData\Local\IconCache.db
[2010/03/18 23:39:17 | 000,002,039 | ---- | M] () -- C:\Users\User\Desktop\HijackThis.lnk
[2010/03/18 23:14:05 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/03/14 18:29:06 | 000,009,918 | ---- | M] () -- C:\Users\User\Documents\Andy Bank.xlsx
[2010/03/13 18:13:33 | 000,075,759 | ---- | M] () -- C:\Users\User\Documents\FUTURE OF PHRM.pptx
[2010/03/13 18:12:50 | 000,027,235 | ---- | M] () -- C:\Users\User\Documents\FUTURE OF PUBLIC HUMAN RESOURCE MANAGEMENT.docx
[2010/03/12 01:43:44 | 000,011,143 | ---- | M] () -- C:\Users\User\Documents\DFAAYRA.docx
[2010/03/11 20:20:09 | 000,013,704 | ---- | M] () -- C:\Users\User\Documents\Important Reminders.docx
[2010/03/11 07:58:37 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/03/10 01:38:12 | 000,031,744 | ---- | M] () -- C:\Users\User\Documents\qweqweqwe.doc
[2010/03/09 04:24:05 | 000,153,184 | ---- | M] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010/03/09 04:12:54 | 000,046,672 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/03/09 04:12:33 | 000,162,640 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/03/09 04:09:08 | 000,023,376 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/03/09 04:08:52 | 000,051,792 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/03/09 04:08:30 | 000,019,024 | ---- | M] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/03/08 19:53:00 | 000,011,163 | ---- | M] () -- C:\Users\User\Documents\ISSUES ON THE PNRC and ICRC.docx
[2010/03/07 11:22:16 | 000,012,302 | ---- | M] () -- C:\Users\User\Documents\PA 191 Interview Questions.docx
[2010/03/06 22:44:09 | 000,034,304 | ---- | M] () -- C:\Users\User\Documents\PA 122 Notes.doc
[2010/03/05 15:54:42 | 000,412,464 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2010/03/05 12:29:36 | 000,109,216 | ---- | M] () -- C:\Users\User\AppData\Local\GDIPFONTCACHEV1.DAT
[2010/03/02 17:28:53 | 000,191,945 | ---- | M] () -- C:\Users\User\Documents\Research - Reading.docx
[2010/03/01 00:48:14 | 000,001,024 | ---- | M] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/03/01 00:39:55 | 000,032,256 | ---- | M] () -- C:\Users\User\Documents\KABANATA 1.doc
[2010/02/28 22:00:29 | 000,001,871 | ---- | M] () -- C:\Users\User\Desktop\Heroes of Newerth.lnk
[2010/02/28 20:29:31 | 000,026,624 | ---- | M] () -- C:\Windows\System32\681254.exe
[2010/02/28 20:29:18 | 000,062,496 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MSWINSCK.OCX
[2010/02/28 20:29:17 | 000,237,568 | ---- | M] (-) -- C:\Windows\System32\2956919.exe
[2010/02/28 20:28:59 | 000,000,038 | ---- | M] () -- C:\{8f3223cc-c3d6-4353-a1cf-079ce42511d9}
[2010/02/28 20:28:56 | 000,042,496 | ---- | M] () -- C:\Windows\System32\msxsltsso.dll
[2010/02/28 20:28:46 | 000,037,376 | ---- | M] (Andreas Hausladen) -- C:\Windows\System32\9425165.exe
[2010/02/28 20:28:25 | 000,000,803 | ---- | M] () -- C:\Windows\System32\drivers\etc\hosts
[2010/02/25 22:00:45 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/02/25 16:15:41 | 000,002,005 | ---- | M] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2010/02/25 16:13:57 | 000,000,199 | ---- | M] () -- C:\Users\Public\Desktop\eBay.url
[2010/02/25 16:13:49 | 000,001,188 | ---- | M] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2010/02/25 16:13:39 | 000,001,117 | ---- | M] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/25 16:12:05 | 000,001,885 | ---- | M] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[1 C:\Windows\System32\*.tmp files -> C:\Windows\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/03/18 23:39:17 | 000,002,039 | ---- | C] () -- C:\Users\User\Desktop\HijackThis.lnk
[2010/03/12 23:44:06 | 000,027,235 | ---- | C] () -- C:\Users\User\Documents\FUTURE OF PUBLIC HUMAN RESOURCE MANAGEMENT.docx
[2010/03/12 01:43:44 | 000,011,143 | ---- | C] () -- C:\Users\User\Documents\DFAAYRA.docx
[2010/03/11 20:20:08 | 000,013,704 | ---- | C] () -- C:\Users\User\Documents\Important Reminders.docx
[2010/03/10 22:58:41 | 000,075,759 | ---- | C] () -- C:\Users\User\Documents\FUTURE OF PHRM.pptx
[2010/03/08 19:51:46 | 000,011,163 | ---- | C] () -- C:\Users\User\Documents\ISSUES ON THE PNRC and ICRC.docx
[2010/03/06 20:02:55 | 000,012,302 | ---- | C] () -- C:\Users\User\Documents\PA 191 Interview Questions.docx
[2010/03/05 12:12:44 | 000,598,984 | ---- | C] () -- C:\Users\User\Desktop\CRAYA___.TTF
[2010/03/02 17:23:22 | 000,191,945 | ---- | C] () -- C:\Users\User\Documents\Research - Reading.docx
[2010/03/01 00:48:14 | 000,001,024 | ---- | C] () -- C:\Users\Public\Desktop\VLC media player.lnk
[2010/03/01 00:45:44 | 000,031,744 | ---- | C] () -- C:\Users\User\Documents\qweqweqwe.doc
[2010/02/28 22:00:29 | 000,001,871 | ---- | C] () -- C:\Users\User\Desktop\Heroes of Newerth.lnk
[2010/02/28 21:48:23 | 000,032,256 | ---- | C] () -- C:\Users\User\Documents\KABANATA 1.doc
[2010/02/28 20:31:02 | 000,860,672 | ---- | C] () -- C:\Windows\System32\drivers\rjiyexor.sys
[2010/02/28 20:29:31 | 000,026,624 | ---- | C] () -- C:\Windows\System32\681254.exe
[2010/02/28 20:28:59 | 000,000,038 | ---- | C] () -- C:\{8f3223cc-c3d6-4353-a1cf-079ce42511d9}
[2010/02/28 20:28:56 | 000,042,496 | ---- | C] () -- C:\Windows\System32\msxsltsso.dll
[2010/02/25 22:00:45 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/02/25 16:15:41 | 000,002,005 | ---- | C] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2010/02/25 16:13:57 | 000,000,199 | ---- | C] () -- C:\Users\Public\Desktop\eBay.url
[2010/02/25 16:13:49 | 000,001,188 | ---- | C] () -- C:\Users\Public\Desktop\Foxit Reader.lnk
[2010/02/25 16:13:39 | 000,001,117 | ---- | C] () -- C:\Users\Public\Desktop\Yahoo! Messenger.lnk
[2010/02/25 16:12:05 | 000,001,885 | ---- | C] () -- C:\Users\Public\Desktop\Mozilla Firefox.lnk
[2010/02/25 16:04:02 | 000,000,886 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/02/25 16:04:02 | 000,000,882 | ---- | C] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/02/24 18:57:22 | 001,592,320 | ---- | C] () -- C:\Users\User\Documents\PA 113 FINALS.doc
[2010/02/24 18:57:22 | 000,126,583 | ---- | C] () -- C:\Users\User\Documents\PNP Budget.docx
[2010/02/24 18:57:22 | 000,061,952 | ---- | C] () -- C:\Users\User\Documents\EXERCISE 1-1 Ecological Solid Waste Management Act.doc
[2010/02/24 18:57:22 | 000,059,792 | ---- | C] () -- C:\Users\User\Documents\Pinat Resume.docx
[2010/02/24 18:57:22 | 000,039,424 | ---- | C] () -- C:\Users\User\Documents\BACKGROUND PA 141 Policy issue paper-1.doc
[2010/02/24 18:57:22 | 000,035,840 | ---- | C] () -- C:\Users\User\Documents\Outline --- POLICY PAPER.doc
[2010/02/24 18:57:22 | 000,034,304 | ---- | C] () -- C:\Users\User\Documents\PA 122 Notes.doc
[2010/02/24 18:57:22 | 000,027,136 | ---- | C] () -- C:\Users\User\Documents\The Fundamental Principles of the Red Cross and Red Crescent.doc
[2010/02/24 18:57:22 | 000,010,143 | ---- | C] () -- C:\Users\User\Documents\Birth of Andrea Lorraine Salvador.docx
[2010/02/24 18:57:22 | 000,009,918 | ---- | C] () -- C:\Users\User\Documents\Andy Bank.xlsx
[2009/07/13 16:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/13 16:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/07/13 16:19:28 | 000,147,456 | -H-- | C] () -- C:\Windows\Fonts\services.exe
[2006/03/09 17:58:00 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll

========== LOP Check ==========

[2010/03/02 15:35:39 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Dev-Cpp
[2010/02/25 16:13:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Foxit
[2009/07/13 21:53:46 | 000,020,852 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT

========== Purity Check ==========



========== Custom Scans ==========


< %ALLUSERSPROFILE%\Application Data\*. >

< %ALLUSERSPROFILE%\Application Data\*.exe /s >

< %APPDATA%\*. >
[2010/02/26 23:40:40 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Adobe
[2010/03/02 15:35:39 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Dev-Cpp
[2010/02/25 16:13:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Foxit
[2009/12/04 23:46:51 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Google
[2009/12/04 22:26:42 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Identities
[2009/12/04 23:47:04 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Macromedia
[2009/07/14 00:48:45 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Media Center Programs
[2010/03/07 15:13:18 | 000,000,000 | --SD | M] -- C:\Users\User\AppData\Roaming\Microsoft
[2010/02/25 22:00:49 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Mozilla
[2010/03/18 20:50:55 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\vlc
[2010/02/25 23:19:56 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\WinRAR
[2010/02/25 20:46:28 | 000,000,000 | ---D | M] -- C:\Users\User\AppData\Roaming\Yahoo!

< %APPDATA%\*.exe /s >
[2010/02/25 15:46:06 | 000,010,134 | R--- | M] () -- C:\Users\User\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe

< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\drivers\agp440.sys
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\System32\DriverStore\FileRepository\machine.inf_x86_neutral_65848c2d7375a720\AGP440.sys
[2009/07/13 18:26:15 | 000,053,312 | ---- | M] (Microsoft Corporation) MD5=507812C3054C21CEF746B6EE3D04DD6E -- C:\Windows\winsxs\x86_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_b9e9435f20046eeb\AGP440.sys

< MD5 for: ATAPI.SYS >
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\drivers\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\System32\DriverStore\FileRepository\mshdc.inf_x86_neutral_f64b9c35a3a5be81\atapi.sys
[2009/07/13 18:26:15 | 000,021,584 | ---- | M] (Microsoft Corporation) MD5=338C86357871C167A96AB976519BF59E -- C:\Windows\winsxs\x86_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_dd0e7e3d82dd640d\atapi.sys

< MD5 for: CNGAUDIT.DLL >
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\System32\cngaudit.dll
[2009/07/13 18:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll

< MD5 for: IASTORV.SYS >
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: NVSTOR.SYS >
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\drivers\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\System32\DriverStore\FileRepository\nvraid.inf_x86_neutral_5bde3fe2945bce9e\nvstor.sys
[2009/07/13 18:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) MD5=C99F251A5DE63C6F129CF71933ACED0F -- C:\Windows\winsxs\x86_nvraid.inf_31bf3856ad364e35_6.1.7600.16385_none_39b1194b205239d8\nvstor.sys

< MD5 for: SCECLI.DLL >
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\System32\scecli.dll
[2009/07/13 18:16:13 | 000,175,616 | ---- | M] (Microsoft Corporation) MD5=26073302DAEA83CC5B944C546D6B47D2 -- C:\Windows\winsxs\x86_microsoft-windows-s..urationengineclient_31bf3856ad364e35_6.1.7600.16385_none_37e4387f3a6f0483\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[1 C:\Windows\system32\*.tmp files -> C:\Windows\system32\*.tmp -> ]

========== Alternate Data Streams ==========

@Alternate Data Stream - 110 bytes -> C:\ProgramData\TEMP:3790BACD

< End of report >
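
The "< MD5 for: ... >" blocks above list each system file's live copy under System32 next to the backup copies Windows keeps in WinSxS and the DriverStore, so a driver that has been patched on disk shows up as a hash that disagrees with its own backups. The parser below (an added example for this thread, not OTL's code or the poster's) reads those blocks and reports any file whose live copy carries a different MD5 than the backup copies. The IASTORV.SYS and NETLOGON.DLL blocks are copied from the log above; the EXAMPLE.SYS block is constructed, with a deliberately different hash and size on the System32 copy, and does not describe the poster's machine.

```python
"""Compare the System32 copy of each file in an OTL "< MD5 for: ... >" block
against its WinSxS / DriverStore copies and flag disagreements.

Added example for this thread; not part of OTL or of the posted logs.
"""
import re
from collections import defaultdict

# One OTL file line, e.g.
# [2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934A... -- C:\Windows\System32\drivers\iaStorV.sys
FILE_LINE = re.compile(
    r"^\[(?P<stamp>[^|]+?)\s*\|\s*(?P<size>[\d,]+)\s*\|\s*(?P<attrs>[^|]+?)\s*\|\s*(?P<kind>\w)\]\s*"
    r"\((?P<company>[^)]*)\)\s*MD5=(?P<md5>[0-9A-Fa-f]{32})\s*--\s*(?P<path>\S.*?)\s*$"
)
HEADER = re.compile(r"^<\s*MD5 for:\s*(?P<name>\S+)\s*>$")


def parse_md5_blocks(text):
    """Return {FILENAME: [{size, company, md5, path}, ...]} for every block."""
    blocks = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            current = head.group("name").upper()
            continue
        if current is None or not line:
            continue
        m = FILE_LINE.match(line)
        if m:
            blocks[current].append({
                "size": int(m.group("size").replace(",", "")),
                "company": m.group("company"),
                "md5": m.group("md5").upper(),
                "path": m.group("path"),
            })
    return dict(blocks)


def is_live_copy(path):
    """The copy Windows loads lives under System32; WinSxS and the DriverStore hold backups."""
    p = path.lower()
    return "\\system32\\" in p and "\\driverstore\\" not in p and "\\winsxs\\" not in p


def find_mismatches(blocks):
    """For each file with more than one distinct MD5, name the copies that disagree
    with the backups and say whether the live System32 copy is among them."""
    findings = {}
    for name, entries in blocks.items():
        by_md5 = defaultdict(list)
        for e in entries:
            by_md5[e["md5"]].append(e["path"])
        if len(by_md5) < 2:
            continue
        # Reference hash: what the backup copies agree on; fall back to the majority hash.
        backup_hashes = {e["md5"] for e in entries if not is_live_copy(e["path"])}
        reference = backup_hashes.pop() if len(backup_hashes) == 1 else max(by_md5, key=lambda h: len(by_md5[h]))
        odd = [p for h, paths in by_md5.items() if h != reference for p in paths]
        findings[name] = {
            "reference_md5": reference,
            "odd_copies": odd,
            "live_copy_patched": any(is_live_copy(p) for p in odd),
        }
    return findings


# Constructed sample: the first two blocks are copied from the log in this thread,
# the EXAMPLE.SYS block is invented to show a live copy that no longer matches its backups.
SAMPLE_OTL = r"""
< MD5 for: IASTORV.SYS >
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\drivers\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\System32\DriverStore\FileRepository\iastorv.inf_x86_neutral_18cccb83b34e1453\iaStorV.sys
[2009/07/13 18:20:36 | 000,332,352 | ---- | M] (Intel Corporation) MD5=934AF4D7C5F457B9F0743F4299B77B67 -- C:\Windows\winsxs\x86_iastorv.inf_31bf3856ad364e35_6.1.7600.16385_none_aee7a89be91b9000\iaStorV.sys

< MD5 for: NETLOGON.DLL >
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\System32\netlogon.dll
[2009/07/13 18:16:02 | 000,563,712 | ---- | M] (Microsoft Corporation) MD5=EAA75D9000B71F10EEC04D2AE6C60E81 -- C:\Windows\winsxs\x86_microsoft-windows-security-netlogon_31bf3856ad364e35_6.1.7600.16385_none_fd8e0d66994d7dc8\netlogon.dll

< MD5 for: EXAMPLE.SYS >
[2010/03/14 22:31:11 | 000,020,992 | ---- | M] () MD5=0123456789ABCDEF0123456789ABCDEF -- C:\Windows\System32\drivers\example.sys
[2009/07/13 18:20:36 | 000,019,968 | ---- | M] (Example Corp) MD5=FEDCBA9876543210FEDCBA9876543210 -- C:\Windows\System32\DriverStore\FileRepository\example.inf_x86_neutral_0000000000000000\example.sys
[2009/07/13 18:20:36 | 000,019,968 | ---- | M] (Example Corp) MD5=FEDCBA9876543210FEDCBA9876543210 -- C:\Windows\winsxs\x86_example.inf_31bf3856ad364e35_6.1.7600.16385_none_0000000000000000\example.sys
"""

if __name__ == "__main__":
    for name, f in find_mismatches(parse_md5_blocks(SAMPLE_OTL)).items():
        print(name, "live copy patched:" if f["live_copy_patched"] else "backup copies differ:", f["odd_copies"])
```

Agreement across copies only shows the copies are identical, not that they are clean: a rootkit that also rewrites the WinSxS or DriverStore copy, or one that hides the real on-disk bytes from the scanner, passes this check. Treat a disagreeing live copy as a lead to follow up, and a clean result as one less place to look.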



#5 anjo03
  • Topic Starter
  • Members
  • 140 posts

Posted 17 March 2010 - 12:26 PM

And here's the extra.

OTL Extras logfile created on: 3/19/2010 2:35:02 AM - Run 1
OTL by OldTimer - Version 3.1.37.2 Folder = C:\Users\User\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 73.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 86.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 97.56 Gb Total Space | 78.46 Gb Free Space | 80.42% Space Free | Partition Type: NTFS
Drive D: | 135.23 Gb Total Space | 111.01 Gb Free Space | 82.09% Space Free | Partition Type: NTFS
Drive E: | 622.63 Mb Total Space | 0.00 Mb Free Space | 0.00% Space Free | Partition Type: CDFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-PC
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe File not found
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)
.html [@ = htmlfile] -- Reg Error: Key error. File not found

[HKEY_USERS\S-1-5-21-2489746795-948655660-3853586939-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* File not found
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [open] -- Reg Error: Key error.
htmlfile [opennew] -- Reg Error: Key error.
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
https [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V"
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- Reg Error: Key error.
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- Reg Error: Key error.

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 0

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{26604C7E-A313-4D12-867F-7C6E7820BE4C}" = JMicron Flash Media Controller Driver
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"avast5" = avast! Free Antivirus
"Dev-C++" = Dev-C++ 5 beta 9 release (4.9.9.2)
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Foxit Reader" = Foxit Reader
"HijackThis" = HijackThis 2.0.2
"hon" = Heroes of Newerth
"Mozilla Firefox (3.6)" = Mozilla Firefox (3.6)
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"VLC media player" = VLC media player 1.0.5
"WinRAR archiver" = WinRAR archiver
"Yahoo! Messenger" = Yahoo! Messenger

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 3/14/2010 10:31:11 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ehSSO.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bd9dd Exception code: 0xc0000005 Fault offset: 0x00003d05 Faulting
process id: 0x748 Faulting application start time: 0x01cac3e785e7d1f2 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\ehome\ehSSO.dll Report
Id: d1899efa-2fda-11df-a9d9-00235a3af303

Error - 3/15/2010 12:13:40 AM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ehSSO.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bd9dd Exception code: 0xc0000005 Fault offset: 0x00003d05 Faulting
process id: 0x6b0 Faulting application start time: 0x01cac3f5d5f542bf Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\ehome\ehSSO.dll Report
Id: 227182a0-2fe9-11df-98c4-00235a3af303

Error - 3/17/2010 10:57:10 AM | Computer Name = User-PC | Source = Google Update | ID = 20
Description =

Error - 3/17/2010 11:16:19 AM | Computer Name = User-PC | Source = Google Update | ID = 20
Description =

Error - 3/17/2010 9:17:23 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ehSSO.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bd9dd Exception code: 0xc0000005 Fault offset: 0x00003d05 Faulting
process id: 0x684 Faulting application start time: 0x01cac638b596ef13 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\ehome\ehSSO.dll Report
Id: 017f9912-322c-11df-abbf-00235a3af303

Error - 3/17/2010 9:24:15 PM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: kernel32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bdaad Exception code: 0xc0000005 Fault offset: 0x0004f03d Faulting
process id: 0x6b4 Faulting application start time: 0x01cac639ab14741d Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\kernel32.dll
Report
Id: f6cee9e4-322c-11df-aee6-00235a3af303

Error - 3/19/2010 1:47:00 AM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: kernel32.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bdaad Exception code: 0xc0000005 Fault offset: 0x0004f03d Faulting
process id: 0x6e0 Faulting application start time: 0x01cac72788f4aba8 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\system32\kernel32.dll
Report
Id: d5b0441d-331a-11df-ac56-00235a3af303

Error - 3/19/2010 2:05:25 AM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ehSSO.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bd9dd Exception code: 0xc0000005 Fault offset: 0x00003d05 Faulting
process id: 0x6cc Faulting application start time: 0x01cac72a1b707285 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\ehome\ehSSO.dll Report
Id: 689ef8ed-331d-11df-b858-00235a3af303

Error - 3/19/2010 2:05:48 AM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ehSSO.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bd9dd Exception code: 0xc0000005 Fault offset: 0x00003d05 Faulting
process id: 0x638 Faulting application start time: 0x01cac72a2db7c84f Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\ehome\ehSSO.dll Report
Id: 767deb86-331d-11df-b858-00235a3af303

Error - 3/19/2010 2:06:01 AM | Computer Name = User-PC | Source = Application Error | ID = 1000
Description = Faulting application name: Explorer.EXE, version: 6.1.7600.16404,
time stamp: 0x4a765076 Faulting module name: ntdll.dll, version: 6.1.7600.16385,
time stamp: 0x4a5bdadb Exception code: 0xc0000374 Fault offset: 0x000c283b Faulting
process id: 0xc7c Faulting application start time: 0x01cac72a3bc3f511 Faulting application
path: C:\Windows\Explorer.EXE Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report
Id: 7e2e7e11-331d-11df-b858-00235a3af303

[ System Events ]
Error - 3/19/2010 2:23:29 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/19/2010 2:23:29 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/19/2010 2:23:29 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/19/2010 2:23:31 AM | Computer Name = User-PC | Source = Service Control Manager | ID = 7001
Description = The Network List Service service depends on the Network Location Awareness
service which failed to start because of the following error: %%1068

Error - 3/19/2010 2:37:09 AM | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 3/19/2010 2:37:09 AM | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/19/2010 2:42:09 AM | Computer Name = User-PC | Source = DCOM | ID = 10001
Description =

Error - 3/19/2010 5:29:37 AM | Computer Name = User-PC | Source = atikmdag | ID = 52236
Description = CPLIB :: General - Invalid Parameter

Error - 3/19/2010 5:29:37 AM | Computer Name = User-PC | Source = atikmdag | ID = 43029
Description = Display is not active

Error - 3/19/2010 5:34:38 AM | Computer Name = User-PC | Source = DCOM | ID = 10001
Description =


< End of report >
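
The Shell Spawning section of the Extras log lists, for each file class and verb, the command Windows runs, and OTL appends "File not found" when the target binary is absent from disk and "Reg Error" when the handler key or value itself is gone. The parser below (an added example for this thread, not OTL's code or the poster's) pulls that section apart and flags the three things a helper reads it for: handler binaries missing from disk (control.exe and iexplore.exe above), handler keys that no longer exist, and executable classes whose open command is anything other than the stock `"%1" %*`. The sample copies handler lines from the log above, except the exefile line, which is constructed to show what a redirected .exe handler looks like and is not from the poster's machine.

```python
"""Audit the "Shell Spawning" section of an OTL Extras log.

Added example for this thread; not part of OTL or of the posted logs.
"""
import re

SECTION_HEADER = re.compile(r"^=+\s*(?P<title>.+?)\s*=+$")
# e.g.  cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* File not found
HANDLER_LINE = re.compile(r"^(?P<key>\S+)\s+\[(?P<verb>[^\]]+)\]\s+--\s+(?P<rest>.*)$")
TRAILING_COMPANY = re.compile(r"^(?P<cmd>.*?)\s*\((?P<company>[^()]*)\)$")

# Stock Windows "open" command for these classes. Anything else means the handler
# has been redirected, usually through an interposed executable.
EXPECTED_OPEN_COMMAND = '"%1" %*'
EXECUTABLE_CLASSES = {"exefile", "comfile", "batfile", "cmdfile", "piffile"}


def section_lines(text, title):
    """Yield the non-blank lines of the OTL section whose banner reads '== title =='."""
    inside = False
    for raw in text.splitlines():
        line = raw.strip()
        head = SECTION_HEADER.match(line)
        if head:
            inside = head.group("title").lower() == title.lower()
            continue
        if inside and line:
            yield line


def classify_handler(rest):
    """Split OTL's trailing annotation from the command string.

    Returns (command, status, detail); status is 'reg_error' (key/value missing),
    'missing' (binary not on disk), 'present' (binary found, company in detail)
    or 'inline' (no file path, e.g. "%1" %*)."""
    if rest.startswith("Reg Error:"):
        return None, "reg_error", rest
    if rest.endswith("File not found"):
        return rest[: -len("File not found")].strip(), "missing", None
    m = TRAILING_COMPANY.match(rest)
    if m:
        return m.group("cmd"), "present", m.group("company")
    return rest, "inline", None


def audit_shell_spawning(text):
    """Return missing binaries, absent handler keys and redirected executable classes."""
    report = {"missing": [], "reg_errors": [], "hijacked": [], "handlers": 0}
    for line in section_lines(text, "Shell Spawning"):
        m = HANDLER_LINE.match(line)
        if not m:
            continue  # the [HKEY_LOCAL_MACHINE\...] key-path line has no [verb] -- part
        key, verb, rest = m.group("key"), m.group("verb"), m.group("rest")
        cmd, status, detail = classify_handler(rest)
        report["handlers"] += 1
        if status == "reg_error":
            report["reg_errors"].append((key, verb, detail))
        elif status == "missing":
            report["missing"].append((key, verb, cmd))
        if key in EXECUTABLE_CLASSES and verb == "open" and cmd is not None and cmd != EXPECTED_OPEN_COMMAND:
            report["hijacked"].append((key, verb, cmd))
    return report


# Constructed sample: handler lines copied from the Extras log in this thread, with the
# exefile line replaced by an invented redirected handler ("sample-hijacker.exe" is made up).
SAMPLE_EXTRAS = r"""
========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* File not found
exefile [open] -- "C:\ProgramData\sample-hijacker.exe" "%1" %* ()
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [open] -- Reg Error: Key error.
http [open] -- "C:\Program Files\Internet Explorer\iexplore.exe" -nohome File not found
regfile [merge] -- Reg Error: Key error.
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
txtfile [edit] -- Reg Error: Key error.
Directory [cmd] -- cmd.exe /s /k pushd "%V"
Folder [explore] -- Reg Error: Value error.

========== Security Center Settings ==========
"""

if __name__ == "__main__":
    for category, items in audit_shell_spawning(SAMPLE_EXTRAS).items():
        print(category, items)
```

Run it over a whole Extras log; anything under `hijacked` deserves the first look, because a redirected exefile handler puts the interposed binary in front of every program launch, which is exactly how a single process can make taskmgr, cmd and regedit appear to be "gone" even when the files still exist. Entries under `missing` match the symptom in the thread title but do not say by themselves whether the binaries were deleted or the handler command was pointed at a path that never existed.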


#6 anjo03
  • Topic Starter
  • Members
  • 140 posts

Posted 17 March 2010 - 12:41 PM

And GMER.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-03-19 02:59:06
Windows 6.1.7600
Running: g3xho50q.exe; Driver: C:\Users\User\AppData\Local\Temp\kxldapob.sys


---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2AAF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2A104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2A3F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E12634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E12898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2A1DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2A958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2A6F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2AF2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82E2B1A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x837D44FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x837D4322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x837D445C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A43579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A67F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwLoadDriver 82BA1279 7 Bytes JMP 837D4460 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82C08F59 5 Bytes JMP 837D04BA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 82C22C5F 5 Bytes JMP 837D19D8 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82C30CE3 7 Bytes JMP 837D4326 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CDAE52 7 Bytes JMP 837D4502 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? System32\Drivers\rjiyexor.sys A device attached to the system is not functioning. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9000F000, 0x2D5378, 0xE8000020]
.text peauth.sys ACC21C9D 28 Bytes [44, 23, F8, F9, B2, 71, 0C, ...]
.text peauth.sys ACC21CC1 28 Bytes [44, 23, F8, F9, B2, 71, 0C, ...]
PAGE peauth.sys ACC2802C 102 Bytes [D0, 5B, 5A, ED, DB, EC, 24, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1236] ntdll.dll!LdrLoadDll 7744F585 5 Bytes JMP 00DF13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
? C:\Windows\System32\svchost.exe[2920] image checksum mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__wgetmainargs] 51EC8B55
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_exit] 1845DB51
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_XcptFilter] F855DD56
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!exit] E8084DDC
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_initterm] 00000633
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_amsg_exit] FF184589
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__setusermatherr] 40517415
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!memcpy] F845DD00
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_controlfp] 8B104DDC
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_except_handler4_common] 1865DAF0
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] 00061AE8
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__set_app_type] 8BC88B00
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__fmode] F74199C6
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!__p__commode] C28B5EF9
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [msvcrt.dll!_cexit] C9184503
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 40517415
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CloseHandle] 244C8B00
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 748D9908
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcAddress] FEF70109
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetLastError] 2BC28B5E
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 244403C1
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 15FFC308
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [00405174] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!InterlockedExchange] 04244C8B
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!Sleep] F9F74199
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] FFC3C28B
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetModuleHandleA] 40517415
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 646A9900
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetTickCount] 33F9F759
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 24543BC0
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C09C0F04
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!DeactivateActCtx] EC8B55C3
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0204EC81
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ActivateActCtx] 68560000
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 516C15FF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegCloseKey] 00FFB8F0
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 8D500000
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapSetInformation] FFFEFC8D
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] C93351FF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!lstrlenW] 558D5151
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 8D5052FC
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegQueryValueExW] FFFDFC85
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ReleaseActCtx] FF5150FF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!CreateActCtxW] 40505C15
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 56216A00
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] FFFC75FF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!ExitProcess] 40517015
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 0CC48300
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] C01BD8F7
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] EC8B55C3
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 458B5151
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 33565308
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LocalFree] 57C88BF6
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!HeapFree] 33FC7589
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 01518DFF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] 802974CA
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 7420063C
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [75FF850A] C:\Windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 45FF470C
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 330274FF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 46C88BFF
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8A01518D
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] DB844119
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] CA2BF975
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventWrite] D772F13B
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventEnabled] 5FFC458B
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!EtwEventRegister] C3C95B5E
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 83EC8B55
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] FF0A7500
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 45C7F845
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 000001FC
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 0C4D8B00
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] F84D3941
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 016A3275
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 15FF5750
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [00405168] C:\Windows\System32\svchost.exe (Host Process for Windows Services/Microsoft Corporation)
IAT C:\Windows\System32\svchost.exe[2920] @ C:\Windows\System32\svchost.exe [RPCRT4.dll!RpcServerListen] EB0CC483
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\USER32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [6144AE77] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [6144A7A3] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [6144AE29] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [61449CF2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [61449B56] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [61449B94] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!AnimateWindow] [61449D87] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!GetSysColor] [61449C27] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [6144A3BA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [GDI32.dll!GetStockObject] [61449CEC] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [6144ADA9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[3088] @ C:\Windows\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [6144ADE9] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863ACF38

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

Any signs?

#7 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 17 March 2010 - 02:06 PM

Hi,

QUOTE
Any signs?

Yep. Probably a rootkit.

CODE
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Type 1

==========

[2010/03/19 02:36:47 | 000,860,672 | ---- | M] () -- C:\Windows\System32\drivers\rjiyexor.sys


==========

RKill by Grinler
Link #1
Link #2
Link #3
Link #4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Download Link #1.
  • Save it to your Desktop.
  • Double click the RKill desktop icon.
    If you are using Vista please right click and run as Admin!
  • A black screen will briefly flash indicating a successful run.
  • If this does not occur please delete that application and download Link #2.
  • Continue process until the tool runs.
  • If the tool does not run from any of the links tell me about it.
  • It shall produce a log located at C:\RKill. Please copy and paste it into your next reply.

=========

Download and Run ComboFix (by sUBs)

You must rename it before saving it.
Please download ComboFix from one of these locations:

Link 1
Link 2

Save thcbytes.exe to your Desktop <-- Important!!!
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Please refer to this link for instructions.

  • Double click on thcbytes.exe & follow the prompts.
  • You will see this warning based on your particular OS. Please select "Yes" and proceed.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


==========

With your next post please provide:

* RKill log
* Combofix.txt

Kind regards,
~t

Proud member - Unified Network of Instructors and Trained Eliminators

I do not accept personal donations for assistance provided. I would ask that you instead consider donating the greatest gift - Organ Donation. Your organs are of no use to you when you're gone. You will save a life that would otherwise be lost!

http://donatelife.net/register-now/
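As an added example (not part of this thread, and not code from GMER or any of the tools named above), the following Python script reads the Registry section of a GMER log and flags the pattern thcbytes picked out: a service configured as a boot-start kernel driver (Type 1, Start 0) in the Boot Bus Extender group, with no ImagePath, so Windows loads it from system32\drivers\<name>.sys. The rjiyexor lines in the sample are copied from the log in this thread; the "examplesvc" lines are a constructed demand-start driver included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the rjiyexor lines are copied from the GMER log posted in this
# thread; "examplesvc" is a made-up demand-start driver included for contrast.
SAMPLE_GMER_LOG = r"""
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\services\rjiyexor@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Start 0
Reg HKLM\SYSTEM\ControlSet002\services\rjiyexor@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\services\examplesvc@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\examplesvc@Start 3
---- EOF - GMER 1.0.15 ----
"""

# GMER prints one registry value per line: Reg HKLM\SYSTEM\<set>\services\<svc>@<value> <data>
REG_LINE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>[^\\]+)\\[Ss]ervices\\(?P<svc>[^@\\]+)"
                      r"@(?P<name>\S+)(?:\s+(?P<data>.*))?$")
BOOT_START = "0"                                   # Start=0: loaded by the boot loader
DRIVER_TYPES = {"1": "kernel driver", "2": "file-system driver"}
EARLY_GROUPS = {"Boot Bus Extender", "System Bus Extender"}  # first groups in load order

def parse_registry_section(log_text):
    """Group the Reg lines as {service: {control_set: {value_name: data}}}."""
    services = defaultdict(lambda: defaultdict(dict))
    for line in log_text.splitlines():
        m = REG_LINE.match(line.strip())
        if m:
            services[m["svc"]][m["cs"]][m["name"]] = (m["data"] or "").strip()
    return services

def triage(log_text):
    """Flag services configured as boot-start drivers and list the reasons."""
    findings = []
    for svc, per_cs in parse_registry_section(log_text).items():
        # Prefer the live control set; fall back to whichever one GMER reported.
        values = per_cs.get("CurrentControlSet") or next(iter(per_cs.values()))
        if values.get("Start") != BOOT_START or values.get("Type") not in DRIVER_TYPES:
            continue
        reasons = [f"boot-start {DRIVER_TYPES[values['Type']]} (Type={values['Type']}, Start=0)"]
        if values.get("Group") in EARLY_GROUPS:
            reasons.append(f"Group '{values['Group']}' is loaded before most security drivers")
        if "ImagePath" not in values:  # Windows then defaults to <service name>.sys under drivers\
            reasons.append(f"no ImagePath, so Windows loads system32\\drivers\\{svc}.sys")
        findings.append({"service": svc, "control_sets": sorted(per_cs), "reasons": reasons})
    return findings
```

Because the entry is present in both CurrentControlSet and ControlSet002, the finding also shows that reverting to the Last Known Good configuration would not remove the driver.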

#8 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 20 March 2010 - 10:55 PM

Okay, sorry for the late reply.
Going for the instructions now.

#9 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 March 2010 - 08:02 AM

RKill doesn't work.
shall i proceed with ComboFix now?

#10 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 21 March 2010 - 08:10 AM

When you say "RKill does not work" what do you mean? You should only see a brief flash. That's all!

#11 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 March 2010 - 08:13 AM

After opening the program, the brief flash stays on screen and it says "Error! Rkill.pif/scr/com/exe doesn't work."


#12 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 21 March 2010 - 08:19 AM

Did you try all the links? Did you right click and run as admin?

#13 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 March 2010 - 08:21 AM

Yep tried them all. There's no run as admin on the right click list.

#14 thcbytes

thcbytes

  • Malware Response Team
  • 14,790 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:23 PM

Posted 21 March 2010 - 08:28 AM

Ok. Go ahead and see if you can get CF to run.

#15 anjo03

anjo03
  • Topic Starter

  • Members
  • 140 posts
  • OFFLINE
  •  
  • Local time:09:23 AM

Posted 21 March 2010 - 08:34 AM

Okay, wait a sec.
