Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

NEED URGENT HELP PLS!!!! Infected by Rootkit trojan .. system in a very bad condition..


  • This topic is locked This topic is locked
16 replies to this topic

#1 sab2010

sab2010

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 15 April 2010 - 07:16 AM

Hi

I am first time on this and also to this kind of helping method .. I did see one of the mods helping out another person having a similar problem as mine ...I found that helping person (Elise) very good very patient and I think she also solved the issue ...the best part i liked was she also advised a lot of things which i think will help maintain my computer in a better way... so i thought i will also try out my problem ...

I have been using a laptop with celeron processor ( well i do have a desktop with better config.) ...and recently everythng became very slow ..I mean Google Chrome and my internet ... and then suddenly today morning i get a pop-up message saying my computer's been affected with TR/Rootkit.gen Trojan by Avira Anti-virus .. I tried removing it and it says it sent the file to quarantine ... and asked me to restart the system ... whn i tried restarting the system it did not restart and was jus going back to the booting up from the start ....So i used F8 button and opened the windows using the last good config and it opened very fine .. but the moment windows loaded completely my anti-virus again gave me the msg saying MY computer is infected by the rootkit trojan ...Now everytime i need to restart my system i have to go back to the F8 mode and use the LAST GOOD CONFIG to open windows...I am also not been able to open windows in the Safe mode .....

I need help to remove that damn trojan and also want to know whthr thr was any backdoor activity .. coz i use my laptop for a lot of password required sites including bank accounts emails etc ... I m enclosing all the log files u maybe needing .. if need be will give it again .. when i get a reply for this...

Here is the Log I got from the HijackThis...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:42:25 PM, on 4/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17023)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Philips\GoGear SA19xx Device Manager\main.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com/?fr=fp-yie8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.imesh.com/sidebar.html?src=ssb
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O2 - BHO: (no name) - {7cf52a41-3ab9-59fb-7948-c6c8c2306698} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: (no name) - {e4bff1bb-57cd-2af2-56f6-0bf87dafc5df} - (no file)
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Zynga Toolbar - {7b13ec3e-999a-4b70-b9cb-2617b8323822} - C:\Program Files\Zynga\tbZyng.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\Empowering Technology\ePower\epm-dm.exe
O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
O4 - HKLM\..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Alarm Clock.lnk = D:\application\Alarm Clock\AlarmClock.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Philips SA19xx Device Manager.lnk = C:\Program Files\Philips\GoGear SA19xx Device Manager\main.exe
O8 - Extra context menu item: &Sample Toolband Serach - res://C:\WINDOWS\system32\ToolBand.dll/MENUSEARCH.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.flvdirect.com
O15 - ESC Trusted Zone: http://www.flvdirect.com
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{58A02411-812C-41DB-B087-C66AC6A35209}: NameServer = 161.142.201.17,161.142.2.17
O17 - HKLM\System\CCS\Services\Tcpip\..\{F116FB64-2441-40F8-A50F-B2D6426CD41E}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Update Service (gupdate1c9fb00375d8a7e) (gupdate1c9fb00375d8a7e) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Tango Service (TangoService) - Unknown owner - C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe

--
End of file - 13439 bytes


Here is the DDS / Attach and Gmer log as well: ( I m also attaching the txt files of these)

DDS.txt....

DDS (Ver_10-03-17.01) - FAT32x86
Run by User at 19:50:39.68 on Thu 04/15/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.758.215 [GMT 8:00]

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
svchost.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Acer\Empowering Technology\admServ.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\Empowering Technology\ePower\epm-dm.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\WINDOWS\VM303_STI.EXE
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Philips\GoGear SA19xx Device Manager\main.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\WINDOWS\System32\svchost.exe"
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter4.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\User\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
uSearch Bar = hxxp://search.imesh.com/sidebar.html?src=ssb
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
uURLSearchHooks: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
BHO: {7cf52a41-3ab9-59fb-7948-c6c8c2306698} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {e4bff1bb-57cd-2af2-56f6-0bf87dafc5df} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Easy-WebPrint: {327c2873-e90d-4c37-aa9d-10ac9baba46c} - c:\program files\canon\easy-webprint\Toolband.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\program files\zynga\tbZyng.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Messenger (Yahoo!)] "c:\program files\yahoo!\messenger\YahooMessenger.exe" -quiet
mRun: [preload] c:\windows\RUNXMLPL.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [PCMService] "c:\program files\acer\acer arcade\PCMService.exe"
mRun: [LaunchAp] "c:\program files\launch manager\LaunchAp.exe"
mRun: [PowerKey] "c:\program files\launch manager\PowerKey.exe"
mRun: [LManager] "c:\program files\launch manager\HotkeyApp.exe"
mRun: [CtrlVol] "c:\program files\launch manager\CtrlVol.exe"
mRun: [LMgrOSD] "c:\program files\launch manager\OSDCtrl.exe"
mRun: [Wbutton] "c:\program files\launch manager\Wbutton.exe"
mRun: [EPM-DM] c:\acer\empowering technology\epower\epm-dm.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [BigDog303] c:\windows\VM303_STI.EXE VIMICRO USB PC Camera (ZC0301PLH)
mRun: [OpwareSE2] "c:\program files\scansoft\omnipagese2.0\OpwareSE2.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\alarmc~1.lnk - d:\application\alarm clock\AlarmClock.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\philip~1.lnk - c:\program files\philips\gogear sa19xx device manager\main.exe
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: flvdirect.com\www
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: {58A02411-812C-41DB-B087-C66AC6A35209} = 161.142.201.17,161.142.2.17
TCP: {F116FB64-2441-40F8-A50F-B2D6426CD41E} = 202.188.0.133 202.188.1.5
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\04slxbru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\user\application data\mozilla\firefox\profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\mozilla firefox\extensions\{656196f5-1112-a5cd-041a-ae308b0eeb03}\components\_1-W_Mx-n.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: LoudMo Contextual Ad Assistant: No Registry Reference - c:\program files\mozilla firefox\extensions\{656196f5-1112-a5cd-041a-ae308b0eeb03}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: google.toolbar.linkdoctor.enabled - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-12-2 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-12-2 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-12-2 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-12-2 56816]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-1-7 54752]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [2009-6-18 38496]
R3 POWERKEY;POWERKEY;c:\program files\launch manager\POWERKEY.SYS [2008-12-3 2343]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9fb00375d8a7e;Google Update Service (gupdate1c9fb00375d8a7e);c:\program files\google\update\GoogleUpdate.exe [2009-7-2 133104]
S3 ENDETECT;ENDETECT;c:\progra~1\effici~1\tangom~1\app\ENDETECT.SYS [2009-6-18 7752]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 NTSTPL1;NTSTPL1;c:\progra~1\effici~1\tangom~1\app\NTSTPL1.SYS [2009-6-18 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\effici~1\tangom~1\app\NTSTPL2.SYS [2009-6-18 16160]
S3 RAWESR;RAWESR;c:\progra~1\effici~1\tangom~1\app\RAWESR.SYS [2009-6-18 15888]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2009-7-24 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2009-7-24 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2009-7-24 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2009-7-24 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2009-7-24 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2009-7-24 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2009-7-24 115752]
S3 TAPBIND;TAPBIND;c:\progra~1\effici~1\tangom~1\app\TAPBIND1.SYS [2009-6-18 44736]

=============== Created Last 30 ================

2010-04-15 11:15:32 0 d-----w- c:\program files\Trend Micro
2010-04-15 11:10:05 0 d-----w- c:\program files\Enigma Software Group
2010-04-15 11:09:39 0 d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 11:09:34 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-15 10:16:55 586240 ----a-w- c:\windows\system32\drivers\cearxdf.sys
2010-04-15 08:23:30 54016 ----a-w- c:\windows\system32\drivers\kjjeej.sys
2010-04-15 01:30:30 0 d-----w- c:\windows\LastGood.Tmp
2010-04-01 19:01:12 1374 ----a-w- c:\windows\imsins.BAK
2010-03-25 08:58:01 0 d-----w- c:\program files\Zynga
2010-03-25 06:24:53 0 d-----w- c:\program files\Conduit
2010-03-20 14:55:15 0 d-----w- c:\program files\common files\Scanner
2010-03-20 14:55:10 0 d-----w- c:\program files\CA Yahoo! Anti-Spy

==================== Find3M ====================

2010-04-15 11:50:40 802304 ----a-w- c:\windows\system32\drivers\lkwxrfkv.sys
2010-03-29 16:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-10 13:18:22 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2010-03-10 13:18:20 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-08 20:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-23 05:20:02 634648 ------w- c:\windows\system32\dllcache\iexplore.exe
2010-02-23 05:18:28 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2010-02-04 11:13:08 69788 ---ha-w- c:\windows\system32\mlfcache.dat
2009-11-22 04:15:14 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009112220091123\index.dat

============= FINISH: 19:50:53.04 ===============

ATTACH.txt ....



UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 12/3/2008 1:17:20 AM
System Uptime: 4/15/2010 5:41:11 PM (2 hours ago)

Motherboard: Acer | | Garda-910
Processor: Intel® Celeron® M processor 1.50GHz | U1 | 1496/100mhz

==== Disk Partitions =========================

C: is FIXED (FAT32) - 17 GiB total, 1.807 GiB free.
D: is FIXED (FAT32) - 17 GiB total, 0.64 GiB free.
E: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Atheros AR5005G Wireless Network Adapter
Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_04181468&REV_01\4&AD1B67F&0&28F0
Manufacturer: Atheros
Name: Atheros AR5005G Wireless Network Adapter
PNP Device ID: PCI\VEN_168C&DEV_001A&SUBSYS_04181468&REV_01\4&AD1B67F&0&28F0
Service: AR5211

==== System Restore Points ===================

RP341: 3/25/2010 12:27:39 PM - Removed Opera 10.50.
RP342: 3/25/2010 12:27:53 PM - Installed Opera 10.51.
RP343: 3/26/2010 12:47:55 PM - System Checkpoint
RP344: 3/27/2010 1:48:16 PM - System Checkpoint
RP345: 3/28/2010 5:39:22 PM - System Checkpoint
RP346: 3/29/2010 6:48:59 PM - System Checkpoint
RP347: 3/30/2010 11:31:20 PM - System Checkpoint
RP348: 3/31/2010 9:55:55 AM - Installed Java™ 6 Update 19
RP349: 4/1/2010 10:44:20 AM - System Checkpoint
RP350: 4/2/2010 3:00:22 AM - Software Distribution Service 3.0
RP351: 4/3/2010 8:45:05 AM - System Checkpoint
RP352: 4/4/2010 9:24:37 AM - System Checkpoint
RP353: 4/5/2010 9:32:38 AM - System Checkpoint
RP354: 4/6/2010 10:09:50 AM - System Checkpoint
RP355: 4/7/2010 10:11:35 AM - System Checkpoint
RP356: 4/8/2010 10:38:08 AM - System Checkpoint
RP357: 4/9/2010 11:40:31 AM - System Checkpoint
RP358: 4/10/2010 2:39:45 PM - System Checkpoint
RP359: 4/11/2010 7:18:04 PM - System Checkpoint
RP360: 4/13/2010 1:09:17 AM - System Checkpoint
RP361: 4/14/2010 7:35:23 AM - System Checkpoint
RP362: 4/15/2010 7:23:48 AM - Software Distribution Service 3.0
RP363: 4/15/2010 7:10:03 PM - Installed SpyHunter
RP364: 4/15/2010 7:15:49 PM - Removed SpyHunter

==== Installed Programs ======================

µTorrent
ACDSee 9 Photo Manager
Acer Arcade
Acer eDataSecurity Management
Acer eDataSecurity Management 1.00.21
Acer eLock Management
Acer Empowering Technology framework
Acer ePerformance Management
Acer ePower Management
Acer ePresentation Management
Acer eSettings Management
Acer GridVista
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 6.0
Adobe Reader 7.0
Adobe Shockwave Player 11.5
Adobe SVG Viewer
Allok AVI DivX MPEG to DVD Converter 1.2.0
Allok MPEG4 Converter 5.1.0626
Allok RM RMVB to AVI MPEG DVD Converter 2.2.0920
Allok Video Joiner 3.2.0920
Apple Application Support
Apple Mobile Device Support
Apple Software Update
ArcSoft PhotoStudio 5.5
Avira AntiVir Personal - Free Antivirus
Bonjour
CA Yahoo! Anti-Spy (remove only)
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
CyberLink PowerDVD 8
Easy-WebPrint
Funny Bricks
GoGear SA19xx Device Manager
Google Chrome
Google Update Helper
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Intel® Graphics Media Accelerator Driver for Mobile
Java Auto Updater
Java™ 6 Update 19
Junk Mail filter update
K-Lite Codec Pack 4.3.1 (Full)
Launch Manager V1.0.9.3
Magic ISO Maker v5.5 (build 0274)
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Live Add-in 1.3
Microsoft Office Outlook Connector
Microsoft Office Professional Edition 2003
Microsoft Search Enhancement Pack
Microsoft Silverlight
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla Firefox (3.6.2)
MSVCRT
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
NTI Backup NOW! 4
NTI CD & DVD-Maker
OmniPage SE 2.0
Opera 10.51
PowerProducer
QuickTime
RealPlayer
Realtek AC'97 Audio
Safari
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Segoe UI
Skype web features
Skype™ 4.1
SoftV90 Data Fax Modem with SmartCP
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Tango Manager
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Vimicro USB PC Camera (ZC301PLH)
WebFldrs XP
Winamp
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinRAR archiver
WinZip 12.0
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Toolbar
Zynga Toolbar

==== Event Viewer Messages From Past Week ========

4/8/2010 9:50:04 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/8/2010 9:35:03 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/8/2010 10:20:06 AM, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
4/12/2010 6:50:22 PM, error: ACPIEC [1] - \Device\ACPIEC: The embedded controller (EC) hardware didn't respond within the timeout period. This may indicate an error in the EC hardware or firmware, or possibly a poorly designed BIOS which accesses the EC in an unsafe manner. The EC driver will retry the failed transaction if possible.
4/12/2010 12:33:13 PM, error: Service Control Manager [7000] - The Microsoft Kernel Acoustic Echo Canceller service failed to start due to the following error: A device attached to the system is not functioning.

==== End Of File ===========================


Gmer.log ...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-15 20:02:40
Windows 5.1.2600 Service Pack 3
Running: 06r5muq2.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\awrcqkog.sys


---- System - GMER 1.0.15 ----

SSDT F7BF7B0E ZwCreateKey
SSDT F7BF7B04 ZwCreateThread
SSDT F7BF7B13 ZwDeleteKey
SSDT F7BF7B1D ZwDeleteValueKey
SSDT F7BF7B22 ZwLoadKey
SSDT F7BF7AF0 ZwOpenProcess
SSDT F7BF7AF5 ZwOpenThread
SSDT F7BF7B2C ZwReplaceKey
SSDT F7BF7B27 ZwRestoreKey
SSDT F7BF7B18 ZwSetValueKey
SSDT F7BF7AFF ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? lkwxrfkv.sys A device attached to the system is not functioning. !
PAGE Fastfat.sys F718FD56 4 Bytes CALL 83DA8611
? System32\Drivers\cearxdf.SYS A device attached to the system is not functioning. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2168] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3572] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
? C:\WINDOWS\System32\svchost.exe[3660] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [610E89E8] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [610E89B0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[204] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 51EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 1845DB51
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] F855DD56
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] E8084DDC
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 000004D2
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] FF184589
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenProcessToken] F845DD00
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!OpenThreadToken] 8B104DDC
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 1865DAF0
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 0004B9E8
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegCloseKey] 8BC88B00
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] F74199C6
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] C28B5EF9
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 2B08244C
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrlenW] 9904244C
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalFree] 8BF9F741
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 244403C2
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThread] FF56C304
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcAddress] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 244C8B00
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LCMapStringW] 244403C1
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!FreeLibrary] 15FFC308
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcpyW] [0040515C] C:\WINDOWS\System32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 04244C8B
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpiW] F9F74199
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!ExitProcess] FFC3C28B
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCommandLineW] 40515C15
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 646A9900
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetProcessHeap] 33F9F759
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetErrorMode] 24543BC0
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] C09C0F04
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 0204EC81
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] 68560000
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 00000100
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetTickCount] 515415FF
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 8B590040
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 00FFB8F0
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8D500000
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!TerminateProcess] FFFEFC8D
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] C93351FF
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LocalAlloc] 558D5151
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!lstrcmpW] 8D5052FC
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] FFFDFC85
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 40503015
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlFreeHeap] 56216A00
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] FFFC75FF
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscat] 40515815
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcscpy] 0CC48300
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlAllocateHeap] C01BD8F7
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] C95EC623
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitUnicodeString] EC8B55C3
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlInitializeSid] 458B5151
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 33565308
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 57C88BF6
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] 33FC7589
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 01518DFF
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8441198A
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 2BF975DB
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlGetAce] 802974CA
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlImageNtHeader] 7420063C
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!wcslen] 75FF850A
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 45FF470C
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!RtlCopySid] 8506EBFC
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] 46C88BFF
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 8A01518D
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] DB844119
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] CA2BF975
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerListen] D772F13B
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 5FFC458B
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C3C95B5E
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 83EC8B55
IAT C:\WINDOWS\System32\svchost.exe[3660] @ C:\WINDOWS\System32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 56530CEC

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom 83D69D68

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \FileSystem\Fastfat \Fat 83D69D68

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\Program [2600] 0x00400000
Library C:\Program (*** hidden *** ) @ C:\Program [2600] 0x10000000
Library C:\Program (*** hidden *** ) @ C:\Program [2600] 0x006F0000
Library C:\Program (*** hidden *** ) @ C:\Program [2600] 0x00350000
Library C:\Program (*** hidden *** ) @ C:\Program [2600] 0x00890000

---- Services - GMER 1.0.15 ----

Service (*** hidden *** ) [BOOT] cearxdf <-- ROOTKIT !!!
Service (*** hidden *** ) [BOOT] lkwxrfkv <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\lkwxrfkv@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\lkwxrfkv@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet003\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\ControlSet003\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\ControlSet003\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\lkwxrfkv@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet004\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\ControlSet004\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\ControlSet004\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet004\Services\lkwxrfkv@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\cearxdf@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\cearxdf@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cearxdf@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\cearxdf@Group Boot Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\lkwxrfkv@Group Boot Bus Extender
Reg HKLM\SYSTEM\ControlSet006\Services\lkwxrfkv@Type 1
Reg HKLM\SYSTEM\ControlSet006\Services\lkwxrfkv@Start 0
Reg HKLM\SYSTEM\ControlSet006\Services\lkwxrfkv@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet006\Services\lkwxrfkv@Group Boot Bus Extender

---- EOF - GMER 1.0.15 ----

I really hope I can get rid of the trojan from my computer and not much damage has been done ...Thank u very much....

Attached Files



BC AdBot (Login to Remove)

 


#2 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 15 April 2010 - 07:32 AM

Hello, sab2010

Welcome to the Bleeping Computer Forums. My name is Jat, and I will be helping you with your situation.

If you do not make a reply in 5 days, we will have to close your topic.


You may want to keep the link to this topic in your favourites. Alternatively, you can click the button at the top bar of this topic and Track this Topic. The topics you are tracking can be found here.

Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools. Doing so could cause changes to the directions I have to give you and prolong the time required. Further more, you should not be taking any advice relating to this computer from any other source throughout the course of this fix.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean". We do not want to clean you part-way, only to have the system re-infect itself.
  • Please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just post back here so that we know you're still here.



Gmer identified a rootkit(s) on your system, many are known to have backdoor capabilities. Let's run ComboFix and see if we can see which rootkit you have been infected with:

ComboFix

Please download ComboFix from one of these locations (If you already have it, delete it and download again):

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found here
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Note** ComboFix was designed only to be used under the supervision of a helper, not for general use.

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#3 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 16 April 2010 - 12:05 AM

Hi jat sorry I dint see ur reply yrstday ... I thot my post never got posted as when i was trying to post the msg i got the blue screen .....thanks for such a quick reply .. I did actually do the combifix scan but it doesnt seem to solve my problem ... I m giving my combofix scan log down here ..This scan was done yrstday but after doing it I m getting almost around 10 virus msgs from Avira ... Before that it was showing as only 1 file... I m giving u this bcoz its really difficult to download again and also once it goes for a restart sometimes the windows doesn't get loaded or i m not able to connect to the net at all...if i m able to get a new one today i will surely post it down again ...I havent doen any changes after the scan ... infact i was not able to connect to the net till today afternoon whn i came directly to this website ...hope this helps u ....

ComboFix 10-04-14.01 - Administrator 04/15/2010 23:38:53.2.1 - FAT32x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.758.517 [GMT 8:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDOWS_HOSTS_CONTROLLER


((((((((((((((((((((((((( Files Created from 2010-03-15 to 2010-04-15 )))))))))))))))))))))))))))))))
.

2010-04-15 15:31 . 2010-04-15 15:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-15 11:15 . 2010-04-15 11:15 -------- d-----w- c:\program files\Trend Micro
2010-04-15 11:10 . 2010-04-15 11:10 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-15 07:08 . 2010-04-15 07:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-15 02:25 . 2010-04-15 02:25 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 22:44 . 2010-04-06 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
2010-04-06 22:44 . 2010-04-06 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2010-04-01 09:45 . 2010-04-01 09:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
2010-03-31 01:59 . 2010-03-31 01:59 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 01:57 . 2010-03-31 01:57 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcp71.dll
2010-03-31 01:57 . 2010-03-31 01:57 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\jmc.dll
2010-03-31 01:57 . 2010-03-31 01:57 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcr71.dll
2010-03-31 01:57 . 2010-03-31 01:57 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-sse.dll
2010-03-31 01:57 . 2010-03-31 01:57 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-d3d.dll
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Zynga
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\program files\Zynga
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\program files\Conduit
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Conduit
2010-03-25 05:52 . 2010-03-24 07:03 52224 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-25 05:52 . 2010-03-24 07:03 101376 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Opera
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\program files\Opera
2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\Common Files\Scanner
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 01:56 . 2009-04-05 05:20 26 ----a-w- c:\windows\popcinfo.dat
2010-03-29 16:46 . 2009-07-17 05:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-07-17 05:28 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-08-03 21:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-03-27 15:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-03 21:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-08 20:28 . 2008-12-02 18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-06 03:05 . 2009-04-15 05:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 11:13 . 2010-02-04 11:13 69788 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-04 09:52 . 2010-02-04 09:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-17 12:55 . 2008-12-02 17:18 86464 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 04:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 147456]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 81920]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 69632]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-04-30 49152]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-05-27 13:58 4269296 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 03:36 50472 ------w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-20 12:23 83240 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:*:Disabled:BS
"9991:TCP"= 9991:TCP:PORT2
"14811:TCP"= 14811:TCP:FD
"15703:TCP"= 15703:TCP:FD
"6672:TCP"= 6672:TCP:FD
"42870:TCP"= 42870:TCP:FD
"53634:TCP"= 53634:TCP:FD
"61337:TCP"= 61337:TCP:FD
"58534:TCP"= 58534:TCP:FD

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2009 6:04 PM 108289]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [6/18/2009 6:50 PM 38496]
R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [12/3/2008 1:27 AM 2343]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9fb00375d8a7e;Google Update Service (gupdate1c9fb00375d8a7e);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 6:31 PM 133104]
S3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [6/18/2009 6:50 PM 7752]
S3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [6/18/2009 6:50 PM 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL2.SYS [6/18/2009 10:54 PM 16160]
S3 RAWESR;RAWESR;c:\progra~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [6/18/2009 6:50 PM 15888]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [7/24/2009 9:20 PM 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [7/24/2009 9:20 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [7/24/2009 9:20 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [7/24/2009 9:20 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [7/24/2009 9:20 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [7/24/2009 9:20 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [7/24/2009 9:20 PM 115752]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [6/18/2009 6:50 PM 44736]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - INT15.SYS
*Deregistered* - lkwxrfkv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-03-11 12:38 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: flvdirect.com\www
TCP: {58A02411-812C-41DB-B087-C66AC6A35209} = 161.142.201.17,161.142.2.17
FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-15 23:50
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\lkwxrfkv]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2152)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\admServ.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Efficient Networks\Tango Manager\app\TangoService.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Philips\GoGear SA19xx Device Manager\main.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-04-15 23:54:26 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-15 15:54
ComboFix2.txt 2010-04-15 13:06

Pre-Run: 2,710,274,048 bytes free
Post-Run: 1,844,264,960 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - BCEEA361DCFEE8CAD9F6E86996CC96F4

Edited by sab2010, 16 April 2010 - 05:35 AM.


#4 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 16 April 2010 - 06:17 AM

OK jat ... I got the new Combofix scan ....Jus now .... this time combofix never asked me to restart the system .. I really dont know y ....I followed ur instruction and deleted the 1 had downloaded yrstday and downloaded again jus now and ran the scan ... it completed the scan and gave out the log.txt ... but never asked me to restart the system ... is thr smthng wrong with that ??? anyways i m giving my latest scan done jus few minuted before this post ...

ComboFix 10-04-15.02 - User 04/16/2010 18:59:56.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.758.403 [GMT 8:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 16:49 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-15 16:49 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-15 16:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-04-15 16:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-04-15 15:31 . 2010-04-15 15:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-15 11:15 . 2010-04-15 11:15 -------- d-----w- c:\program files\Trend Micro
2010-04-15 11:10 . 2010-04-15 11:10 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-15 07:08 . 2010-04-15 07:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-15 02:25 . 2010-04-15 02:25 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 22:44 . 2010-04-06 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
2010-04-06 22:44 . 2010-04-06 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2010-04-01 09:45 . 2010-04-01 09:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
2010-03-31 01:59 . 2010-03-31 01:59 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 01:57 . 2010-03-31 01:57 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcp71.dll
2010-03-31 01:57 . 2010-03-31 01:57 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\jmc.dll
2010-03-31 01:57 . 2010-03-31 01:57 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcr71.dll
2010-03-31 01:57 . 2010-03-31 01:57 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-sse.dll
2010-03-31 01:57 . 2010-03-31 01:57 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-d3d.dll
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Zynga
2010-03-25 08:58 . 2010-03-25 08:58 -------- d-----w- c:\program files\Zynga
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\program files\Conduit
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Conduit
2010-03-25 05:52 . 2010-03-24 07:03 52224 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-25 05:52 . 2010-03-24 07:03 101376 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Opera
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\program files\Opera
2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\Common Files\Scanner
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 01:56 . 2009-04-05 05:20 26 ----a-w- c:\windows\popcinfo.dat
2010-03-29 16:46 . 2009-07-17 05:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-07-17 05:28 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-08-03 21:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-03-27 15:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-03 21:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-03 21:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-12-02 18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-01 17:01 . 2010-03-01 17:01 12 ----a-w- c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat
2010-02-24 13:11 . 2004-08-03 21:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 01:10 . 2004-08-03 21:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 21:00 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-03 21:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-03 21:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 03:05 . 2009-04-15 05:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 11:13 . 2010-02-04 11:13 69788 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-04 09:52 . 2010-02-04 09:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-17 12:55 . 2008-12-02 17:18 86464 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot@2010-04-15_15.50.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 03:48 . 2010-04-16 03:48 16384 c:\windows\temp\Perflib_Perfdata_1e4.dat
- 2009-06-24 14:01 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2009-06-24 14:01 . 2009-05-26 11:40 17272 c:\windows\system32\spmsg.dll
+ 2008-12-11 09:48 . 2008-04-13 18:46 19200 c:\windows\system32\dllcache\wstcodec.sys
+ 2004-08-03 21:00 . 2008-04-13 18:45 26368 c:\windows\system32\dllcache\usbstor.sys
+ 2008-12-23 14:02 . 2008-04-13 18:45 15104 c:\windows\system32\dllcache\usbscan.sys
+ 2008-12-23 14:04 . 2008-04-13 18:47 25856 c:\windows\system32\dllcache\usbprint.sys
+ 2008-12-23 14:02 . 2008-04-13 18:45 32128 c:\windows\system32\dllcache\usbccgp.sys
+ 2004-08-03 21:00 . 2008-04-14 00:13 21896 c:\windows\system32\dllcache\tdtcp.sys
+ 2004-08-03 21:00 . 2008-04-14 00:13 12040 c:\windows\system32\dllcache\tdpipe.sys
+ 2001-08-17 06:00 . 2008-04-13 18:45 56576 c:\windows\system32\dllcache\swmidi.sys
+ 2008-12-11 09:48 . 2008-04-13 18:46 15232 c:\windows\system32\dllcache\streamip.sys
+ 2008-12-11 09:48 . 2008-04-13 18:46 11136 c:\windows\system32\dllcache\slip.sys
+ 2004-08-03 21:00 . 2008-04-13 18:40 11392 c:\windows\system32\dllcache\sfloppy.sys
+ 2004-08-03 21:00 . 2008-04-13 19:15 64512 c:\windows\system32\dllcache\serial.sys
+ 2001-08-17 05:51 . 2001-08-17 05:51 19584 c:\windows\system32\dllcache\rasirda.sys
+ 2004-08-03 21:00 . 2008-04-13 18:31 35840 c:\windows\system32\dllcache\processr.sys
+ 2004-08-03 21:00 . 2008-04-13 18:40 80128 c:\windows\system32\dllcache\parport.sys
+ 2004-08-03 15:00 . 2008-04-13 18:54 28672 c:\windows\system32\dllcache\nscirda.sys
+ 2004-08-03 21:00 . 2008-04-13 18:51 61824 c:\windows\system32\dllcache\nic1394.sys
+ 2008-12-11 09:48 . 2008-04-13 18:46 10880 c:\windows\system32\dllcache\ndisip.sys
+ 2008-12-11 09:48 . 2008-04-13 18:46 85248 c:\windows\system32\dllcache\nabtsfec.sys
+ 2004-08-03 21:00 . 2008-04-13 18:54 11264 c:\windows\system32\dllcache\irenum.sys
+ 2004-08-03 21:00 . 2008-04-13 18:57 20864 c:\windows\system32\dllcache\ipinip.sys
+ 2004-08-03 21:00 . 2008-04-13 18:53 36608 c:\windows\system32\dllcache\ip6fw.sys
+ 2004-08-03 21:00 . 2008-04-13 18:40 20480 c:\windows\system32\dllcache\flpydisk.sys
+ 2001-08-17 04:13 . 2001-08-17 04:13 27165 c:\windows\system32\dllcache\fetnd5.sys
+ 2004-08-03 21:00 . 2008-04-13 18:40 27392 c:\windows\system32\dllcache\fdc.sys
+ 2004-08-03 15:07 . 2008-04-13 18:45 52864 c:\windows\system32\dllcache\dmusic.sys
+ 2004-08-03 21:00 . 2004-08-03 21:00 18688 c:\windows\system32\dllcache\cdaudio.sys
+ 2008-12-11 09:48 . 2008-04-13 18:46 17024 c:\windows\system32\dllcache\ccdecode.sys
+ 2004-08-03 21:00 . 2008-04-13 18:51 59904 c:\windows\system32\dllcache\atmarpc.sys
+ 2004-08-03 21:00 . 2008-04-13 18:57 14336 c:\windows\system32\dllcache\asyncmac.sys
+ 2004-08-03 21:00 . 2008-04-13 18:51 60800 c:\windows\system32\dllcache\arp1394.sys
- 2008-12-02 18:44 . 2010-03-21 00:14 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2004-08-03 15:07 . 2008-04-13 18:45 6272 c:\windows\system32\dllcache\splitter.sys
+ 2008-12-11 09:48 . 2008-04-13 18:39 5504 c:\windows\system32\dllcache\mstee.sys
+ 2004-08-03 14:58 . 2008-04-13 18:39 4992 c:\windows\system32\dllcache\mspqm.sys
+ 2004-08-03 14:58 . 2008-04-13 18:39 5376 c:\windows\system32\dllcache\mspclock.sys
+ 2004-08-03 14:58 . 2008-04-13 18:39 7552 c:\windows\system32\dllcache\mskssrv.sys
+ 2004-08-03 15:07 . 2008-04-13 18:45 2944 c:\windows\system32\dllcache\drmkaud.sys
+ 2008-12-02 18:44 . 2010-04-16 02:26 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-05-09 10:53 . 2010-03-09 11:09 430080 c:\windows\system32\dllcache\vbscript.dll
- 2008-05-09 10:53 . 2008-05-09 10:53 430080 c:\windows\system32\dllcache\vbscript.dll
+ 2008-06-20 11:08 . 2010-02-11 12:02 226880 c:\windows\system32\dllcache\tcpip6.sys
+ 2004-08-03 21:00 . 2008-04-14 00:13 139656 c:\windows\system32\dllcache\rdpwd.sys
+ 2004-08-03 15:01 . 2008-04-13 18:32 196224 c:\windows\system32\dllcache\rdpdr.sys
+ 2009-07-17 15:08 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2004-08-03 15:07 . 2008-04-13 18:45 172416 c:\windows\system32\dllcache\kmixer.sys
+ 2010-02-12 04:33 . 2010-02-12 04:33 100864 c:\windows\system32\dllcache\6to4svc.dll
+ 2008-12-02 18:44 . 2010-04-16 02:26 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-12-02 18:44 . 2010-03-21 00:14 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2008-12-02 18:44 . 2010-04-16 02:26 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
+ 2009-07-17 15:08 . 2010-02-24 13:11 455680 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2009-07-17 19:58 . 2010-02-17 01:10 2189952 c:\windows\system32\dllcache\ntoskrnl.exe
+ 2009-07-17 19:58 . 2010-02-16 13:25 2024448 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2009-02-07 11:02 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2009-07-17 19:58 . 2010-02-16 14:08 2146304 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2010-03-11 04:03 . 2010-03-11 04:03 5524480 c:\windows\Installer\44da4.msp
+ 2009-07-17 19:58 . 2010-02-17 01:10 2189952 c:\windows\Driver Cache\i386\ntoskrnl.exe
+ 2009-07-17 19:58 . 2010-02-16 13:25 2024448 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2009-02-07 11:02 . 2010-02-16 13:25 2066816 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2009-07-17 19:58 . 2010-02-16 14:08 2146304 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-03-27 15:25 . 2010-04-06 17:52 31971272 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
2010-02-22 04:05 2353176 ----a-w- c:\program files\Zynga\tbZyng.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"= "c:\program files\Zynga\tbZyng.dll" [2010-02-22 2353176]

[HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 147456]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 81920]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 69632]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-04-30 49152]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-05-27 13:58 4269296 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 03:36 50472 ------w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-20 12:23 83240 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:*:Disabled:BS
"9991:TCP"= 9991:TCP:PORT2
"14811:TCP"= 14811:TCP:FD
"15703:TCP"= 15703:TCP:FD
"6672:TCP"= 6672:TCP:FD
"42870:TCP"= 42870:TCP:FD
"53634:TCP"= 53634:TCP:FD
"61337:TCP"= 61337:TCP:FD
"58534:TCP"= 58534:TCP:FD

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2009 6:04 PM 108289]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [6/18/2009 6:50 PM 38496]
R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [12/3/2008 1:27 AM 2343]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9fb00375d8a7e;Google Update Service (gupdate1c9fb00375d8a7e);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 6:31 PM 133104]
S3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [6/18/2009 6:50 PM 7752]
S3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [6/18/2009 6:50 PM 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL2.SYS [6/18/2009 10:54 PM 16160]
S3 RAWESR;RAWESR;c:\progra~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [6/18/2009 6:50 PM 15888]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys --> c:\windows\system32\DRIVERS\s0016bus.sys [?]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [7/24/2009 9:20 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [7/24/2009 9:20 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [7/24/2009 9:20 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [7/24/2009 9:20 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [7/24/2009 9:20 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [7/24/2009 9:20 PM 115752]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [6/18/2009 6:50 PM 44736]

--- Other Services/Drivers In Memory ---

*Deregistered* - lkwxrfkv

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-03-11 12:38 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uSearchAssistant =
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: flvdirect.com\www
TCP: {58A02411-812C-41DB-B087-C66AC6A35209} = 161.142.201.17,161.142.2.17
TCP: {F116FB64-2441-40F8-A50F-B2D6426CD41E} = 202.188.0.133 202.188.1.5
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 19:05
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet007\Services\lkwxrfkv]

.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(4068)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-16 19:08:27
ComboFix-quarantined-files.txt 2010-04-16 11:08
ComboFix2.txt 2010-04-15 15:54
ComboFix3.txt 2010-04-15 13:06

Pre-Run: 1,888,813,056 bytes free
Post-Run: 1,843,462,144 bytes free

Current=7 Default=7 Failed=6 LastKnownGood=8 Sets=1,2,3,4,5,6,7,8
- - End Of File - - 97E2331AA0F5A06AF5D116565D380C52


Thank u and awaiting ur reply .... I m really worried if i have to go for a complete re-installation of my system .. also 1 more detail i havent got any virus msg for quite some time now ... I noticed that the msg comes only whn i restart the system and when everythng jus abt gets loaded....specially the antivirus ... thank u ...i m jus trying to give as much info as pssbl so that u can understand the real issue here ... if u think i m blabbering too much jus give me a hint .. and i will stick to wat u want only ..lol... thank u once again ...

#5 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 16 April 2010 - 07:18 AM

Hello,

Your second attempt at running ComboFix deleted a lot more than your first attempt. Nevertheless, you shouldn't have run it a second time without waiting for instruction. Let's see what we can do:

CFScript

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
Driver::
lkwxrfkv

File::
c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
c:\windows\popcinfo.dat
c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat

Folder::
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
c:\documents and settings\User\Local Settings\Application Data\Zynga
c:\program files\Zynga

Registry::
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
[-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\browser helper objects\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7b13ec3e-999a-4b70-b9cb-2617b8323822}"=-
[-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{7B13EC3E-999A-4B70-B9CB-2617B8323822}"=-
[-HKEY_CLASSES_ROOT\clsid\{7b13ec3e-999a-4b70-b9cb-2617b8323822}]


Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

Suspicious Files

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

c:\windows\system32\drivers\lbrtfdc.sys
c:\windows\system32\drivers\Changer.sys

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

Gmer

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
-- If you encounter any problems, try running GMER in safe mode.
-- If GMER crashes or keeps resulting in a BSODs, uncheck Devices on the right side before scanning
.


In your next reply, please post:
  • ComboFix log
  • Jotti log
  • Gmer log

Edited by Jat90, 16 April 2010 - 07:21 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#6 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 16 April 2010 - 07:47 AM

I m sorry about the combofix scan goof up.. but i had done that yrstday before i even knew u had asked me abt it .. and whn u said in ur msg tht if i already have it to delete it and download a new one... so it made me think i should do it all over again ...my bad.. sorry for that ...

Now before i go ahead with ur instructions i have a doubt and thot maybe i will ask u as i dont want to do any other mistake ... I tried the combofix scan with that CFScript.txt dragged on to the combofix.exe and now its asking me that a newer version of Combofix is available and asking whthr it shud update it ... pls advise wat shud b my action... YES or NO....I m waiting with that dialog box open here... thank u ..

#7 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 16 April 2010 - 11:12 AM

Ok Jat Here are the logs u wanted ....

Combofix Scan Log

ComboFix 10-04-15.02 - User 04/16/2010 22:17:42.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.758.398 [GMT 8:00]
Running from: c:\documents and settings\User\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\User\My Documents\Downloads\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

FILE ::
"c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP"
"c:\windows\popcinfo.dat"
"c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\LocalService\Local Settings\Application Data\Zynga
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_633935932263402500_png.png
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_ct2438727_images_633937740843970000_png.png
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_633961958884093750_png.png
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_Menu-Bsilkset_help_gif-Silk_2-633935931302152500_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_Menu-Dsilkset_comments_gif-Silk_3-633935930069808750_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_SearchActivationButton-go_but20_gif-General-633936029048558750_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_about_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_clear_history_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_options_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_refresh_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_shrink_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_searchengines_search_icon_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_skins_zynga_dragline_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_skins_zynga_seperator_gif.gif
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\LanguagePack\en\LanguagePack.xml
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\LocalSettings.txt
c:\documents and settings\LocalService\Local Settings\Application Data\Zynga\ThirdPartyComponents.xml
c:\documents and settings\NetworkService\Local Settings\Application Data\Zynga
c:\documents and settings\User\Local Settings\Application Data\Zynga
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_633935932263402500_png.png
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_ct2438727_images_633937740843970000_png.png
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_633961958884093750_png.png
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_Menu-Bsilkset_help_gif-Silk_2-633935931302152500_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_Menu-Dsilkset_comments_gif-Silk_3-633935930069808750_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_27_243_CT2438727_Images_SearchActivationButton-go_but20_gif-General-633936029048558750_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_about_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_clear_history_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_options_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_refresh_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_main_menu_shrink_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_searchengines_search_icon_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_skins_zynga_dragline_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\CacheIcons\http___storage_conduit_com_images_skins_zynga_seperator_gif.gif
c:\documents and settings\User\Local Settings\Application Data\Zynga\LanguagePack\en\LanguagePack.xml
c:\documents and settings\User\Local Settings\Application Data\Zynga\LocalSettings.txt
c:\documents and settings\User\Local Settings\Application Data\Zynga\ThirdPartyComponents.xml
c:\program files\Zynga
c:\program files\Zynga\INSTALL.LOG
c:\program files\Zynga\tbZyng.dll
c:\program files\Zynga\toolbar.cfg
c:\program files\Zynga\UNWISE.EXE
c:\program files\Zynga\ZyngaToolbarHelper.exe
c:\windows\popcinfo.dat
c:\windows\system32\config\systemprofile\Application Data\rbuwzv.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LKWXRFKV
-------\Service_lkwxrfkv


((((((((((((((((((((((((( Files Created from 2010-03-16 to 2010-04-16 )))))))))))))))))))))))))))))))
.

2010-04-15 16:49 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\drivers\lbrtfdc.sys
2010-04-15 16:49 . 2008-04-13 18:40 34688 ----a-w- c:\windows\system32\dllcache\lbrtfdc.sys
2010-04-15 16:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\drivers\Changer.sys
2010-04-15 16:48 . 2008-04-13 18:40 8192 ----a-w- c:\windows\system32\dllcache\changer.sys
2010-04-15 15:31 . 2010-04-15 15:31 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Adobe
2010-04-15 11:15 . 2010-04-15 11:15 -------- d-----w- c:\program files\Trend Micro
2010-04-15 11:10 . 2010-04-15 11:10 -------- d-----w- c:\program files\Enigma Software Group
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
2010-04-15 11:09 . 2010-04-15 11:09 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-15 07:08 . 2010-04-15 07:08 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-15 02:25 . 2010-04-15 02:25 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-04-06 22:44 . 2010-04-06 22:44 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Conduit
2010-03-31 01:59 . 2010-03-31 01:59 -------- d-----w- c:\program files\Common Files\Java
2010-03-31 01:57 . 2010-03-31 01:57 503808 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcp71.dll
2010-03-31 01:57 . 2010-03-31 01:57 499712 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\jmc.dll
2010-03-31 01:57 . 2010-03-31 01:57 348160 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-2abbce85-n\msvcr71.dll
2010-03-31 01:57 . 2010-03-31 01:57 61440 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-sse.dll
2010-03-31 01:57 . 2010-03-31 01:57 12800 ----a-w- c:\documents and settings\User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3a015fc2-n\decora-d3d.dll
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\program files\Conduit
2010-03-25 06:24 . 2010-03-25 06:24 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Conduit
2010-03-25 05:52 . 2010-03-24 07:03 52224 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
2010-03-25 05:52 . 2010-03-24 07:03 101376 ----a-w- c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Opera
2010-03-21 09:26 . 2010-03-21 09:26 -------- d-----w- c:\program files\Opera
2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\windows\system32\config\systemprofile\Application Data\Yahoo!
2010-03-21 00:23 . 2010-03-21 00:23 -------- d-----w- c:\documents and settings\LocalService\Application Data\Yahoo!
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\Common Files\Scanner
2010-03-20 14:55 . 2010-03-20 14:55 -------- d-----w- c:\program files\CA Yahoo! Anti-Spy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-16 14:24 . 2010-03-01 17:03 802304 ----a-w- c:\windows\system32\drivers\lkwxrfkv.sys
2010-03-29 16:46 . 2009-07-17 05:28 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-29 16:45 . 2009-07-17 05:28 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38 . 2004-08-03 21:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-03-27 15:28 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-03 21:00 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2004-08-03 21:00 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-03-08 20:28 . 2008-12-02 18:42 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-24 13:11 . 2004-08-03 21:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 01:10 . 2004-08-03 21:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2004-08-03 21:00 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2004-08-03 21:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2004-08-03 21:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 03:05 . 2009-04-15 05:28 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-02-04 11:13 . 2010-02-04 11:13 69788 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-04 09:52 . 2010-02-04 09:52 79144 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\Safari 5.31.21.10\SetupAdmin.exe
2010-01-17 12:55 . 2008-12-02 17:18 86464 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( SnapShot_2010-04-16_11.05.44 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-16 14:26 . 2010-04-16 14:26 16384 c:\windows\temp\Perflib_Perfdata_bb4.dat
+ 2010-04-16 14:25 . 2010-04-16 14:26 16384 c:\windows\temp\Perflib_Perfdata_3a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-05-27 4269296]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"preload"="c:\windows\RUNXMLPL.exe" [2005-05-19 32768]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-03 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-03 455168]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-08-24 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-08-24 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-08-24 114688]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-04 102490]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-04 708698]
"SoundMan"="SOUNDMAN.EXE" [2005-04-15 77824]
"PCMService"="c:\program files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 147456]
"LaunchAp"="c:\program files\Launch Manager\LaunchAp.exe" [2005-07-25 32768]
"PowerKey"="c:\program files\Launch Manager\PowerKey.exe" [2002-08-30 94208]
"LManager"="c:\program files\Launch Manager\HotkeyApp.exe" [2005-11-08 69632]
"CtrlVol"="c:\program files\Launch Manager\CtrlVol.exe" [2003-09-16 20480]
"LMgrOSD"="c:\program files\Launch Manager\OSDCtrl.exe" [2005-07-25 241664]
"Wbutton"="c:\program files\Launch Manager\Wbutton.exe" [2005-11-08 81920]
"EPM-DM"="c:\acer\Empowering Technology\ePower\epm-dm.exe" [2005-11-10 212992]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2005-11-09 3084288]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2005-11-16 397312]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-07-26 69632]
"BigDog303"="c:\windows\VM303_STI.EXE" [2005-04-30 49152]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-19 198160]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-10 417792]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2008-05-27 13:58 4269296 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDVD8LanguageShortcut]
2007-12-14 03:36 50472 ------w- c:\program files\CyberLink\PowerDVD8\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl8]
2008-03-20 12:23 83240 ------w- c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2009-07-01 16:37 37888 ----a-w- c:\program files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Opera\\opera.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9999:TCP"= 9999:TCP:PORT1
"1013:TCP"= 1013:TCP:*:Disabled:BS
"9991:TCP"= 9991:TCP:PORT2
"14811:TCP"= 14811:TCP:FD
"15703:TCP"= 15703:TCP:FD
"6672:TCP"= 6672:TCP:FD
"42870:TCP"= 42870:TCP:FD
"53634:TCP"= 53634:TCP:FD
"61337:TCP"= 61337:TCP:FD
"58534:TCP"= 58534:TCP:FD

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [12/2/2009 6:04 PM 108289]
R3 ENETNT5;Efficient Networks, tango Access PPPoE WAN Miniport;c:\windows\system32\drivers\enetnt.sys [6/18/2009 6:50 PM 38496]
R3 POWERKEY;POWERKEY;c:\program files\Launch Manager\POWERKEY.SYS [12/3/2008 1:27 AM 2343]
S1 mailKmd;mailKmd; [x]
S2 gupdate1c9fb00375d8a7e;Google Update Service (gupdate1c9fb00375d8a7e);c:\program files\Google\Update\GoogleUpdate.exe [7/2/2009 6:31 PM 133104]
S3 ENDETECT;ENDETECT;c:\progra~1\EFFICI~1\TANGOM~1\app\ENDETECT.SYS [6/18/2009 6:50 PM 7752]
S3 NTSTPL1;NTSTPL1;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL1.SYS [6/18/2009 6:50 PM 16160]
S3 NTSTPL2;NTSTPL2;c:\progra~1\EFFICI~1\TANGOM~1\app\NTSTPL2.SYS [6/18/2009 10:54 PM 16160]
S3 RAWESR;RAWESR;c:\progra~1\EFFICI~1\TANGOM~1\app\RAWESR.SYS [6/18/2009 6:50 PM 15888]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\DRIVERS\s0016bus.sys --> c:\windows\system32\DRIVERS\s0016bus.sys [?]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [7/24/2009 9:20 PM 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [7/24/2009 9:20 PM 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [7/24/2009 9:20 PM 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [7/24/2009 9:20 PM 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [7/24/2009 9:20 PM 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [7/24/2009 9:20 PM 115752]
S3 TAPBIND;TAPBIND;c:\progra~1\EFFICI~1\TANGOM~1\app\TAPBIND1.SYS [6/18/2009 6:50 PM 44736]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2010-03-11 12:38 124928 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-02 10:31]

2010-04-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 04:34]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://global.acer.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: &Sample Toolband Serach - c:\windows\system32\ToolBand.dll/MENUSEARCH.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
Trusted Zone: flvdirect.com\www
TCP: {58A02411-812C-41DB-B087-C66AC6A35209} = 161.142.201.17,161.142.2.17
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\
FF - prefs.js: browser.search.defaulturl - hxxp://flvdirect.iamwired.net/websearch.php?src=tops&search=
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com.my/
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\program files\Mozilla Firefox\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\components\NPComponent.dll
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

BHO-{7b13ec3e-999a-4b70-b9cb-2617b8323822} - (no file)
AddRemove-Zynga Toolbar - c:\progra~1\ZYNGA\UNWISE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-16 22:27
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2704)
c:\windows\system32\WININET.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\MSVCR71.dll
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\SOUNDMAN.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Philips\GoGear SA19xx Device Manager\main.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Efficient Networks\Tango Manager\app\TangoService.exe
c:\program files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2010-04-16 22:30:16 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-16 14:30
ComboFix2.txt 2010-04-16 11:08
ComboFix3.txt 2010-04-15 15:54
ComboFix4.txt 2010-04-15 13:06

Pre-Run: 1,830,928,384 bytes free
Post-Run: 1,781,284,864 bytes free

- - End Of File - - 4B5D2AACA4D1AB1090BEE5CF72E0B4E9


Jotti Status ....


Filename: lbrtfdc.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Tue 9 Feb 2010 19:48:40 (CET) Permalink


Filename: changer.sys
Status:
Scan finished. 0 out of 20 scanners reported malware.
Scan taken on: Sat 13 Mar 2010 06:31:53 (CET) Permalink

and the last gmer log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-16 23:02:56
Windows 5.1.2600 Service Pack 3
Running: 06r5muq2.exe; Driver: C:\DOCUME~1\User\LOCALS~1\Temp\awrcqkog.sys


---- System - GMER 1.0.15 ----

SSDT F701474E ZwCreateKey
SSDT F7014744 ZwCreateThread
SSDT F7014753 ZwDeleteKey
SSDT F701475D ZwDeleteValueKey
SSDT F7014762 ZwLoadKey
SSDT F7014730 ZwOpenProcess
SSDT F7014735 ZwOpenThread
SSDT F701476C ZwReplaceKey
SSDT F7014767 ZwRestoreKey
SSDT F7014758 ZwSetValueKey
SSDT F701473F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? C:\ComboFix\catchme.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[2804] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!AnimateWindow] [610E89E8] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetSysColorBrush] [610E89B0] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [GDI32.dll!GetStockObject] [610E89AA] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [610E9B47] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [610E9B95] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [610E9B07] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [610E9AC7] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [610E93C2] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcA] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!DefWindowProcW] [610E8FD9] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetSysColor] [610E8960] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenu] [610E88E4] C:\Program Files\Yahoo!\Messenger\yui.dll
IAT C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe[2792] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!TrackPopupMenuEx] [610E8922] C:\Program Files\Yahoo!\Messenger\yui.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

I dint get the virus msg when i restarted my system this time ... I was also able to restart the system without much hassle.....things look ok but my net connection still looks a bit slow than wat it used to be .. and I got the blue screen after i ran the gmer scan .after which my system restarted once again ....hope u can tell me the real picture of how my system is now after going thru my logs ... thank u ...

sab2010



#8 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 16 April 2010 - 03:58 PM

Hello,

ESET Online Scan

I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


Malwarebytes Anti-Malware

Please download Malwarebytes Anti-Malware (v1.44) and save it to your desktop.MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
    For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
In your next reply, please post:
  • ESET log
  • MBAM log

Edited by Jat90, 17 April 2010 - 10:10 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#9 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 17 April 2010 - 10:12 AM

Ok Jat .. i did get both the logs u wanted .... the ESETScan took a real long time and when it finished it said that my system was infected by 143 Trojans and all the 143 were cleaned ... I have got the log below of that .... and I also downloaded the MBAM and scanned my computer which said 0 infection found .... log given below .....

ESETScan Log....

C:\WINDOWS\system32\ConSvc.exe Win32/Packed.Autoit.Gen application deleted - quarantined
C:\WINDOWS\system32\asr_tznxo probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_gjpsx probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jfxic probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_glceh probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hrqlx probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fsdib probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zddip probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_xuuzm probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fryuq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lkssq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_vgtxr probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_iuzvq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jqdus probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_bwwho probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_gecgq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_emsyr probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_pdpxq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ixkpy probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ehqvw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mlecm probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_aitjp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jsttp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_kkriw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_sfsxc probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_cdjcw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lobtu probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_rrnji probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_uvmzp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_neaoi probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_cyias probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mbfqc probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lipud probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_euhdj probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hoprn probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_uilpw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mmfii probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zqtla probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_jnbpv probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_iotvb probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qbedd probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zerpx probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mzvds probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_buboc probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zhvgw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ktspa probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_kupno probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mxvmj probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ljnli probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lkuxl probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ftmpq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lmdpz probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_umxzx probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ymsrk probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_nkdah probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ppsrq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_vicju probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_iismd probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ysucg probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qiidw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_nbxiy probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_iqynp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_tfqyq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_sitea probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_gvhur probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_vumqd probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_dhwcb probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_yguvt probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lbtum probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_whdgk probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_cannv probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_nyuvx probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_oksbc probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hidvi probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_egzgp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lrmxf probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qvnaq probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ojthd probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_zfvno probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_hhoxu probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_vnxiw probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qaeof probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_nmtzj probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_tlrqf probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_kpois probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lnbko probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_amgul probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mfcws probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lmhdg probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_chzic probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_dolhf probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_avhwf probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fvecm probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fvxbz probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fpmyu probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_xxuak probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_vihoo probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_mzmxs probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_lbsga probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_rbnfg probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_txqup probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_bfsao probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_tbmtd probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_czwxs probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_iqdvk probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_gpyxb probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_fsxbv probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_eppcp probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qnvnu probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_ecmmr probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_cljqi probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_slvoo probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_boieh probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_qozbn probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_wvpos probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_wwcbh probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_oanld probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_govei probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_pwaok probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_rshrt probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_dydbm probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_eqnhj probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\asr_wntyr probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP362\A0172316.SYS Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP362\A0173339.SYS Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP365\A0174824.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP365\A0178161.exe Win32/Packed.Autoit.Gen application deleted - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174430.inf INF/Autorun virus deleted - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174431.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174442.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174692.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174716.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174781.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174782.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174783.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174784.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP364\A0174785.sys Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\autorun.inf.vir INF/Autorun virus deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\cearxdf.sys.vir Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\_pcndj_.sys.zip Win32/Bubnix.AB trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\pcndj.sys.vir Win32/Bubnix.AB trojan cleaned by deleting - quarantined
C:\Recycled\Dc1.sys Win32/Bubnix.AA trojan cleaned by deleting - quarantined
D:\application\AVG Anti-Spyware 7.5\alarmclock4free.exe Win32/Adware.RK.AB application deleted - quarantined


MBAM log ....


Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4001

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/17/2010 11:04:31 PM
mbam-log-2010-04-17 (23-04-31).txt

Scan type: Quick scan
Objects scanned: 111462
Time elapsed: 6 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Hope i have done the right thing .....Waiting for your next instruction ..... thank u ....


#10 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 17 April 2010 - 12:48 PM

Hello,

Looks like ESET removed a lot of stuff, surprised CF couldn't find them, anyways how is your PC running now?

Let's do one more online scan to be sure:

Kaspersky Scan

Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.
- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#11 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 18 April 2010 - 08:09 PM

Hi Jat ... I tried the Kaspersky Scan ...3 times .... Every time it stops halfway thru the scan ...Everything comes to a standstill (only in the scanner including the timer) ... It takes a real long time ... the first time i tried it took more than 2 hours ... and then i again tried it took 48 minutes and now the last one took 1hr 55 minutes ... the scan starts running perfectly and then suddenly stops on a certain file .. i also checked its not the same file ...i tried it 3 times and all 3 times it was different files .. The view report is also empty ... what am i doing wrong here ? or what should i do next??

#12 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 19 April 2010 - 05:32 AM

Hmm,

Okay, let's perform a Full Scan with Malwarebyte's Anti Malware. Please post the resulting log in your next reply.

Also:

OTL
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. Push the button.
  6. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Edited by Jat90, 19 April 2010 - 05:34 AM.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#13 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 19 April 2010 - 12:37 PM

Hi jat did both the scans .. I really dont understand where the trojan is coming from ... mayb its coming from any one of the websites I m using ... mainly i use Facebook and the online game on that... Mafia wars...other than that its only yahoo mail ... and cricket website called CRICINFO.....till today mrng whn i ran the anti-virus it said nothing on my computer .. and now when i run the Mbam .. it says 1 file infected and immdly my anti-virus shows up the same old virus all over again ...i m posting both the saved logs down here ...

MBAM Log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4001

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/19/2010 9:40:57 PM
mbam-log-2010-04-19 (21-40-57).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 177374
Time elapsed: 42 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{64C55BAE-0167-4E29-A424-980E0BCA06F2}\RP362\A0172297.exe (Adware.LoudMo) -> Quarantined and deleted successfully.



OTL.txt

OTL logfile created on: 4/19/2010 9:45:31 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.88 Gb Total Space | 1.11 Gb Free Space | 6.57% Space Free | Partition Type: FAT32
Drive D: | 17.24 Gb Total Space | 1.30 Gb Free Space | 7.53% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-684C9A655D
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/04/19 20:50:22 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
PRC - [2010/03/17 21:08:30 | 000,124,760 | ---- | M] (KeenHigh Tech.) -- C:\Program Files\Philips\GoGear SA19xx Device Manager\main.exe
PRC - [2009/09/19 23:35:00 | 000,198,160 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/07/21 13:34:34 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2009/07/02 00:37:06 | 000,037,888 | ---- | M] () -- C:\Program Files\Winamp\winampa.exe
PRC - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2009/05/13 15:48:24 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2009/03/02 12:08:48 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2008/04/14 08:12:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2005/11/16 17:00:50 | 000,397,312 | ---- | M] (acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\Monitor.exe
PRC - [2005/11/10 19:09:24 | 000,212,992 | ---- | M] (Acer Inc) -- C:\Acer\Empowering Technology\ePower\epm-dm.exe
PRC - [2005/11/08 10:45:52 | 000,069,632 | ---- | M] (Wistron) -- C:\Program Files\Launch Manager\HotkeyApp.exe
PRC - [2005/11/08 10:19:28 | 000,081,920 | ---- | M] () -- C:\Program Files\Launch Manager\WButton.exe
PRC - [2005/10/24 16:45:32 | 002,462,208 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admtray.exe
PRC - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) -- C:\Acer\Empowering Technology\admServ.exe
PRC - [2005/08/31 19:59:48 | 000,114,784 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
PRC - [2005/08/31 19:59:46 | 000,249,954 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
PRC - [2005/08/31 19:59:34 | 000,147,456 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Acer\Acer Arcade\PCMService.exe
PRC - [2005/08/31 19:59:22 | 001,077,376 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
PRC - [2005/08/31 19:59:22 | 000,061,440 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
PRC - [2005/07/26 11:36:00 | 000,069,632 | ---- | M] () -- C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
PRC - [2005/07/25 13:36:40 | 000,032,768 | ---- | M] () -- C:\Program Files\Launch Manager\LaunchAp.exe
PRC - [2005/07/25 10:45:00 | 000,241,664 | ---- | M] () -- C:\Program Files\Launch Manager\OSDCtrl.exe
PRC - [2005/04/30 18:46:36 | 000,049,152 | ---- | M] (Vimicro) -- C:\WINDOWS\VM303_STI.EXE
PRC - [2005/04/15 11:01:46 | 000,077,824 | ---- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\SOUNDMAN.EXE
PRC - [2005/02/04 11:12:58 | 000,102,490 | ---- | M] (Synaptics, Inc.) -- C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
PRC - [2004/12/14 02:40:56 | 000,031,744 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
PRC - [2003/05/08 11:00:58 | 000,049,152 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\opwareSE2.exe
PRC - [2002/11/12 12:01:54 | 000,057,344 | ---- | M] () -- C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe
PRC - [2002/08/30 15:02:48 | 000,094,208 | ---- | M] () -- C:\Program Files\Launch Manager\Powerkey.exe


========== Modules (SafeList) ==========

MOD - [2010/04/19 20:50:22 | 000,562,176 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL.exe
MOD - [2009/09/19 23:35:36 | 000,102,400 | ---- | M] (RealPlayer) -- c:\Program Files\real\realplayer\browserrecord\chrome\hook\rpchromebrowserrecordhelper.dll
MOD - [2009/08/13 21:55:04 | 001,748,992 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.GdiPlus_6595b64144ccf1df_1.0.6001.22319_x-ww_f0b4c2df\GdiPlus.dll
MOD - [2009/01/01 18:13:16 | 000,499,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcp71.dll
MOD - [2005/09/06 18:10:18 | 000,053,248 | ---- | M] (HiTRUST) -- C:\WINDOWS\system32\sysenv.dll
MOD - [2005/08/24 01:24:00 | 000,010,752 | ---- | M] () -- C:\WINDOWS\system32\MSNChatHook.dll
MOD - [2005/02/04 11:12:50 | 000,069,722 | ---- | M] (Synaptics, Inc.) -- C:\WINDOWS\system32\SynTPFcs.dll
MOD - [2003/05/08 11:00:46 | 000,159,744 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files\ScanSoft\OmniPageSE2.0\OpHookSE2.dll
MOD - [2003/03/18 22:12:12 | 001,047,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MFC71u.dll
MOD - [2003/02/21 05:42:20 | 000,348,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msvcr71.dll


========== Win32 Services (SafeList) ==========

SRV - [2009/08/05 22:48:42 | 000,704,864 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Live\Family Safety\fsssvc.exe -- (fsssvc)
SRV - [2009/07/21 13:34:34 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2009/05/19 11:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)
SRV - [2009/05/13 15:48:24 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2005/10/24 16:40:52 | 001,314,816 | ---- | M] (Avocent Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\admServ.exe -- (AWService)
SRV - [2005/08/31 19:59:48 | 000,114,784 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS)
SRV - [2005/08/31 19:59:46 | 000,249,954 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS)
SRV - [2005/08/31 19:59:22 | 000,061,440 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service)
SRV - [2002/11/12 12:01:54 | 000,057,344 | ---- | M] () [Auto | Running] -- C:\Program Files\Efficient Networks\Tango Manager\app\TangoService.exe -- (TangoService)


========== Driver Services (SafeList) ==========

DRV - [2009/12/10 01:22:56 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/08/05 22:48:42 | 000,054,752 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\fssfltr_tdi.sys -- (fssfltr)
DRV - [2009/06/14 16:49:16 | 000,102,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/05/11 09:12:26 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/03/30 09:33:08 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2009/02/13 11:35:06 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2008/12/03 02:33:50 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2008/05/16 12:33:14 | 000,115,752 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016unic.sys -- (s0016unic) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM)
DRV - [2008/05/16 12:33:14 | 000,025,512 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016nd5.sys -- (s0016nd5) Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS)
DRV - [2008/05/16 12:33:14 | 000,015,016 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mdfl.sys -- (s0016mdfl)
DRV - [2008/05/16 12:33:12 | 000,120,744 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mdm.sys -- (s0016mdm)
DRV - [2008/05/16 12:33:12 | 000,114,216 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016mgmt.sys -- (s0016mgmt) Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM)
DRV - [2008/05/16 12:33:12 | 000,110,632 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016obex.sys -- (s0016obex)
DRV - [2008/05/16 12:33:12 | 000,089,256 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\s0016bus.sys.bak -- (s0016bus) Sony Ericsson Device 0016 driver (WDM)
DRV - [2008/04/14 02:54:36 | 000,028,672 | ---- | M] (National Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\nscirda.sys -- (NSCIRDA)
DRV - [2008/04/14 02:40:58 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\Changer.sys -- (Changer)
DRV - [2008/04/14 02:40:26 | 000,034,688 | ---- | M] (Toshiba Corp.) [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\lbrtfdc.sys -- (lbrtfdc)
DRV - [2008/04/14 02:36:40 | 000,043,008 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\amdagp.sys -- (amdagp)
DRV - [2008/04/14 02:36:40 | 000,040,960 | ---- | M] (Silicon Integrated Systems Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sisagp.sys -- (sisagp)
DRV - [2005/11/24 14:08:02 | 000,006,144 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NTIDrvr.sys -- (NTIDrvr)
DRV - [2005/10/15 18:20:44 | 000,012,106 | ---- | M] (OSA Technologies) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\OsaFsLoc.sys -- (OsaFsLoc)
DRV - [2005/09/13 15:34:40 | 000,004,392 | ---- | M] (OSA Technologies) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NdisFilt.sys -- (NdisFilt)
DRV - [2005/06/30 16:58:24 | 000,007,296 | ---- | M] (OSA Technologies, An Avocent Company) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osaio.sys -- (osaio)
DRV - [2005/05/08 15:38:36 | 002,313,725 | ---- | M] (Vimicro Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\usbVM303.sys -- (ZSMC303) VIMICRO USB PC Camera (ZC0301PLH)
DRV - [2005/05/02 12:13:42 | 000,009,600 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\netmnt.sys -- (NETMNT)
DRV - [2005/04/19 10:40:52 | 002,317,504 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ALCXWDM.SYS -- (ALCXWDM) Service for Realtek AC97 Audio (WDM)
DRV - [2005/04/07 18:08:46 | 000,078,208 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-shd.sys -- (EpmShd)
DRV - [2005/02/04 10:59:46 | 000,193,216 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\SynTP.sys -- (SynTP)
DRV - [2005/01/14 15:57:16 | 000,004,010 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\osanbm.sys -- (osanbm)
DRV - [2005/01/13 14:46:16 | 000,069,632 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15.sys)
DRV - [2005/01/10 15:47:14 | 000,449,888 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ar5211.sys -- (AR5211)
DRV - [2004/12/22 01:32:12 | 000,369,024 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\bcmwl5.sys -- (BCM43XX)
DRV - [2004/12/17 01:14:44 | 000,013,952 | ---- | M] () [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\UBHelper.sys -- (UBHelper)
DRV - [2004/12/15 15:18:34 | 000,207,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWICH.sys -- (HSFHWICH)
DRV - [2004/12/15 15:18:28 | 000,703,232 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2004/12/15 15:18:26 | 001,038,208 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2004/12/02 16:36:08 | 000,070,912 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtlnicxp.sys -- (RTL8023xp)
DRV - [2004/07/19 13:10:00 | 000,004,096 | ---- | M] (Acer Value Labs, USA) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\epm-psd.sys -- (EpmPsd)
DRV - [2003/04/28 11:27:06 | 000,009,867 | ---- | M] () [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\HOTKEY.sys -- (Hotkey)
DRV - [2002/11/12 09:56:12 | 000,016,160 | ---- | M] (Network TeleSystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Efficient Networks\Tango Manager\app\ntstpl2.sys -- (NTSTPL2)
DRV - [2002/11/12 09:56:12 | 000,016,160 | ---- | M] (Network TeleSystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Efficient Networks\Tango Manager\app\ntstpl1.sys -- (NTSTPL1)
DRV - [2002/11/12 09:56:08 | 000,044,736 | ---- | M] (Network TeleSystems, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Efficient Networks\Tango Manager\app\tapbind1.sys -- (TAPBIND)
DRV - [2002/11/12 09:55:50 | 000,015,888 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Efficient Networks\Tango Manager\app\rawesr.sys -- (RAWESR)
DRV - [2002/11/12 09:55:44 | 000,038,496 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\enetnt.sys -- (ENETNT5)
DRV - [2002/11/12 09:55:40 | 000,007,752 | ---- | M] (Efficient Networks, Inc.) [Kernel | On_Demand | Stopped] -- C:\Program Files\Efficient Networks\Tango Manager\app\endetect.sys -- (ENDETECT)
DRV - [2001/08/17 14:07:44 | 000,019,072 | ---- | M] (Adaptec, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sparrow.sys -- (Sparrow)
DRV - [2001/08/17 14:07:42 | 000,030,688 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_u3.sys -- (sym_u3)
DRV - [2001/08/17 14:07:40 | 000,028,384 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\sym_hi.sys -- (sym_hi)
DRV - [2001/08/17 14:07:36 | 000,032,640 | ---- | M] (LSI Logic) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc8xx.sys -- (symc8xx)
DRV - [2001/08/17 14:07:34 | 000,016,256 | ---- | M] (Symbios Logic Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\symc810.sys -- (symc810)
DRV - [2001/08/17 13:52:22 | 000,036,736 | ---- | M] (Promise Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ultra.sys -- (ultra)
DRV - [2001/08/17 13:52:20 | 000,045,312 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql12160.sys -- (ql12160)
DRV - [2001/08/17 13:52:20 | 000,040,320 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1080.sys -- (ql1080)
DRV - [2001/08/17 13:52:18 | 000,049,024 | ---- | M] (QLogic Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\ql1280.sys -- (ql1280)
DRV - [2001/08/17 13:52:16 | 000,179,584 | ---- | M] (Mylex Corporation) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\dac2w2k.sys -- (dac2w2k)
DRV - [2001/08/17 13:52:12 | 000,017,280 | ---- | M] (American Megatrends Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\mraid35x.sys -- (mraid35x)
DRV - [2001/08/17 13:52:00 | 000,026,496 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc.sys -- (asc)
DRV - [2001/08/17 13:51:58 | 000,014,848 | ---- | M] (Advanced System Products, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\asc3550.sys -- (asc3550)
DRV - [2001/08/17 13:51:56 | 000,005,248 | ---- | M] (Acer Laboratories Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\aliide.sys -- (AliIde)
DRV - [2001/08/17 13:51:54 | 000,006,656 | ---- | M] (CMD Technology, Inc.) [Kernel | Boot | Stopped] -- C:\WINDOWS\system32\DRIVERS\cmdide.sys -- (CmdIde)
DRV - [2000/12/19 18:29:52 | 000,002,343 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Program Files\Launch Manager\POWERKEY.SYS -- (POWERKEY)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL =


IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Internet Explorer\Main,SearchDefaultBranded = 1
IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant =
IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Search"
FF - prefs.js..browser.search.defaulturl: "http://flvdirect.iamwired.net/websearch.php?src=tops&search="
FF - prefs.js..browser.startup.homepage: "http://www.google.com.my/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..extensions.enabledItems: {656196f5-1112-a5cd-041a-ae308b0eeb03}:4.6.6.3
FF - prefs.js..extensions.enabledItems: {ABDE892B-13A8-4d1b-88E6-365A6E755758}:1.0
FF - prefs.js..extensions.enabledItems: {B13721C7-F507-4982-B2E5-502A71474FED}:3.3.0.3971
FF - prefs.js..extensions.enabledItems: {7b13ec3e-999a-4b70-b9cb-2617b8323822}:2.5.7.3


FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2008/12/13 18:11:36 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2008/12/13 18:11:36 | 000,000,000 | ---D | M]

[2009/06/14 16:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2009/06/14 16:45:48 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions
[2010/01/20 19:00:10 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
[2010/03/25 13:52:34 | 000,000,000 | ---D | M] (Zynga Toolbar) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
[2009/12/10 20:07:24 | 000,000,266 | ---- | M] () -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\04slxbru.default\searchplugins\Search.xml
[2008/12/13 18:11:36 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2010/01/31 14:33:38 | 000,000,000 | ---D | M] (LoudMo Contextual Ad Assistant) -- C:\Program Files\Mozilla Firefox\extensions\{656196f5-1112-a5cd-041a-ae308b0eeb03}

O1 HOSTS File: ([2010/04/16 22:25:36 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O2 - BHO: (AcroIEHlprObj Class) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\real\realplayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Search Helper) - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll (Microsoft Corporation)
O2 - BHO: (Windows Live Toolbar Helper) - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKLM\..\Toolbar: (Easy-WebPrint) - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll ()
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\..\Toolbar\WebBrowser: (&Windows Live Toolbar) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll (Microsoft Corporation)
O3 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe (Acer Value Labs, Taiwan)
O4 - HKLM..\Run: [ADMTray.exe] C:\Acer\Empowering Technology\admtray.exe (Avocent Inc.)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [BigDog303] C:\WINDOWS\VM303_STI.EXE (Vimicro)
O4 - HKLM..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe (Wistron)
O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe ()
O4 - HKLM..\Run: [EPM-DM] c:\Acer\Empowering Technology\ePower\epm-dm.exe (Acer Inc)
O4 - HKLM..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe (acer Inc.)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe ()
O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\HotkeyApp.exe (Wistron)
O4 - HKLM..\Run: [LMgrOSD] C:\Program Files\Launch Manager\OSDCtrl.exe ()
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [OpwareSE2] C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe (ScanSoft, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Acer\Acer Arcade\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [PowerKey] C:\Program Files\Launch Manager\PowerKey.exe ()
O4 - HKLM..\Run: [preload] C:\WINDOWS\RUNXMLPL.EXE (Wistron)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE (Realtek Semiconductor Corp.)
O4 - HKLM..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe (Synaptics, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Wbutton] C:\Program Files\Launch Manager\Wbutton.exe ()
O4 - HKLM..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe ()
O4 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005..\Run: [Messenger (Yahoo!)] C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe (Yahoo! Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Alarm Clock.lnk = D:\application\Alarm Clock\AlarmClock.exe File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Philips SA19xx Device Manager.lnk = C:\Program Files\Philips\GoGear SA19xx Device Manager\main.exe (KeenHigh Tech.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O8 - Extra context menu item: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll ()
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKU\S-1-5-21-1214420101-3099525302-555687939-1005\..Trusted Domains: flvdirect.com ([www] http in Trusted sites)
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab (Trend Micro ActiveX Scan Agent 6.6)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} http://us.dl1.yimg.com/download.yahoo.com/...nst_current.cab (YInstStarter Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_19)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2010/04/15 19:10:36 | 000,000,000 | ---- | M] () - C:\autoexec.bat -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/04/17 22:56:41 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/17 22:56:39 | 000,020,824 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/17 22:56:39 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/04/17 10:32:33 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/04/16 23:12:11 | 000,000,000 | -HSD | C] -- C:\Recycled
[2010/04/16 23:07:28 | 000,000,000 | -HSD | C] -- C:\FOUND.051
[2010/04/16 20:35:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Virus removal attempt
[2010/04/16 00:49:21 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\drivers\lbrtfdc.sys
[2010/04/16 00:49:21 | 000,034,688 | ---- | C] (Toshiba Corp.) -- C:\WINDOWS\System32\dllcache\lbrtfdc.sys
[2010/04/16 00:48:34 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\drivers\Changer.sys
[2010/04/16 00:48:34 | 000,008,192 | ---- | C] (Microsoft Corporation) -- C:\WINDOWS\System32\dllcache\changer.sys
[2010/04/15 23:44:46 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2010/04/15 20:48:34 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/04/15 20:37:30 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/04/15 20:37:30 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/04/15 20:37:30 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/04/15 20:37:30 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/04/15 20:37:26 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/04/15 20:36:38 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/04/15 20:19:18 | 000,000,000 | ---D | C] -- C:\WINDOWS\Minidump
[2010/04/15 19:15:50 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/04/15 19:15:32 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro
[2010/04/15 19:10:05 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/04/15 19:09:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\61D3AAE1D5214CD7939B37813DE8F955.TMP
[2010/04/15 19:09:34 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/07 06:44:36 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Conduit
[2010/03/31 09:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Sun
[2010/03/31 09:59:11 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2010/03/31 09:56:49 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaws.exe
[2010/03/31 09:56:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\javaw.exe
[2010/03/31 09:56:49 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.) -- C:\WINDOWS\System32\java.exe
[2010/03/25 14:24:53 | 000,000,000 | ---D | C] -- C:\Program Files\Conduit
[2010/03/25 14:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Conduit
[2010/03/21 17:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Opera
[2010/03/21 17:26:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Opera
[2010/03/21 17:26:24 | 000,000,000 | ---D | C] -- C:\Program Files\Opera
[2010/03/21 08:23:28 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Yahoo!
[2010/03/20 22:55:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Scanner
[2010/03/20 22:55:10 | 000,000,000 | ---D | C] -- C:\Program Files\CA Yahoo! Anti-Spy
[2010/01/11 22:17:26 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2009/07/09 17:45:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2009/07/02 19:01:02 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
[2009/07/02 18:31:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
[2004/09/14 13:09:06 | 000,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2004/09/14 13:09:04 | 000,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2004/09/14 12:56:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2004/09/14 12:56:26 | 000,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/04/19 21:44:16 | 000,000,451 | ---- | M] () -- C:\WINDOWS\System32\eRLog.ini
[2010/04/19 21:43:26 | 000,000,098 | ---- | M] () -- C:\WINDOWS\ComponentList.xml
[2010/04/19 21:43:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/04/19 21:43:02 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/04/19 21:43:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/04/19 21:42:58 | 795,332,608 | -HS- | M] () -- C:\hiberfil.sys
[2010/04/19 21:41:50 | 008,126,464 | -H-- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/04/19 21:41:50 | 000,000,278 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/04/19 21:18:06 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/04/19 20:56:12 | 000,029,184 | ---- | M] () -- C:\Documents and Settings\User\My Documents\mystery bags.doc
[2010/04/19 13:27:50 | 000,002,265 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Skype.lnk
[2010/04/18 17:57:28 | 000,000,534 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\sabsam.lnk
[2010/04/17 12:53:58 | 000,056,832 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Hello.doc
[2010/04/16 22:26:30 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/04/16 10:32:00 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/04/15 20:48:40 | 000,000,264 | RHS- | M] () -- C:\BOOT.INI
[2010/04/15 19:15:34 | 000,001,642 | ---- | M] () -- C:\Documents and Settings\User\Desktop\HijackThis.lnk
[2010/04/15 19:10:36 | 000,000,000 | ---- | M] () -- C:\autoexec.bat
[2010/04/15 17:47:14 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/11 09:57:56 | 001,576,896 | -H-- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\IconCache.db
[2010/04/09 11:11:28 | 000,147,968 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/08 17:31:04 | 000,071,168 | ---- | M] () -- C:\Documents and Settings\User\My Documents\MW Stats 25thmar.doc
[2010/04/04 08:53:06 | 000,000,918 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/04/04 08:52:58 | 000,001,596 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Retro64 Games.lnk
[2010/03/31 20:12:42 | 000,024,576 | ---- | M] () -- C:\Documents and Settings\User\My Documents\kelulusan belajar.doc
[2010/03/30 00:46:30 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/03/30 00:45:52 | 000,020,824 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/03/25 12:28:02 | 000,000,500 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/03/23 02:45:18 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\User\My Documents\EQUIPMENT.doc
[5 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[3 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/04/18 17:57:26 | 000,000,534 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\sabsam.lnk
[2010/04/17 12:53:55 | 000,056,832 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Hello.doc
[2010/04/15 23:48:54 | 795,332,608 | -HS- | C] () -- C:\hiberfil.sys
[2010/04/15 20:48:38 | 000,000,193 | ---- | C] () -- C:\Boot.bak
[2010/04/15 20:48:36 | 000,260,272 | ---- | C] () -- C:\cmldr
[2010/04/15 20:37:30 | 000,261,632 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/04/15 20:37:30 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/04/15 20:37:30 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/04/15 20:37:30 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/04/15 20:37:30 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/04/15 19:15:33 | 000,001,642 | ---- | C] () -- C:\Documents and Settings\User\Desktop\HijackThis.lnk
[2010/04/15 19:10:35 | 000,000,000 | ---- | C] () -- C:\autoexec.bat
[2010/04/04 08:52:56 | 000,001,596 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Retro64 Games.lnk
[2010/04/02 03:01:12 | 000,001,374 | ---- | C] () -- C:\WINDOWS\imsins.BAK
[2010/03/31 20:12:40 | 000,024,576 | ---- | C] () -- C:\Documents and Settings\User\My Documents\kelulusan belajar.doc
[2010/03/27 18:41:23 | 000,029,184 | ---- | C] () -- C:\Documents and Settings\User\My Documents\mystery bags.doc
[2010/03/23 02:45:15 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\User\My Documents\EQUIPMENT.doc
[2010/03/22 20:07:34 | 000,071,168 | ---- | C] () -- C:\Documents and Settings\User\My Documents\MW Stats 25thmar.doc
[2010/03/21 17:26:33 | 000,000,500 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Opera.lnk
[2010/02/13 01:05:47 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2009/07/08 14:52:59 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\User\AdobeWeb.log
[2009/06/17 23:45:17 | 000,000,000 | ---- | C] () -- C:\WINDOWS\JCMKR32.INI
[2009/05/05 00:38:53 | 000,000,023 | ---- | C] () -- C:\Documents and Settings\User\presets.ini
[2009/05/01 23:26:02 | 000,000,026 | ---- | C] () -- C:\WINDOWS\WINTOYS.INI
[2009/04/22 17:17:26 | 000,129,024 | ---- | C] () -- C:\WINDOWS\System32\AVERM.dll
[2009/04/22 17:17:26 | 000,028,672 | ---- | C] () -- C:\WINDOWS\System32\AVEQT.dll
[2009/04/14 23:29:21 | 000,000,086 | ---- | C] () -- C:\WINDOWS\GECKOS.INI
[2009/04/14 23:27:43 | 000,000,070 | ---- | C] () -- C:\WINDOWS\SYMGAMES.INI
[2009/04/14 20:20:32 | 000,000,050 | ---- | C] () -- C:\WINDOWS\MIKAN.INI
[2009/04/14 13:22:02 | 000,000,131 | ---- | C] () -- C:\WINDOWS\chess.ini
[2009/01/09 11:13:25 | 000,000,124 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2008/12/23 22:13:31 | 000,000,532 | ---- | C] () -- C:\WINDOWS\MAXLINK.INI
[2008/12/11 17:47:11 | 000,028,672 | ---- | C] () -- C:\WINDOWS\VMPipe.dll
[2008/12/11 17:47:10 | 000,024,576 | ---- | C] () -- C:\WINDOWS\RunSetup.dll
[2008/12/03 02:24:48 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\Outlook Addin.dll
[2008/12/03 02:24:47 | 000,822,784 | ---- | C] () -- C:\WINDOWS\System32\UIVCL.dll
[2008/12/03 02:24:47 | 000,152,576 | ---- | C] () -- C:\WINDOWS\System32\CryptoAPI.dll
[2008/12/03 02:24:47 | 000,082,432 | ---- | C] () -- C:\WINDOWS\System32\keyManager.dll
[2008/12/03 02:24:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\LogSPWusage.dll
[2008/12/03 02:24:47 | 000,053,248 | ---- | C] () -- C:\WINDOWS\System32\APISlice.dll
[2008/12/03 02:24:47 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\SC_res.dll
[2008/12/03 02:24:47 | 000,045,056 | ---- | C] () -- C:\WINDOWS\System32\EN_res.dll
[2008/12/03 02:24:47 | 000,032,768 | ---- | C] () -- C:\WINDOWS\System32\TC_res.dll
[2008/12/03 02:24:47 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\MSNChatHook.dll
[2008/12/03 02:23:29 | 000,000,451 | ---- | C] () -- C:\WINDOWS\System32\eRLog.ini
[2008/12/03 01:27:30 | 000,009,867 | ---- | C] () -- C:\WINDOWS\System32\drivers\HOTKEY.sys
[2008/12/03 01:18:15 | 000,007,345 | ---- | C] () -- C:\Documents and Settings\User\launApp.log
[2008/12/03 01:18:14 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\User\ntuser.dat.LOG
[2008/12/03 01:18:14 | 000,000,278 | -HS- | C] () -- C:\Documents and Settings\User\ntuser.ini
[2008/12/03 01:18:13 | 008,126,464 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.DAT
[2008/12/03 01:17:19 | 000,262,144 | ---- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT
[2008/12/03 01:17:19 | 000,001,024 | -H-- | C] () -- C:\Documents and Settings\All Users\NTUSER.DAT.LOG
[2008/12/02 23:35:59 | 000,147,968 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2008/12/02 12:03:20 | 000,164,352 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2008/12/02 12:03:20 | 000,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2008/12/02 12:03:18 | 000,755,027 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2008/12/02 12:03:17 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2008/12/02 12:03:17 | 000,159,839 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2008/12/02 12:03:16 | 000,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2008/12/02 12:03:15 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2008/12/02 11:50:17 | 000,008,704 | ---- | C] () -- C:\WINDOWS\System32\CNMVS7K.DLL
[2008/12/02 10:44:59 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/11/24 14:08:48 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIBUN4.dll
[2005/11/24 14:08:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMPEG2.dll
[2005/11/24 14:08:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIMP3.dll
[2005/11/24 14:08:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIFCD3.dll
[2005/11/24 14:08:04 | 000,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTICDMK7.dll
[2005/06/20 02:42:14 | 000,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2005/05/02 12:13:42 | 000,009,600 | ---- | C] () -- C:\WINDOWS\System32\drivers\netmnt.sys
[2005/01/21 11:48:08 | 000,225,280 | ---- | C] () -- C:\WINDOWS\Capsule.dll
[2004/12/17 01:14:44 | 000,013,952 | ---- | C] () -- C:\WINDOWS\System32\drivers\UBHelper.sys
[2004/09/07 14:23:16 | 000,156,672 | ---- | C] () -- C:\WINDOWS\System32\RtlCPAPI.dll
[2004/08/04 05:00:00 | 000,001,793 | ---- | C] () -- C:\WINDOWS\System32\fxsperf.ini
[2003/12/29 20:45:08 | 000,040,960 | ---- | C] () -- C:\WINDOWS\System32\ServiceControl.dll
[2003/11/24 15:55:48 | 000,743,424 | ---- | C] () -- C:\WINDOWS\libxml2.dll
[2003/11/24 15:55:32 | 000,872,448 | ---- | C] () -- C:\WINDOWS\iconv.dll
[2003/07/21 16:52:40 | 000,001,150 | ---- | C] () -- C:\WINDOWS\System32\oeminfo.ini
[2003/01/07 15:05:08 | 000,002,695 | ---- | C] () -- C:\WINDOWS\System32\OUTLPERF.INI
[2002/03/21 15:39:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\UNACEV2.DLL
[2001/12/26 16:12:30 | 000,065,536 | R--- | C] () -- C:\WINDOWS\System32\multiplex_vcd.dll
[2001/09/03 23:46:38 | 000,110,592 | R--- | C] () -- C:\WINDOWS\System32\Hmpg12.dll
[2001/07/30 16:33:56 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC.dll
[2001/07/23 22:04:36 | 000,118,784 | R--- | C] () -- C:\WINDOWS\System32\HMPV2_ENC_MMX.dll
< End of report >

EXTRAS.txt

OTL Extras logfile created on: 4/19/2010 9:45:31 PM - Run 1
OTL by OldTimer - Version 3.2.1.3 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

758.00 Mb Total Physical Memory | 365.00 Mb Available Physical Memory | 48.00% Memory free
2.00 Gb Paging File | 1.00 Gb Available in Paging File | 77.00% Paging File free
Paging file location(s): C:\pagefile.sys 1140 2280 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 16.88 Gb Total Space | 1.11 Gb Free Space | 6.57% Space Free | Partition Type: FAT32
Drive D: | 17.24 Gb Total Space | 1.30 Gb Free Space | 7.53% Space Free | Partition Type: FAT32
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACER-684C9A655D
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_USERS\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Classes\<extension>]
.html [@ = Opera.HTML] -- Reg Error: Key error. File not found

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0
"DoNotAllowExceptions" = 0
"DisableNotifications" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"9999:TCP" = 9999:TCP:*:Enabled:PORT1
"1013:TCP" = 1013:TCP:*:Disabled:BS
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"9991:TCP" = 9991:TCP:*:Enabled:PORT2
"14811:TCP" = 14811:TCP:*:Enabled:FD
"15703:TCP" = 15703:TCP:*:Enabled:FD
"6672:TCP" = 6672:TCP:*:Enabled:FD
"42870:TCP" = 42870:TCP:*:Enabled:FD
"53634:TCP" = 53634:TCP:*:Enabled:FD
"61337:TCP" = 61337:TCP:*:Enabled:FD
"58534:TCP" = 58534:TCP:*:Enabled:FD
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)
"C:\Program Files\MSN Messenger\livecall.exe" = C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone) -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Acer\Acer Arcade\PCMService.exe" = C:\Program Files\Acer\Acer Arcade\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program -- (CyberLink Corp.)
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" = C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger -- (Yahoo! Inc.)
"C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe" = C:\Program Files\CyberLink\PowerDVD8\PowerDVD8.exe:*:Enabled:CyberLink PowerDVD 8.0 -- (CyberLink Corp.)
"C:\Program Files\uTorrent\uTorrent.exe" = C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent -- (BitTorrent, Inc.)
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Disabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe" = C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Disabled:Windows Live Sync -- (Microsoft Corporation)
"C:\Program Files\Opera\opera.exe" = C:\Program Files\Opera\opera.exe:*:Enabled:Opera Internet Browser -- (Opera Software)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{05ADEEC8-BD58-43D9-A9E3-1F53B0DA117A}" = Opera 10.51
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{0CE473E5-4187-4D59-8CC0-0983395B37DC}" = GoGear SA19xx Device Manager
"{139E303E-1050-497F-98B1-9AE87B15C463}" = Windows Live Family Safety
"{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}" = QuickTime
"{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"{178832DE-9DE0-4C87-9F82-9315A9B03985}" = Windows Live Writer
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade
"{26A24AE4-039D-4CA4-87B4-2F83216010FF}" = Java™ 6 Update 19
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"{3FA365DF-2D68-45ED-8F83-8C8A33E65143}" = Apple Application Support
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4CBA3D4C-8F51-4D60-B27E-F6B641C571E7}" = Microsoft Search Enhancement Pack
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}" = Microsoft Office Live Add-in 1.3
"{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{79D5997E-BF79-48BB-8B41-9BE59C15C2D7}" = OmniPage SE 2.0
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}" = Windows Live Sync
"{85309D89-7BE9-4094-BB17-24999C6118FC}" = ArcSoft PhotoStudio 5.5
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver for Mobile
"{8A74E887-8F0F-4017-AF53-CBA42211AAA5}" = Microsoft Sync Framework Runtime Native v1.0 (x86)
"{90110409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Professional Edition 2003
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{95120000-0122-0409-0000-0000000FF1CE}" = Microsoft Office Outlook Connector
"{995F1E2E-F542-4310-8E1D-9926F5A279B3}" = Windows Live Toolbar
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}" = Apple Mobile Device Support
"{AC76BA86-7AD7-1033-7B44-A70000000000}" = Adobe Reader 7.0
"{B2D41883-3BFC-4BA0-A2F6-5A2C9836C238}" = ACDSee 9 Photo Manager
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}" = Microsoft Sync Framework Services Native v1.0 (x86)
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{CA9A3609-3ECC-4574-8824-A8161A71A603}" = Canon MP150
"{CBB25040-2D43-4868-930C-F08B812F2BF8}" = Acer eDataSecurity Management
"{CD95F661-A5C4-44F5-A6AA-ECDD91C240B7}" = WinZip 12.0
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CE3B8E96-B0AF-4871-9178-1519B58E3A93}" = Vimicro USB PC Camera (ZC301PLH)
"{CF35000B-8247-449B-85C9-D9C2A5936683}" = GoGear SA19xx Device Manager
"{D0846526-66DD-4DC9-A02C-98F9A2806812}" = Launch Manager V1.0.9.3
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}" = Windows Live Photo Gallery
"{D6E4E5D6-7693-4BB4-95BA-21F38FAFEE90}" = Safari
"{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"{E431C518-2EE2-471E-9234-BE995C36D513}" = Acer eDataSecurity Management 1.00.21
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F63BF3C0-D774-11D5-9241-444553540000}" = Tango Manager
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{FB08F381-6533-4108-B7DD-039E11FBC27E}" = Realtek AC'97 Audio
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 6.0" = Adobe Photoshop 6.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe SVG Viewer" = Adobe SVG Viewer
"Allok AVI DivX MPEG to DVD Converter_is1" = Allok AVI DivX MPEG to DVD Converter 1.2.0
"Allok MPEG4 Converter_is1" = Allok MPEG4 Converter 5.1.0626
"Allok RM RMVB to AVI MPEG DVD Converter_is1" = Allok RM RMVB to AVI MPEG DVD Converter 2.2.0920
"Allok Video Joiner_is1" = Allok Video Joiner 3.2.0920
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"cayahooantispy" = CA Yahoo! Anti-Spy (remove only)
"CCleaner" = CCleaner (remove only)
"CNXT_MODEM_PCI_VEN_8086&DEV_266D&SUBSYS_006A1025" = SoftV90 Data Fax Modem with SmartCP
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-WebPrint" = Easy-WebPrint
"ePresentation" = Acer ePresentation Management
"ESET Online Scanner" = ESET Online Scanner v3
"Funny Bricks_is1" = Funny Bricks
"Google Chrome" = Google Chrome
"GridVista" = Acer GridVista
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker
"InstallShield_{15B70821-7893-4607-805A-BB80F3EA8279}" = Acer Empowering Technology framework
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = CyberLink PowerDVD 8
"InstallShield_{385979FE-DC4F-4140-8EAD-A59625000D72}" = NTI Backup NOW! 4
"InstallShield_{6CA897D0-67F5-4F75-8261-DC8BFCA6DA42}" = Acer eLock Management
"InstallShield_{DEE08946-40F0-4890-853E-60A6C3306041}" = Acer ePerformance Management
"InstallShield_{E38BC648-883B-4EE5-966C-94C4B7AB3E0B}" = Acer eSettings Management
"KLiteCodecPack_is1" = K-Lite Codec Pack 4.3.1 (Full)
"Magic ISO Maker v5.5 (build 0274)" = Magic ISO Maker v5.5 (build 0274)
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.6.2)" = Mozilla Firefox (3.6.2)
"MP Navigator 2.0" = Canon MP Navigator 2.0
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"RealPlayer 12.0" = RealPlayer
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"Winamp" = Winamp
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"Yahoo! Companion" = Yahoo! Toolbar
"Yahoo! Messenger" = Yahoo! Messenger
"YInstHelper" = Yahoo! Install Manager

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1214420101-3099525302-555687939-1005\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"uTorrent" = µTorrent

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 4/17/2010 7:21:15 PM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/17/2010 8:21:16 PM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/17/2010 9:21:14 PM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/17/2010 10:21:14 PM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/17/2010 11:21:14 PM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/18/2010 12:21:14 AM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/18/2010 1:21:14 AM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/18/2010 2:21:14 AM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/18/2010 4:21:14 AM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

Error - 4/18/2010 5:21:14 AM | Computer Name = ACER-684C9A655D | Source = Google Update | ID = 20
Description =

[ System Events ]
Error - 4/15/2010 11:57:42 PM | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7000
Description = The VIMICRO USB PC Camera (ZC0301PLH) service failed to start due
to the following error: %%2

Error - 4/16/2010 6:59:45 AM | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7034
Description = The Tango Service service terminated unexpectedly. It has done this
1 time(s).

Error - 4/16/2010 10:23:33 AM | Computer Name = ACER-684C9A655D | Source = PlugPlayManager | ID = 11
Description = The device Root\LEGACY_LKWXRFKV\0000 disappeared from the system without
first being prepared for removal.

Error - 4/16/2010 11:19:09 AM | Computer Name = ACER-684C9A655D | Source = Print | ID = 19
Description = Sharing printer failed + 1722, Printer Microsoft XPS Document Writer
share name Printer.

Error - 4/18/2010 11:04:20 AM | Computer Name = ACER-684C9A655D | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 4/18/2010 11:04:21 AM | Computer Name = ACER-684C9A655D | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 4/19/2010 3:01:48 AM | Computer Name = ACER-684C9A655D | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 4/19/2010 3:01:58 AM | Computer Name = ACER-684C9A655D | Source = ACPIEC | ID = 327681
Description = \Device\ACPIEC: The embedded controller (EC) hardware didn't respond
within the timeout period. This may indicate an error in the EC hardware or firmware,
or possibly a poorly designed BIOS which accesses the EC in an unsafe manner.
The EC driver will retry the failed transaction if possible.

Error - 4/19/2010 9:43:01 AM | Computer Name = ACER-684C9A655D | Source = sr | ID = 1
Description = The System Restore filter encountered the unexpected error '0xC0000001'
while processing the file '' on the volume 'HarddiskVolume2'. It has stopped monitoring
the volume.

Error - 4/19/2010 9:43:19 AM | Computer Name = ACER-684C9A655D | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
abp480n5 adpu160m agp440 agpCPQ Aha154x aic78u2 aic78xx AliIde alim1541 amdagp amsint asc asc3350p
asc3550
cbidf
cd20xrnt
CmdIde
Cpqarray
dac2w2k
dac960nt
dpti2o
gagp30kx
hpn
i2omp
ini910u
IntelIde
mraid35x
perc2
perc2hib
ql1080
Ql10wnt
ql12160
ql1240
ql1280
sisagp
Sparrow
symc810
symc8xx
sym_hi
sym_u3
TosIde
ultra
viaagp
ViaIde


I hope thrs no backdoor activity going on .. I have assumed it is not ....since u never said anything abt it after going thru the logs and scan reports ...

regards

sab2010

< End of report >




#14 Jat90

Jat90

  • Members
  • 1,515 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:United Kingdom
  • Local time:06:06 AM

Posted 19 April 2010 - 03:34 PM

Hello,

QUOTE
I hope thrs no backdoor activity going on .. I have assumed it is not ....since u never said anything abt it after going thru the logs and scan reports ...


I did mention backdoor capability, first post in fact:

QUOTE
Gmer identified a rootkit(s) on your system, many are known to have backdoor capabilities. Let's run ComboFix and see if we can see which rootkit you have been infected with


Unfortunately I was anable to identify exactly which rootkit you have been infected with so I can't say for certain if they had backdoor functionalities. However if you are a suspicious person, you could always choose to reformat and reinstall and take no chances, or I could continue with the fix. Take a read of this: When Should I Format, How Should I Reinstall and let me know what you decide to do.

- Jat90 -

If I have not responded to you within 24 hours, then please feel free to send me a message.

Posted Image

#15 sab2010

sab2010
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:01:06 PM

Posted 19 April 2010 - 09:26 PM

Hi jat i prefer to rectify myself with ur help than going for a reformat / reinstall of everythng ... I hate to do that as i will lose quite a lot of data... things which i will not rembr now to take a backup... but may need it for smthng on some fine day ... If thrs no other choice other than reformatting then i will go for that .....

well all this provided u r not fed up with my computer and the damn trojan in my computer coming up again n again or fed up of me itself in the whole .... lol ... then i will have no other choice ..do I??

regards

Sab2010




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users