Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Backdoor.Bot infection Windows XP


  • This topic is locked This topic is locked
24 replies to this topic

#1 kjewell

kjewell

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 19 May 2010 - 10:41 PM

First noticed following any Google link redirecting to other sights. I ran Malware's mbam.exe without having to rename. Mbam indicated that it found and removed infected files. Upon reboot, same Google redirect occurred. After doing some reading on the forum, I realize that this is out of my league to try and fix this without some help. I would greatly appreciate it if someone here could walk me through the process.


DDS (Ver_10-03-17.01) - NTFSx86
Run by kjewell at 16:12:16.87 on Wed 05/19/2010
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.139 [GMT -6:00]

AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning enabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
FW: Trend Micro PC-cillin Internet Security (Firewall) *disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\PROGRA~1\MI1933~1\Office12\OUTLOOK.EXE
C:\Documents and Settings\kjewell.DESKTOP\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearch Page = hxxp://www.google.com


Attached Files



BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 20 May 2010 - 09:03 PM

Hello, kjewell.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 20 May 2010 - 11:18 PM

Thank you. I'll refrain from making any changes or scans unless directed by you, and discontinue any efforts on my own.

Downloaded RSIT and scanned. Copied ifo.txt and log.txt files here. Downloaded new GMER and scanned with requested options and copied gmer.log here.

info.txt

Logfile of random's system information tool 1.07 (written by random/random)
Run by kjewell at 2010-05-20 20:21:30
Microsoft Windows XP Professional Service Pack 3
System drive C: has 96 GB (52%) free of 184 GB
Total RAM: 1535 MB (67% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:21:42 PM, on 5/20/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Carbonite\CarbonitePreinstaller.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kjewell.DESKTOP\Desktop\RSIT.exe
C:\Program Files\trend micro\kjewell.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: HP Print Enhancer - {0347C33E-8762-4905-BF09-768834316C61} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: BrowserHelper Class - {8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6} - C:\Program Files\SGPSA\SearchAssistant.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [faxhijkj] C:\Documents and Settings\NetworkService\Local Settings\Application Data\nkftsuirk\iuockyetssd.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [faxhijkj] C:\Documents and Settings\NetworkService\Local Settings\Application Data\nkftsuirk\iuockyetssd.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Health Key and Certificate Management Service hkmsvcRasAuto (hkmsvcRasAuto) - Unknown owner - C:\WINDOWS\system32\acleditq.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Desktop Help Session Manager RDSessMgrehSched (RDSessMgrehSched) - Unknown owner - C:\WINDOWS\system32\adsldpcu.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Personal Firewall TmPfwRSVP (TmPfwRSVP) - Unknown owner - C:\WINDOWS\system32\Adobeb.exe (file missing)
O24 - Desktop Component 0: (no name) - http://www.drakeshangout.com/pics/animated...ell_avatar2.gif

--
End of file - 7367 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 803864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0347C33E-8762-4905-BF09-768834316C61}]
HP Print Enhancer - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll [2007-11-06 322880]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 54248]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll [2007-12-14 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8A9D74F9-560B-4FE7-ABEB-3B2E638E5CD6}]
BrowserHelper Class - C:\Program Files\SGPSA\SearchAssistant.dll [2009-10-15 123904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856}]
HP Smart BHO Class - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll [2007-11-06 542016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2007-03-20 803864]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe [2008-04-13 169984]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2009-01-05 413696]
"CarboniteSetupLite"=C:\Program Files\Carbonite\CarbonitePreinstaller.exe [2009-08-04 318096]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
C:\WINDOWS\AGRSMMSG.exe [2004-06-29 88363]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
C:\WINDOWS\ALCXMNTR.EXE [2004-09-07 57344]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
C:\WINDOWS\ehome\ehtray.exe [2005-08-05 64512]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
[]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
c:\windows\system\hpsysdrv.exe [1998-05-07 52736]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-06-28 8466432]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-06-28 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE [2004-04-14 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3
"WMPNetworkSvc"=3
"tmproxy"=2
"PcCtlCom"=2
"ose"=3
"odserv"=3
"NVSvc"=2
"Microsoft Office Groove Audit Service"=3
"MDM"=2
"LeapFrog Connect Device Service"=2
"iPod Service"=3
"idsvc"=3
"gusvc"=3
"gupdate1ca4ba67991be62"=2
"TrkWksNtmsSvc"=2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2004-08-03 344064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2007-03-15 236928]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll [2009-02-12 2217848]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe"="C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe:*:Enabled:BackWeb for Pavilion"
"C:\Program Files\EarthLink TotalAccess\TaskPanl.exe"="C:\Program Files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink"
"C:\Program Files\Kazaa\kazaa.exe"="C:\Program Files\Kazaa\kazaa.exe:*:Enabled:Kazaa"
"C:\Program Files\Internet Explorer\IEXPLORE.EXE"="C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"C:\Program Files\InterMute\SpamSubtract\SpamSub.exe"="C:\Program Files\InterMute\SpamSubtract\SpamSub.exe:*:Enabled:SpamSubtract"
"C:\Program Files\InterMute\SpySubtract\SpySub.exe"="C:\Program Files\InterMute\SpySubtract\SpySub.exe:*:Enabled:SpySubtract"
"C:\Program Files\LimeWire\LimeWire.exe"="C:\Program Files\LimeWire\LimeWire.exe:*:Enabled:LimeWire"
"C:\Program Files\BitTorrent\bittorrent.exe"="C:\Program Files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\Program Files\Sony\Media Manager for WALKMAN\MediaManager.exe"="C:\Program Files\Sony\Media Manager for WALKMAN\MediaManager.exe:*:Enabled:Media Manager for WALKMAN 1.1"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\Program Files\HP\Digital Imaging\bin\hposid01.exe"="C:\Program Files\HP\Digital Imaging\bin\hposid01.exe:*:Enabled:hposid01.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqcopy.exe:*:Enabled:hpqcopy.exe"
"C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe"="C:\Program Files\HP\Digital Imaging\Unload\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpiscnapp.exe:*:Enabled:hpiscnapp.exe"
"C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe"="C:\Program Files\HP\Digital Imaging\bin\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\GROOVE.EXE"="C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%ProgramFiles%\iTunes\iTunes.exe"="%ProgramFiles%\iTunes\iTunes.exe:*:enabled:iTunes"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
shell\AutoRun\command - K:\Seagate\Installer\InstallSeagateManager.exe
shell\Install\command - K:\Seagate\Installer\InstallSeagateManager.exe


======List of files/folders created in the last 2 months======

2010-05-20 20:21:30 ----D---- C:\rsit
2010-05-20 13:49:31 ----D---- C:\Program Files\ESET
2010-05-20 13:13:33 ----D---- C:\Program Files\Carbonite
2010-05-20 13:12:09 ----D---- C:\Program Files\Seagate
2010-05-19 15:15:48 ----A---- C:\mbam-error.txt
2010-05-12 03:02:04 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-04-14 03:04:49 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-04-14 03:04:35 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-04-14 03:04:26 ----HDC---- C:\WINDOWS\$NtUninstallKB981349$
2010-04-14 03:03:27 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-04-14 03:03:18 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-04-14 03:03:09 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-04-14 03:02:28 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-04-01 07:51:52 ----D---- C:\Program Files\Coupons
2010-03-31 03:01:08 ----HDC---- C:\WINDOWS\$NtUninstallKB980182$
2010-03-21 20:05:45 ----D---- C:\Program Files\Mpeg2Decoder

======List of files/folders modified in the last 2 months======

2010-05-20 20:21:42 ----D---- C:\Program Files\Trend Micro
2010-05-20 20:21:13 ----D---- C:\WINDOWS\Prefetch
2010-05-20 20:18:23 ----D---- C:\Program Files\Mozilla Firefox
2010-05-20 17:40:04 ----D---- C:\WINDOWS\Temp
2010-05-20 17:07:12 ----D---- C:\WINDOWS\Registration
2010-05-20 17:05:22 ----D---- C:\WINDOWS\system32\CatRoot2
2010-05-20 17:05:04 ----D---- C:\WINDOWS
2010-05-20 13:49:31 ----RD---- C:\Program Files
2010-05-20 13:13:06 ----A---- C:\AUTOEXEC.BAT
2010-05-20 13:12:09 ----D---- C:\Program Files\Common Files\muvee Technologies
2010-05-20 13:12:06 ----HD---- C:\Program Files\InstallShield Installation Information
2010-05-20 13:11:31 ----A---- C:\WINDOWS\ntbtlog.txt
2010-05-20 13:10:01 ----D---- C:\WINDOWS\system32
2010-05-20 13:07:11 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2010-05-20 12:41:48 ----HDC---- C:\WINDOWS\$NtUninstallKB948881$
2010-05-20 12:41:48 ----D---- C:\WINDOWS\system32\drivers
2010-05-20 12:41:17 ----HDC---- C:\WINDOWS\$NtUninstallKB946627$
2010-05-20 12:37:54 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-05-20 11:28:25 ----HD---- C:\WINDOWS\inf
2010-05-19 16:04:39 ----D---- C:\Documents and Settings\kjewell.DESKTOP\Application Data\HPAppData
2010-05-19 15:50:26 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-19 10:01:25 ----D---- C:\Program Files\RealArcade
2010-05-16 06:37:11 ----SD---- C:\Documents and Settings\kjewell.DESKTOP\Application Data\Microsoft
2010-05-12 03:02:32 ----SHD---- C:\WINDOWS\Installer
2010-05-12 03:02:32 ----HD---- C:\Config.Msi
2010-05-12 03:02:32 ----D---- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2010-05-12 03:02:07 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-05-12 03:02:07 ----D---- C:\Program Files\Outlook Express
2010-05-11 19:24:08 ----HD---- C:\WINDOWS\$hf_mig$
2010-05-10 06:59:46 ----AH---- C:\boot.ini
2010-05-10 06:59:46 ----A---- C:\WINDOWS\win.ini
2010-05-10 06:59:46 ----A---- C:\WINDOWS\system.ini
2010-05-02 10:23:59 ----D---- C:\Documents and Settings\kjewell.DESKTOP\Application Data\AdobeUM
2010-04-25 21:24:50 ----A---- C:\WINDOWS\IE4 Error Log.txt
2010-04-23 10:18:29 ----D---- C:\Michelle Sangray Work
2010-04-14 03:04:59 ----A---- C:\WINDOWS\imsins.BAK
2010-03-27 00:29:24 ----D---- C:\WINDOWS\system32\FxsTmp
2010-03-21 20:00:38 ----D---- C:\Documents and Settings\kjewell.DESKTOP\Application Data\LimeWire

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK8;AMD Athlon64 Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2004-05-08 35840]
R1 SiSkp;SiSkp; C:\WINDOWS\system32\DRIVERS\srvkp.sys [2004-07-17 12160]
R1 tmtdi;Trend Micro TDI Driver; C:\WINDOWS\System32\Drivers\tmtdi.sys [2006-03-15 68608]
R1 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2004-08-10 12032]
R2 tm_cfw;Common Firewall Driver; C:\WINDOWS\System32\Drivers\tm_cfw.sys [2006-03-15 1940992]
R2 Tmfilter;Tmfilter; C:\WINDOWS\system32\drivers\TmXPFlt.sys [2008-08-16 205328]
R2 Tmpreflt;Tmpreflt; C:\WINDOWS\system32\drivers\Tmpreflt.sys [2008-08-16 36368]
R2 Vsapint;Vsapint; C:\WINDOWS\system32\drivers\VsapiNT.sys [2008-08-16 1195448]
R3 AgereSoftModem;Agere Systems Soft Modem; C:\WINDOWS\system32\DRIVERS\AGRSM.sys [2004-06-29 1268204]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2005-04-20 2317696]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys [2009-03-19 23400]
R3 hcwPP2;Hauppauge WinTV PVR PCI II (26xxx); C:\WINDOWS\system32\DRIVERS\hcwPP2.sys [2004-08-27 116736]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2007-06-28 6807328]
R3 Ps2;PS2; C:\WINDOWS\system32\DRIVERS\PS2.sys [2005-12-12 19072]
R3 SISNIC;SiS PCI Fast Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\sisnic.sys [2003-07-11 32768]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-13 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
S3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2003-12-12 391424]
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-13 60800]
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\drivers\BVRPMPR5.SYS []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 HidIr;Microsoft Infrared HID Driver; C:\WINDOWS\system32\DRIVERS\hidir.sys [2008-04-13 19200]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2007-10-30 49920]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2007-10-30 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2007-10-30 21568]
S3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2004-08-03 730653]
S3 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
S3 IrBus;Infrared bus filter driver for eHome remote controls; C:\WINDOWS\system32\DRIVERS\IrBus.sys [2008-04-13 46592]
S3 MHNDRV;MHN driver; C:\WINDOWS\system32\DRIVERS\mhndrv.sys [2004-08-10 11008]
S3 motccgp;Motorola USB Composite Device Driver; C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-06-18 17920]
S3 motccgpfl;MotCcgpFlService; C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-22 7680]
S3 MotDev;Motorola Inc. USB Device; C:\WINDOWS\system32\DRIVERS\motodrv.sys [2007-05-07 42112]
S3 motmodem;Motorola USB CDC ACM Driver; C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 23680]
S3 motport;Motorola USB Diagnostic Port; C:\WINDOWS\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-13 61824]
S3 rtl8139;Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver; C:\WINDOWS\system32\DRIVERS\R8139n51.SYS [2002-10-04 46976]
S3 SiS315;SiS315; C:\WINDOWS\system32\DRIVERS\sisgrp.sys [2004-07-19 218112]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys []
S3 usbaudio;USB Audio Driver (WDM); C:\WINDOWS\system32\drivers\usbaudio.sys [2008-04-13 60032]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-13 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
S3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S3 Wdf01000;Wdf01000; C:\WINDOWS\system32\DRIVERS\Wdf01000.sys [2006-11-02 492000]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 xnacc;Microsoft Common Controller For Windows Driver Service; C:\WINDOWS\system32\DRIVERS\xnacc.sys [2006-06-01 509440]
S4 IntelIde;IntelIde; C:\WINDOWS\system32\DRIVERS\intelide.sys [2008-04-13 5504]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ehRecvr;Media Center Receiver Service; C:\WINDOWS\eHome\ehRecvr.exe [2006-10-09 237568]
R2 ehSched;Media Center Scheduler Service; C:\WINDOWS\eHome\ehSched.exe [2005-08-05 102912]
R2 hpqddsvc;HP CUE DeviceDiscovery Service; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R2 McrdSvc;Media Center Extender Service; C:\WINDOWS\ehome\mcrdsvc.exe [2005-08-05 99328]
R2 Net Driver HPZ12;Net Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
R2 Tmntsrv;Trend Micro Real-time Service; C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe [2006-03-08 340040]
R2 TmPfw;Trend Micro Personal Firewall; C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe [2006-03-15 634944]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
R3 hpqcxs08;hpqcxs08; C:\WINDOWS\system32\svchost.exe [2008-04-13 14336]
S2 hkmsvcRasAuto;Health Key and Certificate Management Service hkmsvcRasAuto; C:\WINDOWS\system32\acleditq.exe srv []
S2 RDSessMgrehSched;Remote Desktop Help Session Manager RDSessMgrehSched; C:\WINDOWS\system32\adsldpcu.exe srv []
S2 TmPfwRSVP;Trend Micro Personal Firewall TmPfwRSVP; C:\WINDOWS\system32\Adobeb.exe srv []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 Fax;Fax; C:\WINDOWS\system32\fxssvc.exe [2008-04-13 267776]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-04-02 656168]
S3 MHN;MHN; C:\WINDOWS\System32\svchost.exe [2008-04-13 14336]
S4 gupdate1ca4ba67991be62;Google Update Service (gupdate1ca4ba67991be62); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-10-12 133104]
S4 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S4 LeapFrog Connect Device Service;LeapFrog Connect Device Service; C:\Program Files\LeapFrog\LeapFrog Connect\CommandService.exe [2009-05-07 1089536]
S4 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-20 322120]
S4 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2008-10-25 65888]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
S4 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-06-28 155716]
S4 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S4 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 PcCtlCom;Trend Micro Central Control Component; C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe [2006-03-08 950354]
S4 tmproxy;Trend Micro Proxy Service; C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe [2006-03-15 286791]
S4 TrkWksNtmsSvc;Distributed Link Tracking Client TrkWksNtmsSvc; C:\WINDOWS\system32\1028m.exe srv []
S4 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

-----------------EOF-----------------

log.txt

info.txt logfile of random's system information tool 1.06 2010-05-20 20:21:46

======Uninstall list======

-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\orun32.isu
-->c:\WINDOWS\system32\\MSIEXEC.EXE /x {9541FED0-327F-4df0-8B96-EF57EF622F19}
-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{39DA87A1-0B26-4562-A70C-2A6147366E47}\Setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9F765BD0-B900-4EDE-A90B-61C8A9E95C42}\Setup.exe"
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BAD59025-5B73-4E12-B789-0028C5A573C2}\Setup.exe"
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F1E63043-54FC-429B-AB2C-31AF9FBA4BC7}
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->MsiExec.exe /X{0DFB3DE8-65B9-44FF-AA0A-3BECC5A2BFD1}
Adobe Reader 6.0.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A00000000001}
Adobe Shockwave Player 11.5-->"C:\WINDOWS\system32\Adobe\Shockwave 11\uninstaller.exe"
Agere Systems PCI Soft Modem-->agrsmdel
Audacity 1.2.6-->"C:\Program Files\Audacity\unins000.exe"
Carbonite Online Backup Setup-->"C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=900 /uninstall
Coupon Printer for Windows-->"C:\Program Files\Coupons\uninstall.exe" "/U:C:\Program Files\Coupons\Uninstall\uninstall.xml"
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Google Earth-->MsiExec.exe /X{2EAF7E61-068E-11DF-953C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Guitar Hero III-->MsiExec.exe /I{0CE1A6C0-F3F7-49E6-8F9D-2431F9827441}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344)-->"C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 10 (KB903157)-->"C:\WINDOWS\$NtUninstallKB903157$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"
HP Deskjet F4200 All-In-One Driver Software 10.0 Rel .3-->C:\Program Files\HP\Digital Imaging\{AE9A67F9-ADF1-4a44-BAB5-C1DB302B37A2}\setup\hpzscr01.exe -datfile hposcr28.dat -onestop
HP Image Zone for Media Center PC-->MsiExec.exe /X{8D0C57BC-4942-4960-BB6D-142456D6F233}
HP Image Zone Plus 4.2-->C:\Program Files\HP\Digital Imaging\{5E1494D4-3562-4FFB-B35C-600F80F6934C}\setup\hpzscr01.exe -datfile hpdscr01.dat
HP Imaging Device Functions 10.0-->C:\Program Files\HP\Digital Imaging\DeviceManagement\hpzscr01.exe -datfile hpqbud01.dat
HP Photo & Imaging 3.5 - HP Devices-->C:\Program Files\HP\Digital Imaging\{15B9DC72-73F9-4d99-9E28-848D66DA8D99}\setup\hpzscr01.exe -datfile hpiscr01.dat
HP Smart Web Printing-->C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe -datfile hpqbud15.dat
iTunes-->MsiExec.exe /I{5EFCBB42-36AB-4FF9-B90C-E78C7B9EE7B3}
Jamorama Maestro Bonus Tools-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{07241C26-FE77-48C7-B4A4-598C2C68DEE0}\setup.exe"
Jamorama Maestro-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CA80D1B-4931-445E-A07E-422F5E0D9C49}\setup.exe" -L0x9
Java™ 6 Update 4-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160040}
Java™ SE Runtime Environment 6 Update 1-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160010}
LeapFrog Connect-->C:\Program Files\LeapFrog\LeapFrog Connect\uninst.exe
LeapFrog Connect-->MsiExec.exe /X{47FB62DF-832D-485F-95FC-C93BB08B8FE3}
LeapFrog Didj Plugin-->MsiExec.exe /X{F6E306FF-DCC2-4FC0-B919-F95D224C4A10}
LimeWire 5.4.6-->"C:\Program Files\LimeWire\uninstall.exe"
LiveReg (Symantec Corporation)-->C:\Program Files\Common Files\Symantec Shared\LiveReg\VcSetup.exe /REMOVE
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Manager for WALKMAN 1.1-->MsiExec.exe /X{F32D27BF-F003-416D-82E6-8CB002A0B75D}
Microsoft .NET Framework 1.0 Hotfix (KB953295)-->"C:\WINDOWS\$NtUninstallKB953295$\spuninst\spuninst.exe"
Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5-->"C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
Microsoft Office 2007 Service Pack 2 (SP2)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISER /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{91120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual J# .NET Redistributable Package 1.1-->MsiExec.exe /X{1A655D51-1423-48A3-B748-8F5A0BE294C8}
Microsoft Visual J# .NET Redistributable Package(ENU) v1.0.4205-->msiexec.exe /I {90AD8C11-ED4A-4AE7-BB70-7740C452C999} /l*v "C:\Program Files\Common Files\Microsoft Visual J# .NET Setup\logs\RedistRepairRemove1033.log"
Microsoft Works 2005 Setup Launcher-->C:\Program Files\Microsoft Works Suite 2005\Setup\Launcher.exe /ARP F:\
Microsoft Works Suite Add-in for Microsoft Word-->MsiExec.exe /I{CB54ABA8-D67F-47AD-A76C-2631BADA9FE5}
Microsoft Works-->MsiExec.exe /I{416D80BA-6F6D-4672-B7CF-F54DA2F80B44}
Mozilla Firefox (2.0.0.20)-->C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
Mpeg2Decoder 1.3-->"C:\Program Files\Mpeg2Decoder\unins000.exe"
MSConfig CleanUp 1.2-->"C:\Program Files\MSConfig CleanUp\UninsHs.exe"
MSXML 4.0 SP2 (KB927978)-->MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
muvee autoProducer 6.1 Seagate Edition-->C:\Program Files\InstallShield Installation Information\{C880E328-DA82-47F2-B429-3E42C73C7549}\setup.exe -runfromtemp -l0x0009 -removeonly
Norton Personal Firewall-->MsiExec.exe /I{3BD0196C-6553-460c-A0C4-90D8AE5D60D2}
NVIDIA Drivers-->C:\WINDOWS\system32\nvudisp.exe UninstallGUI
OpenOffice.org 2.4-->MsiExec.exe /I{F87A8E11-02A4-4875-A3A5-5961081B0E4E}
PC-Doctor for Windows-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1F7CCFA3-D926-4882-B2A5-A0217ED25597}\Setup.exe"
QuickTime-->MsiExec.exe /I{216AB108-2AE1-4130-B3D5-20B2C4C80F8F}
RealArcade-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\RealArcade.rguninst" "AddRemove"
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for 2007 Microsoft Office System (KB978380)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {667A88D1-0369-4070-A62A-70672D68A9BF}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB978382)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {6DE3DABF-0203-426B-B330-7287D1003E86}
Security Update for Microsoft Office Outlook 2007 (KB972363)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {120BE9A0-9B09-4855-9E0C-7DEE45CB03C0}
Security Update for Microsoft Office PowerPoint 2007 (KB957789)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {7559E742-FF9F-4FAE-B279-008ED296CB4D}
Security Update for Microsoft Office Publisher 2007 (KB980470)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {34573F17-DADE-4D0D-835F-A54A1DE8AC1F}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Step By Step Interactive Training (KB898458)-->"C:\WINDOWS\$NtUninstallKB898458$\spuninst\spuninst.exe"
Security Update for Step By Step Interactive Training (KB923723)-->"C:\WINDOWS\$NtUninstallKB923723$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB911565)-->"C:\WINDOWS\$NtUninstallKB911565$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB917734)-->"C:\WINDOWS\$NtUninstallKB917734_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 10 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP10$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950759)-->"C:\WINDOWS\$NtUninstallKB950759$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376)-->"C:\WINDOWS\$NtUninstallKB951376$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953838)-->"C:\WINDOWS\$NtUninstallKB953838$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956390)-->"C:\WINDOWS\$NtUninstallKB956390$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958215)-->"C:\WINDOWS\$NtUninstallKB958215$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960714)-->"C:\WINDOWS\$NtUninstallKB960714$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961371)-->"C:\WINDOWS\$NtUninstallKB961371$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB963027)-->"C:\WINDOWS\$NtUninstallKB963027$\spuninst\spuninst.exe"
Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969897)-->"C:\WINDOWS\$NtUninstallKB969897$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969898)-->"C:\WINDOWS\$NtUninstallKB969898$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972260)-->"C:\WINDOWS\$NtUninstallKB972260$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973346)-->"C:\WINDOWS\$NtUninstallKB973346$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB976325)-->"C:\WINDOWS\$NtUninstallKB976325$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
Shockwave-->C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Sonic Encoders-->MsiExec.exe /I{9941F0AA-B903-4AF4-A055-83A9815CC011}
Sonic RecordNow!-->MsiExec.exe /I{9541FED0-327F-4DF0-8B96-EF57EF622F19}
Super Collapse! II-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\supercollapseii.rguninst" "AddRemove"
Super Collapse-->"C:\Program Files\RealArcade\Installer\bin\gameinstaller.exe" "C:\Program Files\RealArcade\Installer\installerMain.clf" "C:\Program Files\RealArcade\Installer\uninstall\supercollapse.rguninst" "AddRemove"
TonkaŽ On the Job-->C:\Program Files\InstallShield Installation Information\{D0B5F130-CA18-4CF7-AD7D-8286192CFAA4}\Setup.exe -runfromtemp -l0x0009 -removeonly
Trend Micro PC-cillin Internet Security 2006-->MsiExec.exe /X{EA8C73AA-3D75-44C9-87A2-8E945FC5FEE6}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for 2007 Microsoft Office System (KB981715)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {661B3F32-FFE4-4606-AE3A-DFA11DCC0D79}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Microsoft Office InfoPath 2007 (KB976416)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {432C5EE4-8096-4FF1-95E1-65219365DFF7}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office Word 2007 (KB974631)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {1D53FB73-9826-4541-B2E0-A239C6EBA718}
Update for Microsoft Office Word 2007 (KB974631)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {34726474-50D6-49FC-B8AC-35411459D27A}
Update for Outlook 2007 Junk Email Filter (kb981726)-->msiexec /package {91120000-0030-0000-0000-0000000FF1CE} /uninstall {2C69BACE-1151-41C0-8C8D-F6026D510BD4}
Update for Windows Media Player 10 (KB913800)-->"C:\WINDOWS\$NtUninstallKB913800$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
Update for Windows XP (KB976749)-->"C:\WINDOWS\$NtUninstallKB976749$\spuninst\spuninst.exe"
Update for Windows XP (KB978207)-->"C:\WINDOWS\$NtUninstallKB978207$\spuninst\spuninst.exe"
Update for Windows XP (KB980182)-->"C:\WINDOWS\$NtUninstallKB980182$\spuninst\spuninst.exe"
Update Rollup 2 for Windows XP Media Center Edition 2005-->C:\WINDOWS\$NtUninstallKB900325$\spuninst\spuninst.exe
Updates from HP-->C:\WINDOWS\BWUnin-6.3.2.62.exe -AppId 309731
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB925766-->"C:\WINDOWS\$NtUninstallKB925766$\spuninst\spuninst.exe"
Windows XP Media Center Edition 2005 KB973768-->"C:\WINDOWS\$NtUninstallKB973768$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Wizard101-->"C:\Program Files\InstallShield Installation Information\{A9E27FF5-6294-46A8-B8FD-77B1DECA3021}\setup.exe" -runfromtemp -l0x0009 -removeonly
Xbox 360 Controller for Windows-->"C:\WINDOWS\$NtUninstall_Xbox_360_CC_Driver$\spuninst\spuninst.exe"
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\unyt.exe

======Security center information======

AV: Trend Micro PC-cillin Internet Security 2006 (outdated)
FW: Trend Micro PC-cillin Internet Security (Firewall) (disabled)

======System event log======

Computer Name: DESKTOP
Event Code: 7011
Message: Timeout (30000 milliseconds) waiting for a transaction response from the NVSvc service.

Record Number: 53
Source Name: Service Control Manager
Time Written: 20100307171308.000000-420
Event Type: error
User:

Computer Name: DESKTOP
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 37
Source Name: W32Time
Time Written: 20100306013921.000000-420
Event Type: warning
User:

Computer Name: DESKTOP
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Record Number: 28
Source Name: W32Time
Time Written: 20100304085409.000000-420
Event Type: warning
User:

Computer Name: DESKTOP
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 27
Source Name: Tcpip
Time Written: 20100304081002.000000-420
Event Type: warning
User:

Computer Name: DESKTOP
Event Code: 7022
Message: The HP CUE DeviceDiscovery Service service hung on starting.

Record Number: 4
Source Name: Service Control Manager
Time Written: 20100303191625.000000-420
Event Type: error
User:

=====Application event log=====

Computer Name: DESKTOP
Event Code: 5000
Message: EventType officelifeboathang, P1 winword.exe, P2 12.0.6514.5001, P3 ntdll.dll, P4 5.1.2600.5755, P5 NIL, P6 NIL, P7 NIL, P8 NIL, P9 NIL, P10 NIL.

Record Number: 58
Source Name: Microsoft Office 12
Time Written: 20100519095816.000000-360
Event Type: error
User:

Computer Name: DESKTOP
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 52
Source Name: Application Hang
Time Written: 20100517211919.000000-360
Event Type: error
User:

Computer Name: DESKTOP
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 47
Source Name: Application Hang
Time Written: 20100517172322.000000-360
Event Type: error
User:

Computer Name: DESKTOP
Event Code: 1000
Message: Faulting application svchost.exe, version 5.1.2600.5512, faulting module Flash10b.ocx, version 10.0.22.87, fault address 0x000e5aaa.

Record Number: 41
Source Name: Application Error
Time Written: 20100517004154.000000-360
Event Type: error
User:

Computer Name: DESKTOP
Event Code: 1002
Message: Hanging application iexplore.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Record Number: 12
Source Name: Application Hang
Time Written: 20100510205355.000000-360
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Python22;C:\Program Files\PC-Doctor for Windows\services;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 4 Stepping 10, AuthenticAMD
"PROCESSOR_REVISION"=040a
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_04\lib\ext\QTJava.zip

-----------------EOF-----------------

gmer.log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-20 22:17:12
Windows 5.1.2600 Service Pack 3
Running: 1cg30dzr.exe; Driver: C:\DOCUME~1\KJEWEL~1.DES\LOCALS~1\Temp\kxldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9715380, 0x2FF527, 0xE8000020]
.rsrc C:\WINDOWS\system32\DRIVERS\tcpip.sys entry point in ".rsrc" section [0xB301BA94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[984] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 007A000A
.text C:\WINDOWS\System32\svchost.exe[984] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 007B000A
.text C:\WINDOWS\System32\svchost.exe[984] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0079000C
.text C:\WINDOWS\System32\svchost.exe[984] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 027B000A
.text C:\WINDOWS\System32\svchost.exe[984] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0203000A
.text C:\WINDOWS\Explorer.EXE[1636] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\Explorer.EXE[1636] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A7000A
.text C:\WINDOWS\Explorer.EXE[1636] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3076] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0114000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3076] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0115000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3076] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003F000C
.text C:\WINDOWS\system32\wuauclt.exe[3316] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A3000A
.text C:\WINDOWS\system32\wuauclt.exe[3316] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A4000A
.text C:\WINDOWS\system32\wuauclt.exe[3316] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 003D000C
.text C:\WINDOWS\eHome\ehRecvr.exe[3916] kernel32.dll!IsDebuggerPresent 7C813133 6 Bytes JMP 018C32D0 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)
.text C:\WINDOWS\eHome\ehRecvr.exe[3916] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 018C1B60 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)
.text C:\WINDOWS\eHome\ehRecvr.exe[3916] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 018C1B90 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat Tmpreflt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device -> \Driver\atapi \Device\Harddisk0\DR0 89DC0EE4

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\tcpip.sys suspicious modification
File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----




#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 20 May 2010 - 11:58 PM

Hello, kjewell.
P2P Program Warning!

Limewire

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 21 May 2010 - 06:58 AM

To the best of my knowledge, I believe that all anti-virus is disabled at this time. Please advise is this is incorrect. I'm going ahead with Combofix based on this assumption.

I downloaded Combofix.exe to desktop. Double clicking ComboFix icon brings up very small window with a green progress bar. A few seconds later a Media Center Receiver Service has encountered a problem and needs to close window pops up. It gives the option of Send Error Report, Don't Send, or Debug. This window has been popping up for many different programs being run. I do not know if it is legitimate or fake.

Then, an Error window pops up. It reads "Some files could not be created. Please close all applications, reboot Windows and restart the installation."

Should I follow the instructions to close applications, reboot, and rereun CmboFix?



#6 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 21 May 2010 - 07:54 AM

After reboot mentioned in last reply, ComboFix ran, started scan, Window popped up saying Combofix detected rootkit activity and needs to reboot. I clicked OK and allowed reboot. Combofix ran automatically after reboot. Scanning for infected files, Completed Stages_1 through 30 something.

COMBOFIX LOG

ComboFix 10-05-20.A1 - kjewell 05/21/2010 6:34.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1167 [GMT -6:00]
Running from: c:\documents and settings\kjewell.DESKTOP\Desktop\ComboFix.exe
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\510.exe
c:\documents and settings\AA\Step4 .pdf
c:\documents and settings\All Users\Application Data\99871246.ini
c:\program files\Altnet
c:\program files\Altnet\Download Manager\altinst1.dll
c:\program files\Altnet\Download Manager\altinst2.dll
c:\program files\SGPSA
c:\program files\SGPSA\SearchAssistant.dll
c:\windows\cdmxtras
c:\windows\Downloaded Program Files\f3initialsetup1.0.1.1.inf
D:\Autorun.inf

Infected copy of c:\windows\system32\drivers\tcpip.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_HKMSVCRASAUTO
-------\Legacy_MYWEBSEARCHSERVICE
-------\Legacy_RDSESSMGREHSCHED
-------\Legacy_TRKWKSNTMSSVC
-------\Service_hkmsvcRasAuto
-------\Service_RDSessMgrehSched
-------\Service_TrkWksNtmsSvc


((((((((((((((((((((((((( Files Created from 2010-04-21 to 2010-05-21 )))))))))))))))))))))))))))))))
.

2010-05-21 02:21 . 2010-05-21 02:21 -------- d-----w- C:\rsit
2010-05-20 19:49 . 2010-05-20 19:49 -------- d-----w- c:\program files\ESET
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\Downloaded Installations
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\program files\Carbonite
2010-05-20 19:12 . 2010-05-20 19:12 -------- d-----w- c:\program files\Seagate
2010-05-20 06:29 . 2010-05-20 18:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nkftsuirk
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-12 18:24 . 2010-05-12 18:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 12:08 . 2005-04-15 11:40 89336 ----a-w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-21 02:21 . 2008-03-23 22:04 -------- d-----w- c:\program files\Trend Micro
2010-05-20 19:12 . 2004-09-03 07:24 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-05-20 19:12 . 2004-09-03 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-20 19:10 . 2005-04-30 12:02 8356 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-20 19:07 . 2009-05-15 22:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-19 22:04 . 2009-12-31 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\HPAppData
2010-05-19 21:50 . 2009-07-09 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 16:01 . 2009-01-23 02:26 -------- d-----w- c:\program files\RealArcade
2010-05-19 15:57 . 2005-04-15 11:27 37620 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\wklnhst.dat
2010-05-14 23:57 . 2010-01-03 23:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2010-05-14 23:53 . 2005-10-03 02:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2010-05-12 09:02 . 2010-02-14 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-09 02:55 . 2010-03-14 03:00 -------- d-----w- c:\documents and settings\Brianna\Application Data\HPAppData
2010-05-02 16:23 . 2005-04-15 12:09 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\AdobeUM
2010-04-29 21:39 . 2009-07-09 17:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-07-09 17:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 20:44 . 2010-01-17 19:32 130 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\fusioncache.dat
2010-04-01 13:51 . 2010-04-01 13:51 -------- d-----w- c:\program files\Coupons
2010-03-28 19:04 . 2010-03-28 19:04 85424 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 03:52 . 2010-03-27 03:52 -------- d-----w- c:\documents and settings\Brianna\Application Data\Sonic
2010-03-26 16:33 . 2010-04-09 15:22 43008 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 16:33 . 2010-04-09 15:22 339456 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 16:33 . 2010-04-09 15:22 1496064 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 16:32 . 2010-04-09 15:22 346112 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-09 11:09 . 2004-09-10 23:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 18:59 . 2005-05-17 01:25 90128 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 05:43 . 2004-09-10 23:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-09-10 23:15 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-09-10 23:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-02 02:05 . 2009-01-23 02:28 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-01-02 02:05 . 2009-01-23 02:28 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-01-02 02:05 . 2009-01-23 02:28 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-01-02 02:05 . 2009-01-23 02:28 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-01-02 02:05 . 2009-01-23 02:28 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-04-03 19:45 . 2005-04-03 18:45 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon06
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-29 04:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-29 04:43 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"tmproxy"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1ca4ba67991be62"=2 (0x2)
"TrkWksNtmsSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 TmPfwRSVP;Trend Micro Personal Firewall TmPfwRSVP;c:\windows\system32\Adobeb.exe srv --> c:\windows\system32\Adobeb.exe srv [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/20/2007 9:42 AM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/20/2007 9:42 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [10/20/2007 9:42 AM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [10/20/2007 9:42 AM 23680]
S4 gupdate1ca4ba67991be62;Google Update Service (gupdate1ca4ba67991be62);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2009 7:42 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D0523BB4-21E7-11DD-9AB7-415B56D89593} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-21 06:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3328)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehSched.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-05-21 06:50:00 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-21 12:49

Pre-Run: 100,874,084,352 bytes free
Post-Run: 101,454,544,896 bytes free

- - End Of File - - 0EBBC254C61026F011B889D9943CFCD0


#7 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 21 May 2010 - 01:30 PM

Hello, kjewell.
Good to know you got combofix running thumbup2.gif

We need to run a Jotti scan

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows
  1. Go to the Jotti website
  2. When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

    c:\windows\system32\Adobeb.exe

  3. Please post back the results of the scan in your next post.
**Note:If Jotti is busy, try the same at Virustotal
**Note: No logs will be produced. You can either copy/paste the results into your reply, or you can state the infection found (if any) and the scanner that found it


NEXT:

We need to run a GMER scan
  1. Close all other open programs as there is a slight chance your computer will crash.
  2. Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
  3. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  4. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  5. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Jotti Log(s)
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#8 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 21 May 2010 - 06:01 PM

OK, thanks. So far so good.

I set folder options to view everything possible including hidden files, system files, and hidden operating systems. No file named Adobeb.exe is found in the c:\windows\system32\ directory.

I even tried doing a search on the whole c: drive for any such named file. The search included looking for system files and hidden files.

Next step?

I will run the gmer scan (using the previously downloaded gmer executable) and post results when it finishes.




#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 21 May 2010 - 07:57 PM

Hi!

Yes, I'll wait for the GMER scan, then I'll provide you with a Combofix script that you can run to upload the file, if it still exists, to me.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#10 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 22 May 2010 - 12:08 AM

Latest gmer.log. Seriously, thanks so much for your help.

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-21 23:06:08
Windows 5.1.2600 Service Pack 3
Running: 1cg30dzr.exe; Driver: C:\DOCUME~1\KJEWEL~1.DES\LOCALS~1\Temp\kxldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

? Combo-Fix.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9086380, 0x2FF527, 0xE8000020]
? C:\DOCUME~1\KJEWEL~1.DES\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\eHome\ehRecvr.exe[3580] kernel32.dll!IsDebuggerPresent 7C813133 6 Bytes JMP 018D32D0 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)
.text C:\WINDOWS\eHome\ehRecvr.exe[3580] USER32.dll!ChangeDisplaySettingsExA 7E42384E 5 Bytes JMP 018D1B60 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)
.text C:\WINDOWS\eHome\ehRecvr.exe[3580] USER32.dll!ChangeDisplaySettingsExW 7E4595BD 5 Bytes JMP 018D1B90 C:\Program Files\Mpeg2Decoder\GplMpgDec2.ax (GPL MPEG-1/2 Decoder Filter for DirectShow/Peter Wimmer, Gabest)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


#11 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 22 May 2010 - 12:12 AM

Hello, kjewell.
No problem! Glad to help out smile.gif

We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    Suspect::[101]
    c:\windows\system32\Adobeb.exe

    Quit::
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#12 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 22 May 2010 - 08:27 AM

A couple of issues when I tried the ComboFix script.

1) I am still getting a pop up Media Center Receiver Service window saying 'has encountered a problem and needs to close. We are sorry for the inconvenence. Please tell Microsoft about this problem." 3 options to Debug, Send Error Report, or Don't Send. These pop up up routinely whenever I run something, and I've just been ignoring them, not clicking on any of the options.

2) ComboFix pooped up a window saying a new version is available and asked if I wanted to update. I tried to kill that process so I couls ask you first, but I think it updated anyway.

3) When I opened Firefox to ask you these questions, it popped up a window asking if I want to make Firefox my default browser. I ignored this as well, but it makes my Firefox unusable until I pick one of the options. I'm posting through Microsoft Internet explorer now.

Dragged and dropped ComboFix script. Log as follows ComboFix2log.txt

ComboFix 10-05-20.A1 - kjewell 05/22/2010 6:55.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.999 [GMT -6:00]
Running from: c:\documents and settings\kjewell.DESKTOP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kjewell.DESKTOP\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 02:21 . 2010-05-21 02:21 -------- d-----w- C:\rsit
2010-05-20 19:49 . 2010-05-20 19:49 -------- d-----w- c:\program files\ESET
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\Downloaded Installations
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\program files\Carbonite
2010-05-20 19:12 . 2010-05-20 19:12 -------- d-----w- c:\program files\Seagate
2010-05-20 06:29 . 2010-05-20 18:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nkftsuirk
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-12 18:24 . 2010-05-12 18:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-21 23:45 . 2005-04-15 11:27 37620 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\wklnhst.dat
2010-05-21 22:50 . 2009-12-31 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\HPAppData
2010-05-21 12:08 . 2005-04-15 11:40 89336 ----a-w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-21 02:21 . 2008-03-23 22:04 -------- d-----w- c:\program files\Trend Micro
2010-05-20 19:12 . 2004-09-03 07:24 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-05-20 19:12 . 2004-09-03 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-20 19:10 . 2005-04-30 12:02 8356 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-20 19:07 . 2009-05-15 22:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-19 21:50 . 2009-07-09 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-19 16:01 . 2009-01-23 02:26 -------- d-----w- c:\program files\RealArcade
2010-05-14 23:57 . 2010-01-03 23:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2010-05-14 23:53 . 2005-10-03 02:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2010-05-12 09:02 . 2010-02-14 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-09 02:55 . 2010-03-14 03:00 -------- d-----w- c:\documents and settings\Brianna\Application Data\HPAppData
2010-05-02 16:23 . 2005-04-15 12:09 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\AdobeUM
2010-04-29 21:39 . 2009-07-09 17:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-07-09 17:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 20:44 . 2010-01-17 19:32 130 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\fusioncache.dat
2010-04-01 13:51 . 2010-04-01 13:51 -------- d-----w- c:\program files\Coupons
2010-03-28 19:04 . 2010-03-28 19:04 85424 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 03:52 . 2010-03-27 03:52 -------- d-----w- c:\documents and settings\Brianna\Application Data\Sonic
2010-03-26 16:33 . 2010-04-09 15:22 43008 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 16:33 . 2010-04-09 15:22 339456 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 16:33 . 2010-04-09 15:22 1496064 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 16:32 . 2010-04-09 15:22 346112 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-09 11:09 . 2004-09-10 23:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 18:59 . 2005-05-17 01:25 90128 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 05:43 . 2004-09-10 23:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-09-10 23:15 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-09-10 23:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-02 02:05 . 2009-01-23 02:28 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-01-02 02:05 . 2009-01-23 02:28 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-01-02 02:05 . 2009-01-23 02:28 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-01-02 02:05 . 2009-01-23 02:28 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-01-02 02:05 . 2009-01-23 02:28 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-04-03 19:45 . 2005-04-03 18:45 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-29 04:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-29 04:43 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"tmproxy"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1ca4ba67991be62"=2 (0x2)
"TrkWksNtmsSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 TmPfwRSVP;Trend Micro Personal Firewall TmPfwRSVP;c:\windows\system32\Adobeb.exe srv --> c:\windows\system32\Adobeb.exe srv [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/20/2007 9:42 AM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/20/2007 9:42 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [10/20/2007 9:42 AM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [10/20/2007 9:42 AM 23680]
S4 gupdate1ca4ba67991be62;Google Update Service (gupdate1ca4ba67991be62);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2009 7:42 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - kxldapow

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 06:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3048)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-05-22 07:01:34
ComboFix-quarantined-files.txt 2010-05-22 13:01
ComboFix2.txt 2010-05-21 12:50

Pre-Run: 101,519,396,864 bytes free
Post-Run: 101,507,362,816 bytes free

- - End Of File - - 7BA7A97BA24B6F69E6749C5A465F6D10


#13 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 22 May 2010 - 12:46 PM

Hello, kjewell.
QUOTE
1) I am still getting a pop up Media Center Receiver Service window saying 'has encountered a problem and needs to close. We are sorry for the inconvenence. Please tell Microsoft about this problem." 3 options to Debug, Send Error Report, or Don't Send. These pop up up routinely whenever I run something, and I've just been ignoring them, not clicking on any of the options.

Looks like a few program files are corrupt there. We'll look into it once the infection is cleaned up.

QUOTE
2) ComboFix pooped up a window saying a new version is available and asked if I wanted to update. I tried to kill that process so I couls ask you first, but I think it updated anyway.

Combofix constantly undergoes updates to ensure that it stays on top of malware and bugs in its working get fixed. So if at any time you're asked to update it, please do smile.gif

QUOTE
3) When I opened Firefox to ask you these questions, it popped up a window asking if I want to make Firefox my default browser. I ignored this as well, but it makes my Firefox unusable until I pick one of the options. I'm posting through Microsoft Internet explorer now.

Probably a registry entry that got deleted. Feel free to set Firefox back as your default browser.


We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    http://www.bleepingcomputer.com/forums/t/317895/backdoorbot-infection-windows-xp/

    Collect::
    c:\windows\system32\Adobeb.exe

    Driver::
    TmPfwRSVP
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#14 kjewell

kjewell
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:06:26 AM

Posted 22 May 2010 - 01:14 PM

OK, first things first. Closed all browsers (and everything else). Saved and dragged new ComboFix script from your last post into ComboFix executable. New version of ComboFix was updated. ComboFix initiated a computer reboot. Upon reboot, ComboFix ran automatically and generated the following log file, saved as ComboFixlog3.txt.

ComboFix 10-05-22.01 - kjewell 05/22/2010 11:53:34.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1535.1050 [GMT -6:00]
Running from: c:\documents and settings\kjewell.DESKTOP\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\kjewell.DESKTOP\Desktop\CFScript.txt
AV: Trend Micro PC-cillin Internet Security 2006 *On-access scanning disabled* (Outdated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TMPFWRSVP
-------\Service_TmPfwRSVP


((((((((((((((((((((((((( Files Created from 2010-04-22 to 2010-05-22 )))))))))))))))))))))))))))))))
.

2010-05-21 02:21 . 2010-05-21 02:21 -------- d-----w- C:\rsit
2010-05-20 19:49 . 2010-05-20 19:49 -------- d-----w- c:\program files\ESET
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\Downloaded Installations
2010-05-20 19:13 . 2010-05-20 19:13 -------- d-----w- c:\program files\Carbonite
2010-05-20 19:12 . 2010-05-20 19:12 -------- d-----w- c:\program files\Seagate
2010-05-20 06:29 . 2010-05-20 18:36 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\nkftsuirk
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-20 06:29 . 2010-05-20 06:29 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-12 18:24 . 2010-05-12 18:24 -------- d-s---w- c:\documents and settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-22 16:55 . 2005-04-15 11:27 38562 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\wklnhst.dat
2010-05-22 15:46 . 2009-01-23 02:26 -------- d-----w- c:\program files\RealArcade
2010-05-22 13:24 . 2009-12-31 19:13 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\HPAppData
2010-05-21 12:08 . 2005-04-15 11:40 89336 ----a-w- c:\documents and settings\kjewell.DESKTOP\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-21 02:21 . 2008-03-23 22:04 -------- d-----w- c:\program files\Trend Micro
2010-05-20 19:12 . 2004-09-03 07:24 -------- d-----w- c:\program files\Common Files\muvee Technologies
2010-05-20 19:12 . 2004-09-03 07:07 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-20 19:10 . 2005-04-30 12:02 8356 ----a-w- c:\windows\system32\d3d9caps.dat
2010-05-20 19:07 . 2009-05-15 22:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-19 21:50 . 2009-07-09 17:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-14 23:57 . 2010-01-03 23:16 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\HPAppData
2010-05-14 23:53 . 2005-10-03 02:13 -------- d-----w- c:\documents and settings\HP_Administrator\Application Data\AdobeUM
2010-05-12 09:02 . 2010-02-14 05:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-09 02:55 . 2010-03-14 03:00 -------- d-----w- c:\documents and settings\Brianna\Application Data\HPAppData
2010-05-02 16:23 . 2005-04-15 12:09 -------- d-----w- c:\documents and settings\kjewell.DESKTOP\Application Data\AdobeUM
2010-04-29 21:39 . 2009-07-09 17:40 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 21:39 . 2009-07-09 17:40 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 20:44 . 2010-01-17 19:32 130 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\fusioncache.dat
2010-04-01 13:51 . 2010-04-01 13:51 -------- d-----w- c:\program files\Coupons
2010-03-28 19:04 . 2010-03-28 19:04 85424 ----a-w- c:\documents and settings\Brianna\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-27 03:52 . 2010-03-27 03:52 -------- d-----w- c:\documents and settings\Brianna\Application Data\Sonic
2010-03-26 16:33 . 2010-04-09 15:22 43008 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbarloader.dll
2010-03-26 16:33 . 2010-04-09 15:22 339456 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff2.dll
2010-03-26 16:33 . 2010-04-09 15:22 1496064 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
2010-03-26 16:32 . 2010-04-09 15:22 346112 ----a-w- c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\libraries\googletoolbar-ff3.dll
2010-03-09 11:09 . 2004-09-10 23:18 430080 ----a-w- c:\windows\system32\vbscript.dll
2010-02-28 18:59 . 2005-05-17 01:25 90128 ----a-w- c:\documents and settings\HP_Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-26 05:43 . 2004-09-10 23:18 667136 ----a-w- c:\windows\system32\wininet.dll
2010-02-26 05:43 . 2004-09-10 23:15 81920 ----a-w- c:\windows\system32\ieencode.dll
2010-02-24 13:11 . 2004-09-10 23:15 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-01-02 02:05 . 2009-01-23 02:28 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2010-01-02 02:05 . 2009-01-23 02:28 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2010-01-02 02:05 . 2009-01-23 02:28 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2010-01-02 02:05 . 2009-01-23 02:28 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2010-01-02 02:05 . 2009-01-23 02:28 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-04-03 19:45 . 2005-04-03 18:45 0 -csha-w- c:\windows\SMINST\HPCD.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"CarboniteSetupLite"="c:\program files\Carbonite\CarbonitePreinstaller.exe" [2009-08-04 318096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
2004-06-30 00:06 88363 ----a-w- c:\windows\AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
2004-09-07 19:47 57344 ----a-w- c:\windows\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
2005-08-05 20:56 64512 ----a-w- c:\windows\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-06-29 04:43 8466432 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-06-29 04:43 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2004-04-15 03:43 233472 ----a-w- c:\windows\SMINST\Recguard.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"WMPNetworkSvc"=3 (0x3)
"tmproxy"=2 (0x2)
"PcCtlCom"=2 (0x2)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"NVSvc"=2 (0x2)
"Microsoft Office Groove Audit Service"=3 (0x3)
"MDM"=2 (0x2)
"LeapFrog Connect Device Service"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1ca4ba67991be62"=2 (0x2)
"TrkWksNtmsSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Sony\\Media Manager for WALKMAN\\MediaManager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [10/20/2007 9:42 AM 17920]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [10/20/2007 9:42 AM 7680]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [10/20/2007 9:42 AM 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [10/20/2007 9:42 AM 23680]
S4 gupdate1ca4ba67991be62;Google Update Service (gupdate1ca4ba67991be62);c:\program files\Google\Update\GoogleUpdate.exe [10/12/2009 7:42 PM 133104]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q404&bd=pavilion&pf=desktop
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com
FF - component: c:\documents and settings\kjewell.DESKTOP\Application Data\Mozilla\Firefox\Profiles\5sshggxy.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\progra~1\MOZILL~1\extensions\talkback@mozilla.org\components\qfaservices.dll
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-22 12:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1352)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\eHome\ehSched.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\system32\dwwin.exe
.
**************************************************************************
.
Completion time: 2010-05-22 12:07:05 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-22 18:07
ComboFix2.txt 2010-05-22 13:01
ComboFix3.txt 2010-05-21 12:50

Pre-Run: 101,508,521,984 bytes free
Post-Run: 101,452,804,096 bytes free

- - End Of File - - A9B29FF2C19A843657E485A17649B05F


#15 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:26 PM

Posted 22 May 2010 - 02:45 PM

Hello, kjewell.
Looks good! How's your computer doing? Experiencing any problems? If not, please proceed with below

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 20 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java versions.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "< button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users