Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Google redirects to random sites


  • This topic is locked This topic is locked
16 replies to this topic

#1 mrkotter1

mrkotter1

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 01 June 2010 - 11:54 PM

It started last week with a couple of malware/virus attacks. I ran malwarebytes and got some removed. However, now when I click on Google searches I get redirected to random sites. Also since the attack I haven't been able to access Window Updates or get Spyware Doctor restore points. I don't know if this means anything. Anyways, here is my log file, PLEASE HELP.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:49:23 PM, on 6/1/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\SmarThru Office\BackUpSvr.exe
C:\Program Files\SmarThru Office\LegacyLauncher.exe
C:\Windows\twain_32\Samsung\SCX4x26\Scan2Pc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetClient.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetPluginHost.exe
C:\Program Files\SmarThru Office\STOSysService.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [NetFxUpdate_v1.1.4322] "C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [STO Backup Service] C:\Program Files\SmarThru Office\BackUpSvr.exe
O4 - HKLM\..\Run: [STO Launcher Service] C:\Program Files\SmarThru Office\LegacyLauncher.exe /run
O4 - HKLM\..\Run: [4x26 Scan2PC] "C:\Windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Gladinet Cloud Desktop.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingbox.com/plugin/download...SlingPlayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: GladFileMonSvc - Gladinet, INC - C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 12013 bytes

Edited by boopme, 02 June 2010 - 12:36 PM.


BC AdBot (Login to Remove)

 


#2 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 03 June 2010 - 01:12 PM

Hello, mrkotter1.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response we get overwhelmed at times but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not please perform the following below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for smile.gif
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 05 June 2010 - 10:25 PM

I have tried several times to get RSIT to show the info.txt file but it doesn't come up. I ran it once before and the file did come up but at that time for some reason the bleepingcomputer site was not coming up on my computer. i think something was blocking it. Also the new problem that keeps coming up is that my User profile keep failing to load. Just another symptom I think. Anyways I'm posting the log.txt amd gmer.log (but as stated before teh info.txt doesn't come up). please advise.

Logfile of random's system information tool 1.07 (written by random/random)
Run by Marvin at 2010-06-05 22:20:48
Microsoft® Windows Vista™ Business Service Pack 2
System drive C: has 75 GB (53%) free of 143 GB
Total RAM: 2038 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:20:56 PM, on 6/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\SmarThru Office\BackUpSvr.exe
C:\Program Files\SmarThru Office\LegacyLauncher.exe
C:\Windows\twain_32\Samsung\SCX4x26\Scan2Pc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetClient.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetPluginHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Marvin\Desktop\RSIT.exe
C:\Program Files\trend micro\Marvin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [NetFxUpdate_v1.1.4322] "C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [STO Backup Service] C:\Program Files\SmarThru Office\BackUpSvr.exe
O4 - HKLM\..\Run: [STO Launcher Service] C:\Program Files\SmarThru Office\LegacyLauncher.exe /run
O4 - HKLM\..\Run: [4x26 Scan2PC] "C:\Windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Gladinet Cloud Desktop.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingbox.com/plugin/download...SlingPlayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: GladFileMonSvc - Gladinet, INC - C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11810 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{ADBC07D4-5ABE-40EE-8DD7-6C88F3CC9E7D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-28 278128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-05-28 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-11-03 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-06 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-28 278128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Google Quick Search Box"=C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [2009-12-29 122880]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-11-03 684712]
"lxduamon"=C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe [2008-11-03 16040]
"NetFxUpdate_v1.1.4322"=C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [2004-08-10 106496]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]
"SPIRunE"=Rundll32 SPIRunE.dll,RunDLLEntry []
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-12-12 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-12-12 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-12-12 81920]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2009-12-22 1092872]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-01-18 30192]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2009-01-21 4359600]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2009-01-21 960560]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2009-01-21 377248]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"Samsung PanelMgr"=C:\Windows\Samsung\PanelMgr\SSMMgr.exe [2008-08-18 536576]
"STO Backup Service"=C:\Program Files\SmarThru Office\BackUpSvr.exe [2008-08-05 192512]
"STO Launcher Service"=C:\Program Files\SmarThru Office\LegacyLauncher.exe [2008-08-05 331776]
"4x26 Scan2PC"=C:\Windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe [2008-07-23 495616]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2009-11-18 1243088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-12-29 39408]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Gladinet Cloud Desktop.lnk - C:\Windows\Installer\{D20D70E9-B4AE-4B33-BC4D-D50B20BF2E1F}\_E62DE6B4606D4EA85FFD8A.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-06-03 20:32:12 ----D---- C:\rsit
2010-06-01 23:26:39 ----D---- C:\Program Files\Trend Micro
2010-06-01 18:13:44 ----D---- C:\Samsung
2010-05-30 00:15:58 ----D---- C:\Windows\Minidump
2010-05-29 21:31:54 ----A---- C:\Windows\system32\gotomon.dll
2010-05-28 04:56:50 ----D---- C:\Users\Marvin\AppData\Roaming\Malwarebytes
2010-05-28 04:56:37 ----D---- C:\ProgramData\Malwarebytes
2010-05-28 04:56:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-26 00:04:52 ----D---- C:\Windows\Sun
2010-05-25 01:26:49 ----D---- C:\Users\Marvin\AppData\Roaming\Nik Software
2010-05-23 01:21:22 ----D---- C:\Program Files\EASEUS
2010-05-13 06:27:53 ----D---- C:\ProgramData\CitrixLogs
2010-05-13 06:27:52 ----D---- C:\Program Files\Citrix
2010-05-11 18:39:43 ----A---- C:\Windows\system32\inetcomm.dll
2010-05-10 22:15:59 ----A---- C:\Windows\system32\igfxres.dll

======List of files/folders modified in the last 1 months======

2010-06-05 22:20:54 ----D---- C:\Windows\Temp
2010-06-05 22:00:10 ----D---- C:\Windows\Prefetch
2010-06-05 20:50:44 ----AD---- C:\ProgramData\TEMP
2010-06-05 20:38:30 ----D---- C:\Program Files\Spyware Doctor
2010-06-05 20:31:24 ----D---- C:\Windows\System32
2010-06-05 20:31:24 ----D---- C:\Windows\inf
2010-06-05 20:31:24 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-06-05 20:26:56 ----D---- C:\Windows\Tasks
2010-06-05 20:23:45 ----D---- C:\Windows
2010-06-04 08:05:01 ----SHD---- C:\System Volume Information
2010-06-03 20:51:36 ----A---- C:\Windows\ntbtlog.txt
2010-06-01 23:26:39 ----SHD---- C:\Windows\Installer
2010-06-01 23:26:39 ----RD---- C:\Program Files
2010-06-01 18:21:20 ----D---- C:\Windows\system32\catroot2
2010-06-01 01:03:48 ----HD---- C:\ProgramData
2010-06-01 01:03:48 ----D---- C:\Program Files\Common Files
2010-05-30 12:27:01 ----D---- C:\Windows\system32\drivers
2010-05-30 12:27:01 ----D---- C:\Windows\L2Schemas
2010-05-27 00:28:59 ----D---- C:\Windows\system32\Msdtc
2010-05-27 00:28:50 ----D---- C:\Windows\system32\wbem
2010-05-27 00:27:35 ----D---- C:\Windows\system32\config
2010-05-27 00:27:03 ----D---- C:\Windows\system32\Tasks
2010-05-27 00:27:03 ----D---- C:\Windows\system32\spool
2010-05-27 00:27:02 ----D---- C:\Windows\system32\CodeIntegrity
2010-05-27 00:26:57 ----D---- C:\Users\Marvin\AppData\Roaming\BitTorrent
2010-05-27 00:26:40 ----D---- C:\Windows\registration
2010-05-13 14:28:07 ----D---- C:\Windows\LiveKernelReports
2010-05-13 14:26:36 ----D---- C:\Users\Marvin\AppData\Roaming\PrimoPDF
2010-05-13 06:27:52 ----HD---- C:\Program Files\InstallShield Installation Information
2010-05-12 21:41:26 ----D---- C:\Windows\winsxs
2010-05-12 21:26:18 ----D---- C:\Program Files\Windows Mail
2010-05-12 21:24:15 ----D---- C:\Windows\system32\catroot
2010-05-11 14:41:43 ----D---- C:\Program Files\Google
2010-05-06 10:36:38 ----A---- C:\Windows\system32\MpSigStub.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2009-04-10 351744]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2008-07-21 5120]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2010-02-03 44704]
R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter; C:\Windows\system32\DRIVERS\ax88772.sys [2009-10-02 62976]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2010-01-07 47360]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-20 654336]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2008-07-21 41984]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 t3;SB Xtreme Audio Notebook; C:\Windows\system32\drivers\t3.sys [2009-05-06 413208]
S3 usb_rndisx;USB RNDIS Adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-04-10 15872]
S3 uwryrfog;uwryrfog; \??\C:\Users\Marvin\AppData\Local\Temp\uwryrfog.sys []
S3 WSDPrintDevice;WSD Print Support via UMB; C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-20 16896]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2009-01-21 618944]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 GladFileMonSvc;GladFileMonSvc; C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [2009-12-19 24296]
R2 lxdu_device;lxdu_device; C:\Windows\system32\lxducoms.exe [2009-10-16 589824]
R2 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [2005-05-04 9150464]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
R2 QBCFMonitorService;QBCFMonitorService; c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2009-12-16 45056]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-11-06 1141712]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S2 CTAudSvcService;Creative Audio Service; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2009-02-23 307200]
S2 GoToMyPC;GoToMyPC; C:\Program Files\Citrix\GoToMyPC\g2svc.exe [2009-12-15 557424]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-01 194032]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-29 31048]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-20 523776]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-01-18 30192]
S3 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2009-07-23 61440]
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [2005-05-03 323584]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2009-04-11 918528]

-----------------EOF-----------------


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-05 22:20:14
Windows 6.0.6002 Service Pack 2
Running: 6ddgp4vj.exe; Driver: C:\Users\Marvin\AppData\Local\Temp\uwryrfog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x89009CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x89009ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x89009984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8900A0D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 836F596C 8 Bytes [DE, 9C, 00, 89, D0, 9E, 00, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 836F5D84 4 Bytes [84, 99, 00, 89]
.text ntkrnlpa.exe!KeSetEvent + 6E5 836F5E48 4 Bytes [D8, A0, 00, 89]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0075000A
.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0097000A
.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0070000A
.text C:\Windows\system32\svchost.exe[1460] ole32.dll!CoCreateInstance 76159EA6 3 Bytes JMP 00A1000A
.text C:\Windows\system32\svchost.exe[1460] ole32.dll!CoCreateInstance + 4 76159EAA 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1460] USER32.dll!GetCursorPos 763B0B88 5 Bytes JMP 0131000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0085000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0098000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0084000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0024000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogParamW 763972A2 5 Bytes JMP 6A75DE50 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!GetAsyncKeyState 7639863C 5 Bytes JMP 6A678EF7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetWindowsHookExW 763987AD 5 Bytes JMP 6A759A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CallNextHookEx 76398E3B 5 Bytes JMP 6A74D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!UnhookWindowsHookEx 763998DB 5 Bytes JMP 6A6C466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!EnableWindow 7639CD8B 5 Bytes JMP 6A75DCDD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateWindowExW 763A1305 5 Bytes JMP 6A75DAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!GetKeyState 763A8CB1 5 Bytes JMP 6A75D28B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!IsDialogMessageW 763B0745 5 Bytes JMP 6A685A17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogParamA 763B17AA 5 Bytes JMP 6A8553AB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!IsDialogMessage 763B1847 5 Bytes JMP 6A854C47 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogIndirectParamA 763B26F1 5 Bytes JMP 6A8553E2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogIndirectParamW 763B9A62 5 Bytes JMP 6A855419 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetKeyboardState 763C0987 5 Bytes JMP 6A854FB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamW 763C10B0 5 Bytes JMP 6A685505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamW 763C2EF5 5 Bytes JMP 6A85473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SendInput 763C2F75 5 Bytes JMP 6A855B73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!EndDialog 763C326E 5 Bytes JMP 6A687EC2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetCursorPos 763D6FB2 5 Bytes JMP 6A855BC7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamA 763D8152 5 Bytes JMP 6A8546DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamA 763D847D 5 Bytes JMP 6A8547A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectA 763ED4D9 5 Bytes JMP 6A854671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectW 763ED5D3 5 Bytes JMP 6A854606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExA 763ED639 5 Bytes JMP 6A8545A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExW 763ED65D 5 Bytes JMP 6A854542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!keybd_event 763ED972 5 Bytes JMP 6A855EF7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] SHELL32.dll!SHRestricted + D95 76548988 4 Bytes [4D, 30, 9B, 68]
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] SHELL32.dll!SHRestricted + D9D 76548990 8 Bytes [57, 2F, 9B, 68, 9C, 5B, 9A, ...] {PUSH EDI; DAS ; WAIT ; PUSH 0x689a5b9c}
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!OleLoadFromStream 76121E12 5 Bytes JMP 6A854AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!CoCreateInstance 76159EA6 5 Bytes JMP 6A75DB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0018000A
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0019000A
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0017000A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4160] kernel32.dll!CreateThread + 1A 77BCC928 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4916] kernel32.dll!CreateThread + 1A 77BCC928 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0047000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!CreateWindowExW 763A1305 5 Bytes JMP 6A75DAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxParamW 763C10B0 5 Bytes JMP 6A685505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxIndirectParamW 763C2EF5 5 Bytes JMP 6A85473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxParamA 763D8152 5 Bytes JMP 6A8546DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxIndirectParamA 763D847D 5 Bytes JMP 6A8547A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxIndirectA 763ED4D9 5 Bytes JMP 6A854671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxIndirectW 763ED5D3 5 Bytes JMP 6A854606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxExA 763ED639 5 Bytes JMP 6A8545A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxExW 763ED65D 5 Bytes JMP 6A854542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb@0017831c2682 0x0D 0x9E 0x1C 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb@002376a1bc3d 0x01 0xE7 0x74 0x68 ...
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb@0017831c2682 0x0D 0x9E 0x1C 0x56 ...
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb@002376a1bc3d 0x01 0xE7 0x74 0x68 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\TMP00000064AF6CDD17EFFDA4D0 524288 bytes

---- EOF - GMER 1.0.15 ----


#4 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 06 June 2010 - 01:13 PM

Hi!

You probably run rsit multiple times (or some time in the past) and in this case, RSIT will only display the log.txt. You can find the info.txt in the C:\rsit folder.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#5 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 06 June 2010 - 08:16 PM

Thank you. Sure enough it was there. I am reposted as your directions call for.

Logfile of random's system information tool 1.07 (written by random/random)
Run by Marvin at 2010-06-05 22:20:48
Microsoft® Windows Vista™ Business Service Pack 2
System drive C: has 75 GB (53%) free of 143 GB
Total RAM: 2038 MB (34% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:20:56 PM, on 6/5/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18904)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Windows\Samsung\PanelMgr\SSMMgr.exe
C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe
C:\Program Files\SmarThru Office\BackUpSvr.exe
C:\Program Files\SmarThru Office\LegacyLauncher.exe
C:\Windows\twain_32\Samsung\SCX4x26\Scan2Pc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetClient.exe
C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladinetPluginHost.exe
C:\Windows\system32\DllHost.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10d.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Marvin\Desktop\RSIT.exe
C:\Program Files\trend micro\Marvin.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Preserve
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe" /autorun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [lxdumon.exe] "C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe"
O4 - HKLM\..\Run: [lxduamon] "C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe"
O4 - HKLM\..\Run: [NetFxUpdate_v1.1.4322] "C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" 1 v1.1.4322 GAC + NI NID
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SPIRunE] Rundll32 SPIRunE.dll,RunDLLEntry
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\Windows\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [STO Backup Service] C:\Program Files\SmarThru Office\BackUpSvr.exe
O4 - HKLM\..\Run: [STO Launcher Service] C:\Program Files\SmarThru Office\LegacyLauncher.exe /run
O4 - HKLM\..\Run: [4x26 Scan2PC] "C:\Windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Gladinet Cloud Desktop.lnk = ?
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Web Capture - {7BDBFB9E-FD6E-43c2-937A-5C9F33FEBE5F} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Capture Selection - {A36A58CC-70D5-4462-9C90-C0E9D244B230} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save Selected Text - {A5183750-A927-4ec3-B027-C633A2D5418C} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra button: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O9 - Extra 'Tools' menuitem: Save as HTML - {BDC4DF0E-D605-48d6-B4AF-CA5927A463EE} - C:\Program Files\SmarThru Office\WebCapture.dll (HKCU)
O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} (WebSlingPlayer) - http://plugin.slingbox.com/plugin/download...SlingPlayer.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: intu-help-qb3 - {C5E479EA-0A65-4B05-8C6C-2FC8CC682EB4} - (no file)
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: GladFileMonSvc - Gladinet, INC - C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe
O23 - Service: Google Desktop Manager 5.9.911.3589 (GoogleDesktopManager-110309-193829) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: GoToMyPC - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToMyPC\g2svc.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxduCATSCustConnectService - Lexmark International, Inc. - C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe
O23 - Service: lxdu_device - - C:\Windows\system32\lxducoms.exe
O23 - Service: QBCFMonitorService - Intuit - c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 11810 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\User_Feed_Synchronization-{ADBC07D4-5ABE-40EE-8DD7-6C88F3CC9E7D}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live ID Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-03-30 403824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-28 278128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll [2010-05-28 814648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D2C5E510-BE6D-42CC-9F61-E4F939078474}]
Lexmark Printable Web - C:\Program Files\Lexmark Printable Web\bho.dll [2008-11-03 180224]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-02-06 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2010-05-28 278128]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-20 1008184]
"Google Quick Search Box"=C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe [2009-12-29 122880]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2009-02-27 35696]
"lxdumon.exe"=C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe [2008-11-03 684712]
"lxduamon"=C:\Program Files\Lexmark 5600-6600 Series\lxduamon.exe [2008-11-03 16040]
"NetFxUpdate_v1.1.4322"=C:\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [2004-08-10 106496]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2009-11-11 417792]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2009-11-12 141600]
"SPIRunE"=Rundll32 SPIRunE.dll,RunDLLEntry []
"IgfxTray"=C:\Windows\system32\igfxtray.exe [2006-12-12 98304]
"HotKeysCmds"=C:\Windows\system32\hkcmd.exe [2006-12-12 106496]
"Persistence"=C:\Windows\system32\igfxpers.exe [2006-12-12 81920]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2009-12-22 1092872]
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-01-18 30192]
"TrueImageMonitor.exe"=C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe [2009-01-21 4359600]
"AcronisTimounterMonitor"=C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe [2009-01-21 960560]
"Acronis Scheduler2 Service"=C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe [2009-01-21 377248]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-01-11 246504]
"Samsung PanelMgr"=C:\Windows\Samsung\PanelMgr\SSMMgr.exe [2008-08-18 536576]
"STO Backup Service"=C:\Program Files\SmarThru Office\BackUpSvr.exe [2008-08-05 192512]
"STO Launcher Service"=C:\Program Files\SmarThru Office\LegacyLauncher.exe [2008-08-05 331776]
"4x26 Scan2PC"=C:\Windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe [2008-07-23 495616]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2009-11-18 1243088]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1233920]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-01-20 202240]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-12-29 39408]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Gladinet Cloud Desktop.lnk - C:\Windows\Installer\{D20D70E9-B4AE-4B33-BC4D-D50B20BF2E1F}\_E62DE6B4606D4EA85FFD8A.exe
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GO333C~1\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\Windows\system32\igfxdev.dll [2006-12-12 212992]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"BindDirectlyToPropertySetStorage"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2010-06-03 20:32:12 ----D---- C:\rsit
2010-06-01 23:26:39 ----D---- C:\Program Files\Trend Micro
2010-06-01 18:13:44 ----D---- C:\Samsung
2010-05-30 00:15:58 ----D---- C:\Windows\Minidump
2010-05-29 21:31:54 ----A---- C:\Windows\system32\gotomon.dll
2010-05-28 04:56:50 ----D---- C:\Users\Marvin\AppData\Roaming\Malwarebytes
2010-05-28 04:56:37 ----D---- C:\ProgramData\Malwarebytes
2010-05-28 04:56:37 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-05-26 00:04:52 ----D---- C:\Windows\Sun
2010-05-25 01:26:49 ----D---- C:\Users\Marvin\AppData\Roaming\Nik Software
2010-05-23 01:21:22 ----D---- C:\Program Files\EASEUS
2010-05-13 06:27:53 ----D---- C:\ProgramData\CitrixLogs
2010-05-13 06:27:52 ----D---- C:\Program Files\Citrix
2010-05-11 18:39:43 ----A---- C:\Windows\system32\inetcomm.dll
2010-05-10 22:15:59 ----A---- C:\Windows\system32\igfxres.dll

======List of files/folders modified in the last 1 months======

2010-06-05 22:20:54 ----D---- C:\Windows\Temp
2010-06-05 22:00:10 ----D---- C:\Windows\Prefetch
2010-06-05 20:50:44 ----AD---- C:\ProgramData\TEMP
2010-06-05 20:38:30 ----D---- C:\Program Files\Spyware Doctor
2010-06-05 20:31:24 ----D---- C:\Windows\System32
2010-06-05 20:31:24 ----D---- C:\Windows\inf
2010-06-05 20:31:24 ----A---- C:\Windows\system32\PerfStringBackup.INI
2010-06-05 20:26:56 ----D---- C:\Windows\Tasks
2010-06-05 20:23:45 ----D---- C:\Windows
2010-06-04 08:05:01 ----SHD---- C:\System Volume Information
2010-06-03 20:51:36 ----A---- C:\Windows\ntbtlog.txt
2010-06-01 23:26:39 ----SHD---- C:\Windows\Installer
2010-06-01 23:26:39 ----RD---- C:\Program Files
2010-06-01 18:21:20 ----D---- C:\Windows\system32\catroot2
2010-06-01 01:03:48 ----HD---- C:\ProgramData
2010-06-01 01:03:48 ----D---- C:\Program Files\Common Files
2010-05-30 12:27:01 ----D---- C:\Windows\system32\drivers
2010-05-30 12:27:01 ----D---- C:\Windows\L2Schemas
2010-05-27 00:28:59 ----D---- C:\Windows\system32\Msdtc
2010-05-27 00:28:50 ----D---- C:\Windows\system32\wbem
2010-05-27 00:27:35 ----D---- C:\Windows\system32\config
2010-05-27 00:27:03 ----D---- C:\Windows\system32\Tasks
2010-05-27 00:27:03 ----D---- C:\Windows\system32\spool
2010-05-27 00:27:02 ----D---- C:\Windows\system32\CodeIntegrity
2010-05-27 00:26:57 ----D---- C:\Users\Marvin\AppData\Roaming\BitTorrent
2010-05-27 00:26:40 ----D---- C:\Windows\registration
2010-05-13 14:28:07 ----D---- C:\Windows\LiveKernelReports
2010-05-13 14:26:36 ----D---- C:\Users\Marvin\AppData\Roaming\PrimoPDF
2010-05-13 06:27:52 ----HD---- C:\Program Files\InstallShield Installation Information
2010-05-12 21:41:26 ----D---- C:\Windows\winsxs
2010-05-12 21:26:18 ----D---- C:\Program Files\Windows Mail
2010-05-12 21:24:15 ----D---- C:\Windows\system32\catroot
2010-05-11 14:41:43 ----D---- C:\Program Files\Google
2010-05-06 10:36:38 ----A---- C:\Windows\system32\MpSigStub.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2009-04-10 351744]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2006-11-14 37376]
R2 SSPORT;SSPORT; \??\C:\Windows\system32\Drivers\SSPORT.sys [2008-07-21 5120]
R2 tifsfilter;Acronis True Image FS Filter; C:\Windows\system32\DRIVERS\tifsfilt.sys [2010-02-03 44704]
R3 AX88772;ASIX AX88772 USB2.0 to Fast Ethernet Adapter; C:\Windows\system32\DRIVERS\ax88772.sys [2009-10-02 62976]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; C:\Windows\system32\DRIVERS\bcm4sbxp.sys [2006-11-02 45056]
R3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2009-04-10 22528]
R3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-20 92160]
R3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2009-04-10 29696]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-20 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2009-04-10 236544]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2008-01-20 987648]
R3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2008-01-20 200704]
R3 igfx;igfx; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
R3 NETw4v32;Intel® Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
R3 pcouffin;VSO Software pcouffin; C:\Windows\System32\Drivers\pcouffin.sys [2010-01-07 47360]
R3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2009-04-10 148992]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-10 89088]
R3 usbaudio;USB Audio Driver (WDM); C:\Windows\system32\drivers\usbaudio.sys [2009-04-10 73216]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-20 35328]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2008-01-20 654336]
R3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-20 83328]
S2 DgiVecp;DgiVecp; \??\C:\Windows\system32\Drivers\DgiVecp.sys [2008-07-21 41984]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2009-04-10 507904]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-20 5632]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-12-12 1476608]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-20 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-20 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-20 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-20 6016]
S3 NETw3v32;Intel® PRO/Wireless 3945ABG Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw3v32.sys [2008-01-20 2225664]
S3 t3;SB Xtreme Audio Notebook; C:\Windows\system32\drivers\t3.sys [2009-05-06 413208]
S3 usb_rndisx;USB RNDIS Adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2009-04-10 15872]
S3 uwryrfog;uwryrfog; \??\C:\Users\Marvin\AppData\Local\Temp\uwryrfog.sys []
S3 WSDPrintDevice;WSD Print Support via UMB; C:\Windows\system32\DRIVERS\WSDPrint.sys [2008-01-20 16896]
S4 ErrDev;Microsoft Hardware Error Device Driver; C:\Windows\system32\drivers\errdev.sys [2008-01-20 6656]
S4 MegaSR;MegaSR; C:\Windows\system32\drivers\megasr.sys [2008-01-20 386616]
S4 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\drivers\wmiacpi.sys [2008-01-20 11264]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AcrSch2Svc;Acronis Scheduler2 Service; C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe [2009-01-21 618944]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2009-08-28 144672]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-20 21504]
R2 GladFileMonSvc;GladFileMonSvc; C:\Program Files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [2009-12-19 24296]
R2 lxdu_device;lxdu_device; C:\Windows\system32\lxducoms.exe [2009-10-16 589824]
R2 MSSQL$MICROSOFTSMLBIZ;MSSQL$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe [2005-05-04 9150464]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ); c:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2009-05-27 29262680]
R2 QBCFMonitorService;QBCFMonitorService; c:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2009-12-16 45056]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2009-11-06 1141712]
R2 SQLBrowser;SQL Server Browser; c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe [2008-11-24 239968]
R2 SQLWriter;SQL Server VSS Writer; c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe [2008-11-24 87904]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2008-01-20 21504]
R2 wlidsvc;Windows Live ID Sign-in Assistant; C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE [2009-03-30 1533808]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2009-11-12 545568]
S2 CTAudSvcService;Creative Audio Service; C:\Program Files\Creative\Shared Files\CTAudSvc.exe [2009-02-23 307200]
S2 GoToMyPC;GoToMyPC; C:\Program Files\Citrix\GoToMyPC\g2svc.exe [2009-12-15 557424]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2010-02-01 194032]
S2 lxduCATSCustConnectService;lxduCATSCustConnectService; C:\Windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2009-03-29 31048]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service; C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-20 523776]
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-20 21504]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2010-01-18 30192]
S3 MSSQLServerADHelper;SQL Server Active Directory Helper; c:\Program Files\Microsoft SQL Server\90\Shared\sqladhlp90.exe [2008-11-24 45408]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 QBFCService;Intuit QuickBooks FCS; c:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2009-07-23 61440]
S3 SQLAgent$MICROSOFTSMLBIZ;SQLAgent$MICROSOFTSMLBIZ; C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlagent.EXE [2005-05-03 323584]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-20 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2009-04-11 918528]

-----------------EOF-----------------


info.txt logfile of random's system information tool 1.06 2010-06-03 20:32:30

======Uninstall list======

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{700932B3-A964-4878-82A2-96054622A1F7}\setup.exe" -l0x9 /remove
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAEF329E-F353-46C9-933D-24A571986093}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9
-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CC3D3A93-C433-4329-AC3A-7EFC52A332C2}\setup.exe" -l0x9 /remove
Acrobat.com-->msiexec /qb /x {6421F085-1FAA-DE13-D02A-CFB412C522A4}
Acrobat.com-->MsiExec.exe /I{6421F085-1FAA-DE13-D02A-CFB412C522A4}
Acronis True Image Home-->MsiExec.exe /X{37C8899D-FD70-481F-94AA-1F1B08765E22}
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 9.1-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A91000000001}
Apple Application Support-->MsiExec.exe /I{3FA365DF-2D68-45ED-8F83-8C8A33E65143}
Apple Mobile Device Support-->MsiExec.exe /I{AADEA55D-C834-4BCB-98A3-4B8D1C18F4EE}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
BitTorrent-->C:\Program Files\BitTorrent\uninst.exe
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
Creative Audio Control Panel-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{17E96A7F-AFE3-4171-87B1-583E376319E8}\setup.exe" -l0x9 /remove
Creative Software AutoUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88B1984E-36F0-47B8-B8DC-728966807A9C}\setup.exe" -l0x9 /remove
Creative Sound Blaster Properties-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7AB55EC6-1158-41EF-B87D-90555A8F5C92}\setup.exe" -l0x9 /remove
DVDFab 6.2.1.8 (31/12/2009)-->"C:\Program Files\DVDFab 6\unins000.exe"
GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)-->C:\Windows\SQL9_KB970892_ENU\Hotfix.exe /Uninstall
Gladinet Cloud Desktop-->MsiExec.exe /I{D20D70E9-B4AE-4B33-BC4D-D50B20BF2E1F}
Google Apps-->MsiExec.exe /I{C8E95BF5-C07F-4D98-BB42-F58FC98BC03E}
Google Chrome-->"C:\Program Files\Google\Chrome\Application\5.0.375.55\Installer\setup.exe" --uninstall --system-level
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth-->MsiExec.exe /X{F7B0939E-58DF-11DF-B3A6-005056806466}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_A22A7357696681C5.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
GoToMyPC-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F4D4FD-1814-4068-B316-C28FC776C6DD}\Setup.exe" -l0x9 AddRemovePrograms
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Host OpenAL-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AAEF329E-F353-46C9-933D-24A571986093}\setup.exe" -l0x9 /remove
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
HTC Touch Pro2 User Guide-->C:\Program Files\HTC Touch Pro2 User Guide\Windows Mobile Device Handbook\Bin\DHUninstall.exe
Intel® Graphics Media Accelerator Driver-->C:\Windows\system32\igxpun.exe -uninstall
iTunes-->MsiExec.exe /I{A6FDF86A-F541-4E7B-AEA0-8849A2A700D5}
Java™ 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216018FF}
Lexmark 5600-6600 Series-->C:\Program Files\Lexmark 5600-6600 Series\Install\x86\Uninst.exe
Lexmark Printable Web-->regsvr32.exe /s /u "C:\Program Files\Lexmark Printable Web\bho.dll"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Media Player Codec Pack 3.9.2-->C:\Windows\system32\C2MP\Uninst.exe
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->c:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office 2003 Primary Interop Assemblies-->MsiExec.exe /X{91490409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Accounting 2009 Equifax Addin-->MsiExec.exe /X{C6C148EC-55FB-4FDF-AD4F-ECEA579D040D}
Microsoft Office Accounting 2009 Fixed Asset Manager-->MsiExec.exe /X{53276F5A-85AB-4BEF-BAA2-2490975DC006}
Microsoft Office Accounting 2009 PayPal Addin-->MsiExec.exe /X{DC0C35E4-CD3D-4F12-95BB-7C74D9467BD7}
Microsoft Office Accounting 2009 Tax Integration Add-in-->MsiExec.exe /X{D9AE6BE1-5847-4962-86B0-2A290B7E6C43}
Microsoft Office Accounting 2009-->"C:\Program Files\Microsoft Small Business\Office Accounting 2009\SetupBootstrap\Setup.exe" /remove {5007E629-8769-44BB-BD51-A20B6DCC5CC9}
Microsoft Office Accounting 2009-->MsiExec.exe /X{5007E629-8769-44BB-BD51-A20B6DCC5CC9}
Microsoft Office Accounting ADP Payroll Addin-->MsiExec.exe /I{5FA793A6-0071-42C1-9355-8F69A428C44F}
Microsoft Office Live Add-in 1.4-->MsiExec.exe /I{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{91110409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Small Business Connectivity Components-->MsiExec.exe /X{A939D341-5A04-4E0A-BB55-3E65B386432D}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Express Edition (MSSMLBIZ)-->MsiExec.exe /I{2AFFFDD7-ED85-4A90-8C52-5DA9EBDC9B8F}
Microsoft SQL Server 2005-->"c:\Program Files\Microsoft SQL Server\90\Setup Bootstrap\ARPWrapper.exe" /Remove
Microsoft SQL Server Desktop Engine (MICROSOFTSMLBIZ)-->MsiExec.exe /X{E09B48B5-E141-427A-AB0C-D3605127224A}
Microsoft SQL Server Native Client-->MsiExec.exe /I{BD68F46D-8A82-4664-8E68-F87C55BDEFD4}
Microsoft SQL Server Setup Support Files (English)-->MsiExec.exe /X{53F5C3EE-05ED-4830-994B-50B2F0D50FCE}
Microsoft SQL Server VSS Writer-->MsiExec.exe /I{56B4002F-671C-49F4-984C-C760FE3806B5}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148-->MsiExec.exe /X{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual Studio 2005 Tools for Office Runtime-->c:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
Microsoft Visual Studio 2005 Tools for Office Runtime-->MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
Mozilla Firefox (3.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MyFax® Print-to-Fax Assistant-->MsiExec.exe /I{D0E0B6B6-7015-49F8-BBDB-0D31DE803644}
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
PrimoPDF -- by Nitro PDF Software-->"C:\Program Files\Nitro PDF\PrimoPDF\uninstaller.exe"
QuickBooks Conversion Tool-->MsiExec.exe /X{0E535628-6E21-44C6-988B-67D1943025A3}
QuickBooks Pro 2009-->msiexec.exe /I {9A2F0810-369F-4E86-9072-973FBE1679C5} UNIQUE_NAME="pro" QBFULLNAME="QuickBooks Pro 2009" ADDREMOVE=1
QuickBooks-->MsiExec.exe /I{9A2F0810-369F-4E86-9072-973FBE1679C5}
QuickTime-->MsiExec.exe /I{1451DE6B-ABE1-4F62-BE9A-B363A17588A2}
Readiris Pro 10-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{14D08502-FEE4-40E5-90D3-8A967A1D8BA2}\Setup.exe" -l0x9
Samsung SCX-4x26 Series-->C:\Program Files\Samsung\Samsung SCX-4x26 Series\Install\Setup.exe /R
SmarThru Office PC Fax-->C:\Windows\prinst.exe /m"Samsung" /u"SmarThru Office PC Fax"
SmarThru Office-->C:\Program Files\InstallShield Installation Information\{9BC1E722-AE07-46A3-B7A6-556DBE18E22A}\Setup.exe -runfromtemp -l0x0009uninstall -l0009 -removeonly
Spyware Doctor 7.0-->C:\Program Files\Spyware Doctor\unins000.exe /LOG
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
WBFS Manager 3.0-->C:\Program Files\WBFS\WBFS Manager 3.0\uninstall.exe
WebSlingPlayer ActiveX-->"C:\ProgramData\Sling Media\WebSlingPlayer\{CEEB6FCD-2763-400B-B2B6-D42409C48034}\WBSPIESetup.exe" -u Uninstall.ini -d SlingPlayerAX.dll
Windows Live ID Sign-in Assistant-->MsiExec.exe /X{10A44844-4465-456E-8C97-80BDD4F68845}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Mobile Device Center Driver Update-->MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}
Windows Mobile Device Center-->MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
Windows Mobile Update KB975353 - DST Update August 2009-->MsiExec.exe /X{9FEA5804-A53D-4CD0-A508-96E85F7F024E}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xilisoft Video Converter Ultimate-->C:\Program Files\Xilisoft\Video Converter Ultimate\Uninstall.exe

======Security center information======

AS: Windows Defender

======System event log======

Computer Name: LIONELHUTZ
Event Code: 51
Message: An error was detected on device \Device\Harddisk1\DR3 during a paging operation.
Record Number: 35192
Source Name: disk
Time Written: 20100107074017.739663-000
Event Type: Warning
User:

Computer Name: LIONELHUTZ
Event Code: 51
Message: An error was detected on device \Device\Harddisk1\DR3 during a paging operation.
Record Number: 35191
Source Name: disk
Time Written: 20100107074017.709392-000
Event Type: Warning
User:

Computer Name: LIONELHUTZ
Event Code: 51
Message: An error was detected on device \Device\Harddisk1\DR3 during a paging operation.
Record Number: 35190
Source Name: disk
Time Written: 20100107074017.709392-000
Event Type: Warning
User:

Computer Name: LIONELHUTZ
Event Code: 51
Message: An error was detected on device \Device\Harddisk1\DR3 during a paging operation.
Record Number: 35189
Source Name: disk
Time Written: 20100107074017.709392-000
Event Type: Warning
User:

Computer Name: LIONELHUTZ
Event Code: 51
Message: An error was detected on device \Device\Harddisk1\DR3 during a paging operation.
Record Number: 35188
Source Name: disk
Time Written: 20100107074017.709392-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: LIONELHUTZ
Event Code: 1020
Message: Updates to the IIS metabase were aborted because IIS is either not installed or is disabled on this machine. To configure ASP.NET to run in IIS, please install or enable IIS and re-register ASP.NET using aspnet_regiis.exe /i.
Record Number: 130
Source Name: ASP.NET 1.1.4322.0
Time Written: 20091230002515.000000-000
Event Type: Warning
User:

Computer Name: LIONELHUTZ
Event Code: 11
Message: Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: A certificate chain could not be built to a trusted root authority.
.
Record Number: 107
Source Name: Microsoft-Windows-CAPI2
Time Written: 20091230000005.000000-000
Event Type: Error
User:

Computer Name: LIONELHUTZ
Event Code: 10
Message: Event filter with query "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 99" could not be reactivated in namespace "//./root/CIMV2" because of error 0x80041003. Events cannot be delivered through this filter until the problem is corrected.
Record Number: 26
Source Name: Microsoft-Windows-WMI
Time Written: 20091230010543.000000-000
Event Type: Error
User:

Computer Name: LIONELHUTZ
Event Code: 1008
Message: The Windows Search Service is attempting to remove the old catalog.

Record Number: 22
Source Name: Microsoft-Windows-Search
Time Written: 20091230010536.000000-000
Event Type: Warning
User:

Computer Name: 26L2233C2-11
Event Code: 1036
Message: InitializePrintProvider failed for provider inetpp.dll. This can occur because of system instability or a lack of system resources.
Record Number: 13
Source Name: Microsoft-Windows-SpoolerSpoolss
Time Written: 20091230005854.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

=====Security event log=====

Computer Name: 26L2233C2-11
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-18
Account Name: 26L2233C2-11$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: localhost
Additional Information: localhost

Process Information:
Process ID: 0x22c
Process Name: C:\Windows\System32\services.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 5
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091230005611.218750-000
Event Type: Audit Success
User:

Computer Name: 26L2233C2-11
Event Code: 4902
Message: The Per-user audit policy table was created.

Number of Elements: 0
Policy ID: 0x59403
Record Number: 4
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091230005559.203125-000
Event Type: Audit Success
User:

Computer Name: 26L2233C2-11
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 0

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x4
Process Name:

Network Information:
Workstation Name: -
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: -
Authentication Package: -
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 3
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091230005556.687500-000
Event Type: Audit Success
User:

Computer Name: 26L2233C2-11
Event Code: 4608
Message: Windows is starting up.

This event is logged when LSASS.EXE starts and the auditing subsystem is initialized.
Record Number: 2
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091230005556.671875-000
Event Type: Audit Success
User:

Computer Name: 26L2233C2-11
Event Code: 4634
Message: An account was logged off.

Subject:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x1affa

Logon Type: 3

This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.
Record Number: 1
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20080121025823.552800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%CommonProgramFiles%\Microsoft Shared\Windows Live;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Microsoft SQL Server\80\Tools\Binn\;c:\Program Files\Microsoft SQL Server\90\Tools\binn\;C:\Program Files\QuickTime\QTSystem\;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;c:\Program Files\Common Files\Intuit\QBPOSSDKRuntime;C:\Program Files\Intuit\QuickBooks Conversion Tool\bin
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 14 Stepping 8, GenuineIntel
"PROCESSOR_REVISION"=0e08
"NUMBER_OF_PROCESSORS"=2
"TRACE_FORMAT_SEARCH_PATH"=\\NTREL202.ntdev.corp.microsoft.com\4F18C3A5-CA09-4DBD-B6FC-219FDD4C6BE0\TraceFormat
"DFSTRACINGON"=FALSE
"CLASSPATH"=.;C:\Program Files\QuickTime\QTSystem\QTJava.zip
"QTJAVA"=C:\Program Files\QuickTime\QTSystem\QTJava.zip

-----------------EOF-----------------



GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-05 22:20:14
Windows 6.0.6002 Service Pack 2
Running: 6ddgp4vj.exe; Driver: C:\Users\Marvin\AppData\Local\Temp\uwryrfog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x89009CDE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x89009ED0]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x89009984]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8900A0D8]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 836F596C 8 Bytes [DE, 9C, 00, 89, D0, 9E, 00, ...]
.text ntkrnlpa.exe!KeSetEvent + 621 836F5D84 4 Bytes [84, 99, 00, 89]
.text ntkrnlpa.exe!KeSetEvent + 6E5 836F5E48 4 Bytes [D8, A0, 00, 89]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0075000A
.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0097000A
.text C:\Windows\system32\svchost.exe[1460] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0070000A
.text C:\Windows\system32\svchost.exe[1460] ole32.dll!CoCreateInstance 76159EA6 3 Bytes JMP 00A1000A
.text C:\Windows\system32\svchost.exe[1460] ole32.dll!CoCreateInstance + 4 76159EAA 1 Byte [8A]
.text C:\Windows\system32\svchost.exe[1460] USER32.dll!GetCursorPos 763B0B88 5 Bytes JMP 0131000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0085000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0098000A
.text c:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe[2296] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0084000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0025000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0026000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0024000A
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogParamW 763972A2 5 Bytes JMP 6A75DE50 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!GetAsyncKeyState 7639863C 5 Bytes JMP 6A678EF7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetWindowsHookExW 763987AD 5 Bytes JMP 6A759A75 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CallNextHookEx 76398E3B 5 Bytes JMP 6A74D101 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!UnhookWindowsHookEx 763998DB 5 Bytes JMP 6A6C466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!EnableWindow 7639CD8B 5 Bytes JMP 6A75DCDD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateWindowExW 763A1305 5 Bytes JMP 6A75DAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!GetKeyState 763A8CB1 5 Bytes JMP 6A75D28B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!IsDialogMessageW 763B0745 5 Bytes JMP 6A685A17 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogParamA 763B17AA 5 Bytes JMP 6A8553AB C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!IsDialogMessage 763B1847 5 Bytes JMP 6A854C47 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogIndirectParamA 763B26F1 5 Bytes JMP 6A8553E2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!CreateDialogIndirectParamW 763B9A62 5 Bytes JMP 6A855419 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetKeyboardState 763C0987 5 Bytes JMP 6A854FB6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamW 763C10B0 5 Bytes JMP 6A685505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamW 763C2EF5 5 Bytes JMP 6A85473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SendInput 763C2F75 5 Bytes JMP 6A855B73 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!EndDialog 763C326E 5 Bytes JMP 6A687EC2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!SetCursorPos 763D6FB2 5 Bytes JMP 6A855BC7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxParamA 763D8152 5 Bytes JMP 6A8546DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!DialogBoxIndirectParamA 763D847D 5 Bytes JMP 6A8547A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectA 763ED4D9 5 Bytes JMP 6A854671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxIndirectW 763ED5D3 5 Bytes JMP 6A854606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExA 763ED639 5 Bytes JMP 6A8545A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!MessageBoxExW 763ED65D 5 Bytes JMP 6A854542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] USER32.dll!keybd_event 763ED972 5 Bytes JMP 6A855EF7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] SHELL32.dll!SHRestricted + D95 76548988 4 Bytes [4D, 30, 9B, 68]
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] SHELL32.dll!SHRestricted + D9D 76548990 8 Bytes [57, 2F, 9B, 68, 9C, 5B, 9A, ...] {PUSH EDI; DAS ; WAIT ; PUSH 0x689a5b9c}
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!OleLoadFromStream 76121E12 5 Bytes JMP 6A854AA7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3400] ole32.dll!CoCreateInstance 76159EA6 5 Bytes JMP 6A75DB20 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0018000A
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0019000A
.text C:\Windows\Explorer.EXE[3636] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0017000A
.text C:\Program Files\Spyware Doctor\pctsTray.exe[4160] kernel32.dll!CreateThread + 1A 77BCC928 4 Bytes CALL 0044B8D9 C:\Program Files\Spyware Doctor\pctsTray.exe (PC Tools Tray Application/PC Tools)
.text C:\Program Files\Spyware Doctor\pctsSvc.exe[4916] kernel32.dll!CreateThread + 1A 77BCC928 4 Bytes CALL 0044BC05 C:\Program Files\Spyware Doctor\pctsSvc.exe (PC Tools Security Service/PC Tools)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!NtProtectVirtualMemory 77AB4D34 5 Bytes JMP 0036000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!NtWriteVirtualMemory 77AB5674 5 Bytes JMP 0047000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] ntdll.dll!KiUserExceptionDispatcher 77AB5DC8 5 Bytes JMP 0035000A
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!CreateWindowExW 763A1305 5 Bytes JMP 6A75DAC4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxParamW 763C10B0 5 Bytes JMP 6A685505 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxIndirectParamW 763C2EF5 5 Bytes JMP 6A85473F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxParamA 763D8152 5 Bytes JMP 6A8546DC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!DialogBoxIndirectParamA 763D847D 5 Bytes JMP 6A8547A2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxIndirectA 763ED4D9 5 Bytes JMP 6A854671 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxIndirectW 763ED5D3 5 Bytes JMP 6A854606 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxExA 763ED639 5 Bytes JMP 6A8545A4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5212] USER32.dll!MessageBoxExW 763ED65D 5 Bytes JMP 6A854542 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb@0017831c2682 0x0D 0x9E 0x1C 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37adfacb@002376a1bc3d 0x01 0xE7 0x74 0x68 ...
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb@0017831c2682 0x0D 0x9E 0x1C 0x56 ...
Reg HKLM\SYSTEM\ControlSet035\Services\BTHPORT\Parameters\Keys\001e37adfacb@002376a1bc3d 0x01 0xE7 0x74 0x68 ...

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\TMP00000064AF6CDD17EFFDA4D0 524288 bytes

---- EOF - GMER 1.0.15 ----


#6 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 06 June 2010 - 11:29 PM

Hello, mrkotter1.
P2P Program Warning!

BitTorrent

P2P programs form a direct conduit onto your computer, their security measures are easily circumvented, and malware writers are increasingly exploiting them to spread their wares onto your computer. Further to that, if your P2P programme is not configured correctly you may be sharing more files than you realise. There have been cases where people's Passwords, Address Books and other personal, private, and financial details have been exposed to the file sharing network by a badly configured programme.

This article from InfoWorld illustrates perfectly the dangers of a poorly configured P2P program.
Here

Many of the programs come bundled with other unwanted programs, but even the ones free of any bundled software are not safe to use.
When you use them you are downloading software from an unknown source directly onto your computer, bypassing your Firewall and Anti-Virus software. Hardly surprising then that many of these Downloads are being targeted to carry infections.

Note: It is pretty much certain that if you continue to use P2P programs, then you will get infected again.
I would recommend that you uninstall the programs listed above, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.




We need to download and run ComboFix (by sUBs)
  1. Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
    They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". For more details, please check this thread
  2. Please download ComboFix from one of these locations:
    Link 1
    Link 2
    ** IMPORTANT !!! Save ComboFix.exe to your Desktop
  3. Double click on ComboFix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  5. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
  6. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    The Recovery Console was successfully installed. Click 'Yes' to continue scanning for malware. Click 'No' to exit
  7. Click on Yes, to continue scanning for malware.
  8. When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.
**A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
**This tool is not a toy and not for everyday use.
**ComboFix SHOULD NOT be used unless requested by a forum helper


In your next reply, please include the following:
  • ComboFix.txt

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#7 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 08 June 2010 - 11:49 PM

I keep trying to run combofix but each time it starts scanning a window pops up that says Window Command Processor is stopping the program. I turned off the real time protection for spyware doctor and windows defender. Any suggestions?

#8 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 09 June 2010 - 12:25 AM

Hi!

Try running Combofix in safe mode smile.gif

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#9 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 10 June 2010 - 08:03 PM

Tried running it in safemode and same problem. The program stops because of the Windows Command processor.

#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 10 June 2010 - 08:27 PM

Okay, let's try something else:
  1. Save all document or windows that are open because when running combofix you won't have internet connection and everything will be closed.
  2. Click on your Start Menu, then Run, In the run box type:
    CODE
    "%userprofile%\desktop\combofix.exe" /killall
  3. Combofix will now run
  4. When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#11 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 11 June 2010 - 12:25 AM

Genius! That seemed to work. Thank you.

ComboFix 10-06-10.03 - Marvin 06/10/2010 23:49:05.1.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2038.1304 [GMT -5:00]
Running from: c:\users\Marvin\Desktop\combofix.exe
Command switches used :: /killall
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Lexmark 5600-6600 Series\lxduamon.exe
c:\program files\Lexmark 5600-6600 Series\lxdumon.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\SmarThru Office\BackUpSvr.exe
c:\programdata\Microsoft\Network\Downloader\qmgr0.dat
c:\programdata\Microsoft\Network\Downloader\qmgr1.dat
c:\programdata\VFWfpP1V.exe
c:\users\Marvin\AppData\Local\syssvc.exe
c:\users\Marvin\AppData\Roaming\inst.exe
c:\windows\Fonts\HDPC47rlq.com
c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
c:\windows\system32\Icons
c:\windows\Tasks\At1.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe

CODE
<pre>
c:\program files\Acronis\TrueImageHome\TimounterMonitor .exe ---^> c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
c:\program files\Acronis\TrueImageHome\TrueImageMonitor .exe ---^> c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe ---^> c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program files\Common Files\Java\Java Update\jusched .exe ---^> c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe ---^> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---^> c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe ---^> c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe
c:\program files\Lexmark 5600-6600 Series\lxduamon .exe ---^> c:\program files\Lexmark 5600-6600 Series\lxduamon.exe
c:\program files\Lexmark 5600-6600 Series\lxdumon .exe ---^> c:\program files\Lexmark 5600-6600 Series\lxdumon.exe
c:\program files\QuickTime\QTTask .exe ---^> c:\program files\QuickTime\QTTask.exe
c:\program files\SmarThru Office\BackUpSvr .exe ---^> c:\program files\SmarThru Office\BackUpSvr.exe
c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate .exe ---^> c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
c:\windows\twain_32\Samsung\SCX4x26\Scan2pc .exe ---^> c:\windows\twain_32\Samsung\SCX4x26\Scan2pc.exe
</pre>

.
----- BITS: Possible infected sites -----

hxxp://farm5.static.flickr.com
hxxp://farm3.static.flickr.com
Infected copy of c:\windows\system32\DRIVERS\netbt.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_GoogleDesktopManager-110309-193829


((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 05:00 . 2010-06-11 05:06 -------- d-----w- c:\users\Marvin\AppData\Local\temp
2010-06-11 05:00 . 2010-06-11 05:00 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
2010-06-11 05:00 . 2010-06-11 05:00 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 01:07 . 2010-06-11 01:07 -------- d-----w- C:\Log
2010-06-04 01:32 . 2010-06-04 01:32 -------- d-----w- C:\rsit
2010-06-02 04:26 . 2010-06-06 03:27 -------- d-----w- c:\program files\Trend Micro
2010-06-01 23:13 . 2010-06-01 23:13 -------- d-----w- C:\Samsung
2010-05-30 06:59 . 2010-05-30 17:26 -------- d-----w- c:\users\Marvin\AppData\Local\clixledwk
2010-05-30 02:31 . 2010-02-22 20:58 111472 ----a-w- c:\windows\system32\gotomon.dll
2010-05-28 09:56 . 2010-05-28 09:56 -------- d-----w- c:\users\Marvin\AppData\Roaming\Malwarebytes
2010-05-28 09:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 09:56 . 2010-06-07 11:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 09:56 . 2010-05-28 09:56 -------- d-----w- c:\programdata\Malwarebytes
2010-05-28 09:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 05:04 . 2010-05-26 05:04 -------- d-----w- c:\windows\Sun
2010-05-25 06:26 . 2010-05-25 07:21 -------- d-----w- c:\users\Marvin\AppData\Roaming\Nik Software
2010-05-23 06:21 . 2010-05-23 06:21 -------- d-----w- c:\program files\EASEUS
2010-05-13 11:27 . 2009-12-15 23:13 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2010-05-13 11:27 . 2010-05-13 11:27 -------- d-----w- c:\programdata\CitrixLogs
2010-05-13 11:27 . 2010-05-13 11:27 -------- d-----w- c:\program files\Citrix
2010-05-13 11:26 . 2010-05-13 11:26 7046096 ----a-w- c:\users\Marvin\gosetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 05:05 . 2010-03-09 03:08 -------- d-----w- c:\program files\SmarThru Office
2010-06-11 05:05 . 2009-12-30 04:17 -------- d-----w- c:\program files\iTunes
2010-06-11 05:05 . 2009-12-30 04:15 -------- d-----w- c:\program files\QuickTime
2010-06-11 05:05 . 2009-12-29 23:48 -------- d-----w- c:\program files\Lexmark 5600-6600 Series
2010-06-11 05:02 . 2009-12-30 02:12 3101 ----a-w- c:\windows\bthservsdp.dat
2010-06-10 06:06 . 2010-06-07 12:19 112 ----a-w- c:\programdata\TVwfU0.dat
2010-06-09 04:40 . 2009-12-29 23:52 -------- d-----w- c:\program files\Spyware Doctor
2010-06-05 22:32 . 2010-01-19 02:00 3616 ----a-w- c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
2010-06-02 04:26 . 2010-06-02 04:26 388096 ----a-r- c:\users\Marvin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-28 08:13 . 2010-05-28 08:13 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD69F.tmp.exe
2010-05-27 05:26 . 2010-04-30 18:12 -------- d-----w- c:\users\Marvin\AppData\Roaming\BitTorrent
2010-05-13 19:26 . 2010-01-18 02:09 -------- d-----w- c:\users\Marvin\AppData\Roaming\PrimoPDF
2010-05-13 11:27 . 2009-12-30 09:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 02:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 19:41 . 2009-12-29 23:43 -------- d-----w- c:\program files\Google
2010-05-06 15:36 . 2009-12-30 08:01 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-01 08:55 . 2010-05-01 08:55 -------- d-----w- c:\program files\WBFS
2010-04-30 18:12 . 2010-04-30 18:12 -------- d-----w- c:\program files\BitTorrent
2010-04-15 12:51 . 2010-01-09 21:52 1356 ----a-w- c:\users\Marvin\AppData\Local\d3d9caps.dat
2010-04-06 05:19 . 2010-01-20 08:11 211720 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 05:19 . 2010-01-20 08:11 1352968 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-02-04 01:24 . 2010-02-04 01:24 92624084 ----a-w- c:\program files\Acronis.True.Image.Home.2009.v12.0.09709.rar
.
CODE
<pre>
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\Spyware Doctor\pctsTray .exe
c:\windows\WindowsMobile\wmdc .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2009-12-19 15:50 192232 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2009-12-19 15:53 192232 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-11-03 684712]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-11-03 16040]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2010-06-07 38916]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-01-19 30192]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359600]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960560]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-18 536576]
"STO Backup Service"="c:\program files\SmarThru Office\BackUpSvr.exe" [2008-08-06 192512]
"STO Launcher Service"="c:\program files\SmarThru Office\LegacyLauncher.exe" [2008-08-06 331776]
"4x26 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe" [2008-07-23 495616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gladinet Cloud Desktop.lnk - c:\windows\Installer\{D20D70E9-B4AE-4B33-BC4D-D50B20BF2E1F}\_E62DE6B4606D4EA85FFD8A.exe [2010-1-22 188478]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:8e,8b,1a,b4,50,a5,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-05-06 413208]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S2 GladFileMonSvc;GladFileMonSvc;c:\program files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [2009-12-19 24296]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2008-07-22 5120]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-29 01:42]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 23:45]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 23:45]

2010-06-10 c:\windows\Tasks\User_Feed_Synchronization-{ADBC07D4-5ABE-40EE-8DD7-6C88F3CC9E7D}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/plugin/downloads/pc/1.4.0.82/WebSlingPlayer.cab
FF - ProfilePath - c:\users\Marvin\AppData\Roaming\Mozilla\Firefox\Profiles\qvxn4pjx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-dmboot.sys
SafeBoot-dmio.sys
SafeBoot-dmload.sys
SafeBoot-dmadmin
SafeBoot-dmserver
SafeBoot-SRService



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 00:07
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,a1,3e,d6,33,42,32,45,a5,da,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,a1,3e,d6,33,42,32,45,a5,da,fe,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(6048)
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlCopyHandler.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\program files\Windows Media Player\WMPNSCFG.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\sdclt.exe
.
**************************************************************************
.
Completion time: 2010-06-11 00:15:37 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 05:15

Pre-Run: 80,064,532,480 bytes free
Post-Run: 80,625,938,432 bytes free

- - End Of File - - 7233DB067E47A85C66B11BD64884A2FE


#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 11 June 2010 - 12:28 AM

Hello, mrkotter1.
Glad it worked smile.gif
We need to run a Combofix script
  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the codebox below into it. Do not copy the word "code".
    CODE
    KillAll::

    RenV::
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\Spyware Doctor\pctsTray .exe
    c:\windows\WindowsMobile\wmdc .exe
  4. Save this as CFScript.txt, in the same location as ComboFix.exe
  5. Now, drag and drop CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
In your next reply, please include the following:
  • ComboFix.txt

Edited by aommaster, 11 June 2010 - 12:29 AM.

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#13 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 11 June 2010 - 01:04 AM

ComboFix 10-06-10.03 - Marvin 06/11/2010 0:39.2.2 - x86
Microsoft® Windows Vista™ Business 6.0.6002.2.1252.1.1033.18.2038.1046 [GMT -5:00]
Running from: c:\users\Marvin\Desktop\combofix.exe
Command switches used :: c:\users\Marvin\Desktop\CFScript.txt
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
c:\program files\iTunes\iTunesHelper.exe
c:\program files\Lexmark 5600-6600 Series\lxduamon.exe
c:\program files\Lexmark 5600-6600 Series\lxdumon.exe
c:\program files\QuickTime\QTTask.exe
c:\program files\SmarThru Office\BackUpSvr.exe
c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
c:\windows\twain_32\Samsung\SCX4x26\Scan2pc.exe

CODE
<pre>
c:\program files\Acronis\TrueImageHome\TimounterMonitor .exe ---^> c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe
c:\program files\Acronis\TrueImageHome\TrueImageMonitor .exe ---^> c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe ---^> c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
c:\program files\Common Files\Acronis\Schedule2\schedhlp .exe ---^> c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe
c:\program files\Common Files\Java\Java Update\jusched .exe ---^> c:\program files\Common Files\Java\Java Update\jusched.exe
c:\program files\Google\Google Desktop Search\GoogleDesktop .exe ---^> c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---^> c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
c:\program files\Google\Quick Search Box\GoogleQuickSearchBox .exe ---^> c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe
c:\program files\iTunes\iTunesHelper .exe ---^> c:\program files\iTunes\iTunesHelper.exe
c:\program files\Lexmark 5600-6600 Series\lxduamon .exe ---^> c:\program files\Lexmark 5600-6600 Series\lxduamon.exe
c:\program files\Lexmark 5600-6600 Series\lxdumon .exe ---^> c:\program files\Lexmark 5600-6600 Series\lxdumon.exe
c:\program files\QuickTime\QTTask .exe ---^> c:\program files\QuickTime\QTTask.exe
c:\program files\SmarThru Office\BackUpSvr .exe ---^> c:\program files\SmarThru Office\BackUpSvr.exe
c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate .exe ---^> c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
c:\windows\twain_32\Samsung\SCX4x26\Scan2pc .exe ---^> c:\windows\twain_32\Samsung\SCX4x26\Scan2pc.exe
</pre>

.
.
((((((((((((((((((((((((( Files Created from 2010-05-11 to 2010-06-11 )))))))))))))))))))))))))))))))
.

2010-06-11 05:49 . 2010-06-11 05:55 -------- d-----w- c:\users\Marvin\AppData\Local\temp
2010-06-11 05:49 . 2010-06-11 05:49 -------- d-----w- c:\users\Stephanie\AppData\Local\temp
2010-06-11 05:49 . 2010-06-11 05:49 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-06-11 05:49 . 2010-06-11 05:49 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-06-11 01:07 . 2010-06-11 01:07 -------- d-----w- C:\Log
2010-06-04 01:32 . 2010-06-04 01:32 -------- d-----w- C:\rsit
2010-06-02 04:26 . 2010-06-06 03:27 -------- d-----w- c:\program files\Trend Micro
2010-06-01 23:13 . 2010-06-01 23:13 -------- d-----w- C:\Samsung
2010-05-30 06:59 . 2010-05-30 17:26 -------- d-----w- c:\users\Marvin\AppData\Local\clixledwk
2010-05-30 02:31 . 2010-02-22 20:58 111472 ----a-w- c:\windows\system32\gotomon.dll
2010-05-28 09:56 . 2010-05-28 09:56 -------- d-----w- c:\users\Marvin\AppData\Roaming\Malwarebytes
2010-05-28 09:56 . 2010-04-29 20:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-28 09:56 . 2010-06-11 05:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-28 09:56 . 2010-05-28 09:56 -------- d-----w- c:\programdata\Malwarebytes
2010-05-28 09:56 . 2010-04-29 20:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-26 05:04 . 2010-05-26 05:04 -------- d-----w- c:\windows\Sun
2010-05-25 06:26 . 2010-05-25 07:21 -------- d-----w- c:\users\Marvin\AppData\Roaming\Nik Software
2010-05-23 06:21 . 2010-05-23 06:21 -------- d-----w- c:\program files\EASEUS
2010-05-13 11:27 . 2009-12-15 23:13 52080 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\GoToPrintProcessor.dll
2010-05-13 11:27 . 2010-05-13 11:27 -------- d-----w- c:\programdata\CitrixLogs
2010-05-13 11:27 . 2010-05-13 11:27 -------- d-----w- c:\program files\Citrix
2010-05-13 11:26 . 2010-05-13 11:26 7046096 ----a-w- c:\users\Marvin\gosetup.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-11 05:55 . 2010-03-09 03:08 -------- d-----w- c:\program files\SmarThru Office
2010-06-11 05:55 . 2009-12-30 04:17 -------- d-----w- c:\program files\iTunes
2010-06-11 05:55 . 2009-12-30 04:15 -------- d-----w- c:\program files\QuickTime
2010-06-11 05:55 . 2009-12-29 23:48 -------- d-----w- c:\program files\Lexmark 5600-6600 Series
2010-06-11 05:49 . 2009-12-30 02:12 3101 ----a-w- c:\windows\bthservsdp.dat
2010-06-11 05:39 . 2009-12-29 23:52 -------- d-----w- c:\program files\Spyware Doctor
2010-06-10 06:06 . 2010-06-07 12:19 112 ----a-w- c:\programdata\TVwfU0.dat
2010-06-05 22:32 . 2010-01-19 02:00 3616 ----a-w- c:\programdata\Intuit\QuickBooks 2009\qbbackup.sys
2010-06-02 04:26 . 2010-06-02 04:26 388096 ----a-r- c:\users\Marvin\AppData\Roaming\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-05-28 08:13 . 2010-05-28 08:13 501872 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbD69F.tmp.exe
2010-05-27 05:26 . 2010-04-30 18:12 -------- d-----w- c:\users\Marvin\AppData\Roaming\BitTorrent
2010-05-13 19:26 . 2010-01-18 02:09 -------- d-----w- c:\users\Marvin\AppData\Roaming\PrimoPDF
2010-05-13 11:27 . 2009-12-30 09:10 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-05-13 02:26 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-05-11 19:41 . 2009-12-29 23:43 -------- d-----w- c:\program files\Google
2010-05-06 15:36 . 2009-12-30 08:01 221568 ----a-w- c:\windows\system32\MpSigStub.exe
2010-05-01 08:55 . 2010-05-01 08:55 -------- d-----w- c:\program files\WBFS
2010-04-30 18:12 . 2010-04-30 18:12 -------- d-----w- c:\program files\BitTorrent
2010-04-15 12:51 . 2010-01-09 21:52 1356 ----a-w- c:\users\Marvin\AppData\Local\d3d9caps.dat
2010-04-06 05:19 . 2010-01-20 08:11 211720 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManagerPatch.exe
2010-04-06 05:19 . 2010-01-20 08:11 1352968 ----a-w- c:\programdata\Intuit\QuickBooks 2009\Components\SyncMgr\OCD\IntuitSyncManager.exe
2010-02-04 01:24 . 2010-02-04 01:24 92624084 ----a-w- c:\program files\Acronis.True.Image.Home.2009.v12.0.09709.rar
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetIconOverlay]
@="{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}"
[HKEY_CLASSES_ROOT\CLSID\{3C3DC57A-7535-48AF-BB9E-C3576A4F34D0}]
2009-12-19 15:50 192232 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GladinetUploading]
@="{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}"
[HKEY_CLASSES_ROOT\CLSID\{959A18D3-9CC9-41e8-B76F-34ED9A89D4EA}]
2009-12-19 15:53 192232 ----a-w- c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-12-29 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-12-29 122880]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"lxdumon.exe"="c:\program files\Lexmark 5600-6600 Series\lxdumon.exe" [2008-11-03 684712]
"lxduamon"="c:\program files\Lexmark 5600-6600 Series\lxduamon.exe" [2008-11-03 16040]
"NetFxUpdate_v1.1.4322"="c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe" [2004-08-10 106496]
"Windows Mobile Device Center"="c:\windows\WindowsMobile\wmdc.exe" [2007-05-31 648072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SPIRunE"="SPIRunE.dll" [2009-03-05 18432]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2009-12-22 1092872]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-01-19 30192]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-01-21 4359600]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-01-21 960560]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2009-01-21 377248]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"Samsung PanelMgr"="c:\windows\Samsung\PanelMgr\SSMMgr.exe" [2008-08-18 536576]
"STO Backup Service"="c:\program files\SmarThru Office\BackUpSvr.exe" [2008-08-06 192512]
"STO Launcher Service"="c:\program files\SmarThru Office\LegacyLauncher.exe" [2008-08-06 331776]
"4x26 Scan2PC"="c:\windows\Twain_32\Samsung\SCX4x26\Scan2pc.exe" [2008-07-23 495616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-11-03 257440]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Gladinet Cloud Desktop.lnk - c:\windows\Installer\{D20D70E9-B4AE-4B33-BC4D-D50B20BF2E1F}\_E62DE6B4606D4EA85FFD8A.exe [2010-1-22 188478]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-12-16 1153824]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(cool.gif:8e,8b,1a,b4,50,a5,ca,01

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 135664]
R2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\DRIVERS\W32X86\3\\lxduserv.exe [2009-10-16 94208]
R3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [2009-12-30 79360]
R3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2009-10-30 359624]
R3 t3;SB Xtreme Audio Notebook;c:\windows\system32\drivers\t3.sys [2009-05-06 413208]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\DRIVERS\WSDPrint.sys [2008-01-21 16896]
S0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-11-09 207792]
S2 GladFileMonSvc;GladFileMonSvc;c:\program files\Gladinet\Gladinet Cloud Desktop\GladFileMonSvc.exe [2009-12-19 24296]
S2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe [2009-10-16 589824]
S2 SSPORT;SSPORT;c:\windows\system32\Drivers\SSPORT.sys [2008-07-22 5120]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-06-11 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-12-29 01:42]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 23:45]

2010-06-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-29 23:45]

2010-06-10 c:\windows\Tasks\User_Feed_Synchronization-{ADBC07D4-5ABE-40EE-8DD7-6C88F3CC9E7D}.job
- c:\windows\system32\msfeedssync.exe [2010-03-31 04:54]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>;127.0.0.1
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://www.google.com/search/?q=%s
Trusted Zone: google.com\www
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: microsoft.com\update
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/plugin/downloads/pc/1.4.0.82/WebSlingPlayer.cab
FF - ProfilePath - c:\users\Marvin\AppData\Roaming\Mozilla\Firefox\Profiles\qvxn4pjx.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1851.5542\npCIDetect14.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-11 00:55
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,a1,3e,d6,33,42,32,45,a5,da,fe,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,d0,a1,3e,d6,33,42,32,45,a5,da,fe,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5084)
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIcon.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlOverlayIconU.dll
c:\program files\Gladinet\Gladinet Cloud Desktop\GlCopyHandler.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Creative\Shared Files\CTAudSvc.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\WUDFHost.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Windows Media Player\wmplayer.exe
c:\windows\servicing\TrustedInstaller.exe
c:\program files\Windows Media Player\wmpnscfg.exe
.
**************************************************************************
.
Completion time: 2010-06-11 01:02:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-11 06:02
ComboFix2.txt 2010-06-11 05:15

Pre-Run: 82,012,725,248 bytes free
Post-Run: 81,633,144,832 bytes free

- - End Of File - - A1A33FA02585297A29E69C857AF1E084


#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dubai
  • Local time:04:59 AM

Posted 11 June 2010 - 01:17 AM

Hello, mrkotter1.
Looks good! How's your computer doing now? Are you still experiencing problems?

If not, please proceed with the below
We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 20 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java versions.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u20-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run an ESET Online Scan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "< button.
  13. Push Finish

In your next reply, please include the following:
  • Eset Scan Log

My website: http://aommaster.com
unite_blue.png
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#15 mrkotter1

mrkotter1
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:07:59 PM

Posted 11 June 2010 - 03:26 AM

C:\Qoobox\Quarantine\C\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Common Files\Java\Java Update\jusched.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Google Desktop Search\GoogleDesktop.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Lexmark 5600-6600 Series\lxduamon.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\Lexmark 5600-6600 Series\lxdumon.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\QuickTime\QTTask.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Program Files\SmarThru Office\BackUpSvr.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Users\Marvin\AppData\Local\syssvc.exe.vir Win32/Fuclip.BI trojan
C:\Qoobox\Quarantine\C\Windows\Fonts\HDPC47rlq.com.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Qoobox\Quarantine\C\Windows\system32\Drivers\netbt.sys.vir Win32/Olmarik.ZC trojan
C:\Qoobox\Quarantine\C\Windows\twain_32\Samsung\SCX4x26\Scan2pc.exe.vir Win32/TrojanDownloader.Unruy.BN trojan
C:\Users\Marvin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YG5B4MJH\all[1].pdf JS/Exploit.Pdfka.OAF trojan
C:\Users\Marvin\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\47\2d38e76f-2a7b6fd7 a variant of Java/TrojanDownloader.Agent.NBE trojan
C:\Users\Marvin\Downloads\Complete Photoshop Plugin Collection 2010[H33T][NexTG]\Nik Plugin Suite for Adobe Photoshop.rar NSIS/TrojanDownloader.Agent.NBS.Gen trojan
C:\Windows\winsxs\x86_microsoft-windows-netbt_31bf3856ad364e35_6.0.6002.18005_none_6250416df465f2b1\netbt.sys Win32/Olmarik.ZC trojan





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users