
CRAZY HIJACKTHIS ENTRIES!!


This topic is locked
15 replies to this topic

#1 jackuars


  • Members
  • 20 posts
  • Gender:Female
  • Location:India

Posted 12 July 2010 - 07:44 AM

Hi tech guys... I have a situation down here. It all started when I couldn't access certain websites and then some of the programs like Comodo Firewall and MBAM wouldn't start up. I had the free version of Avast at the time, and at some point a rootkit was detected, the name of which I can't remember, and I deleted it. I ran a scan with Sophos Anti-Rootkit and it found no rootkits; then I switched to NOD32 and ran a scan which gave me a clean log. I also ran SAS, which found no infections.

I downloaded the program HijackThis, ran a scan and found so many crazy entries, and a screen also popped up saying that I have a large number of Hijacked Domains!



So I deleted the HOSTS file as recommended by HijackThis, because there were many entries corresponding to the pop-up mentioned. This time I could access most websites. But some still wouldn't work. The message I get is:



Now I want to get an analysis of this HijackThis log, and suitable suggestions on what I have to do next about any remaining spyware or hijacked entries.

I'm a girl and I absolutely have no idea, nor very good computer knowledge. So please, I would prefer simple step-by-step recommendations and suggestions, not very logical, technical ones. I would be grateful for any kind of help. Thanking everyone in advance. I hope to solve my problem soon.



Diana


Why don't you check out the HijackThis logs attached herewith. The first is the log before I deleted the HOSTS file, and the second is the log after I deleted the HOSTS file and the O20 - AppInit_DLLs:, O3 - Toolbar: (no name) and O2 - BHO: (no name) entries.



Edited by jackuars, 12 July 2010 - 08:11 AM.




#2 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 16 July 2010 - 02:53 AM

Hello, jackuars.
My name is aommaster and I will be helping you with your log.

I apologize for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, I would appreciate you letting us know. If not, please perform the steps below so I can have a look at the current condition of your machine.

Thanks

Should you still require assistance, please take note of the points below:
  • Please track this topic by either adding it to your favourites or clicking the Options button at the top of this thread and then Track this topic.
  • Please disable word-wrap before posting logs. This can be done by clicking Format and un-ticking the word-wrap feature in notepad.
  • The logs that you post should be copied and pasted directly into the reply. Only attach them if requested or if they do not fit into the post.
  • If you do not reply within 5 days, I will have to close your topic. Should you not be able to meet this, please notify me so that I will leave the topic open.
  • Please do not install, update, or run any programs for the duration of the fix.
  • If you do not understand the instructions I provide, please don't hesitate to ask. That's what I'm here for.
  • Please continue to reply to this topic until I give you the all clean. Just because there are no symptoms of infection doesn't mean that the computer is clean.
  • If you are running Vista, please run all the fixes as an administrator. This is done by right-clicking the program and clicking "Run as Administrator".

Please do the following so I can take a look at the current state of your system.

We need to run RSIT
  1. Download random's system information tool (RSIT) by random/random and save it to your desktop.
  2. Double click on RSIT.exe.
  3. Click Continue at the disclaimer screen.
  4. Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

NEXT:
(This step may produce a blank log. Let me know if that is the case)
We need to run a GMER scan
  1. Download GMER and save to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
  2. Close all other open programs as there is a slight chance your computer will crash.
  3. Double click the GMER program. Your security programs may detect GMER's driver trying to load. Allow it.
  4. You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
  5. Make sure all options are checked except:
    • IAT/EAT
    • Drives/Partition other than Systemdrive, which is typically C:\
    • Show All (This is important, so do not miss it.)
    Note: If GMER crashes or hangs, please retry running a scan. Only this time, in addition to the options mentioned above, uncheck Devices as well.
  6. When the scan is complete, click Save and save the log onto your desktop.

In your next reply, please include the following:
  • Log.txt
  • info.txt
  • gmer.log

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM


#3 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 18 July 2010 - 11:58 PM

Hello jackuars
Are you still with us?



#4 jackuars

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Location:India

Posted 19 July 2010 - 02:39 AM

I am sorry for my late reply too. I almost lost hope in this forum, as I had been looking around for 3 days. I was at college... I will come back home and run the scans that you told me to. Will post my log today or tomorrow.

#5 aommaster


    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai

Posted 19 July 2010 - 02:40 AM

Okay. Thanks for letting me know.



#6 jackuars

  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Location:India

Posted 19 July 2010 - 08:54 AM

I ran the scans as you told me, and here are my logs attached. My computer is working fine now, not experiencing the problems as before. Dunno if Comodo and MBAM would run; I didn't check that out. Anyway, take a look at my log and please give me valuable suggestions.

Diana

Logfile of random's system information tool 1.08 (written by random/random)
Run by Administrator at 2010-07-19 18:49:25
Microsoft Windows XP Professional Service Pack 2
System drive C: has 3 GB (27%) free of 10 GB
Total RAM: 254 MB (10% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:50:56 PM, on 7/19/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\OAcat.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\RSIT.exe
C:\Program Files\trend micro\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - E:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - E:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Download by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://E:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1278919808125
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - E:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Online Armor Helper Service (OAcat) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\OAcat.exe
O23 - Service: Macrium Reflect Image Mounting Service (ReflectService) - Unknown owner - E:\Program Files\Macrium\Reflect\ReflectService.exe (file missing)
O23 - Service: Online Armor (SvcOnlineArmor) - Unknown owner - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5153 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\Scheduled Update for Ask Toolbar.job
C:\WINDOWS\tasks\User_Feed_Synchronization-{558B0221-7D73-4999-86D1-B9C68896A107}.job
C:\WINDOWS\tasks\Auslogics Boost Speed Disk Defrag Console Defragmentation.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000123B4-9B42-4900-B3F7-F4B073EFC214}]
Octh Class - E:\Program Files\Orbitdownloader\orbitcth.dll [2010-05-07 240912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}]
Groove GFS Browser Helper - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-05-03 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-05-03 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{C55BBCD6-41AD-48AD-9953-3609C48EACC7} - Grab Pro - E:\Program Files\Orbitdownloader\GrabPro.dll [2010-05-07 666816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2010-03-29 2145000]
"@OnlineArmor GUI"=C:\Program Files\Tall Emu\Online Armor\oaui.exe [2010-04-20 6678008]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
E:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-04 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
C:\WINDOWS\system32\igfxsrvc.dll [2002-10-16 315392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 2210608]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"=C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2010-04-20 925688]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=E:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoFolderOptions"=0
"NoRun"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=255
"NoFolderOptions"=0
"NoRun"=0
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"="C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\Program Files\Microsoft Office\Office12\groove.exe"="C:\Program Files\Microsoft Office\Office12\groove.exe:*:Enabled:Microsoft Office Groove"
"C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"="C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"
"E:\Program Files\uTorrent\uTorrent.exe"="E:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"E:\Program Files\Orbitdownloader\orbitdm.exe"="E:\Program Files\Orbitdownloader\orbitdm.exe:*:Enabled:Orbit"
"E:\Program Files\Orbitdownloader\orbitnet.exe"="E:\Program Files\Orbitdownloader\orbitnet.exe:*:Enabled:Orbit"
"E:\Downloads\PROGRAMS\utorrent.exe"="E:\Downloads\PROGRAMS\utorrent.exe:*:Enabled:µTorrent"
"D:\Downloads\Programs\utorrent.exe"="D:\Downloads\Programs\utorrent.exe:*:Enabled:µTorrent"
"C:\WINDOWS\system32\wmpfx4.exe"="C:\WINDOWS\system32\wmpfx4.exe:*:Enabled:LAN Router"
"C:\Program Files\Internet Explorer\iexplore.exe"="C:\Program Files\Internet Explorer\iexplore.exe:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\WINDOWS\system32\wmpfx4.exe"="C:\WINDOWS\system32\wmpfx4.exe:*:Enabled:LAN Router"

======List of files/folders created in the last 1 months======

2010-07-19 18:49:25 ----D---- C:\rsit
2010-07-15 19:48:29 ----D---- C:\Documents and Settings\Administrator\Application Data\Opera
2010-07-15 19:01:24 ----D---- C:\Program Files\Mozilla Firefox
2010-07-15 02:47:50 ----D---- C:\WINDOWS\ServicePackFiles
2010-07-14 22:44:58 ----N---- C:\WINDOWS\system32\drivers\bthport.sys
2010-07-13 06:55:15 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla
2010-07-12 22:51:38 ----D---- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2010-07-12 16:53:28 ----D---- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2010-07-12 16:53:28 ----D---- C:\Documents and Settings\Administrator\Application Data\OnlineArmor
2010-07-12 16:52:53 ----A---- C:\WINDOWS\system32\drivers\OAnet.sys
2010-07-12 16:52:53 ----A---- C:\WINDOWS\system32\drivers\OAmon.sys
2010-07-12 16:52:52 ----A---- C:\WINDOWS\system32\drivers\OADriver.sys
2010-07-12 16:52:38 ----D---- C:\Program Files\Tall Emu
2010-07-12 09:56:39 ----D---- C:\Program Files\ESET
2010-07-12 09:56:39 ----D---- C:\Documents and Settings\All Users\Application Data\ESET
2010-07-12 09:37:13 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-07-12 01:56:22 ----D---- C:\Documents and Settings\Administrator\Application Data\Mozilla(3)
2010-07-12 01:47:09 ----HD---- C:\WINDOWS\ie8
2010-07-11 23:22:48 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-07-02 23:31:43 ----D---- C:\Documents and Settings\Administrator\Application Data\Notepad++
2010-07-02 16:16:51 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2010-07-01 23:08:32 ----D---- C:\Documents and Settings\Administrator\Application Data\Bump Technologies, Inc
2010-07-01 23:08:03 ----A---- C:\WINDOWS\system32\XAudio2_7.dll
2010-07-01 23:08:03 ----A---- C:\WINDOWS\system32\XAPOFX1_5.dll
2010-07-01 23:08:02 ----A---- C:\WINDOWS\system32\xactengine3_7.dll
2010-07-01 23:08:01 ----A---- C:\WINDOWS\system32\d3dcsx_43.dll
2010-07-01 23:08:01 ----A---- C:\WINDOWS\system32\D3DCompiler_43.dll
2010-07-01 23:08:00 ----A---- C:\WINDOWS\system32\d3dx11_43.dll
2010-07-01 23:07:59 ----A---- C:\WINDOWS\system32\D3DX9_43.dll
2010-07-01 23:07:59 ----A---- C:\WINDOWS\system32\d3dx10_43.dll
2010-07-01 23:07:58 ----A---- C:\WINDOWS\system32\XAudio2_6.dll
2010-07-01 23:07:58 ----A---- C:\WINDOWS\system32\XAPOFX1_4.dll
2010-07-01 23:07:57 ----A---- C:\WINDOWS\system32\xactengine3_6.dll
2010-07-01 23:07:56 ----A---- C:\WINDOWS\system32\X3DAudio1_7.dll
2010-07-01 23:07:55 ----A---- C:\WINDOWS\system32\XAudio2_5.dll
2010-07-01 23:07:55 ----A---- C:\WINDOWS\system32\xactengine3_5.dll
2010-07-01 23:07:54 ----A---- C:\WINDOWS\system32\D3DCompiler_42.dll
2010-07-01 23:07:46 ----A---- C:\WINDOWS\system32\d3dcsx_42.dll
2010-07-01 23:07:45 ----A---- C:\WINDOWS\system32\d3dx11_42.dll
2010-07-01 23:07:44 ----A---- C:\WINDOWS\system32\d3dx10_42.dll
2010-07-01 23:07:43 ----A---- C:\WINDOWS\system32\D3DX9_42.dll
2010-07-01 23:07:41 ----A---- C:\WINDOWS\system32\d3dx10_41.dll
2010-07-01 23:07:41 ----A---- C:\WINDOWS\system32\D3DCompiler_41.dll
2010-07-01 23:07:40 ----A---- C:\WINDOWS\system32\D3DX9_41.dll
2010-07-01 23:07:36 ----A---- C:\WINDOWS\system32\XAudio2_4.dll
2010-07-01 23:07:36 ----A---- C:\WINDOWS\system32\XAPOFX1_3.dll
2010-07-01 23:07:36 ----A---- C:\WINDOWS\system32\xactengine3_4.dll
2010-07-01 23:07:35 ----A---- C:\WINDOWS\system32\X3DAudio1_6.dll
2010-07-01 23:07:34 ----A---- C:\WINDOWS\system32\d3dx10_40.dll
2010-07-01 23:07:34 ----A---- C:\WINDOWS\system32\D3DCompiler_40.dll
2010-07-01 23:07:33 ----A---- C:\WINDOWS\system32\D3DX9_40.dll
2010-07-01 23:07:32 ----A---- C:\WINDOWS\system32\XAudio2_3.dll
2010-07-01 23:07:32 ----A---- C:\WINDOWS\system32\XAPOFX1_2.dll
2010-07-01 23:07:32 ----A---- C:\WINDOWS\system32\xactengine3_3.dll
2010-07-01 23:07:31 ----A---- C:\WINDOWS\system32\X3DAudio1_5.dll
2010-07-01 23:07:30 ----A---- C:\WINDOWS\system32\XAudio2_2.dll
2010-07-01 23:07:30 ----A---- C:\WINDOWS\system32\XAPOFX1_1.dll
2010-07-01 23:07:30 ----A---- C:\WINDOWS\system32\xactengine3_2.dll
2010-07-01 23:07:29 ----A---- C:\WINDOWS\system32\d3dx10_39.dll
2010-07-01 23:07:29 ----A---- C:\WINDOWS\system32\D3DCompiler_39.dll
2010-07-01 23:07:28 ----A---- C:\WINDOWS\system32\D3DX9_39.dll
2010-07-01 23:07:27 ----A---- C:\WINDOWS\system32\XAudio2_1.dll
2010-07-01 23:07:27 ----A---- C:\WINDOWS\system32\XAPOFX1_0.dll
2010-07-01 23:07:26 ----A---- C:\WINDOWS\system32\xactengine3_1.dll
2010-07-01 23:07:25 ----A---- C:\WINDOWS\system32\X3DAudio1_4.dll
2010-07-01 23:07:24 ----A---- C:\WINDOWS\system32\d3dx10_38.dll
2010-07-01 23:07:24 ----A---- C:\WINDOWS\system32\D3DCompiler_38.dll
2010-07-01 23:07:23 ----A---- C:\WINDOWS\system32\XAudio2_0.dll
2010-07-01 23:07:23 ----A---- C:\WINDOWS\system32\D3DX9_38.dll
2010-07-01 23:07:22 ----A---- C:\WINDOWS\system32\xactengine3_0.dll
2010-07-01 23:07:21 ----A---- C:\WINDOWS\system32\X3DAudio1_3.dll
2010-07-01 23:07:20 ----A---- C:\WINDOWS\system32\D3DX9_37.dll
2010-07-01 23:07:20 ----A---- C:\WINDOWS\system32\d3dx10_37.dll
2010-07-01 23:07:20 ----A---- C:\WINDOWS\system32\D3DCompiler_37.dll
2010-07-01 23:07:18 ----A---- C:\WINDOWS\system32\xactengine2_10.dll
2010-07-01 23:07:17 ----A---- C:\WINDOWS\system32\d3dx10_36.dll
2010-07-01 23:07:16 ----A---- C:\WINDOWS\system32\d3dx9_36.dll
2010-07-01 23:07:16 ----A---- C:\WINDOWS\system32\D3DCompiler_36.dll
2010-07-01 23:07:14 ----A---- C:\WINDOWS\system32\xactengine2_9.dll
2010-07-01 23:07:14 ----A---- C:\WINDOWS\system32\d3dx10_35.dll
2010-07-01 23:07:14 ----A---- C:\WINDOWS\system32\D3DCompiler_35.dll
2010-07-01 23:07:13 ----A---- C:\WINDOWS\system32\d3dx9_35.dll
2010-07-01 23:07:10 ----A---- C:\WINDOWS\system32\xactengine2_8.dll
2010-07-01 23:07:10 ----A---- C:\WINDOWS\system32\X3DAudio1_2.dll
2010-07-01 23:07:09 ----A---- C:\WINDOWS\system32\d3dx10_34.dll
2010-07-01 23:07:09 ----A---- C:\WINDOWS\system32\D3DCompiler_34.dll
2010-07-01 23:07:07 ----A---- C:\WINDOWS\system32\d3dx9_34.dll
2010-07-01 23:07:06 ----A---- C:\WINDOWS\system32\xinput1_3.dll
2010-07-01 23:07:04 ----A---- C:\WINDOWS\system32\xactengine2_7.dll
2010-07-01 23:07:01 ----A---- C:\WINDOWS\system32\d3dx10_33.dll
2010-07-01 23:07:01 ----A---- C:\WINDOWS\system32\D3DCompiler_33.dll
2010-07-01 23:06:58 ----A---- C:\WINDOWS\system32\d3dx9_33.dll
2010-07-01 23:06:57 ----A---- C:\WINDOWS\system32\xactengine2_6.dll
2010-07-01 23:06:57 ----A---- C:\WINDOWS\system32\xactengine2_5.dll
2010-07-01 23:06:56 ----A---- C:\WINDOWS\system32\d3dx9_32.dll
2010-07-01 23:06:55 ----A---- C:\WINDOWS\system32\xactengine2_4.dll
2010-07-01 23:06:55 ----A---- C:\WINDOWS\system32\x3daudio1_1.dll
2010-07-01 23:06:54 ----A---- C:\WINDOWS\system32\d3dx9_31.dll
2010-07-01 23:06:53 ----A---- C:\WINDOWS\system32\xinput1_2.dll
2010-07-01 23:06:53 ----A---- C:\WINDOWS\system32\xactengine2_3.dll
2010-07-01 23:06:52 ----A---- C:\WINDOWS\system32\xinput1_1.dll
2010-07-01 23:06:52 ----A---- C:\WINDOWS\system32\xactengine2_2.dll
2010-07-01 23:06:51 ----A---- C:\WINDOWS\system32\xactengine2_1.dll
2010-07-01 23:06:47 ----A---- C:\WINDOWS\system32\d3dx9_30.dll
2010-07-01 23:06:45 ----A---- C:\WINDOWS\system32\xactengine2_0.dll
2010-07-01 23:06:45 ----A---- C:\WINDOWS\system32\x3daudio1_0.dll
2010-07-01 23:06:44 ----A---- C:\WINDOWS\system32\d3dx9_29.dll
2010-07-01 23:06:44 ----A---- C:\WINDOWS\system32\d3dx9_28.dll
2010-07-01 23:06:43 ----A---- C:\WINDOWS\system32\xinput9_1_0.dll
2010-07-01 23:06:42 ----A---- C:\WINDOWS\system32\d3dx9_27.dll
2010-07-01 23:06:41 ----A---- C:\WINDOWS\system32\d3dx9_26.dll
2010-07-01 23:06:40 ----A---- C:\WINDOWS\system32\d3dx9_25.dll
2010-07-01 23:06:37 ----A---- C:\WINDOWS\system32\d3dx9_24.dll
2010-07-01 21:51:26 ----D---- C:\WINDOWS\Logs
2010-07-01 16:38:01 ----D---- C:\Documents and Settings\Administrator\Application Data\codeblocks
2010-06-30 22:04:20 ----D---- C:\Program Files\Common Files\DirectX
2010-06-28 07:42:35 ----A---- C:\WINDOWS\system32\cmmgr32.exe
2010-06-28 07:34:16 ----D---- C:\Documents and Settings\Administrator\Application Data\Help
2010-06-28 06:47:48 ----D---- C:\WINDOWS\ERDNT
2010-06-27 22:51:31 ----D---- C:\Documents and Settings\Administrator\Application Data\InspireSoft
2010-06-27 22:24:21 ----D---- C:\Documents and Settings\Administrator\Application Data\Audacity
2010-06-27 00:52:58 ----D---- C:\Documents and Settings\Administrator\Application Data\PeaZip
2010-06-26 08:03:00 ----D---- C:\downloads
2010-06-26 08:02:44 ----D---- C:\Program Files\VideoLAN
2010-06-26 08:02:44 ----D---- C:\Program Files\Trend Micro
2010-06-26 08:02:44 ----D---- C:\Program Files\Sophos
2010-06-26 08:02:33 ----D---- C:\Config.Msi

info.txt logfile of random's system information tool 1.08 2010-07-19 18:51:12
2010-06-25 23:02:54 ----D---- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware(2).com
2010-06-25 14:50:42 ----D---- C:\Documents and Settings\Administrator\Application Data\TeraCopy
2010-06-25 07:22:29 ----D---- C:\Program Files\NOS
2010-06-24 07:33:46 ----A---- C:\WINDOWS\system32\drivers\mcdbus.sys

======List of files/folders modified in the last 1 months======

2010-07-19 07:38:48 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-07-17 17:05:52 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-07-11 11:09:40 ----A---- C:\WINDOWS\win.ini

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 PxHelp20;PxHelp20; C:\WINDOWS\system32\DRIVERS\PxHelp20.sys [2003-10-28 20016]
R1 {6080A529-897E-4629-A488-ABA0C29B635E};Intel® Graphics Platform (SoftBIOS) Driver; C:\WINDOWS\system32\drivers\ialmsbw.sys [2002-10-25 91774]
R1 ehdrv;ehdrv; C:\WINDOWS\system32\DRIVERS\ehdrv.sys [2010-03-29 114984]
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2010-03-29 95872]
R1 OADevice;OADriver; \??\C:\WINDOWS\system32\drivers\OADriver.sys []
R1 OAmon;OAmon; \??\C:\WINDOWS\system32\drivers\OAmon.sys []
R1 OAnet;OAnet; \??\C:\WINDOWS\system32\drivers\OAnet.sys []
R1 SASDIFSV;SASDIFSV; \??\E:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\E:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 eamon;eamon; C:\WINDOWS\system32\DRIVERS\eamon.sys [2010-03-29 140216]
R2 mdmxsdk;mdmxsdk; C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys [2004-08-03 11868]
R3 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91};Intel® Graphics Chipset (KCH) Driver; C:\WINDOWS\system32\drivers\ialmkchw.sys [2002-10-25 71514]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter; C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 36224]
R3 HSF_DP;HSF_DP; C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys [2004-08-03 1041536]
R3 HSFHWBS2;HSFHWBS2; C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys [2004-08-03 220032]
R3 ialm;ialm; C:\WINDOWS\system32\DRIVERS\ialmnt5.sys [2002-10-25 80283]
R3 mcdbus;Driver for MagicISO SCSI Host Controller; C:\WINDOWS\system32\DRIVERS\mcdbus.sys [2009-02-24 116736]
R3 SMBios;Intel ® System Managment BIOS Service; C:\WINDOWS\system32\DRIVERS\SMBios.sys [2003-06-18 35012]
R3 STAC97;Audio Driver (WDM) - SigmaTel CODEC; C:\WINDOWS\system32\drivers\STAC97.sys [2002-08-12 179664]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 winachsf;winachsf; C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys [2004-08-03 685056]
S0 pssnap;Paramount Software Snapshot Filter; C:\WINDOWS\system32\DRIVERS\pssnap.sys []
S0 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2010-06-06 691696]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-23 9600]
S3 MEMSWEEP2;MEMSWEEP2; \??\C:\WINDOWS\system32\5.tmp []
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 PCIDATA;PCIDATA; \??\F:\PCIDATA.sys []
S3 PSMounter;Macrium Reflect Image Explorer Service; \??\C:\WINDOWS\system32\drivers\psmounter.sys []
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;ESET Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2010-03-29 810120]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-04-12 153376]
R2 OAcat;Online Armor Helper Service; C:\Program Files\Tall Emu\Online Armor\OAcat.exe [2010-04-20 1284600]
R2 SvcOnlineArmor;Online Armor; C:\Program Files\Tall Emu\Online Armor\oasrv.exe [2010-04-20 3364856]
S2 ReflectService;Macrium Reflect Image Mounting Service; E:\Program Files\Macrium\Reflect\ReflectService.exe []
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 EhttpSrv;ESET HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2010-03-29 33560]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 getPlusHelper;getPlus® Helper; C:\WINDOWS\System32\svchost.exe [2004-08-03 14336]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service; C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe [2006-10-27 65824]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2006-10-26 441136]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
7-Zip 9.15 beta-->"E:\Program Files\7-Zip\Uninstall.exe"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10h_Plugin.exe -maintain plugin
Auslogics Disk Defrag-->"E:\Program Files\Auslogics\Auslogics Disk Defrag\unins000.exe"
CCleaner-->"E:\Program Files\CCleaner\uninst.exe"
hp deskjet 3320 series (Remove only)-->C:\Program Files\hp deskjet 3320 series\hpfiui.exe -c -vdivid=HPF -vpnum=95 -vinstport=USB001 -vproduct=3320 -huninstall
hp deskjet 3320 series-->rundll32 hpzcon07.dll,VendorJettison hp deskjet 3320 series
ImgBurn-->"E:\Program Files\ImgBurn\uninstall.exe"
Intel® Extreme Graphics Driver Software-->RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx PCI\VEN_8086&DEV_2562
Java™ 6 Update 20-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216017FF}
MagicDisc 2.7.106-->E:\PROGRA~1\MAGICD~1\UNWISE.EXE E:\PROGRA~1\MAGICD~1\INSTALL.LOG
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007-->MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007-->MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007-->MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C# 2005 Express Edition - ENU-->D:\Program Files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe
Microsoft Visual C# 2005 Express Edition - ENU-->MsiExec.exe /X{7E7D7935-B0C8-4032-80BA-2CDC9E43C3B8}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Mozilla Firefox (3.6.6)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6 Service Pack 2 (KB973686)-->MsiExec.exe /I{56EA8BC0-3751-4B93-BC9D-6651CC36E5AA}
MusicBee-->MsiExec.exe /X{0CA267D3-3CBC-4852-910C-5995698F4914}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Online Armor 4.0-->"C:\Program Files\Tall Emu\Online Armor\unins000.exe"
Orbit Downloader-->"E:\Program Files\Orbitdownloader\unins000.exe"
PDF-Viewer-->"C:\Program Files\Tracker Software\PDF Viewer\unins000.exe"
Revo Uninstaller 1.89-->E:\Program Files\VS Revo Group\Revo Uninstaller\uninst.exe
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
SigmaTel AC97 Audio Drivers-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7959721D-8268-4565-9E0E-C41A9F4848A9}\setup.exe" -l0x9 -nodialog -uninstall
SUPERAntiSpyware-->"E:\Program Files\SUPERAntiSpyware\SASUNINST.EXE" /NOUI
TeraCopy 2.12-->"E:\Program Files\TeraCopy\unins000.exe"
Teton Viewer-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Teton Data Systems\Teton Viewer\DeIsL2.isu" -c"C:\Program Files\Teton Data Systems\Teton Viewer\tdsun32.dll"
The KMPlayer (remove only)-->"E:\Program Files\The KMPlayer\uninstall.exe"
Unlocker 1.8.9-->E:\Program Files\Unlocker\uninst.exe
upapp-->MsiExec.exe /I{4EF69D40-4DC9-485E-95D3-B1C22F218FC8}
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Wise Registry Cleaner Free 5.41-->"E:\Program Files\Wise Registry Cleaner\unins000.exe"
Yahoo! Messenger-->C:\PROGRA~1\YAHOO!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\YAHOO!\MESSEN~1\INSTALL.LOG

Hosts File Missing
======Security center information======

AV: ESET NOD32 Antivirus 4.2
FW: Online Armor Firewall

======System event log======

Computer Name: GOD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 2969
Source Name: Tcpip
Time Written: 20100710180006.000000+330
Event Type: warning
User:

Computer Name: GOD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 2968
Source Name: Tcpip
Time Written: 20100710173247.000000+330
Event Type: warning
User:

Computer Name: GOD
Event Code: 7006
Message: The ScRegSetValueExW call failed for DeleteFlag with the following error:
Access is denied.


Record Number: 2967
Source Name: Service Control Manager
Time Written: 20100710172247.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 7006
Message: The ScRegSetValueExW call failed for Start with the following error:
Access is denied.


Record Number: 2966
Source Name: Service Control Manager
Time Written: 20100710172247.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 2965
Source Name: Tcpip
Time Written: 20100710171903.000000+330
Event Type: warning
User:

=====Application event log=====

Computer Name: GOD
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: The specified server cannot perform the requested operation.


Record Number: 339
Source Name: crypt32
Time Written: 20100630200016.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 8
Message: Failed auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt> with error: This operation returned because the timeout period expired.


Record Number: 338
Source Name: crypt32
Time Written: 20100630200015.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 5000
Message: EventType clr20r3, P1 presmgr.exe, P2 0.7.6.9, P3 4bae5b8e, P4 system.windows.forms, P5 2.0.0.0, P6 471ebf68, P7 19a3, P8 2, P9 pszqoadhx1u5zahbhohghldgiy4qixhx, P10 NIL.

Record Number: 332
Source Name: .NET Runtime 2.0 Error Reporting
Time Written: 20100630072602.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 1023
Message: .NET Runtime version 2.0.50727.1433 - Fatal Execution Engine Error (7A06491A) (0)

Record Number: 325
Source Name: .NET Runtime
Time Written: 20100630003222.000000+330
Event Type: error
User:

Computer Name: GOD
Event Code: 1000
Message: Faulting application gta-vc.exe, version 0.0.0.0, faulting module gta-vc.exe, version 0.0.0.0, fault address 0x000bb185.

Record Number: 323
Source Name: Application Error
Time Written: 20100629184138.000000+330
Event Type: error
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\WBEM
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 1 Stepping 2, GenuineIntel
"PROCESSOR_REVISION"=0102
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-19 19:13:16
Windows 5.1.2600 Service Pack 2
Running: 0k01fh43.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAllocateVirtualMemory [0xF080F3E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwAssignProcessToJobObject [0xF080FC10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwConnectPort [0xF080D300]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF081CDD0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreatePort [0xF080CE40]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcess [0xF0809B80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateProcessEx [0xF0809F90]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateSection [0xF0809440]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateThread [0xF080B480]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDebugActiveProcess [0xF080C0F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwDuplicateObject [0xF080CC50]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xF080EA00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenFile [0xF081D450]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenProcess [0xF080AF80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenSection [0xF0809860]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwOpenThread [0xF080B980]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwProtectVirtualMemory [0xF080F860]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueryDirectoryFile [0xF080EF80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwQueueApcThread [0xF080FDB0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestPort [0xF080DF00]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRequestWaitReplyPort [0xF080E500]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwRestoreKey [0xF081C960]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwResumeThread [0xF080C8A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSecureConnectPort [0xF080D6F0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetContextThread [0xF080BED0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF0A4D650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xF0A4D7D0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSetSystemInformation [0xF080C290]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwShutdownSystem [0xF080E8E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendProcess [0xF080CA80]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSuspendThread [0xF080C690]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwSystemDebugControl [0xF080C4A0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateProcess [0xF080B1E0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwTerminateThread [0xF080BCC0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwUnloadDriver [0xF080ED10]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwWriteVirtualMemory [0xF080FA30]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2770 12 Bytes [40, CE, 80, F0, 80, 9B, 80, ...]
.text ntoskrnl.exe!_abnormal_termination + 430 804E2A9C 4 Bytes CALL F3401B21
.text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [80, CA, 80, F0, 90, C6, 80, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Java\jre6\bin\jqs.exe[192] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\csrss.exe[376] KERNEL32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\winlogon.exe[412] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\services.exe[456] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\system32\lsass.exe[468] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text ...
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[940] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 009B0001
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[940] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Tall Emu\Online Armor\oasrv.exe[940] user32.dll!LoadStringA 7E42DFA8 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01A10001
.text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\Explorer.EXE[1144] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\Explorer.EXE[1144] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\Explorer.EXE[1144] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\Explorer.EXE[1144] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\system32\spoolsv.exe[1224] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71AF003D
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[1308] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 01270001
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[1308] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[1308] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Tall Emu\Online Armor\OAhlp.exe[1308] user32.dll!LoadStringA 7E42DFA8 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\svchost.exe[1628] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00E70001
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F130F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F160F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[1748] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[1784] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 015F0001
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[1784] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[1784] user32.dll!LoadStringW 7E419E36 6 Bytes JMP 5F0A0F5A
.text C:\Program Files\Tall Emu\Online Armor\oaui.exe[1784] user32.dll!LoadStringA 7E42DFA8 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C10001
.text C:\WINDOWS\system32\ctfmon.exe[1848] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\ctfmon.exe[1848] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\ctfmon.exe[1848] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1856] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1856] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00CB0001
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] user32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] advapi32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F130F5A
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] advapi32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F160F5A
.text C:\Documents and Settings\Administrator\My Documents\Downloads\0k01fh43.exe[1960] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A
.text C:\WINDOWS\System32\alg.exe[2168] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!LoadLibraryExW + C4 7C801BB5 4 Bytes CALL 00C00001
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateProcessW 7C802332 6 Bytes JMP 5F0A0F5A
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!CreateProcessA 7C802367 6 Bytes JMP 5F040F5A
.text C:\WINDOWS\system32\wuauclt.exe[2876] kernel32.dll!FreeLibrary + 15 7C80AC03 4 Bytes CALL 71B0003D
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!CreateServiceA 77E370B9 6 Bytes JMP 5F130F5A
.text C:\WINDOWS\system32\wuauclt.exe[2876] ADVAPI32.dll!CreateServiceW 77E37251 6 Bytes JMP 5F160F5A
.text C:\WINDOWS\system32\wuauclt.exe[2876] USER32.dll!ExitWindowsEx 7E45A045 6 Bytes JMP 5F0D0F5A
.text C:\WINDOWS\system32\wuauclt.exe[2876] IPHLPAPI.DLL!IcmpSendEcho2 76D6B73C 6 Bytes JMP 5F100F5A

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Tall Emu)
Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Tall Emu)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x97 0x94 0xE3 0xBC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x94 0xAC 0x62 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x3C 0x04 0xFB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x5D 0xB0 0xB0 0x30 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xAE 0xBD 0x0D 0xE5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x97 0x94 0xE3 0xBC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x94 0xAC 0x62 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x3C 0x04 0xFB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x5D 0xB0 0xB0 0x30 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xAE 0xBD 0x0D 0xE5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x97 0x94 0xE3 0xBC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x94 0xAC 0x62 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0A 0x3C 0x04 0xFB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x5D 0xB0 0xB0 0x30 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xAE 0xBD 0x0D 0xE5 ...

---- EOF - GMER 1.0.15 ----

Attached files: info.txt (10.06KB), log.txt (23.96KB), gmer.log (24.31KB)

Edited by aommaster, 19 July 2010 - 12:56 PM.
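The SSDT section of the GMER log above lists every hooked system call together with the driver that owns the hook. Every hook there resolves to OADriver.sys (OA Helper Driver, Tall Emu) or ehdrv.sys (ESET Helper driver), the kernel components of the two security products that appear in the services list, which is why such hooks are expected from a HIPS/antivirus rather than evidence of a rootkit. The Python script below is an added example, not part of the thread and not GMER's own code: it parses that section, groups hooks by owning driver, and flags hooks whose driver is outside a vendor allowlist or that GMER could not attribute to any loaded module. The allowlist is constructed from the products visible in this log; the last two sample lines (example.sys and the bare-address hook) are constructed illustrations, and the bare-address format is assumed from how GMER prints hooks it cannot map to a driver.

```python
"""Triage the SSDT section of a GMER log.

Added example, not part of the thread and not GMER code. TRUSTED_VENDORS is a
constructed allowlist built from the products in this log's service list
(Online Armor by Tall Emu, ESET NOD32); adapt it to the host being examined.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: vendors whose kernel drivers are expected to hook the SSDT.
TRUSTED_VENDORS = {"Tall Emu", "ESET"}


@dataclass
class Hook:
    function: str              # hooked system call, e.g. ZwCreateFile
    module: Optional[str]      # hooking driver file name; None when not backed by a module
    description: Optional[str]
    vendor: Optional[str]
    handler: Optional[str]     # hook address as printed by GMER, e.g. 0xF081CDD0


def parse_ssdt_line(line):
    """Parse one 'SSDT ...' line; return None for any other line."""
    tokens = line.strip().split()
    if len(tokens) < 3 or tokens[0] != "SSDT":
        return None
    handler = None
    if tokens[-1].startswith("[") and tokens[-1].endswith("]"):
        handler = tokens.pop()[1:-1]
    function = tokens.pop()
    owner = " ".join(tokens[1:])
    description = vendor = None
    # Optional "(description/vendor)" suffix after the module path.
    if owner.endswith(")") and "(" in owner:
        owner, meta = owner.rsplit("(", 1)
        owner = owner.strip()
        description, _, vendor = meta[:-1].rpartition("/")
        description = description or None
    # A bare 8-digit hex value instead of a path means the hook lands in memory
    # GMER could not attribute to a loaded driver (assumed format, see lead-in).
    if re.fullmatch(r"[0-9A-Fa-f]{8}", owner):
        module = None
    else:
        module = owner.rsplit("\\", 1)[-1].lower()
    return Hook(function, module, description, vendor, handler)


def triage_ssdt(log_text):
    """Group SSDT hooks by owning module and flag the ones that need a closer look."""
    by_module = defaultdict(list)
    for line in log_text.splitlines():
        hook = parse_ssdt_line(line)
        if hook:
            by_module[hook.module or "<no module>"].append(hook)
    suspicious = {}
    for module, hooks in by_module.items():
        vendors = {h.vendor for h in hooks}
        if module == "<no module>":
            suspicious[module] = "hook not backed by any loaded driver"
        elif not vendors & TRUSTED_VENDORS:
            names = ", ".join(v or "(none)" for v in vendors)
            suspicious[module] = "hooking driver outside the allowlist: " + names
    return by_module, suspicious


# Sample: three lines quoted from the thread's log plus two constructed ones
# (example.sys with no vendor info, and a hook with no backing module).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwCreateFile [0xF081CDD0]
SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys (OA Helper Driver/Tall Emu) ZwLoadDriver [0xF080EA00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF0A4D650]
SSDT \??\C:\WINDOWS\system32\drivers\example.sys ZwQueryDirectoryFile [0xF7A1C2D0]
SSDT 8A23F1D8 ZwCreateKey

---- Kernel code sections - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    modules, flagged = triage_ssdt(SAMPLE_LOG)
    for module, hooks in modules.items():
        print(f"{module:<14} {len(hooks):>2} hook(s)  vendor={hooks[0].vendor}")
    for module, why in flagged.items():
        print("FLAG", module, "-", why)
```

Run against the full log in the post, the script reports only oadriver.sys and ehdrv.sys, both allowlisted, and nothing flagged; an unattributed hook or a driver with no vendor string is the case that warrants pulling the file for a closer look.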


#7 aommaster (Malware Response Team, Dubai)
Posted 19 July 2010 - 12:58 PM

Hello, jackuars.
The PC looks fine. I noticed, though, that you have a missing hosts file (I'm assuming you deleted it). We'll just reset the Hosts file in this step, update Java, and have another check.

Also, please copy and paste logs directly into your reply, as they make it easier for me to read.

We need to run HostsXpert
  1. Download HostsXpert.zip
  2. Extract (unzip) HostsXpert.zip to a permanent folder on your hard drive such as C:\HostsXpert
  3. Double-click HostsXpert.exe to run the program.
  4. Click "Make Hosts Writable?" in the upper right corner (If available).
  5. Click "Restore Microsoft's Hosts file" and then click "OK".
  6. Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

NEXT:

We need to update your version of Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  1. Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  2. Look for "JDK 6 Update 21 (JDK or JRE)".
  3. Click the Download JRE button to the right.
  4. Select your Platform: "Windows".
  5. Select your Language: "Multi-language".
  6. Read the License Agreement, and then check the box that says: "Accept License Agreement".
  7. Click Continue and the page will refresh.
  8. Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  9. Close any programs you may have running - especially your web browser.
  10. Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  11. Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  12. Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  13. Repeat as many times as necessary to remove each Java version.
  14. Reboot your computer once all Java components are removed.
  15. Then from your desktop double-click on jre-6u21-windows-i586-p.exe to install the newest version.
-- If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
-- If you choose to update via the Java applet in Control Panel, uncheck the option to install the Toolbar unless you want it.
-- The uninstaller incorporated in this release removes previous Updates 10 and above, but does not remove older versions, so they still need to be removed manually.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.

Please make sure you turn on the Java Automatic Update Feature

Then you will not have to remember to update it when Java introduces a new version.
Java is updated very frequently, and the old versions are malware magnets.

Note: This feature is available only on Windows XP, 2003, 2000 (SP2 or higher) and set by default for these operating systems.

NEXT:

We need to run a Panda Active Scan
(Note that this step may take a while to complete)
  1. Please go here to run Panda's ActiveScan
  2. Once you are on the Panda site click the Scan your PC button
  3. Click the big Scan Now button
  4. If it wants to install an ActiveX component allow it
  5. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  6. When download is complete, click on My Computer to start the scan
  7. When the scan completes, if anything malicious is detected, click the Export to button, Post the contents of the ActiveScan report

In your next reply, please include the following:
  • ActiveScan Report

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM
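The hosts-file reset above addresses the original symptom directly: sites that will not load and security tools that cannot start or update are exactly what a hijacked hosts file produces, and the "hijacked domains" warning HijackThis raised (its O1 check) is a check of that file. The Python script below is an added example, not part of the thread and not HijackThis or HostsXpert code: it parses a Windows hosts file, flags entries that blackhole or redirect security and update domains, and checks whether a file is back to the stock XP content that "Restore Microsoft's Hosts file" produces. The watched-domain list and the sample file are constructed for the illustration; the path is the standard XP location.

```python
"""Triage a Windows hosts file for hijack entries.

Added example: not from the thread and not HijackThis or HostsXpert code.
The watched-domain list and the sample file are constructed illustrations.
"""
import ipaddress
from dataclasses import dataclass

# Standard hosts file location on Windows XP, the system in the thread.
XP_HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# What restoring the stock XP hosts file leaves behind: one loopback entry.
DEFAULT_XP_HOSTS = "127.0.0.1       localhost\n"

# Constructed, deliberately short list of vendor and update domains that
# hosts-file hijackers typically blackhole or redirect.
WATCHED_SUFFIXES = (
    "windowsupdate.com",
    "microsoft.com",
    "eset.com",
    "avast.com",
    "malwarebytes.org",
    "comodo.com",
)

LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class Finding:
    line_no: int
    ip: str
    host: str
    reason: str


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) per active entry; comments and blanks are skipped."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            yield n, parts[0], [h.lower() for h in parts[1:]]


def _watched(host):
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)


def triage_hosts(text):
    """Return a Finding for every entry that blackholes or redirects something it should not."""
    findings = []
    for n, ip, hosts in parse_hosts(text):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(Finding(n, ip, " ".join(hosts), "malformed address"))
            continue
        for host in hosts:
            if host == "localhost":
                continue
            if ip not in LOOPBACK:
                # A mapping to a remote address silently redirects the name;
                # for a vendor domain that is the classic hijack.
                reason = "security/update domain redirected" if _watched(host) else "redirected to remote host"
                findings.append(Finding(n, ip, host, reason))
            elif _watched(host):
                # Blackholing a vendor domain blocks updates and downloads,
                # which is the symptom the thread started with.
                findings.append(Finding(n, ip, host, "security/update domain blackholed"))
    return findings


def is_default(text):
    """True when the only active entry is the stock '127.0.0.1 localhost' line."""
    entries = list(parse_hosts(text))
    return len(entries) == 1 and entries[0][1] == "127.0.0.1" and entries[0][2] == ["localhost"]


def triage_file(path=XP_HOSTS_PATH):
    """Run the triage on a real hosts file (not used by the offline demo below)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage_hosts(fh.read())


# Constructed sample: stock line, a user's own ad-block line (benign),
# a vendor domain blackholed, and two vendor domains redirected off-box.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example.net          # user's own ad-block entry
127.0.0.1       update.eset.com
192.0.2.44      www.malwarebytes.org
192.0.2.44      download.windowsupdate.com
"""

if __name__ == "__main__":
    for f in triage_hosts(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.ip:<12} {f.host:<28} {f.reason}")
    print("stock XP hosts file:", is_default(DEFAULT_XP_HOSTS))
```

A user's own loopback entries for ad or tracking domains are left alone; only loopback entries for vendor domains and any mapping to a non-loopback address are reported, which is the same distinction behind the note above that custom entries have to be re-added by hand after the reset.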


#8 jackuars (Topic Starter, India)
Posted 20 July 2010 - 12:35 AM

Thanks for your replies and for helping me, AOMMASTER. I am relieved that everything I need to do is so simple and straightforward. I will post you the logs soon today.

Diana

#9 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:03:13 AM

Posted 20 July 2010 - 12:55 AM

No problem!

Thanks for letting me know



#10 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:03:13 AM

Posted 23 July 2010 - 12:24 AM

Hello jackuars
Are you still with us?



#11 jackuars

jackuars
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Location:India
  • Local time:04:43 AM

Posted 23 July 2010 - 11:34 AM

Ran the Hosts Expert file and the update of Java as per your recommendation. But the Panda Active Scan isn't starting after the downloading of files, as the plugin crashes.

#12 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:03:13 AM

Posted 23 July 2010 - 01:22 PM

Okay, no problem.

Let's run another online scanner:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the ESET Online Scanner button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on Export to text file... to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the Eset Smart Installer icon on your desktop.
  4. Check the "YES, I accept the Terms of Use"
  5. Click the Start button.
  6. Accept any security warnings from your browser.
  7. Check Scan archives
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push "List of found threats"
  11. Push "Export to text file", and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the "<<Back" button.
  13. Push Finish



#13 jackuars

jackuars
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Location:India
  • Local time:04:43 AM

Posted 23 July 2010 - 04:32 PM

Anyway, I got the Panda Online scan working in Internet Explorer, though not in Mozilla. I am using ESET antivirus presently.

Here are my log results from the Panda ActiveScan:


;***********************************************************************************************************************************************************************************
ANALYSIS: 2010-07-24 02:45:45
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET NOD32 Antivirus 4.2 4.2 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@atdmt[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@bs.serving-sys[1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
179553 HIGH MS07-061
;===================================================================================================================================================================================


Edited by aommaster, 23 July 2010 - 07:14 PM.

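The ActiveScan report above is plain text with a fixed layout: a summary block of "KEY: value" lines, then PROTECTIONS, MALWARE, SUSPECTS and VULNERABILITIES sections, each introduced by a column-name line and bracketed by ";===" separators. Reading such reports by eye is how helpers on this forum triage them; the script below is an added example (written for this page, not code from the thread, from BleepingComputer or from Panda) that parses the same layout programmatically, checks that the header counts agree with the rows it found, and separates what needs action from what does not. The sample text is the report quoted in the post above with the separator lines shortened; the assumption that any non-cookie or still-active detection and every listed vulnerability deserves attention is the example's own rule, not Panda's.

```python
import re

# Constructed sample: the Panda ActiveScan report quoted in the post above,
# with the very long ";***" / ";===" separator lines shortened.
SAMPLE_REPORT = r"""
;*****
ANALYSIS: 2010-07-24 02:45:45
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 0
;*****
PROTECTIONS
Description Version Active Updated
;=====
ESET NOD32 Antivirus 4.2 4.2 Yes Yes
;=====
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;=====
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@atdmt[2].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@serving-sys[1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No c:\documents and settings\administrator\cookies\administrator@bs.serving-sys[1].txt
;=====
SUSPECTS
Sent Location
;=====
;=====
VULNERABILITIES
Id Severity Description
;=====
179553 HIGH MS07-061
;=====
"""

SECTIONS = ("PROTECTIONS", "MALWARE", "SUSPECTS", "VULNERABILITIES")

# Columns are space separated, but Description and Location may themselves
# contain spaces, so each row is anchored on the fixed-vocabulary columns
# (Yes/No flags, numeric severity) that sit between them.
PROTECTION_ROW = re.compile(r"^(.+?)\s+(\S+)\s+(Yes|No)\s+(Yes|No)$")
MALWARE_ROW = re.compile(
    r"^(\d+)\s+(.+?)\s+(\S+)\s+(Yes|No)\s+(\d+)\s+(Yes|No)\s+(Yes|No)\s+(.+)$")
VULN_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(.+)$")


def parse_activescan(text):
    """Parse an ActiveScan report into its summary values and per-section rows."""
    report = {"summary": {}, "protections": [], "malware": [],
              "suspects": [], "vulnerabilities": []}
    section = None
    expect_header = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or ;*** / ;=== separator
        if line in SECTIONS:
            section = line.lower()
            expect_header = True          # the next line only names the columns
            continue
        if expect_header:
            expect_header = False
            continue
        if section is None:               # "KEY: value" summary block at the top
            key, _, value = line.partition(":")
            report["summary"][key.strip()] = value.strip()
        elif section == "protections":
            m = PROTECTION_ROW.match(line)
            if m:
                report["protections"].append(
                    {"description": m[1], "version": m[2],
                     "active": m[3] == "Yes", "updated": m[4] == "Yes"})
        elif section == "malware":
            m = MALWARE_ROW.match(line)
            if m:
                report["malware"].append(
                    {"id": m[1], "description": m[2], "type": m[3],
                     "active": m[4] == "Yes", "severity": int(m[5]),
                     "disinfectable": m[6] == "Yes",
                     "disinfected": m[7] == "Yes", "location": m[8]})
        elif section == "vulnerabilities":
            m = VULN_ROW.match(line)
            if m:
                report["vulnerabilities"].append(
                    {"id": m[1], "severity": m[2], "description": m[3]})
        else:                             # suspects: kept verbatim, none in the sample
            report["suspects"].append(line)
    return report


def counts_match(report):
    """True when the header counts agree with the rows parsed: a sanity check
    that the row patterns did not silently drop a line."""
    s = report["summary"]
    return (int(s["PROTECTIONS"]) == len(report["protections"])
            and int(s["MALWARE"]) == len(report["malware"])
            and int(s["SUSPECTS"]) == len(report["suspects"]))


def needs_attention(report):
    """Example triage rule (an assumption of this example, not Panda's): act on
    any detection that is still active or is not a tracking cookie, and on every
    listed vulnerability, since each one is a missing patch."""
    issues = []
    for item in report["malware"]:
        if item["active"] or item["type"] != "TrackingCookie":
            issues.append(("malware", item["id"], item["description"]))
    for vuln in report["vulnerabilities"]:
        issues.append(("vulnerability", vuln["id"], vuln["description"]))
    return issues


if __name__ == "__main__":
    rep = parse_activescan(SAMPLE_REPORT)
    print("header counts consistent:", counts_match(rep))
    for kind, ident, what in needs_attention(rep):
        print(f"{kind}: {ident} {what}")
```

Run against the sample, the three cookies drop out as inactive tracking cookies, which is the conclusion the helper reaches in the next post, while the MS07-061 line remains as the one item that still calls for action (a Windows update).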

#14 aommaster

aommaster

    I !<3 malware


  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:03:13 AM

Posted 23 July 2010 - 07:15 PM

Hello, jackuars.
There's no need to trouble yourself with running an ESET scan. The items found in the Panda ActiveScan are cookies and are harmless.

Your log looks clean. Please take the time to read below to secure your machine and take the necessary steps to keep it clean.
Hiding Hidden Files
Please set your system to hide all hidden files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, uncheck Show hidden files and folders.
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Purging System Restore Points
Now you should Set a New Restore Point to prevent possible reinfection from an old one. Some of the malware you picked up could have been saved in System Restore. Since System Restore is a protected directory, your tools can not access it to delete these bad files which sometimes can reinfect your system. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
  2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  3. Then go to Start > Run and type: Cleanmgr
  4. Click "OK".
  5. Click the "More Options" Tab.
  6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.
There are many ways to reduce the chance of getting infected in the future. Below, I have listed a few:
  1. Practice Safe Internet
    • Be wary of attachments in emails. Avoid opening .exe, .com, .bat, or .pif files.
    • Watch out for Foistware. More info can be found on Foistware, And how to avoid it.
    • Do not fall for Rogue/Suspect Anti-Spyware Products & Web Sites
    • Do not go to adult sites.
    • When using an Instant Messaging program be cautious about clicking on links people send to you.
    • Stay away from Warez and Crack sites. In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections.
    • Use McAfee Siteadvisor to look up info on a site if you are not sure whether it is legitimate
    • Do not install any software without first reading the End User License Agreement, otherwise known as the EULA.
  2. Make Internet Explorer more secure
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt

        When all these settings have been made, click on the OK button. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  3. Make Firefox more secure
    Firefox is a relatively safe browser compared to Internet Explorer. However, if you'd still like to enhance security, consider some of these extensions:
    • NoScript: Add-on which automatically blocks Javascript and Java from running on sites.
    • Firekeeper: Add-on which aims to protect you from malicious websites which may exploit browser and code security flaws.
    • KeyScrambler: Add-on that protects your passwords from being detected by keyloggers.
  4. Keep Windows updated
    Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer. Therefore, please, visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install.
  5. Install and update the following programs frequently
    1. An outbound firewall
      A comprehensive tutorial and a list of possible firewalls can be found here
    2. An antivirus software
      It is imperative that you update your AntiVirus Software on a regular basis. If you do not update your AntiVirus Software then it will not be able to catch the latest threats. Three good antivirus programs free for non-commercial home use are Avast!, Antivir, and AVG Antivirus.
    3. An antispyware program
      Malwarebytes' Anti-Malware is an excellent Anti-Spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates. SUPERAntiSpyware is another good scanner with high detection and removal rates. Both programs are free for non-commercial home use but provide a resident and do not nag if you purchase the paid versions.
    4. SpywareBlaster
      A tutorial for Spywareblaster can be found here. If you wish, the commercial version provides automatic updating.
    5. MVPs hosts file
      A tutorial for MVPs hosts file can be found here. If you would like automatic updates you might want to take a look at HostMan host file manager. For more information on the hosts file, and what it can do for you, please consult the Tutorial on the Hosts file.
  6. Keep your other software updated too
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

Some more links you might find of interest:


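Point 5 above recommends the MVPs hosts file, and the problem that started this thread was a HOSTS file full of hijacked domains, so it is worth being precise about the difference: a blocklist maps unwanted hostnames to a sinkhole address (127.0.0.1, 0.0.0.0 or ::1), whereas a hijacked file either sinkholes the update and security-vendor sites the victim needs, or maps names to a routable address so that traffic is silently rerouted. The script below is an added example written for this page (not code from the thread, from HijackThis or from the MVPs project) that parses hosts-file text and tags each entry accordingly. The sample file is constructed, and the list of watched vendor domains is an illustrative assumption, not a list taken from the thread.

```python
import ipaddress

# Addresses a legitimate blocklist such as the MVPs hosts file maps unwanted
# hostnames to: the lookup is sunk locally instead of being redirected.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Illustrative watchlist (an assumption of this example, not from the thread):
# update and security-vendor domains that malware commonly blocks via hosts.
WATCHED_DOMAINS = ("windowsupdate.com", "update.microsoft.com",
                   "malwarebytes.org", "avast.com", "eset.com")

# Constructed sample hosts file, not the poster's real one.
HOSTS_SAMPLE = """
# constructed sample for the example
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net          # MVPs-style blocklist entry: fine
127.0.0.1       www.malwarebytes.org     # security site sunk to loopback
127.0.0.1       update.microsoft.com     # Windows Update blocked
203.0.113.7     www.example.com          # silent redirect to a routable address
garbage-line    something.example        # malformed: the resolver ignores it
"""


def parse_hosts(text):
    """Return (address, hostname) pairs from hosts-file text. Comments and blank
    lines are skipped, and one address line may carry several hostnames."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        addr, *names = line.split()
        try:
            addr = str(ipaddress.ip_address(addr))   # validate and normalise
        except ValueError:
            continue                               # not an address: skipped, as Windows does
        entries.extend((addr, name.lower()) for name in names)
    return entries


def is_watched(hostname):
    """True for a watched domain or any subdomain of one (not a mere suffix match)."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(entries):
    """Tag each entry as 'blocklist' (sinkholed, not a watched domain),
    'blocked-security-site' (a watched domain sinkholed, the pattern HijackThis
    reports as hijacked domains) or 'redirect' (any name sent to a routable
    address, which quietly reroutes that site's traffic)."""
    findings = []
    for addr, name in entries:
        if name == "localhost":
            continue                      # the two standard entries
        if addr not in SINKHOLE_ADDRESSES:
            kind = "redirect"
        elif is_watched(name):
            kind = "blocked-security-site"
        else:
            kind = "blocklist"
        findings.append((kind, addr, name))
    return findings


def suspicious(entries):
    """Only the findings a person should look at; blocklist entries are expected."""
    return [f for f in classify(entries) if f[0] != "blocklist"]


if __name__ == "__main__":
    for kind, addr, name in suspicious(parse_hosts(HOSTS_SAMPLE)):
        print(f"{kind:22} {addr:15} {name}")
```

On a real machine the text would come from %SystemRoot%\System32\drivers\etc\hosts; on a clean system that uses the MVPs file every non-localhost entry should classify as "blocklist", and anything tagged "redirect" that you did not add yourself deserves the same scrutiny the helper gave the HijackThis entries earlier in this thread.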

#15 jackuars

jackuars
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female
  • Location:India
  • Local time:04:43 AM

Posted 24 July 2010 - 10:22 PM

Thanks for taking pain in helping me!

Diana
