
Tons of trojans and whatnot


20 replies to this topic

#1 MintyColor

Posted 30 December 2012 - 11:27 PM

Hey there! I've run MBAM several times and it's come up with some really strange stuff, reported as trojans and backdoor agents. It keeps saying it'll delete all the stuff on reboot, but it never does. When I scan in safe mode, nothing comes up. I'll attach my MBAM log (normal boot with all reported trojans and problems) along with my dds and its attachment. Please help!!

Here is my DDS log and its attachment:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.6001.18702
Run by IEC870012 at 19:26:45 on 2012-12-30
Microsoft Windows XP Professional 5.1.2600.3.950.886.1033.18.3070.2087 [GMT 8:00]
.
AV: Trend Micro OfficeScan 防毒 *Enabled/Updated* {13327328-7A1E-4DDF-841E-9A004AF58A15}
.
============== Running Processes ================
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\program files\allotclient\clientinfo.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\SmartIT\smss.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
C:\WINDOWS\system32\TPSMain.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://tw.yahoo.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
mSearch Bar = hxxp://www.google.com/ie
uProxyServer = proxy.iec.inventec:80
uProxyOverride = 10.*;*.inventec;*.inventec.com;<local>;*.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo!奇摩捷徑列: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
uURLSearchHooks: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - <orphaned>
BHO: &Yahoo! Toolbar Helper: {02478D38-C3F9-4efb-9B51-7695ECA05670} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
BHO: HP Print Enhancer: {0347C33E-8762-4905-BF09-768834316C61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - <orphaned>
BHO: Windows Live 登入小幫手: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - c:\program files\google\googletoolbarnotifier\5.7.7529.1424\swg.dll
BHO: taiwanradio Toolbar: {b0a9d42c-7ad5-4f81-b8cf-90445806b653} - c:\program files\taiwanradio\prxtbtai0.dll
BHO: PDFCreator Toolbar Helper: {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - c:\program files\yahoo!\companion\installs\cpn1\YTSingleInstance.dll
BHO: HP Smart BHO Class: {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: PDFCreator Toolbar: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: Yahoo!奇摩捷徑列: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: Google Toolbar: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: taiwanradio Toolbar: {B0A9D42C-7AD5-4F81-B8CF-90445806B653} - c:\program files\taiwanradio\prxtbtai0.dll
TB: PDFCreator Toolbar: {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - c:\program files\pdfcreator toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
TB: Dr.eye WebPage Translation: {92B255FE-94E2-4BCA-958D-3926CE38913F} - c:\program files\inventec\dreye\dreyemt\DreyeIEBar.dll
TB: Yahoo!奇摩捷徑列: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - c:\program files\yahoo!\companion\installs\cpn1\yt.dll
TB: taiwanradio Toolbar: {b0a9d42c-7ad5-4f81-b8cf-90445806b653} - c:\program files\taiwanradio\prxtbtai0.dll
TB: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
EB: HP Smart Web Printing: {555D4D79-4BD2-4094-A395-CFC534424A05} - c:\program files\hp\digital imaging\smart web printing\hpswp_bho.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [adawarebp] reg.exe delete "HKCU\Software\AppDataLow\Software\adawarebp" /f
uRunOnce: [adawarebp_XP] reg.exe delete "HKCU\Software\adawarebp" /f
uRunOnce: [adawarebp_DATA_FOLDER] cmd.exe /c rmdir "c:\documents and settings\all users\application data\Ad-Aware Browsing Protection" /s /q
uRunOnce: [adawarebp_INSTALL_FOLDER] cmd.exe /c rmdir "c:\documents and settings\iec870012\local settings\application data\adawarebp" /s /q
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [THotkey] c:\program files\toshiba\toshiba applet\thotkey.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [OfficeScanNT Monitor] "c:\program files\trend micro\officescan client\pccntmon.exe" -HideWindow
mRun: [TPSMain] TPSMain.exe
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SmartIT Client] c:\smartit\lsass.exe
mRunOnce: [Malwarebytes Anti-Malware (cleanup)] rundll32.exe "c:\documents and settings\all users\application data\malwarebytes\malwarebytes' anti-malware\cleanup.dll",ProcessCleanupScript
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-Windows\System: Allow-LogonScript-NetbiosDisabled = dword:1
mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
IE: Foxy ?? - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy 下載 - c:\program files\foxy\Foxy.exe/download.htm
IE: Foxy 搜尋 - c:\program files\foxy\Foxy.exe/search.htm
IE: 匯出至 Microsoft Office Excel(&X) - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: pps.tv
Trusted Zone: ppstream.com
Trusted Zone: webscache.com
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/A/7/D/A7D1EBE3-8E78-4CBE-B22B-EEECF9E3A1BC/fhg.CAB
DPF: {8AFB38D0-67A4-49D3-8822-401755FC6573} - hxxp://tw.beanfun.com/beanfun_block/embeds/BFService.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 192.168.0.1
TCP: Interfaces\{6E546BFA-7076-48C7-A549-CE46DCF3C410} : DHCPNameServer = 10.1.1.5 10.1.1.6
TCP: Interfaces\{BEDDC8DB-0705-4605-95F7-FC749C88FA03} : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{DFD90AC2-101C-4B3B-8211-D7981D5EB19F} : DHCPNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
Notify: NavLogon - <no file>
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\iec870012\application data\mozilla\firefox\profiles\vkz4jha3.default\
FF - prefs.js: browser.startup.homepage - hxxp://udn.com/NEWS/mainpage.shtml
FF - prefs.js: network.proxy.ftp - proxy.iec.inventec
FF - prefs.js: network.proxy.ftp_port - 80
FF - prefs.js: network.proxy.http - proxy.iec.inventec
FF - prefs.js: network.proxy.http_port - 80
FF - prefs.js: network.proxy.socks - proxy.iec.inventec
FF - prefs.js: network.proxy.socks_port - 80
FF - prefs.js: network.proxy.ssl - proxy.iec.inventec
FF - prefs.js: network.proxy.ssl_port - 80
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\iec870012\local settings\application data\unity\webplayer\loader\npUnity3D32.dll
FF - plugin: c:\documents and settings\iec870012\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\ahnlab\asp\mykeydefense 2.5\npmkd25aos.dll
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBFPlugin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_5_502_135.dll
FF - ExtSQL: 2012-12-30 17:16; jid1-yZwVFzbsyfMrqQ@jetpack; c:\documents and settings\iec870012\application data\mozilla\firefox\profiles\vkz4jha3.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
FF - ExtSQL: !HIDDEN! 2010-08-04 09:38; smartwebprinting@hp.com; c:\program files\hp\digital imaging\smart web printing\MozillaAddOn3
.
============= SERVICES / DRIVERS ===============
.
R0 gfibto;gfibto;c:\windows\system32\drivers\gfibto.sys [2012-12-30 13560]
R2 ClientInfo;ClientInfo;c:\program files\allotclient\ClientInfo.exe [2010-1-4 73728]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2011-3-20 233472]
R2 ITClientSvs;ITClientSvs;c:\smartit\smss.exe [2009-11-11 543824]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2007-3-27 105856]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-11-20 264504]
R2 TmPreFilter;Trend Micro PreFilter;c:\program files\trend micro\officescan client\tmpreflt.sys [2009-11-20 36664]
R2 trudf;TOSHIBA DVD-RAM UDF File System Driver;c:\windows\system32\drivers\trudf.sys [2007-2-20 134016]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2011-3-20 36608]
R3 FwLnk;FwLnk Driver;c:\windows\system32\drivers\FwLnk.sys [2007-1-19 5888]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-27 21104]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-12-30 40776]
S2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-27 398184]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-27 682344]
S3 EagleXNt;EagleXNt;\??\c:\windows\system32\drivers\eaglexnt.sys --> c:\windows\system32\drivers\EagleXNt.sys [?]
S3 EZUSB;EZUSB PC/SC Smart Card Reader;c:\windows\system32\drivers\ezusb.sys [2008-6-3 63288]
S3 hidshim;Service for HID-KMDF Shim layer;c:\windows\system32\drivers\hidshim.sys [2007-3-19 5632]
S3 ITFF;ITFF;c:\windows\system32\drivers\ITFF.sys [2009-11-11 24576]
S3 LsCDft;LsCDft;c:\windows\system32\drivers\LsCDft.sys [2010-1-4 7168]
S3 Mkd2kfNt;Mkd2kfNt;c:\windows\system32\drivers\Mkd2kfNT.sys [2010-1-20 133632]
S3 Mkd2Nadr;Mkd2Nadr;c:\windows\system32\drivers\Mkd2Nadr.sys [2010-1-20 79360]
S3 RTL8187B;Realtek RTL8187B Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187B.sys [2007-3-19 288000]
S3 RTL8192cu;Realtek RTL8192CU Wireless LAN 802.11n USB 2.0 Network Adapter;c:\windows\system32\drivers\RTL8192cu.sys [2011-2-11 987904]
S3 ss_bbus;SAMSUNG USB Mobile Device (WDM);c:\windows\system32\drivers\ss_bbus.sys [2011-3-20 90112]
S3 ss_bmdfl;SAMSUNG USB Mobile Modem (Filter);c:\windows\system32\drivers\ss_bmdfl.sys [2011-3-20 14976]
S3 ss_bmdm;SAMSUNG USB Mobile Modem;c:\windows\system32\drivers\ss_bmdm.sys [2011-3-20 121856]
S3 TmProxy;OfficeScan NT Proxy Service;c:\program files\trend micro\officescan client\TmProxy.exe [2009-7-15 689416]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S3 winbondhidcir;Winbond HID CIR Receiver;c:\windows\system32\drivers\winbondhidcir.sys [2007-3-19 21504]
.
=============== Created Last 30 ================
.
2012-12-30 11:18:08 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-12-30 11:14:51 54016 ----a-w- c:\windows\system32\drivers\csabk.sys
2012-12-30 10:02:32 -------- d-----w- c:\documents and settings\iec870012\Doctor Web
2012-12-30 09:25:51 -------- d-----w- c:\documents and settings\iec870012\application data\LavasoftStatistics
2012-12-30 09:17:27 44424 ----a-w- c:\windows\system32\sbbd.exe
2012-12-30 09:17:27 13560 ----a-w- c:\windows\system32\drivers\gfibto.sys
2012-12-30 09:16:55 -------- d-----w- c:\documents and settings\all users\application data\blekko toolbars
2012-12-30 09:16:54 -------- d-----w- c:\documents and settings\iec870012\local settings\application data\adawarebp
2012-12-30 09:16:54 -------- d-----w- c:\documents and settings\all users\application data\Ad-Aware Browsing Protection
2012-12-30 09:16:49 -------- d-----w- c:\program files\adawaretb
2012-12-30 09:16:49 -------- d-----w- c:\documents and settings\iec870012\application data\adawaretb
2012-12-30 09:16:48 -------- d-----w- c:\program files\Toolbar Cleaner
2012-12-30 09:00:48 -------- d-----w- c:\documents and settings\iec870012\application data\SUPERAntiSpyware.com
2012-12-30 00:00:57 -------- d-----w- c:\program files\Mozilla Maintenance Service
2012-12-30 00:00:48 588728 ----a-w- c:\program files\mozilla firefox\gkmedias.dll
2012-12-30 00:00:47 43960 ----a-w- c:\program files\mozilla firefox\mozglue.dll
2012-12-30 00:00:47 157352 ----a-w- c:\program files\mozilla firefox\maintenanceservice_installer.exe
2012-12-30 00:00:47 129976 ----a-w- c:\program files\mozilla firefox\maintenanceservice.exe
2012-12-30 00:00:46 626688 ----a-w- c:\program files\mozilla firefox\msvcr80.dll
2012-12-30 00:00:46 548864 ----a-w- c:\program files\mozilla firefox\msvcp80.dll
2012-12-30 00:00:46 479232 ----a-w- c:\program files\mozilla firefox\msvcm80.dll
2012-12-29 08:04:25 -------- d-----w- c:\documents and settings\iec870012\.shsh
2012-12-29 06:49:29 54016 ----a-w- c:\windows\system32\drivers\okst.sys
.
==================== Find3M ====================
.
2012-12-30 10:46:52 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-12-30 10:46:52 17408 -c--a-w- c:\windows\system32\rpcnetp.dll
2012-12-30 10:35:48 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2012-12-29 06:21:13 73656 -c--a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-12-29 06:21:13 697272 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-12-14 08:49:28 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
.
============= FINISH: 19:27:22.04 ===============

Attached Files


Edited by MintyColor, 31 December 2012 - 02:37 AM.



#2 Jintan

  • Malware Response Team

Posted 01 January 2013 - 06:55 PM

Welcome to BleepingComputer MintyColor,

Your system seems very infected. Let's run some different scans, then effect some repairs.

To make sure you have an accurate view of files there, make sure you can View Hidden Files. Also uncheck "Hide Extensions for Known File Types".



To keep them from interfering with the repairs, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right clicking the software's Taskbar icons, or accessing each software through Start - Programs. Here are some antivirus disable tips if needed.

-------

If by chance you can locate and upload either/both of these files, please do so:

c:\windows\temp\lover.exe
c:\documents and settings\administrator\application data\winlogin.exe

Just zip a copy of it, and send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files - MintyColor/bc/files" as the email Subject.

------

Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/) to your desktop. Click the RogueKiller icon next to:

(Download link) : Lien de téléchargement:).

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When prompted, type 1, and press Enter.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.

Edited by Jintan, 01 January 2013 - 06:56 PM.

Ad eundum quo no duck ante iit

#3 MintyColor

  • Topic Starter

Posted 03 January 2013 - 04:59 PM

I was not able to find the lover.exe and winlogin.exe files. I went to the directories but they simply were not there.

Here are the contents of the RKreport.txt:

RogueKiller V8.4.2 [Dec 31 2012] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : IEC870012 [Admin rights]
Mode : Scan -- Date : 01/03/2013 12:59:38

¤¤¤ Bad processes : 2 ¤¤¤
[DLL] explorer.exe -- C:\WINDOWS\explorer.exe : C:\Documents and Settings\iec870012\Application Data\Foxy\LinkMaker.dll -> UNLOADED
[Microsoft][HJNAME] smss.exe -- C:\SmartIT\smss.exe -> KILLED [TermProc]

¤¤¤ Registry Entries : 5 ¤¤¤
[RUN][HJNAME] HKLM\[...]\Run : SmartIT Client (C:\SmartIT\lsass.exe) -> FOUND
[Services][HJNAME] HKLM\[...]\ControlSet001\Services\ITClientSvs (C:\SmartIT\smss.exe) -> FOUND
[Services][HJNAME] HKLM\[...]\ControlSet002\Services\ITClientSvs (C:\SmartIT\smss.exe) -> FOUND
[PROXY IE] HKCU\[...]\Internet Settings : ProxyServer (proxy.iec.inventec:80) -> FOUND
[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: FUJITSU MHY2200BH +++++
--- User ---
[MBR] e497252ed96be656a478fa464ae4b2d2
[BSP] 81938f0a18bcc78dc72b78e4ca18e4b4 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 68338 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 139958280 | Size: 122440 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[1]_S_01032013_02d1259.txt >>
RKreport[1]_S_01032013_02d1259.txt
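The two "[HJNAME]" hits in the RogueKiller report above (smss.exe and lsass.exe running from C:\SmartIT rather than the system directory) are the classic hijacked-system-name pattern. As an added example, not part of this thread or of any tool used in it, here is a small Python checker that walks DDS-style log lines (running processes, Run keys, services) and flags a core Windows process name executing outside its expected directory. The sample lines, the process-name list and the directory allow-lists are constructed assumptions for illustration.

```python
import ntpath
import re

# Constructed sample lines in the formats DDS prints ("Running Processes",
# "Pseudo HJT Report" Run keys, and "SERVICES / DRIVERS"), modelled on the
# log in this thread. They are not copied from any real machine.
SAMPLE_DDS = r"""
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\Explorer.EXE
C:\SmartIT\smss.exe
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
mRun: [SmartIT Client] c:\smartit\lsass.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
R2 ITClientSvs;ITClientSvs;c:\smartit\smss.exe [2009-11-11 543824]
R2 TmFilter;Trend Micro Filter;c:\program files\trend micro\officescan client\TmXPFlt.sys [2009-11-20 264504]
"""

# Core Windows process names that only run from the system directory on a
# healthy XP box. One of these names living anywhere else is the "[HJNAME]"
# (hijacked name) pattern RogueKiller reports. Assumed list; extend as needed.
SYSTEM_PROCESS_NAMES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "lsass.exe", "services.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "rundll32.exe", "ctfmon.exe",
}

# Directories those names are legitimate in (lower-case, no trailing slash).
# explorer.exe is the one that lives one level up, in the Windows directory.
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS_BY_NAME = {"explorer.exe": {r"c:\windows"}}

# First drive-letter path on the line, ending at the first executable-style
# extension. Non-greedy, so "C:\...\svchost.exe -k netsvcs" stops at ".exe".
PATH_RE = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys|scr)\b", re.IGNORECASE)


def find_path(line):
    """Return the first Windows path on a DDS log line, or None."""
    m = PATH_RE.search(line)
    return m.group(0) if m else None


def check_line(line):
    """Return a finding for a system-process name outside its expected
    directory, or None when the line is clean or carries no path."""
    path = find_path(line)
    if path is None:
        return None
    name = ntpath.basename(path).lower()
    if name not in SYSTEM_PROCESS_NAMES:
        return None
    # ntpath handles backslash paths regardless of the host OS
    directory = ntpath.dirname(path).lower().rstrip("\\")
    allowed = EXPECTED_DIRS | EXPECTED_DIRS_BY_NAME.get(name, set())
    if directory in allowed:
        return None
    return {"name": name, "path": path, "line": line.strip()}


def scan_log(text):
    """Run check_line over every line of a DDS log and collect the findings."""
    findings = []
    for line in text.splitlines():
        finding = check_line(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_DDS):
        print(f"HJNAME-style finding: {f['name']} running from {f['path']}")
```

Run against a full DDS log the same checker also picks up the service entry for C:\SmartIT\smss.exe, which is why a name-based hit should be cross-checked against the services list before deciding what to remove.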

#4 Jintan

  • Malware Response Team

Posted 03 January 2013 - 06:32 PM

Nothing really found in that. I suspect those files are remnants. Before we try a different scan/removal tool, let's check installed software. The logs suggest too many security programs.

Download HijackThis from Here. Then click on the downloaded file, and install HijackThis.

In HijackThis, click Config - Misc Tools - Open Uninstall Manager.

Click on Save List, then save that to a location you can locate again (such as the desktop). Copy/paste the contents of that back here please.

#5 MintyColor

  • Topic Starter

Posted 03 January 2013 - 08:33 PM

Here it is:

32 Bit HP CIO Components Installer
7-Zip 4.65
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Reader 8.2.5 - Chinese Traditional
AhnLab Online Security
AMD Processor Driver
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Atheros Client Utility
Atheros Driver Installation Program
ATI - Software Uninstall Utility
ATI Display Driver
beanfun!
Bluetooth Stack for Windows by Toshiba
Bonjour
Camera Assistant Software for Toshiba
Catalyst Control Center - Branding
CCC
CD/DVD Drive Acoustic Silencer
Cisco Systems VPN Client 5.0.01.0600
Compatibility Pack for the 2007 Office system
DcOo CS1.6
Dr.eye 8.0 Professional for Multi-users
Dr.eye 8.0 Professional for Multi-users Dict
Foxy v1.9.8
GamaniaSafe
GearDrvs
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
High Definition Audio Driver Package - KB888111
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Customer Participation Program 13.0
HP Deskjet F4400 Printer Driver Software 13.0 Rel .5
HP Imaging Device Functions 13.0
HP Print Projects 1.0
HP Smart Web Printing 4.5
HP Solution Center 13.0
HP Update
HxD Hex Editor version 1.7.7.0
IBM ViaVoice TTS Runtime v6.701 - US English
Insaniquarium Deluxe 1.0
InterVideo WinDVD for TOSHIBA
iTunes
Java™ 6 Update 20
Java™ 6 Update 3
K-Lite Mega Codec Pack 1.64
Little Fighter 2 version 2.0a
LiveUpdate 3.3 (Symantec Corporation)
Malwarebytes Anti-Malware version 1.70.0.1100
MapleStory
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Choice Guard
Microsoft Conferencing Add-in for Microsoft Office Outlook
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Office Communicator 2007
Microsoft Office Communicator 2007, MUI
Microsoft Office Live Meeting 2007
Microsoft Office Professional Edition 2003
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
MOICA ICC Setup
Mozilla Firefox 12.0 (x86 en-US)
Mozilla Maintenance Service
MSN
MSVCRT
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero 9
neroxml
Norton 360
OGA Notifier 2.0.0048.0
OJOsoft Total Video Converter
PC Connectivity Solution
PDFCreator
PDFCreator Toolbar
PLAYSAFECard-1.0.9.1006
PowerQuest PartitionMagic 8.0
PPSOII· V1.0.1.270
Presto! BizCard 5 SE (English Version)
RC?y-μ
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02
Safari
SAMSUNG Mobile Composite Device Software
Samsung Mobile Modem Device Software
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung New PC Studio
Samsung New PC Studio
SAMSUNG SYMBIAN USB Download Driver
SAMSUNG USB Mobile Device Software
SamsungConnectivityCableDriver
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
Segoe UI
Shop for HP Supplies
Skype™ 4.1
taiwanradio Toolbar
TOSHIBA Assist
TOSHIBA ConfigFree
TOSHIBA Direct Disc Writer
TOSHIBA Disc Creator
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Recovery Disc Creator
TOSHIBA SD Memory Utilities
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Utilities
TOSHIBA V.92 MoH Application
TOSHIBA Zooming Utility
Trend Micro OfficeScan ¥I?aoY
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
VoiceOver Kit
Winbond CIR Device Drivers
Windows AX°Eμ{|!?E﹐E - MobileTop (sshpmdm) Modem (02/23/2007 2.5.0.0)
Windows AX°Eμ{|!?E﹐E - MobileTop (sshpusb) USB (02/23/2007 2.5.0.0)
Windows AX°Eμ{|!?E﹐E - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Internet Explorer 8
Windows Live ?v13???s
Windows Live ?W﹐u?u‥a
Windows Live Call
Windows Live Communications Platform
Windows Live Messenger
Windows Live Sync
Windows Live Writer
Windows Live μ{|!?°
Windows Live μ{|!?°
Windows Live μn?J?pA°?a
Windows Media Format Runtime
Windows Media Player 10
Windows Rights Management ¥I?aoY Service Pack 2
Windows Rights Management ¥I?aoY|^·1?URecE SP2
Windows XP Service Pack 3
WinRAR 4.20 (32-bit)
Yahoo! Software Update
Yahoo!c_?¯±?R||C
Yahoo!c_?¯§YRE3q
Yahoo!c_?¯·j’M3]cw?OA@

#6 Jintan

  • Malware Response Team

Posted 03 January 2013 - 08:55 PM

Yes, too much security, and in the worst way. Two cumbersome antivirus programs attacking each other, and causing system damage. Both will need to be uninstalled.


Be sure to continue to temporarily disable any protective software when running the scan tools we use here.

Be sure to save any registration keys to reinstall the antivirus of your choice (once we have finished our work here).

Go to Start – Settings – Control Panel. Click on Add/Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on Remove. Then close the Control Panel.

Trend Micro OfficeScan

That is an enterprise business edition, so hopefully you are able to uninstall it. Reboot after.

----------

Then follow the steps here to download and run the Trend Micro Diagnostic Toolkit, to complete the removal, and reboot again.

----------

Then uninstall Norton 360, and reboot.

----------

Then go here:

https://www-secure.symantec.com/norton-support/jsp/help-solutions.jsp?docid=kb20080710133834EN_EndUserProfile_en_us&product=home&pvid=f-home&version=1&lg=en&ct=us

and download the Norton Removal Tool that is appropriate for your version. Then close all open windows and disable all protective software, and click the downloaded file to completely remove Norton from your system. If the removal does not cause a reboot, reboot after the tool has completed the removal. Be sure to save all registration keys before running the tool if you plan to reinstall Norton later.

Note - Norton 360 requires you run a BUdump.exe tool first.

Then reboot.

Run and post a new OTL scan log please, as well as a new Gmer scan log.

Edited by Jintan, 03 January 2013 - 08:58 PM.

Ad eundum quo no duck ante iit

#7 MintyColor

  • Topic Starter
  • Members
  • 10 posts
  • Local time:08:38 AM

Posted 04 January 2013 - 12:24 AM

As it turns out, I wasn't able to uninstall the Trend Micro OfficeScan because it requires a password that I didn't know (I actually received this computer from somebody else a few years ago, and most of the programs had already been installed by then). Norton 360 was already uninstalled but I ran the Removal Tool anyway and rebooted.
After I rebooted, this SmartWebPrinting installation thing keeps popping up every time I open my computer folders.

I ran the OTL and Gmer scans using default settings.
Here is the OTL log (I have attached the extras as an attachment):

OTL logfile created on: 1/3/2013 8:01:40 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\iec870012\My Documents\Downloads
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: 美國 | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.27 Gb Available Physical Memory | 75.88% Memory free
4.84 Gb Paging File | 4.25 Gb Available in Paging File | 87.77% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 66.74 Gb Total Space | 30.82 Gb Free Space | 46.18% Space Free | Partition Type: NTFS
Drive D: | 119.57 Gb Total Space | 101.12 Gb Free Space | 84.57% Space Free | Partition Type: NTFS

Computer Name: IEC1-870012-POM | User Name: IEC870012 | NOT logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/03 19:41:59 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\iec870012\My Documents\Downloads\OTL.exe
PRC - [2012/12/30 08:00:48 | 000,924,600 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2011/06/14 12:27:00 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\system32\rpcnet.exe
PRC - [2010/01/05 16:49:58 | 001,308,648 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe
PRC - [2010/01/05 16:47:50 | 001,381,672 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe
PRC - [2009/11/13 16:33:22 | 000,543,824 | R--- | M] (Light Star Information) -- C:\SmartIT\smss.exe
PRC - [2009/10/21 14:23:18 | 000,849,192 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\PccNTMon.exe
PRC - [2009/06/10 12:17:34 | 000,435,584 | ---- | M] (Trend Micro Inc.) -- C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
PRC - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) -- C:\WINDOWS\system32\FsUsbExService.Exe
PRC - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
PRC - [2008/11/05 15:21:20 | 000,073,728 | ---- | M] ( ) -- c:\Program Files\AllotClient\ClientInfo.exe
PRC - [2008/09/30 12:48:28 | 000,935,208 | ---- | M] (Nero AG) -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
PRC - [2008/04/14 20:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/14 20:42:16 | 000,027,648 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\conime.exe
PRC - [2008/01/09 16:16:46 | 000,356,352 | ---- | M] (TOSHIBA) -- C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe
PRC - [2007/12/06 00:25:16 | 000,467,028 | ---- | M] (Atheros) -- C:\WINDOWS\system32\acs.exe
PRC - [2007/11/22 09:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TODDSrv.exe
PRC - [2007/10/08 13:02:46 | 000,262,144 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSMain.exe
PRC - [2007/10/08 13:02:46 | 000,032,768 | ---- | M] (TOSHIBA Corporation) -- C:\WINDOWS\system32\TPSBattM.exe
PRC - [2007/09/29 08:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
PRC - [2007/07/16 11:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
PRC - [2007/04/13 18:50:00 | 000,590,712 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\CCM\CcmExec.exe
PRC - [2007/04/10 10:07:02 | 000,159,744 | ---- | M] (TOSHIBA Corporation) -- C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe
PRC - [2007/04/10 08:45:20 | 000,035,840 | ---- | M] (TOSHIBA Corp.) -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe
PRC - [2005/01/17 16:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe


========== Modules (No Company Name) ==========

MOD - [2012/12/30 08:00:47 | 001,952,696 | ---- | M] () -- C:\Program Files\Mozilla Firefox\mozjs.dll
MOD - [2012/12/29 14:21:12 | 014,586,296 | ---- | M] () -- C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll
MOD - [2011/06/24 22:56:36 | 000,087,328 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
MOD - [2011/06/24 22:56:14 | 001,241,888 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
MOD - [2009/11/11 10:02:21 | 003,391,488 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_e94f3b75\mscorlib.dll
MOD - [2009/11/11 10:02:02 | 001,966,080 | ---- | M] () -- c:\windows\assembly\nativeimages1_v1.1.4322\system\1.0.5000.0__b77a5c561934e089_d9f4b184\system.dll
MOD - [2009/11/11 10:01:52 | 001,232,896 | ---- | M] () -- c:\windows\assembly\gac\system\1.0.5000.0__b77a5c561934e089\system.dll
MOD - [2007/07/16 11:58:10 | 000,197,408 | ---- | M] () -- C:\WINDOWS\system32\vpnapi.dll
MOD - [2007/04/03 18:21:34 | 000,049,152 | ---- | M] () -- C:\Program Files\Toshiba\TOSHIBA Applet\TouchPad_ONOFF.dll
MOD - [2007/01/19 05:50:36 | 000,126,976 | ---- | M] () -- c:\windows\assembly\gac\system.serviceprocess\1.0.5000.0__b03f5f7f11d50a3a\system.serviceprocess.dll


========== Services (SafeList) ==========

SRV - [2012/12/30 08:00:47 | 000,129,976 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/29 14:21:13 | 000,250,808 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2011/06/14 12:27:00 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\WINDOWS\system32\rpcnet.exe -- (rpcnet)
SRV - [2010/01/05 16:49:58 | 001,308,648 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\TmListen.exe -- (tmlisten)
SRV - [2010/01/05 16:47:50 | 001,381,672 | ---- | M] (Trend Micro Inc.) [Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\NTRtScan.exe -- (ntrtscan)
SRV - [2009/11/13 16:33:22 | 000,543,824 | R--- | M] (Light Star Information) [Auto | Running] -- C:\SmartIT\smss.exe -- (ITClientSvs)
SRV - [2009/07/15 17:37:18 | 000,689,416 | ---- | M] (Trend Micro Inc.) [On_Demand | Stopped] -- C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe -- (TmProxy)
SRV - [2009/04/07 09:39:44 | 000,233,472 | ---- | M] (Teruten) [Auto | Running] -- C:\WINDOWS\system32\FsUsbExService.Exe -- (FsUsbExService)
SRV - [2008/11/10 04:48:14 | 000,602,392 | ---- | M] (Yahoo! Inc.) [Auto | Running] -- C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe -- (YahooAUService)
SRV - [2008/11/05 15:21:20 | 000,073,728 | ---- | M] ( ) [Auto | Running] -- c:\Program Files\AllotClient\ClientInfo.exe -- (ClientInfo)
SRV - [2008/09/30 12:48:28 | 000,935,208 | ---- | M] (Nero AG) [Auto | Running] -- C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe -- (Nero BackItUp Scheduler 4.0)
SRV - [2008/04/07 09:17:30 | 000,430,592 | ---- | M] (Nokia.) [On_Demand | Stopped] -- C:\Program Files\PC Connectivity Solution\ServiceLayer.exe -- (ServiceLayer)
SRV - [2007/12/06 00:25:16 | 000,467,028 | ---- | M] (Atheros) [Auto | Running] -- C:\WINDOWS\system32\acs.exe -- (ACS)
SRV - [2007/11/22 09:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\WINDOWS\system32\TODDSrv.exe -- (TODDSrv)
SRV - [2007/09/29 08:05:16 | 000,128,360 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service)
SRV - [2007/07/16 11:58:02 | 001,524,512 | ---- | M] (Cisco Systems, Inc.) [Auto | Running] -- C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe -- (CVPND)
SRV - [2007/04/13 18:50:00 | 000,590,712 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\system32\CCM\CcmExec.exe -- (CcmExec)
SRV - [2007/04/10 08:45:20 | 000,035,840 | ---- | M] (TOSHIBA Corp.) [Auto | Running] -- C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe -- (TAPPSRV)
SRV - [2005/01/17 16:38:00 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\Toshiba\ConfigFree\CFSvcs.exe -- (CFSvcs)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleXNt.sys -- (EagleXNt)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\EagleNT.sys -- (EagleNT)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - [2012/12/30 17:17:27 | 000,013,560 | ---- | M] (GFI Software) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\gfibto.sys -- (gfibto)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/07/17 12:40:38 | 000,264,504 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys -- (TmFilter)
DRV - [2012/07/17 12:40:18 | 000,036,664 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\tmpreflt.sys -- (TmPreFilter)
DRV - [2012/07/17 12:09:50 | 001,515,232 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\Program Files\Trend Micro\OfficeScan Client\vsapiNT.sys -- (VSApiNt)
DRV - [2011/02/11 01:34:28 | 000,987,904 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RTL8192cu.sys -- (RTL8192cu)
DRV - [2010/07/19 18:02:54 | 000,163,408 | ---- | M] (Trend Micro Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\tmcomm.sys -- (tmcomm)
DRV - [2009/10/13 16:50:00 | 000,133,632 | ---- | M] (AhnLab, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mkd2kfNT.sys -- (Mkd2kfNt)
DRV - [2009/07/15 17:37:40 | 000,089,872 | ---- | M] (Trend Micro Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tmtdi.sys -- (tmtdi)
DRV - [2009/07/13 16:37:00 | 000,079,360 | ---- | M] (AhnLab, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\Mkd2Nadr.sys -- (Mkd2Nadr)
DRV - [2009/04/07 09:39:44 | 000,036,608 | ---- | M] () [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\FsUsbExDisk.Sys -- (FsUsbExDisk)
DRV - [2009/03/20 10:01:26 | 000,121,856 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_bmdm.sys -- (ss_bmdm)
DRV - [2009/03/20 10:01:26 | 000,090,112 | ---- | M] (MCCI) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_bbus.sys -- (ss_bbus)
DRV - [2009/03/20 10:01:26 | 000,014,976 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ss_bmdfl.sys -- (ss_bmdfl)
DRV - [2008/10/27 18:20:00 | 000,024,576 | ---- | M] (LightStar Information Co.,LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ITFF.sys -- (ITFF)
DRV - [2008/09/16 23:34:00 | 000,007,168 | R--- | M] (LightStar Information Co.,LTD) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\LsCDft.sys -- (LsCDft)
DRV - [2008/06/03 23:22:16 | 000,063,288 | ---- | M] (Castles Technology Co.,Ltd) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\ezusb.sys -- (EZUSB)
DRV - [2008/01/31 07:21:12 | 002,846,720 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ati2mtag.sys -- (ati2mtag)
DRV - [2008/01/04 13:10:16 | 000,105,856 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Rtenicxp.sys -- (RTLE8023xp)
DRV - [2007/12/27 01:20:18 | 000,288,000 | ---- | M] (Realtek Semiconductor Corporation ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8187B.sys -- (RTL8187B)
DRV - [2007/12/05 17:30:36 | 004,632,576 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService)
DRV - [2007/12/01 12:45:04 | 000,131,328 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbd.sys -- (tosrfbd)
DRV - [2007/11/30 08:47:36 | 000,074,240 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\Tosrfhid.sys -- (Tosrfhid)
DRV - [2007/11/30 01:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfbnp.sys -- (tosrfbnp)
DRV - [2007/11/29 01:00:32 | 001,329,728 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\athw.sys -- (AR5416)
DRV - [2007/11/07 09:34:36 | 000,057,344 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\wsimd.sys -- (WSIMD)
DRV - [2007/10/19 06:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfusb.sys -- (Tosrfusb)
DRV - [2007/10/03 03:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\tosrfcom.sys -- (Tosrfcom)
DRV - [2007/09/17 15:53:26 | 000,021,632 | ---- | M] (Nokia) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\pccsmcfd.sys -- (pccsmcfd)
DRV - [2007/08/09 12:42:08 | 000,045,568 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimmptsk.sys -- (rimmptsk)
DRV - [2007/07/31 03:54:02 | 000,038,400 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rixdptsk.sys -- (rismxdp)
DRV - [2007/07/31 02:42:58 | 000,043,008 | ---- | M] (REDC) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\rimsptsk.sys -- (rimsptsk)
DRV - [2007/07/16 11:57:12 | 000,306,299 | ---- | M] (Cisco Systems, Inc.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\CVPNDRVA.sys -- (CVPNDRVA)
DRV - [2007/07/11 22:01:18 | 000,005,632 | ---- | M] (Windows ® Codename Longhorn DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\hidshim.sys -- (hidshim)
DRV - [2007/07/11 22:01:14 | 000,021,504 | ---- | M] (Winbond Electronics Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\winbondhidcir.sys -- (winbondhidcir)
DRV - [2007/05/14 10:12:28 | 003,526,464 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\RtHDMI.sys -- (RTHDMIAzAudService)
DRV - [2007/04/17 01:19:10 | 000,011,776 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\UVCFTR_S.SYS -- (UVCFTR)
DRV - [2007/04/13 18:50:00 | 000,023,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\CCM\PrepDrv.sys -- (prepdrvr)
DRV - [2007/04/04 08:56:48 | 000,005,888 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\FwLnk.sys -- (FwLnk)
DRV - [2007/03/27 04:22:18 | 000,105,856 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\tdudf.sys -- (tdudf)
DRV - [2007/02/23 07:10:30 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\tdcmdpst.sys -- (tdcmdpst)
DRV - [2007/02/20 04:15:32 | 000,134,016 | ---- | M] (TOSHIBA Corporation) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\trudf.sys -- (trudf)
DRV - [2007/01/31 13:45:06 | 000,127,376 | ---- | M] (Deterministic Networks, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\dne2000.sys -- (DNE)
DRV - [2007/01/18 15:28:02 | 000,005,275 | ---- | M] (Cisco Systems, Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\CVirtA.sys -- (CVirtA)
DRV - [2006/10/24 08:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfec.sys -- (tosrfec)
DRV - [2006/10/11 11:33:00 | 000,041,600 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosporte.sys -- (tosporte)
DRV - [2006/07/02 14:39:40 | 000,036,864 | ---- | M] (Advanced Micro Devices) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AmdK8.sys -- (AmdK8)
DRV - [2005/01/26 09:22:20 | 000,280,344 | ---- | M] (Zone Labs LLC) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2005/01/07 21:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\tosrfnds.sys -- (tosrfnds)
DRV - [2004/08/04 20:00:00 | 000,012,160 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\fsvga.sys -- (FsVga)
DRV - [2003/01/29 14:35:00 | 000,012,032 | ---- | M] (TOSHIBA Corporation.) [Kernel | Auto | Running] -- C:\WINDOWS\system32\drivers\Netdevio.sys -- (Netdevio)
DRV - [2002/09/16 17:14:32 | 000,004,228 | ---- | M] (PowerQuest Corporation) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\PQNTDRV.sys -- (PQNTDrv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://tw.yahoo.com/
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKCU\..\URLSearchHook: {6c97a91e-4524-4019-86af-2aa2d567bf5c} - No CLSID value found
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
IE - HKCU\..\SearchScopes,DefaultScope = {8A7ED1EC-AB02-4E4F-921B-4AA581FF1E4B}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src=IE-SearchBox&Form=IE8SRC
IE - HKCU\..\SearchScopes\{8A7ED1EC-AB02-4E4F-921B-4AA581FF1E4B}: "URL" = http://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2583886
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 10.*;*.inventec;*.inventec.com;<local>;*.local
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = proxy.iec.inventec:80

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://udn.com/NEWS/mainpage.shtml"
FF - prefs.js..network.proxy.ftp: "proxy.iec.inventec"
FF - prefs.js..network.proxy.ftp_port: 80
FF - prefs.js..network.proxy.http: "proxy.iec.inventec"
FF - prefs.js..network.proxy.http_port: 80
FF - prefs.js..network.proxy.no_proxies_on: "10.*,*.inventec,*.inventec.com,localho,t,127.0.0.1,*.local"
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.socks: "proxy.iec.inventec"
FF - prefs.js..network.proxy.socks_port: 80
FF - prefs.js..network.proxy.ssl: "proxy.iec.inventec"
FF - prefs.js..network.proxy.ssl_port: 80
FF - prefs.js..network.proxy.type: 0


FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_5_502_135.dll ()
FF - HKLM\Software\MozillaPlugins\@ahnlab.com/asp/npmkd25aos: C:\Program Files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll (AhnLab, Inc.)
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found
FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll ()
FF - HKLM\Software\MozillaPlugins\@messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6: C:\Program Files\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=14.0.8081.0709: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@raidcall.com/RCplugin: C:\Documents and Settings\iec870012\Application Data\RCTW\plugins\nprcplugin.dll File not found
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.11.2571: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.1739: C:\Program Files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@ahnlab.com/asp/npmkd25aos: C:\Program Files\AhnLab\ASP\MyKeyDefense 2.5\npmkd25aos.dll (AhnLab, Inc.)
FF - HKCU\Software\MozillaPlugins\@unity3d.com/UnityPlayer,version=1.0: C:\Documents and Settings\iec870012\Local Settings\Application Data\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF - HKCU\Software\MozillaPlugins\@yahoo.com/BrowserPlus,version=2.9.8: C:\Documents and Settings\iec870012\Local Settings\Application Data\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll (Yahoo! Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/04 09:38:37 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/30 17:16:56 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 12.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/11/24 21:49:55 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2010/08/04 09:38:37 | 000,000,000 | ---D | M]

[2011/12/10 07:37:15 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\iec870012\Application Data\Mozilla\Extensions
[2012/12/30 17:16:45 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\iec870012\Application Data\Mozilla\Firefox\Profiles\vkz4jha3.default\extensions
[2012/12/30 17:16:47 | 000,000,000 | ---D | M] (Lavasoft Search Plugin) -- C:\Documents and Settings\iec870012\Application Data\Mozilla\Firefox\Profiles\vkz4jha3.default\extensions\jid1-yZwVFzbsyfMrqQ@jetpack
[2011/12/10 07:36:19 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/12/30 08:00:49 | 000,097,208 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/04/27 15:24:00 | 000,050,336 | ---- | M] ( ) -- C:\Program Files\mozilla firefox\plugins\npBFPlugin.dll
[2012/12/30 08:00:41 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/12/30 08:00:41 | 000,002,040 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

O1 HOSTS File: ([2012/12/30 18:30:33 | 000,000,786 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7529.1424\swg.dll (Google Inc.)
O2 - BHO: (taiwanradio Toolbar) - {b0a9d42c-7ad5-4f81-b8cf-90445806b653} - C:\Program Files\taiwanradio\prxtbtai0.dll (Conduit Ltd.)
O2 - BHO: (PDFCreator Toolbar Helper) - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\YTSingleInstance.dll (Yahoo! Inc)
O3 - HKLM\..\Toolbar: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O3 - HKLM\..\Toolbar: (Dr.eye WebPage Translation) - {92B255FE-94E2-4BCA-958D-3926CE38913F} - C:\Program Files\Inventec\Dreye\DreyeMT\DreyeIEBar.dll ()
O3 - HKLM\..\Toolbar: (taiwanradio Toolbar) - {b0a9d42c-7ad5-4f81-b8cf-90445806b653} - C:\Program Files\taiwanradio\prxtbtai0.dll (Conduit Ltd.)
O3 - HKLM\..\Toolbar: (Yahoo!奇摩捷徑列) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (PDFCreator Toolbar) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll ()
O3 - HKCU\..\Toolbar\WebBrowser: (taiwanradio Toolbar) - {B0A9D42C-7AD5-4F81-B8CF-90445806B653} - C:\Program Files\taiwanradio\prxtbtai0.dll (Conduit Ltd.)
O3 - HKCU\..\Toolbar\WebBrowser: (Yahoo!奇摩捷徑列) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [APSDaemon] C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe (Apple Inc.)
O4 - HKLM..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\imekrmig.exe (Microsoft Corporation)
O4 - HKLM..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE (Microsoft Corporation)
O4 - HKLM..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe ()
O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)
O4 - HKLM..\Run: [SmartIT Client] C:\SmartIT\lsass.exe File not found
O4 - HKLM..\Run: [SmoothView] C:\Program Files\Toshiba\TOSHIBA Zooming Utility\SmoothView.exe (TOSHIBA Corporation)
O4 - HKLM..\Run: [THotkey] C:\Program Files\Toshiba\TOSHIBA Applet\THotkey.exe (TOSHIBA)
O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O8 - Extra context menu item: Foxy ?? - C:\Program Files\Foxy\Foxy.exe (Foxy, Inc.)
O8 - Extra context menu item: Foxy 下載 - C:\Program Files\Foxy\Foxy.exe (Foxy, Inc.)
O8 - Extra context menu item: Foxy 搜尋 - C:\Program Files\Foxy\Foxy.exe (Foxy, Inc.)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKCU\..Trusted Domains: beanfun.com ([tw] http in Trusted sites)
O15 - HKCU\..Trusted Domains: facebook.com ([apps] http in Local intranet)
O15 - HKCU\..Trusted Domains: inventec.com ([portal] http in Trusted sites)
O15 - HKCU\..Trusted Domains: ipad4.asia ([apt] http in Trusted sites)
O15 - HKCU\..Trusted Domains: pps.tv ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: ppstream.com ([]http in Trusted sites)
O15 - HKCU\..Trusted Domains: webscache.com ([]http in Trusted sites)
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/A/7/D/A7D1EBE3-8E78-4CBE-B22B-EEECF9E3A1BC/fhg.CAB (Reg Error: Key error.)
O16 - DPF: {8AFB38D0-67A4-49D3-8822-401755FC6573} http://tw.beanfun.com/beanfun_block/embeds/BFService.cab (BFServiceX Control)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab (Shockwave Flash Object)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = iec.inventec
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{6E546BFA-7076-48C7-A549-CE46DCF3C410}: DhcpNameServer = 10.1.1.5 10.1.1.6
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{BEDDC8DB-0705-4605-95F7-FC749C88FA03}: DhcpNameServer = 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{DFD90AC2-101C-4B3B-8211-D7981D5EB19F}: DhcpNameServer = 192.168.1.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O20 - Winlogon\Notify\AtiExtEvent: DllName - (Ati2evxx.dll) - C:\WINDOWS\System32\ati2evxx.dll (ATI Technologies Inc.)
O20 - Winlogon\Notify\NavLogon: DllName - (Reg Error: Value error.) - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\iec870012\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\iec870012\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/01/19 05:43:06 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2011/06/14 19:11:14 | 000,000,077 | ---- | M] () - D:\AUTORUN.INF -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/03 19:58:10 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2013/01/03 12:58:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\Desktop\RK_Quarantine
[2013/01/03 12:57:29 | 000,000,000 | ---D | C] -- C:\RK_Quarantine
[2012/12/30 18:02:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\Doctor Web
[2012/12/30 17:25:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\Application Data\LavasoftStatistics
[2012/12/30 17:17:27 | 000,044,424 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\sbbd.exe
[2012/12/30 17:17:27 | 000,013,560 | ---- | C] (GFI Software) -- C:\WINDOWS\System32\drivers\gfibto.sys
[2012/12/30 17:16:55 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\blekko toolbars
[2012/12/30 17:16:49 | 000,000,000 | ---D | C] -- C:\Program Files\adawaretb
[2012/12/30 17:16:49 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\Application Data\adawaretb
[2012/12/30 17:16:48 | 000,000,000 | ---D | C] -- C:\Program Files\Toolbar Cleaner
[2012/12/30 17:00:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\Application Data\SUPERAntiSpyware.com
[2012/12/30 08:00:57 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Maintenance Service
[2012/12/30 08:00:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Mozilla
[2012/12/29 20:29:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
[2012/12/29 16:04:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\iec870012\.shsh
[2012/12/29 14:51:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Foxy
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

File not found -- C:\Documents and Settings\iec870012\Desktop\CAUTGJ0V.
[2013/01/03 19:58:50 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2013/01/03 19:58:50 | 000,000,505 | ---- | M] () -- C:\WINDOWS\smscfg.ini
[2013/01/03 19:58:44 | 000,000,938 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2013/01/03 19:58:43 | 000,001,034 | ---- | M] () -- C:\WINDOWS\System32\webdeny.html
[2013/01/03 19:58:07 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.exe
[2013/01/03 19:58:04 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\WINDOWS\System32\rpcnet.dll
[2013/01/03 19:57:58 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2013/01/03 19:57:54 | 3218,735,104 | -HS- | M] () -- C:\hiberfil.sys
[2013/01/03 19:25:00 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2013/01/03 19:21:00 | 000,000,526 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2013/01/03 12:54:25 | 000,000,104 | RHS- | M] () -- C:\Documents and Settings\All Users\Application Data\3002.xml
[2013/01/03 12:51:32 | 000,017,408 | ---- | M] () -- C:\WINDOWS\System32\rpcnetp.dll
[2012/12/30 18:30:33 | 000,000,786 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2012/12/30 17:17:27 | 000,044,424 | ---- | M] (GFI Software) -- C:\WINDOWS\System32\sbbd.exe
[2012/12/30 17:17:27 | 000,013,560 | ---- | M] (GFI Software) -- C:\WINDOWS\System32\drivers\gfibto.sys
[2012/12/29 21:03:53 | 000,000,593 | ---- | M] () -- C:\Documents and Settings\iec870012\Desktop\Shortcut to Download.lnk
[2012/12/29 20:29:04 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2012/12/29 16:22:33 | 000,000,787 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.umbrella
[2012/12/29 14:51:24 | 000,000,655 | ---- | M] () -- C:\Documents and Settings\iec870012\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxy.lnk
[2012/12/29 14:51:24 | 000,000,637 | ---- | M] () -- C:\Documents and Settings\iec870012\Desktop\Foxy.lnk
[2012/12/29 14:49:29 | 000,054,016 | ---- | M] () -- C:\WINDOWS\System32\drivers\okst.sys
[2012/12/29 14:21:13 | 000,697,272 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/12/29 14:21:13 | 000,073,656 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/12/29 13:48:40 | 000,000,795 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

File not found -- C:\Documents and Settings\iec870012\Desktop\CAUTGJ0V.
[2012/12/30 18:46:41 | 3218,735,104 | -HS- | C] () -- C:\hiberfil.sys
[2012/12/29 21:03:53 | 000,000,593 | ---- | C] () -- C:\Documents and Settings\iec870012\Desktop\Shortcut to Download.lnk
[2012/12/29 14:51:24 | 000,000,655 | ---- | C] () -- C:\Documents and Settings\iec870012\Application Data\Microsoft\Internet Explorer\Quick Launch\Foxy.lnk
[2012/12/29 14:51:24 | 000,000,637 | ---- | C] () -- C:\Documents and Settings\iec870012\Desktop\Foxy.lnk
[2012/12/29 14:49:29 | 000,054,016 | ---- | C] () -- C:\WINDOWS\System32\drivers\okst.sys
[2012/10/24 18:32:30 | 000,000,104 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\3002.xml
[2012/10/24 18:32:26 | 000,011,904 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\3002.abs
[2011/11/24 21:49:45 | 000,765,952 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2011/11/24 21:49:45 | 000,180,224 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2011/11/24 21:49:44 | 003,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2011/11/24 21:49:40 | 000,010,752 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2011/07/01 20:06:51 | 000,000,000 | ---- | C] () -- C:\WINDOWS\nsreg.dat
[2011/06/14 19:07:15 | 000,000,000 | ---- | C] () -- C:\WINDOWS\tosOBEX.INI
[2011/06/14 18:51:36 | 000,000,097 | ---- | C] () -- C:\WINDOWS\WirelessFTP.INI
[2011/03/20 17:23:09 | 000,110,592 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDevice.Dll
[2011/03/20 17:23:09 | 000,036,608 | ---- | C] () -- C:\WINDOWS\System32\FsUsbExDisk.Sys
[2011/03/20 17:22:59 | 000,002,528 | ---- | C] () -- C:\Documents and Settings\iec870012\Application Data\$_hpcst$.hpc
[2011/01/05 23:10:16 | 000,000,086 | ---- | C] () -- C:\WINDOWS\cpmagi7.INI
[2009/12/20 23:19:21 | 000,027,648 | ---- | C] () -- C:\Documents and Settings\iec870012\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009/12/20 15:03:32 | 000,000,128 | ---- | C] () -- C:\Documents and Settings\iec870012\Application Data\default.rss
[2009/09/15 18:22:28 | 000,014,290 | ---- | C] () -- C:\Program Files\settings.dat
[2009/09/15 18:22:27 | 000,000,132 | ---- | C] () -- C:\Documents and Settings\iec870012\Local Settings\Application Data\fusioncache.dat
[2009/09/11 16:00:23 | 000,030,663 | RHS- | C] () -- C:\Documents and Settings\All Users\ntuser.pol
[2009/09/11 15:31:47 | 000,009,062 | RHS- | C] () -- C:\Documents and Settings\iec870012\ntuser.pol

========== ZeroAccess Check ==========

[2007/01/19 05:49:16 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2010/03/10 12:33:41 | 001,509,888 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\fastprox.dll -- [2009/02/09 20:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = C:\WINDOWS\system32\wbem\wbemess.dll -- [2008/04/14 20:42:10 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


--------------------------------------------------------------------------------------------


Here is the Gmer scan log:

GMER 2.0.18327 - http://www.gmer.net
Rootkit scan 2013-01-03 20:28:27
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHY2200BH rev.0040020B 186.31GB
Running: b88ok3rl.exe; Driver: C:\DOCUME~1\IEC870~1\LOCALS~1\Temp\awlyrpog.sys


---- Kernel code sections - GMER 2.0 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9071000, 0x17C7B4, 0xE8000020]

---- User code sections - GMER 2.0 ----

.aspack C:\SmartIT\smss.exe[716] C:\SmartIT\smss.exe entry point in ".aspack" section [0x00589001]
.adata C:\SmartIT\smss.exe[716] C:\SmartIT\smss.exe unknown last section [0x0058B000, 0x1000, 0xC0000040]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[944] USER32.dll!SetWindowLongA 7E42C29D 5 Bytes JMP 10665EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[944] USER32.dll!SetWindowLongW 7E42C2BB 5 Bytes JMP 10665E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[944] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[944] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3392] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0127C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3392] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 014AE0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3392] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 014AE083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3392] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 014AE00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{1a1b23e1-20cd-4374-b80f-44e570f3675b}@?\xe9f5X[>el\'`\0 33
Reg HKLM\SYSTEM\ControlSet002\Services\SysmonLog\Log Queries\{1a1b23e1-20cd-4374-b80f-44e570f3675b}@?\xe9f5X[>el\'`\0 33
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FriendlyName Indeo? video 5.10 Compression Filter
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@CLSID {1F73E9B1-8C3A-11D0-A3BE-00A0C9244436}
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@FilterData 0x02 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{33D9A760-90C8-11d0-BD43-00A0C911CE86}\Instance\Indeo?video 5.10 Compression Filter@EncoderType 1

---- EOF - GMER 2.0 ----

Edited by MintyColor, 04 January 2013 - 12:25 AM.
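As an added triage aid that is not part of the original post or of the OTL tool, the Python below parses O4 autorun lines in the format of the log above and flags two things a responder checks first: entries whose target is missing ("File not found") and binaries that borrow a core Windows process name while living outside C:\WINDOWS, as the C:\SmartIT\lsass.exe entry does. The sample lines are constructed from the log.

```python
"""Triage helper for OTL-style "O4 - HKLM..\\Run" lines.

Added example; not the OTL tool's code and not the helper's. It flags
autorun targets that no longer exist and executables named after core
Windows processes that sit outside the Windows directory, which is where
those names are never legitimately found.
"""
import re
from dataclasses import dataclass

# Process names that only exist under %SystemRoot% on a clean Windows XP box.
CORE_PROCESS_NAMES = {
    "lsass.exe", "smss.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "svchost.exe", "explorer.exe", "userinit.exe",
}

# Matches: O4 - HKLM..\Run: [Name] C:\path\file.exe (Company)
# and the "File not found" variant OTL writes when the target is missing.
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] "
    r"(?P<path>.+?\.(?:exe|dll|bat|cmd|scr|vbs))\s*(?P<rest>.*)$",
    re.IGNORECASE,
)


@dataclass
class Finding:
    name: str    # the [Name] of the Run value
    path: str    # the target the value points at
    reason: str  # why it was flagged


def is_windows_dir(path):
    """True when the target lives under C:\\WINDOWS (any depth)."""
    return path.lower().replace("/", "\\").startswith("c:\\windows\\")


def triage_o4_lines(lines):
    """Return a list of Finding for every suspicious O4 line in `lines`."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 Run entry; other OTL sections are ignored here
        name, path, rest = m["name"], m["path"], m["rest"]
        base = path.rsplit("\\", 1)[-1].lower()
        if "file not found" in rest.lower():
            findings.append(Finding(name, path, "target missing: stale or removed autorun"))
        if base in CORE_PROCESS_NAMES and not is_windows_dir(path):
            findings.append(Finding(name, path, f"core process name {base} outside C:\\WINDOWS"))
    return findings


# Constructed sample, copied from the shape of the O4 lines in the log above.
SAMPLE_LOG = [
    r"O4 - HKLM..\Run: [OfficeScanNT Monitor] C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe (Trend Micro Inc.)",
    r"O4 - HKLM..\Run: [SmartIT Client] C:\SmartIT\lsass.exe File not found",
    r"O4 - HKLM..\Run: [TPSMain] C:\WINDOWS\System32\TPSMain.exe (TOSHIBA Corporation)",
]

if __name__ == "__main__":
    for f in triage_o4_lines(SAMPLE_LOG):
        print(f"[{f.name}] {f.path}: {f.reason}")
```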


#8 Jintan (Malware Response Team, 531 posts)

Posted 04 January 2013 - 06:20 PM

You have to remove Trend Micro, no doubts about it. Let's check if there is a Registry change we can make to help with that.

Open Notepad (Start Search, type notepad and press Enter).

@ECHO OFF
REM Remove any earlier export so Notepad never opens a stale file
if exist Regsearch1.txt del /q Regsearch1.txt
REM Export the OfficeScan client key to a text file (the key path uses backslashes throughout)
regedit /e Regsearch1.txt "HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp"
REM Show the export
Notepad Regsearch1.txt

Copy/paste the above text (inside the Code box) into the open text box, then save this to your desktop as "look.bat"

Be sure to include the "" quotes in the name. Then click on look.bat. When the scan completes a textbox will open - copy/paste those contents back here please.
Ad eundum quo no duck ante iit

#9 MintyColor (Topic Starter, Members, 10 posts)

Posted 04 January 2013 - 06:42 PM

I clicked on look.bat and it gives me "Cannot find the Regsearch1.txt file. Do you want to create a new file?" along with an empty notepad.

#10 Jintan (Malware Response Team, 531 posts)

Posted 04 January 2013 - 06:48 PM

Gonna have to search for it the hard way then.

Click here to download Bobbi Flekman's Regsearch.zip to your desktop. Then unzip that, and click on the regsearch.exe to run the tool. In the display panel, copy and paste the following into the upper box:

trendmicro

Then click Okay. Once the scan completes a textbox will open - copy/paste those contents back here please (the RegSearch.txt log can also be found in the same location as the regsearch.exe file you clicked).

I suspect that will be a very large log file. If so, instead of posting it, zip a copy of it, and send it to jintan AT malwarecrypt.com as an attachment. Please place "Submitted Files -MintyColor/bc/reg" as the email Subject.
Ad eundum quo no duck ante iit

#11 MintyColor (Topic Starter, Members, 10 posts)

Posted 04 January 2013 - 08:47 PM

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman ©2005
; Version: 2.0.6.0

; Results at 1/4/2013 4:49:20 PM for strings:
; 'trendmicro'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OfficeScanNT]
"URLInfoAbout"="http://www.trendmicro.com/"

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\AEGIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\HijackThis]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\aim]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\aim\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\aim\redirect\aim-out]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\AOL]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\AOL11523]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Explorer]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Firefox]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\IE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Netscape7]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Others80]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Others8080]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\http\redirect\Others81]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\icq]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\icq\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\icq\redirect\icq-in]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\icq\redirect\icq-out]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn\redirect\msmsgs]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn\redirect\msmsgs80]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn\redirect\msnmsgr]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\msn\redirect\msnmsgr80]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\pop3]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\pop3\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\pop3\Redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\pop3\Redirect\Pop3Mailer]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\smtp]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\smtp\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\smtp\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\smtp\redirect\SmtpMailer]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\smtp\redirect\Submission]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg\redirect]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg\redirect\ymsg70-in]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg\redirect\ymsg70-out]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg\redirect\ymsg75-in]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\ProtocolHandler\ymsg\redirect\ymsg75-out]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\AntiSpam]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\AntiSpam\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\HostFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\HostFilter\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\HttpManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\HttpManager\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\ImManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\MailManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\MailManager\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\PrivacyProtection]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\PrivacyProtection\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\URLFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\URLFilter\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\Virus]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Common\Virus\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\HostFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\HttpFileScan]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\HttpManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\PrivacyProtection]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\PrivacyProtection\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\URLFilter]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\Virus]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\http\Virus\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\im]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\im\ImManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\im\PrivacyProtection]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\im\PrivacyProtection\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3\AntiSpam]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3\AntiSpam\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3\MailManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3\Virus]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\Pop3\Virus\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp\MailManager]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp\PrivacyProtection]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp\PrivacyProtection\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp\Virus]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\Scan\smtp\Virus\config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\000OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\001OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\002OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\003OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\004OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\005OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\006OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\007OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\008OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\009OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\010OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\011OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\012OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\013OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\014OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\015OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\016OSCE]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\CWAT]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\ISASERVER]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\NSC\TmProxy\WhiteList\TOMCAT]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS\Add PIDs]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AEGIS\Delete PIDs]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AntiSpam Toolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\AoS]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\DelayedSending]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0\HF_1158]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0\HF_1806]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0\HF_1839]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0\HF_1855]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\HotfixHistory\10.0\ServicePack1_B1788]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iCRC Scan]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iCRC Scan\Scan Server]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\iCRC Scan\Scan Server]
"GlobalScanServerUrl"="https://osce10.icrc.trendmicro.com/tmcss"
"GlobalScanServerAddress"="osce10.icrc.trendmicro.com"

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Internet Settings]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\LoadHTTP]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Location Awareness Setting]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Manual Scan Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Manual Scan Configuration\Spyware Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
"UpdateFrom"="http://osce10-p.activeupdate.trendmicro.com/activeupdate"

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\PFW]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\POP3 AntiSpam]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\POP3 AntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Prescheduled Scan Configuration\Spyware Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\PrivacyProtection]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration\Add PIDs]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration\Delete PIDs]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Real Time Scan Configuration\Spyware Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Scan Now Configuration\Spyware Configuration]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Schedule Clean]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Schedule Update]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\SPN]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\SPN\Config]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\SPN\FeedbackModule]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Spyware Clean]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\TSC Status]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\URL Filtering]

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\URL Filtering]
"ReclassifyURL"="http://reclassify.wrs.trendmicro.com"

; End Of The Log...

#12 Jintan (Malware Response Team, 531 posts)

Posted 04 January 2013 - 09:25 PM

Not there. Was looking for a means to disable the password. I will have to research this - understand that just normally uninstalling trend micro regular products run into all sorts of problems, never less uninstalling a passworded enterprise install. Should have more info tomorrow.
Ad eundum quo no duck ante iit

#13 MintyColor (Topic Starter, Members, 10 posts)

Posted 04 January 2013 - 10:16 PM

Okay, no problem. Thanks!

#14 Jintan (Malware Response Team, 531 posts)

Posted 05 January 2013 - 06:00 PM

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]
"AllowUninstall"=dword:00000001

Go to Start Search, type notepad.exe in the Start Search box. Notepad.exe will appear at the top of the Menu. Right-click on it and choose "Run as administrator", then copy the text inside the box above and paste it into the open Notepad textbox.

Save this to your desktop as "fixer.reg"

Be sure to include the "" quotes in the name.

Then right click fixer.reg, select Merge, and allow it to merge the new information with the Registry.

Reboot, then try to uninstall Trend Micro again.
Ad eundum quo no duck ante iit
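Regedit rejects a whole script at the first value line that is not in REGEDIT4 syntax (a DWORD has to be written as dword:00000001, not as a bare 1), so it is worth checking a .reg file before merging it. As an added check that is not the helper's tool, the Python below lints such a script; the two sample scripts are constructed from the fix above, one malformed and one correct.

```python
"""Lint a REGEDIT4 / 'Windows Registry Editor Version 5.00' script.

Added example; not a Microsoft or Trend Micro tool. It reports the header,
key and value lines regedit would refuse, so a bad script is caught before
it is merged rather than failing silently at merge time.
"""
import re

HEADER_RE = re.compile(r"^(REGEDIT4|Windows Registry Editor Version 5\.00)\s*$")
# [HKEY_...\path] or [-HKEY_...\path] (the latter deletes the key)
KEY_RE = re.compile(r"^\[-?(HKEY_[A-Z_]+)(\\[^\]]+)?\]\s*$")
# "name" or @ (default value), then a string, "-" (delete), dword: or hex(type): data
VALUE_RE = re.compile(
    r'^(?:"(?:[^"\\]|\\.)*"|@)='
    r'(?:"(?:[^"\\]|\\.)*"|-|dword:[0-9a-fA-F]{8}|hex(?:\([0-9a-fA-F]+\))?:[0-9a-fA-F, \\]*)\s*$'
)


def lint_reg_script(text):
    """Return [(line_number, message), ...]; an empty list means the script is well formed."""
    problems = []
    lines = text.splitlines()
    if not lines or not HEADER_RE.match(lines[0]):
        problems.append((1, "missing REGEDIT4 / 'Windows Registry Editor Version 5.00' header"))
    in_key = False
    continuation = False  # inside a multi-line hex: value ending in a backslash
    for no, line in enumerate(lines[1:], start=2):
        s = line.strip()
        if continuation:
            continuation = s.endswith("\\")
            continue
        if not s or s.startswith(";"):
            continue  # blank line or comment
        if KEY_RE.match(s):
            in_key = True
            continue
        if not in_key:
            problems.append((no, "value outside any [HKEY_...] key"))
            continue
        if VALUE_RE.match(s):
            continuation = s.endswith("\\")
            continue
        problems.append((no, f"malformed value line: {s}"))
    return problems


# Constructed from the fix posted in this thread: the first form is what regedit
# rejects, the second is the same value written as a typed DWORD.
KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\TrendMicro\PC-cillinNTCorp\CurrentVersion\Misc.]"
BAD_SCRIPT = "REGEDIT4\n\n" + KEY + '\n"AllowUninstall"=1\n'
GOOD_SCRIPT = "REGEDIT4\n\n" + KEY + '\n"AllowUninstall"=dword:00000001\n'

if __name__ == "__main__":
    for label, script in (("bad", BAD_SCRIPT), ("good", GOOD_SCRIPT)):
        print(label, lint_reg_script(script) or "ok")
```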

#15 MintyColor (Topic Starter, Members, 10 posts)

Posted 05 January 2013 - 07:33 PM

When uninstalling, it still gives me a popup box asking me to "Type the password to uninstall the Trend Micro Officescan client."

