
Pls help in removing Antivirus System Pro


wiired


My computer has been infected with the Antivirus System Pro bug. I keep getting annoying pop-ups, and my Internet Explorer has been hijacked.

What's worse, though, is that I cannot run either Malwarebytes or HijackThis. When I try to run these programs, I get a message saying: "Application cannot be executed. The file hijackthis.exe is infected. Do you want to activate your antivirus software now?"

Thanks in advance for your help!


Hi wiired, and welcome back again.

Before we move on, whatever happened back in July:

http://www.malwarebytes.org/forums/index.p...amp;#entry98797

You never finished?

Dear Kenny

Thank you for your response. I am not sure what happened back in July. I posted the various logs etc and then lost track of the thread! But the problem did get fixed. I am sorry for leaving the admins hanging.

Do you think purchasing Malwarebytes and running real time protection will help me avoid some of these viruses that I am running into?

Also thank you in advance if you are able to help me with my current issue! I have signed up for e-mail alerts, that way I will not lose track of the thread and will be able to make sure I keep you updated. Thanks again.


No problem.... ;) Let's try to fix your computer.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)

There are 4 different versions. If one of them won't run, then download and try to run the other one.

Vista and Win7 users need to right-click and choose Run as Admin.

You only need to get one of them to run, not all of them.

  1. rkill.exe
  2. rkill.com
  3. rkill.scr
  4. rkill.pif

Then

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Thank you for your message. I downloaded rkill.scr, rkill.com, and rkill.exe to my desktop. Neither file worked. When I double-clicked, it looked like the program started to work, but then it quickly went to the "application cannot be executed. The file is infected. Do you want to activate your antivirus software now" message.

As for rkill.pif, after I download it I can't actually see the file on my desktop. Also, the "Downloads" window of Firefox shows it to be some sort of a "shortcut" file. When I double-click, nothing happens.

Thanks again for your help.



Let's try a different approach.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows (screenshots: CF_download_FF.gif, CF_download_rename.gif).
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
  • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

-----------------------------------------------------------

  7. Double-click on Combo-Fix.exe and follow the prompts.
  8. When finished, it will produce a report for you.
  9. Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

If you still cannot get this to run, try booting into Safe Mode, and run it there.

To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode."

If this doesn't work either, try the same method as above, but rename Combofix.exe to iexplore.exe or winlogon.exe instead.

This is because in some cases the malware blocks EVERY process except those on its own whitelist, and this whitelist also includes important system processes such as iexplore.exe, explorer.exe, winlogon.exe...

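The whitelist behaviour described in the post above, as an added example that is not part of the original thread or of any product: a small Python comparison of an execution decision keyed on the file name (the rogue's rule, which is why renaming Combo-Fix.exe to a whitelisted name gets it past the block) with one keyed on the file's SHA-256, which a defender's application allowlist should use because renaming does not change it. File names, contents and hashes are constructed for the demo.

```python
import hashlib
from pathlib import Path
from tempfile import TemporaryDirectory

# Process names the thread says the rogue keeps on its own whitelist.
ROGUE_NAME_WHITELIST = {"iexplore.exe", "explorer.exe", "winlogon.exe"}


def name_based_allows(path: Path) -> bool:
    """The rogue's rule: run only if the file NAME is whitelisted."""
    return path.name.lower() in ROGUE_NAME_WHITELIST


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_based_allows(path: Path, allowed_hashes: set) -> bool:
    """Defender's rule: run only if the file CONTENT hash is allowlisted."""
    return sha256_of(path) in allowed_hashes


def compare_policies() -> dict:
    """Evaluate both rules on three constructed files and return the verdicts.

    Returns {"name_based": {...}, "hash_based": {...}}, keyed by file name.
    """
    verdicts = {"name_based": {}, "hash_based": {}}
    with TemporaryDirectory() as tmp:
        # Constructed stand-in for the cleaning tool (not a real binary).
        tool = Path(tmp) / "Combo-Fix.exe"
        tool.write_bytes(b"constructed stand-in for the cleaning tool")
        # The defender's allowlist is built from the tool's real hash.
        allowed = {sha256_of(tool)}

        def record(p: Path) -> None:
            verdicts["name_based"][p.name] = name_based_allows(p)
            verdicts["hash_based"][p.name] = hash_based_allows(p, allowed)

        record(tool)                                    # blocked by name, allowed by hash
        tool = tool.rename(Path(tmp) / "iexplore.exe")  # the thread's workaround
        record(tool)                                    # same bytes: now passes both rules
        # A different file that merely carries a whitelisted name: the name rule
        # lets it through, the hash rule does not.
        impostor = Path(tmp) / "winlogon.exe"
        impostor.write_bytes(b"constructed stand-in for an unrelated file")
        record(impostor)
    return verdicts


if __name__ == "__main__":
    for rule, results in compare_policies().items():
        print(rule, results)
```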

Do you think purchasing Malwarebytes and running real time protection will help me avoid some of these viruses that I am running into?

Yes, I do. Let's see if you can get ComboFix to run and we may have a chance to fix your computer. Your computer looks to be badly infected.



Thanks. I renamed the Combo-Fix file to iexplore, and that worked. I then ran HijackThis. I will post both logs. In this message I'll post the ComboFix log:


- 2009-07-07 17:48 . 2009-07-07 17:48 884736 c:\windows\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 114688 c:\windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 258048 c:\windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 131072 c:\windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 299008 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 299008 c:\windows\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 258048 c:\windows\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 372736 c:\windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 630784 c:\windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 401408 c:\windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 188416 c:\windows\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 933888 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 933888 c:\windows\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 741376 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 741376 c:\windows\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 425984 c:\windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 110592 c:\windows\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 671744 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 671744 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 372736 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 110592 c:\windows\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 749568 c:\windows\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 655360 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 348160 c:\windows\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 507904 c:\windows\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 261120 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 261120 c:\windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 113664 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 258048 c:\windows\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 483840 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 483840 c:\windows\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll

+ 2009-11-03 00:49 . 2009-11-03 01:24 1483460 c:\windows\system32\Restore\rstrlog.dat

+ 2009-07-18 03:21 . 2009-07-18 03:21 3883424 c:\windows\system32\Macromed\Flash\NPSWF32.dll

+ 2009-07-07 00:34 . 2006-02-28 12:00 1580544 c:\windows\system32\dllcache\cache\sfcfiles.dll

+ 2009-07-07 00:34 . 2007-02-28 09:53 2137600 c:\windows\system32\dllcache\cache\ntoskrnl.exe

+ 2009-07-07 00:34 . 2007-02-28 09:15 2017280 c:\windows\system32\dllcache\cache\ntkrnlpa.exe

+ 2009-07-07 00:34 . 2007-06-13 10:23 1033216 c:\windows\system32\dllcache\cache\explorer.exe

+ 2009-08-06 23:23 . 2009-08-06 23:23 1929952 c:\windows\SoftwareDistribution\WebSetup\wuaueng.dll

+ 2009-10-24 15:03 . 2009-10-24 15:03 7028736 c:\windows\Installer\74f2cb.msi

+ 2009-07-15 12:23 . 2009-07-15 12:23 3076096 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 3076096 c:\windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 2068480 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 2068480 c:\windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 5013504 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 5013504 c:\windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 5070848 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll

+ 2009-07-15 12:24 . 2009-07-15 12:24 5070848 c:\windows\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 5431296 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 5431296 c:\windows\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 3036160 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 3036160 c:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll

- 2009-07-07 17:48 . 2009-07-07 17:48 4444160 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

+ 2009-07-15 12:23 . 2009-07-15 12:23 4444160 c:\windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll

+ 2009-09-27 01:13 . 2009-09-27 01:13 15709696 c:\windows\Installer\d1dcf.msp

+ 2009-08-27 00:37 . 2009-08-27 00:37 15705600 c:\windows\Installer\53f55d.msp

.

-- Snapshot reset to current date --

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2005-11-16 1200128]

"Google Update"="c:\documents and settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]

"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]

"TabletTip"="c:\program files\Common Files\microsoft shared\ink\tabtip.exe" [2005-04-26 271872]

"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2006-02-22 40960]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-08-08 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-08-08 162328]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-08-08 137752]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-12 827392]

"lxddmon.exe"="c:\program files\Lexmark 2500 Series\lxddmon.exe" [2007-06-12 291760]

"lxddamon"="c:\program files\Lexmark 2500 Series\lxddamon.exe" [2007-04-30 20480]

"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]

"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]

"BDRegion"="c:\program files\Cyberlink\Shared Files\brs.exe" [2008-05-19 91432]

"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-11-10 157312]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]

"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2008-08-14 565008]

"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-08-14 2407184]

"AmazonGSDownloaderTray"="c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe" [2009-05-20 223744]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" [2008-12-04 218408]

"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-01-05 872448]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\J8PQ9Jzaz.exe" [2009-11-25 1312080]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\AGRSMMSG.exe [2005-12-12 88203]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

VPN Client.lnk - c:\windows\Installer\{A7091E1D-36A4-47F1-A739-173CC341414F}\Icon3E5562ED7.ico [2008-12-25 6144]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"ForceStartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]

"NoAutoUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\loginkey]

2004-08-04 12:00 47104 ----a-w- c:\program files\Common Files\Microsoft Shared\Ink\LoginKey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\TabBtnWL]

2002-08-29 07:41 11776 ----a-w- c:\windows\system32\tabbtnwl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tpgwlnotify]

2004-08-04 12:00 30208 ----a-w- c:\windows\system32\tpgwlnot.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager

"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager

"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\WINDOWS\\system32\\lxddcoms.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddamon.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\App4R.exe"=

"c:\\Program Files\\CyberLink\\PowerDVD8\\PowerDVD8.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Documents and Settings\\vtewari\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\vtewari\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\WINDOWS\\keyacc32.exe"=

"c:\\WINDOWS\\system32\\wisptis.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddpswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddjswx.exe"=

"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\lxddtime.exe"=

"c:\\Program Files\\Logitech\\QuickCam\\Quickcam.exe"=

"c:\\Program Files\\Common Files\\Microsoft Shared\\Ink\\tabtip.exe"=

"c:\\Program Files\\Lexmark 2500 Series\\lxddmon.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 sptd;sptd;c:\windows\system32\drivers\sptd.sys [6/23/2008 7:37 PM 717296]

R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};c:\program files\CyberLink\PowerDVD8\000.fcl [5/15/2008 11:07 AM 61424]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/17/2009 8:39 AM 108289]

R2 lxdd_device;lxdd_device;c:\windows\system32\lxddcoms.exe -service --> c:\windows\system32\lxddcoms.exe -service [?]

R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2/28/2006 4:05 PM 87808]

R3 wisdpen;Wacom Penabled MiniDriver;c:\windows\system32\drivers\wisdpen.sys [1/22/2007 1:09 PM 34736]

S2 lxddCATSCustConnectService;lxddCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxddserv.exe [12/30/2007 12:27 PM 99248]

S3 Amazon Download Agent;Amazon Download Agent;c:\program files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe [6/20/2009 7:38 AM 297472]

S3 CBEN5;Xircom CardBus Ethernet 10/100 Adapter family Driver;c:\windows\system32\drivers\cben5.sys [2/13/2009 7:07 PM 46108]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\MAGIX\Common\Database\bin\fbserver.exe [8/11/2009 1:26 PM 1527900]

S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [4/17/2005 11:30 AM 124608]

S3 WacomISDPen;Wacom Penabled HID MiniDriver;c:\windows\system32\drivers\wacomisdpen.sys [7/14/2005 12:19 PM 23936]

S3 WacomPen;Wacom Serial Pen HID Driver;c:\windows\system32\drivers\wacompen.sys [9/15/2006 10:44 AM 13568]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI7

.

Contents of the 'Scheduled Tasks' folder

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1333544005-732890874-926709054-2869Core.job

- c:\documents and settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-20 13:04]

2009-11-26 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1333544005-732890874-926709054-2869UA.job

- c:\documents and settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-20 13:04]

.

.

------- Supplementary Scan -------

.

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyServer = http=127.0.0.1:5555

uInternet Settings,ProxyOverride = <local>

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

TCP: {CEEDBCB4-4E3A-4D8B-9A4B-472F41939AFC} = 202.149.208.92,202.149.208.11

DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} - /Touchworks/AHSCompressionEngine.cab

DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} - hxxp://emr.bgpma.com/IDXICW/IDXM/idxssl.cab

DPF: {27B87596-448E-40CB-B3B4-4F329FF540EC} - /TouchWorks/ResultWorks/CHWorks/VitalSigns/wavitalsigns.cab

DPF: {46965FE7-2129-407B-938C-BE358A56D11E} - /touchworks/docworks/chworks/note/aicviewer3.cab

DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} - hxxp://d.64.69.14.142.downloads.estara.com./as/OneCCDM.php?template=83205&sessionid=1053845106_72.221.65.205_60883&=&req=1228491227562OneCC.cab

DPF: {77C84519-8818-4E32-9540-653A9905C9F6} - hxxp://tw.bgpma.com/Touchworks/DictationController.cab

DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} - /TouchWorks/ResultWorks/chworks/flowsheets/pe32.cab

DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} - hxxp://emr.bgpma.com/IDXICW/IDXM/FlowcastLDAP.cab

DPF: {9A0CA502-7DA4-4B72-B5D4-D280DE8D4512} - /Touchworks/DictionaryManager.CAB

DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab

DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} - hxxp://emr.bgpma.com/IDXICW/IDXM/icw.CAB

DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} - /TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab

DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} - hxxps://tw.bgpma.com/Touchworks/DictateBar.cab

DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} - hxxp://emr.bgpma.com/IDXICW/IDXM/idxcsvr.cab

DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} - /TouchWorks/docworks/chworks/note/aic_viewer2.cab

FF - ProfilePath - c:\documents and settings\vtewari\Application Data\Mozilla\Firefox\Profiles\ae0283l9.default\

FF - plugin: c:\documents and settings\vtewari\Application Data\Move Networks\plugins\npqmp071505000010.dll

FF - plugin: c:\documents and settings\vtewari\Application Data\Move Networks\plugins\npqmp071701000002.dll

FF - plugin: c:\documents and settings\vtewari\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\vtewari\Local Settings\Application Data\Google\Update\1.2.183.13\npGoogleOneClick8.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Photosynth\npPhotosynthMozilla.dll

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-bbiysexv - c:\documents and settings\vtewari\Local Settings\Application Data\qpqait\wtixsysguard.exe

HKLM-Run-bbiysexv - c:\documents and settings\vtewari\Local Settings\Application Data\qpqait\wtixsysguard.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-11-26 13:30

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ???pT??????(?@???????@

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys hal.dll ACPI.sys >>UNKNOWN [0x865651F8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xf75cbfc3

\Driver\ACPI -> ACPI.sys @ 0xf7346cb8

\Driver\atapi -> 0x865651f8

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490

ParseProcedure -> ntkrnlpa.exe @ 0x805815d0

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x80582490

ParseProcedure -> ntkrnlpa.exe @ 0x805815d0

NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf71b3ba0

PacketIndicateHandler -> NDIS.sys @ 0xf71c0b21

SendHandler -> NDIS.sys @ 0xf719e87b

Warning: possible MBR rootkit infection !

user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}]

"ImagePath"="\??\c:\program files\CyberLink\PowerDVD8\000.fcl"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1216)

c:\program files\windows journal\nbmaptip.dll

c:\windows\IME\SPGRMR.DLL

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\btncopy.dll

c:\windows\system32\PortableDeviceTypes.dll

c:\windows\system32\PortableDeviceApi.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

c:\program files\Common Files\Symantec Shared\ccSetMgr.exe

c:\windows\System32\SCardSvr.exe

c:\windows\SYSTEM32\WISPTIS.EXE

c:\windows\System32\tabbtnu.exe

c:\program files\Common Files\Microsoft Shared\Ink\TCServer.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\progra~1\MI3AA1~1\rapimgr.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

c:\program files\Cisco Systems\VPN Client\cvpnd.exe

c:\program files\Symantec AntiVirus\DefWatch.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\program files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

c:\windows\system32\lxddcoms.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\program files\CyberLink\Shared Files\RichVideo.exe

c:\windows\system32\ZuneBusEnum.exe

c:\program files\Hewlett-Packard\Shared\hpqwmiex.exe

c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe

.

**************************************************************************

.

Completion time: 2009-11-26 13:36 - machine was rebooted

ComboFix-quarantined-files.txt 2009-11-26 18:36

ComboFix2.txt 2009-07-15 02:03

ComboFix3.txt 2009-07-07 00:38

Pre-Run: 25,886,900,224 bytes free

Post-Run: 26,631,299,072 bytes free

- - End Of File - - F4672104FB736A9923E4B6DEDCD8D621


And here is the Hijack This log.

Again thank you immensely for your help:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 1:38:22 PM, on 11/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Cyberlink\Shared Files\brs.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Web Desktop\IDXIEController.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\Downloaded Program Files\DictateBar.dll

O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\Downloaded Program Files\DictateBar.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [updatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\J8PQ9Jzaz.exe" /runcleanupscript

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - /Touchworks/AHSCompressionEngine.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://emr.bgpma.com/IDXICW/IDXM/idxssl.cab

O16 - DPF: {27B87596-448E-40CB-B3B4-4F329FF540EC} (WAVSCtl.WAVitalSignsCtl) - /TouchWorks/ResultWorks/CHWorks/VitalSigns/wavitalsigns.cab

O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - TouchWorks/Common/Components/AtalaSoft/ImgXDialog61.cab

O16 - DPF: {46965FE7-2129-407B-938C-BE358A56D11E} (AICViewer.Viewer) - /touchworks/docworks/chworks/note/aicviewer3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1253966660890

O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.64.69.14.142.downloads.estara.com...227562OneCC.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1253970825937

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {77C84519-8818-4E32-9540-653A9905C9F6} (DictationController Class) - http://tw.bgpma.com/Touchworks/DictationController.cab

O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl) - /TouchWorks/Common/Components/AtalaSoft/ImgX61.cab

O16 - DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} (Pesgoa Control) - /TouchWorks/ResultWorks/chworks/flowsheets/pe32.cab

O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://emr.bgpma.com/IDXICW/IDXM/FlowcastLDAP.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A0CA502-7DA4-4B72-B5D4-D280DE8D4512} (DictionaryManager.Dictionary) - /Touchworks/DictionaryManager.CAB

O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab

O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://emr.bgpma.com/IDXICW/IDXM/icw.CAB

O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - /TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab

O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://tw.bgpma.com/Touchworks/DictateBar.cab

O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://emr.bgpma.com/IDXICW/IDXM/idxcsvr.cab

O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - /TouchWorks/docworks/chworks/note/aic_viewer2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bgpma.com

O17 - HKLM\Software\..\Telephony: DomainName = bgpma.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEEDBCB4-4E3A-4D8B-9A4B-472F41939AFC}: NameServer = 202.149.208.92,202.149.208.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bgpma.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bgpma.com

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\BrownSW\VPNCLN~1\INSTAL~1.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX


Nice job, wiired!

We have a file missing, "proquota.exe". I'll see if I can get a copy of it off an XP OS for you to install. But we need to remove some more infections.

I see you have Avira and Symantec Anti-Virus on your computer. Two anti-virus programs take up an enormous amount of your computer's resources when they are actively scanning your computer. Having two anti-virus programs running at the same time can cause your computer to run very slow, become unstable and even, in rare cases, crash. Please remove one of them. If you paid for Symantec and it has not expired, keep it. If not, remove it. Here's how:

To remove Norton, Click on Start > Settings > Control Panel

double click on Add/Remove Programs, search for every item that belongs to Norton, Symantec, or LiveUpdate and remove them, reboot when prompted, or reboot manually if your computer hasn't automatically rebooted. To remove the leftovers download and run the Norton Removal Tool, read HERE

Now, if you want to keep Symantec, remove Avira from Add/Remove Programs in the Control Panel.

Let's run Malwarebytes before we do anything else... :(

  • Launch Malwarebytes' Anti-Malware
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

In your next reply, please include these log(s):

MBAM Report

HijackThis log (new)

Also, please let me know how things are running now and if you encountered any problems while you were following the instructions I posted.

I ran a Malwarebytes quick scan, and no malicious items were detected. I will run Hijack This shortly. Here is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.41

Database version: 3225

Windows 5.1.2600 Service Pack 2

11/26/2009 2:51:33 PM

mbam-log-2009-11-26 (14-51-33).txt

Scan type: Quick Scan

Objects scanned: 135555

Time elapsed: 5 minute(s), 40 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


And here is my HijackThis log. What is the proquota file that is missing?

Once again, thank you for all of your help. I have taken your advice and purchased the Malwarebytes protection module.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:56:29 PM, on 11/26/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\KeyboardSurrogate.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\SYSTEM32\WISPTIS.EXE

C:\WINDOWS\System32\tabbtnu.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TCServer.exe

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Common Files\Microsoft Shared\Ink\TabTip.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Lexmark 2500 Series\lxddmon.exe

C:\Program Files\Lexmark 2500 Series\lxddamon.exe

C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe

C:\Program Files\Cyberlink\Shared Files\brs.exe

C:\Program Files\Zune\ZuneLauncher.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\Program Files\Analog Devices\Core\smax4pnp.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\lxddcoms.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\Program Files\CyberLink\Shared Files\RichVideo.exe

C:\WINDOWS\system32\svchost.exe

c:\WINDOWS\system32\ZuneBusEnum.exe

C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\vtewari\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555

O2 - BHO: IDXHlprObj Class - {31816979-F864-4acf-919F-D0B3B56432E6} - C:\Program Files\IDX Web Desktop\IDXIEController.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: DictateBHO - {E12A882B-F14F-4440-9BC0-84A5EB766605} - C:\WINDOWS\Downloaded Program Files\DictateBar.dll

O3 - Toolbar: TouchWorks Dictate - {6F60C5C5-61B3-4378-8902-ED9497663AC9} - C:\WINDOWS\Downloaded Program Files\DictateBar.dll

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [lxddmon.exe] "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

O4 - HKLM\..\Run: [lxddamon] "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

O4 - HKLM\..\Run: [bDRegion] C:\Program Files\Cyberlink\Shared Files\brs.exe

O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [AmazonGSDownloaderTray] C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

O4 - HKLM\..\Run: [updatePDRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"

O4 - HKLM\..\Run: [soundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\J8PQ9Jzaz.exe" /runcleanupscript

O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: VPN Client.lnk = ?

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {019D5592-3928-4DE4-BAA2-1F2E5EEF4CF6} (Engine Class) - /Touchworks/AHSCompressionEngine.cab

O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.1...toUploader5.cab

O16 - DPF: {18D0680E-E927-11D3-B34E-00C04FAC4E43} (IDXssl Class) - http://emr.bgpma.com/IDXICW/IDXM/idxssl.cab

O16 - DPF: {27B87596-448E-40CB-B3B4-4F329FF540EC} (WAVSCtl.WAVitalSignsCtl) - /TouchWorks/ResultWorks/CHWorks/VitalSigns/wavitalsigns.cab

O16 - DPF: {45EEDB84-57BC-4FBD-8065-7AB8E971B545} (ImgXDialog6.ImgXDialog) - TouchWorks/Common/Components/AtalaSoft/ImgXDialog61.cab

O16 - DPF: {46965FE7-2129-407B-938C-BE358A56D11E} (AICViewer.Viewer) - /touchworks/docworks/chworks/note/aicviewer3.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1253966660890

O16 - DPF: {65FDEDF3-8ED9-4F5B-825E-18C2D44191A7} (OneCCCtl Class) - http://d.64.69.14.142.downloads.estara.com...227562OneCC.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1253970825937

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {77C84519-8818-4E32-9540-653A9905C9F6} (DictationController Class) - http://tw.bgpma.com/Touchworks/DictationController.cab

O16 - DPF: {7E8DC73D-69CD-4F67-99B1-8DC6E42F6246} (Atalasoft ImgXCtrl6.ImgXCtrl) - /TouchWorks/Common/Components/AtalaSoft/ImgX61.cab

O16 - DPF: {860FFAFE-5AAA-11D2-81EB-006008A2E49D} (Pesgoa Control) - /TouchWorks/ResultWorks/chworks/flowsheets/pe32.cab

O16 - DPF: {9192D4F0-C65C-43C9-9160-D0DA5F9934B8} (Flowcast LDAP Class) - http://emr.bgpma.com/IDXICW/IDXM/FlowcastLDAP.cab

O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab

O16 - DPF: {9A0CA502-7DA4-4B72-B5D4-D280DE8D4512} (DictionaryManager.Dictionary) - /Touchworks/DictionaryManager.CAB

O16 - DPF: {ACEFFC26-4628-11D1-B14A-105C01C13001} (WSpell Spelling Checker Control) - /TouchWorks/DocWorks/CHWorks/Note/wspell.cab

O16 - DPF: {B50B4ECE-666C-11D1-8DB2-000000000000} (IDX TermWin Control) - http://emr.bgpma.com/IDXICW/IDXM/icw.CAB

O16 - DPF: {B7B8B614-6A5C-4140-A303-43CEB589D6A5} (TWRTFControl) - /TouchWorks/DocWorks/CHWorks/Note/TWRTF.cab

O16 - DPF: {B7EA9615-586E-4193-9C3C-A29CA577E040} (DictateBandInstaller) - https://tw.bgpma.com/Touchworks/DictateBar.cab

O16 - DPF: {C0FFB157-3B62-477B-8DEA-203247B88C04} (IDXcsvr Control Class) - http://emr.bgpma.com/IDXICW/IDXM/idxcsvr.cab

O16 - DPF: {CE10AD66-84BC-46A9-9424-C863199C0408} (AIC_ViewerAS2.Viewer) - /TouchWorks/docworks/chworks/note/aic_viewer2.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab

O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/Facebo...Uploader4_5.cab

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bgpma.com

O17 - HKLM\Software\..\Telephony: DomainName = bgpma.com

O17 - HKLM\System\CCS\Services\Tcpip\..\{CEEDBCB4-4E3A-4D8B-9A4B-472F41939AFC}: NameServer = 202.149.208.92,202.149.208.11

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bgpma.com

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = bgpma.com

O23 - Service: Amazon Download Agent - Amazon.com - C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderService.exe

O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe

O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\BrownSW\VPNCLN~1\INSTAL~1.EXE

O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe

O23 - Service: Firebird Server - MAGIX Instance (FirebirdServerMAGIXInstance) - MAGIX

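As an added example (not the forum's or Kenny's own tooling), here is a small Python triage script that parses HijackThis entries of the kind shown above and flags the items a helper looks at first: a ProxyServer value pointing at loopback (the log above shows http=127.0.0.1:5555, a setting rogue antivirus programs commonly install so they can intercept browser traffic), O4 Run entries that name an executable without a full path (resolved through the search path, so worth confirming), and O23 services with an unknown owner. The sample log is constructed from a few of the posted lines; the finding names are my own. A flag means "review", not "malicious": AGRSMMSG.exe is the Agere modem helper and the Cisco installer service is likely legitimate too.

```python
import re
from typing import Dict, List

# Constructed sample modelled on a few lines of the HijackThis log posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O23 - Service: Cisco Systems, Inc. Installer service (CiscoVpnInstallService) - Unknown owner - C:\BrownSW\VPNCLN~1\INSTAL~1.EXE
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Every HijackThis entry starts with its section code (R0, R1, O2, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a HijackThis log into {section, body} records; header and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("sec"), "body": m.group("body")})
    return entries


def proxy_targets(value: str) -> List[str]:
    """'http=127.0.0.1:5555;https=proxy:8080' -> ['127.0.0.1:5555', 'proxy:8080'].
    A bare 'host:port' (no scheme=) applies to every protocol and is kept as-is."""
    targets = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:
            part = part.split("=", 1)[1]
        targets.append(part)
    return targets


def host_of(target: str) -> str:
    """Strip the trailing :port; a bracketed IPv6 literal stays intact."""
    return target.rsplit(":", 1)[0] if ":" in target else target


def review(text: str) -> List[Dict[str, str]]:
    """Return review findings (kind, detail, entry) for the suspicious patterns described above."""
    findings = []
    for e in parse_entries(text):
        sec, body = e["section"], e["body"]
        if sec.startswith("R") and ",ProxyServer = " in body:
            value = body.split(" = ", 1)[1]
            for t in proxy_targets(value):
                if host_of(t).lower() in LOOPBACK:
                    findings.append({"kind": "loopback-proxy", "detail": t, "entry": body})
        elif sec == "O4" and "\\Run: [" in body:
            # Command after the [name] tag; a legitimate entry normally carries a drive-qualified path.
            cmd = body.split("] ", 1)[1] if "] " in body else ""
            if not re.match(r'^"?[A-Za-z]:\\', cmd):
                findings.append({"kind": "run-entry-without-path", "detail": cmd, "entry": body})
        elif sec == "O23" and " - Unknown owner - " in body:
            findings.append({"kind": "service-unknown-owner", "detail": body.split(" - ")[-1], "entry": body})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['detail']}")
```

Run it against a full saved log with `review(open("hijackthis.log").read())`; the loopback-proxy finding is the one to resolve first, since a browser that is silently routed through a local port will keep showing the rogue's warning pages until that value is cleared.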

One more question, do I need to be running Avira AntiVir Personal if Malwarebytes protection is running?

Yes, you can use both as on-access scanners.

Having Malwarebytes protection (to monitor activity on your machine) is fine with most anti-virus programs, Avira AntiVir Personal as well.... :(

Hi wiired.

Open Notepad and copy and paste the text in the code box below into it:

File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\system32\drivers\logiflt.iad
c:\documents and settings\All Users\Application Data\Temp
c:\documents and settings\All Users\Application Data\Temp\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}

Driver::
lvuvc
logiflt

SRPeek::
c:\windows\system32\proquota.exe

Save the file to your desktop and name it CFScript.txt

Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

[screenshot: CFScriptB-4.gif]

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

Note: These instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system.

Smile, we are getting closer. Please do not attach your logs, it makes it harder to read..... :(

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *proquota*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next

I should have run GMER to check for a rootkit earlier, but had too many people talking yesterday and forgot.... :(

GMER

  • Download GMER by GMER from one of the links below:
    Link1
    Link2
  • Unzip it to a folder on your desktop
  • Double click on gmer.exe to launch GMER
  • If asked, allow the gmer.sys driver to load
  • If it warns you about rootkit activity and asks if you want to run a scan, click OK
  • If you don't get a warning then
    • Click the Rootkit tab
    • Click Scan
  • Once the scan has finished, click Copy
  • Paste the log into Notepad using Ctrl+V
  • Save it to your desktop as gmerrk.txt
  • Click on the >>> tab
  • This will open up the rest of the tabs for you
  • Click on the Autostart tab
  • Click on Scan
  • Once the scan has finished, click Copy
  • Paste the log into Notepad using Ctrl+V
  • Save it to your desktop as gmerautos.txt
  • Send the contents of gmerautos.txt and gmerrk.txt as a reply to this topic

In your next reply, please include these log(s):

SystemLook.txt

gmerautos.txt

Here is gmerrk.txt:

GMER 1.0.15.15252 - http://www.gmer.net

Rootkit scan 2009-11-27 14:53:32

Windows 5.1.2600 Service Pack 2

Running: gmer.exe; Driver: C:\DOCUME~1\vtewari\LOCALS~1\Temp\uftoapob.sys

---- System - GMER 1.0.15 ----

SSDT F7C1DC8E ZwCreateKey

SSDT F7C1DC84 ZwCreateThread

SSDT F7C1DC93 ZwDeleteKey

SSDT F7C1DC9D ZwDeleteValueKey

SSDT spim.sys ZwEnumerateKey [0xF73E5CA2]

SSDT spim.sys ZwEnumerateValueKey [0xF73E6030]

SSDT F7C1DCA2 ZwLoadKey

SSDT spim.sys ZwOpenKey [0xF73C70C0]

SSDT F7C1DC70 ZwOpenProcess

SSDT F7C1DC75 ZwOpenThread

SSDT spim.sys ZwQueryKey [0xF73E6108]

SSDT spim.sys ZwQueryValueKey [0xF73E5F88]

SSDT F7C1DCAC ZwReplaceKey

SSDT F7C1DCA7 ZwRestoreKey

SSDT F7C1DC98 ZwSetValueKey

SSDT F7C1DC7F ZwTerminateProcess

INT 0x62 ? 86B66BF8

INT 0x82 ? 86B66BF8

INT 0x83 ? 869F4BF8

INT 0x84 ? 869F4BF8

INT 0x94 ? 869F4BF8

INT 0xB4 ? 869F4BF8

---- Kernel code sections - GMER 1.0.15 ----

? spim.sys The system cannot find the file specified. !

.text USBPORT.SYS!DllUnload F610662C 5 Bytes JMP 869F41D8

init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF60EAEBF]

C:\Program Files\CyberLink\PowerDVD8\000.fcl entry point in "" section [0xA8EC641C]

.clc C:\Program Files\CyberLink\PowerDVD8\000.fcl unknown last code section [0xA8EC7000, 0x1000, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!DialogBoxIndirectParamW 7E432032 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!MessageBoxIndirectA 7E43A04A 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!DialogBoxParamA 7E43B10C 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!MessageBoxExW 7E4505D8 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!MessageBoxExA 7E4505FC 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!DialogBoxIndirectParamA 7E456B50 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!MessageBoxIndirectW 7E4662AB 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73C8040] spim.sys

IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73C813C] spim.sys

IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73C80BE] spim.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73C87FC] spim.sys

IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73C86D2] spim.sys

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73D8048] spim.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01C62F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01C62CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01C62D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[764] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01C62CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Mozilla Firefox\firefox.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01162F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Mozilla Firefox\firefox.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01162CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Mozilla Firefox\firefox.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01162D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Mozilla Firefox\firefox.exe[852] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01162CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [016D2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [016D2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [016D2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\Explorer.EXE[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [016D2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A22F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A22CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A22D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A22CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A02F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A02CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A02D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[3444] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A02CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\notepad.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009C2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\notepad.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009C2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\notepad.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\WINDOWS\notepad.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009C2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\vtewari\Desktop\gmer.exe[4460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\vtewari\Desktop\gmer.exe[4460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\vtewari\Desktop\gmer.exe[4460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

IAT C:\Documents and Settings\vtewari\Desktop\gmer.exe[4460] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 86B651F8

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\usbuhci \Device\USBPDO-0 8690B1F8

Device \Driver\dmio \Device\DmControl\DmIoDaemon 86BD61F8

Device \Driver\dmio \Device\DmControl\DmConfig 86BD61F8

Device \Driver\dmio \Device\DmControl\DmPnP 86BD61F8

Device \Driver\dmio \Device\DmControl\DmInfo 86BD61F8

Device \Driver\usbuhci \Device\USBPDO-1 8690B1F8

Device \Driver\usbuhci \Device\USBPDO-2 8690B1F8

Device \Driver\usbuhci \Device\USBPDO-3 8690B1F8

Device \Driver\usbehci \Device\USBPDO-4 868F41F8

Device \Driver\Ftdisk \Device\HarddiskVolume1 86B671F8

Device \Driver\atapi \Device\Ide\IdePort0 86B661F8

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 86B661F8

Device \Driver\atapi \Device\Ide\IdePort1 86B661F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{5DAD3988-CC49-4034-8B6F-C12AAACB4144} 84DDB1F8

Device \Driver\NetBT \Device\NetBt_Wins_Export 84DDB1F8

Device \Driver\NetBT \Device\NetbiosSmb 84DDB1F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{3B46B061-1F9E-423D-ABBD-BF8D7D5D9CB1} 84DDB1F8

Device \Driver\usbuhci \Device\USBFDO-0 8690B1F8

Device \Driver\usbuhci \Device\USBFDO-1 8690B1F8

Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 84DC11F8

Device \Driver\usbuhci \Device\USBFDO-2 8690B1F8

Device \FileSystem\MRxSmb \Device\LanmanRedirector 84DC11F8

Device \Driver\usbuhci \Device\USBFDO-3 8690B1F8

Device \Driver\usbehci \Device\USBFDO-4 868F41F8

Device \Driver\Ftdisk \Device\FtControl 86B671F8

Device \Driver\NetBT \Device\NetBT_Tcpip_{CEEDBCB4-4E3A-4D8B-9A4B-472F41939AFC} 84DDB1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016417f864d

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641861598

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641861e9e

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641861ea3

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641862c98

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 11822

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xFF 0x23 0x1A ...

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016417f864d (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641861598 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641861e9e (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641861ea3 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641862c98 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0

Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFD 0xFF 0x23 0x1A ...

---- EOF - GMER 1.0.15 ----

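To show how a responder reads the hook sections of the log above, here is an added example. It is not part of the post and not GMER's own code: it parses the `.text` inline-hook and `IAT` lines GMER printed, attributes each hook to the module that installed it, and flags the cases worth a second look: a hooking module GMER reports as missing from disk, one loaded from a temp or other user-writable directory, and one with no vendor description. The sample lines are copied from the log above; the line patterns are inferred from that log rather than taken from a published GMER format, and a flag is a triage prompt, not a verdict (the Logitech helper in C:\WINDOWS\TEMP carries a vendor description, for instance).

```python
"""Triage the hook sections of a GMER 1.0.15 log.

Added example: not part of the forum post and not GMER's own code. The line
patterns below are inferred from the log format seen in the thread (an
assumption, not a published grammar).
"""
import re
import sys
from collections import defaultdict

# Sample lines copied from the GMER log posted above (a constructed subset).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
? spim.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F610662C 5 Bytes JMP 869F41D8
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2012] USER32.dll!DialogBoxParamW 7E42555F 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73C8040] spim.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73D8048] spim.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.EXE[1072] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [016D2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\notepad.exe[4032] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009C2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
"""

# "? <module> The system cannot find the file specified. !"
MISSING = re.compile(r"^\? (?P<file>\S+) The system cannot find the file specified\. !$")
# ".text <image>!<function> <addr> <n> Bytes JMP <dest> [<hooking module> (<description>)]"
INLINE = re.compile(
    r"^\.text (?P<target>.+?)!(?P<func>\S+) (?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP "
    r"(?P<dest>[0-9A-F]+)(?: (?P<hooker>.+?))?(?: \((?P<desc>[^()]*)\))?$")
# "IAT <process>[<pid>] @ <module> [<import>] [<addr>] <hooking module> (<description>)"
USER_IAT = re.compile(
    r"^IAT (?P<target>.+?)\[(?P<pid>\d+)\] @ (?P<module>\S+) \[(?P<func>[^\]]+)\] "
    r"\[(?P<addr>[0-9A-F]+)\] (?P<hooker>.+?)(?: \((?P<desc>[^()]*)\))?$")
# "IAT <driver>[<import>] [<addr>] <hooking module>"
KERNEL_IAT = re.compile(
    r"^IAT (?P<target>\S+?)\[(?P<func>[^\]]+)\] \[(?P<addr>[0-9A-F]+)\] "
    r"(?P<hooker>.+?)(?: \((?P<desc>[^()]*)\))?$")
# Directories an unprivileged process can usually write to.
TEMP_DIR = re.compile(r"\\temp\\|\\local settings\\", re.IGNORECASE)


def parse_hooks(text):
    """Return (hooks, missing): parsed hook records and the lower-cased names
    of modules GMER reported as not present on disk."""
    hooks, missing = [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        m = MISSING.match(line)
        if m:
            missing.add(m.group("file").lower())
            continue
        for kind, rx in (("inline", INLINE), ("user_iat", USER_IAT), ("kernel_iat", KERNEL_IAT)):
            m = rx.match(line)
            if m:
                rec = m.groupdict()
                rec["kind"] = kind
                hooks.append(rec)
                break
    return hooks, missing


def triage(text):
    """Group hooks by the module that installed them and return findings as
    (subject, reason) tuples; an empty list means nothing stood out."""
    hooks, missing = parse_hooks(text)
    by_hooker = defaultdict(list)
    findings = []
    for h in hooks:
        if h["hooker"] is None:
            # GMER printed a JMP but no owning module: it could not attribute the patch.
            findings.append(("unattributed", "%s!%s" % (h["target"], h["func"])))
        else:
            by_hooker[h["hooker"]].append(h)
    for hooker, hs in by_hooker.items():
        reasons = []
        if hooker.rsplit("\\", 1)[-1].lower() in missing:
            reasons.append("file not found on disk")
        if TEMP_DIR.search(hooker):
            reasons.append("loaded from temp/user-writable path")
        if not any(h["desc"] for h in hs):
            reasons.append("no vendor description")
        if reasons:
            findings.append((hooker, "%d hook(s): %s" % (len(hs), "; ".join(reasons))))
    return findings


if __name__ == "__main__":
    # usage: python gmer_hooks.py gmer.txt   (no argument: run on the sample above)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for subject, reason in triage(text):
        print(subject, "->", reason)
</test>
On the sample, the script reports the unattributed USBPORT.SYS!DllUnload patch, spim.sys (two kernel IAT hooks from a file GMER could not find, with no vendor string) and the Logitech LVPrcInj01.dll in C:\WINDOWS\TEMP. Each line is a reason to look closer, not proof of malware; the vendor description on the Logitech entry is exactly the kind of context that settles it.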

And here is gmerautos.txt:

GMER 1.0.15.15252 - http://www.gmer.net

Autostart scan 2009-11-27 14:55:34

Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ >>>

igfxcui@DLLName = igfxdev.dll

loginkey@DLLName = C:\Program Files\Common Files\Microsoft Shared\Ink\loginkey.dll

TabBtnWL@DLLName = TabBtnWL.dll

tpgwlnotify@DLLName = tpgwlnot.dll

WgaLogon@DLLName = WgaLogon.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>

AntiVirSchedulerService@ = "C:\Program Files\Avira\AntiVir Desktop\sched.exe"

AntiVirService@ = "C:\Program Files\Avira\AntiVir Desktop\avguard.exe"

Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"

Bonjour Service@ = "C:\Program Files\Bonjour\mDNSResponder.exe"

btwdins@ = C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

CiscoVpnInstallService@ = C:\BrownSW\VPNCLN~1\INSTAL~1.EXE

CVPND@ = "C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"

hpqwmiex@ = C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe

JavaQuickStarterService@ = "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

LightScribeService@ = "C:\Program Files\Common Files\LightScribe\LSSrvc.exe"

LVCOMSer@ = "C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe"

LVPrcSrv@ = "C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe"

lxddCATSCustConnectService@ = C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\lxddserv.exe

lxdd_device@ = C:\WINDOWS\system32\lxddcoms.exe -service

MBAMService@ = "C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe"

MDM@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"

RichVideo@ = "C:\Program Files\CyberLink\Shared Files\RichVideo.exe" ??????????????????????????????????????????????????????

SCardSvr@ = %SystemRoot%\System32\SCardSvr.exe

ZuneBusEnum@ = c:\WINDOWS\system32\ZuneBusEnum.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>

@AGRSMMSGAGRSMMSG.exe = AGRSMMSG.exe

@TabletTip"C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume = "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume

@CpqsetC:\Program Files\HPQ\Default Settings\cpqset.exe ? ??@ ? ????@ ??pT? (?@ ??@ = C:\Program Files\HPQ\Default Settings\cpqset.exe ? ??@ ? ????@ ??pT? (?@ ??@

@IgfxTrayC:\WINDOWS\system32\igfxtray.exe = C:\WINDOWS\system32\igfxtray.exe

@HotKeysCmdsC:\WINDOWS\system32\hkcmd.exe = C:\WINDOWS\system32\hkcmd.exe

@PersistenceC:\WINDOWS\system32\igfxpers.exe = C:\WINDOWS\system32\igfxpers.exe

@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

@lxddmon.exe"C:\Program Files\Lexmark 2500 Series\lxddmon.exe" = "C:\Program Files\Lexmark 2500 Series\lxddmon.exe"

@lxddamon"C:\Program Files\Lexmark 2500 Series\lxddamon.exe" = "C:\Program Files\Lexmark 2500 Series\lxddamon.exe"

@RemoteControl8"C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe" = "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"

@PDVD8LanguageShortcut"C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe" = "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"

@BDRegionC:\Program Files\Cyberlink\Shared Files\brs.exe = C:\Program Files\Cyberlink\Shared Files\brs.exe

@Zune Launcher"c:\Program Files\Zune\ZuneLauncher.exe" = "c:\Program Files\Zune\ZuneLauncher.exe"

@QuickTime Task"C:\Program Files\QuickTime\qttask.exe" -atboottime = "C:\Program Files\QuickTime\qttask.exe" -atboottime

@LogitechCommunicationsManager"C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" = "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

@LogitechQuickCamRibbon"C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide = "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

@AmazonGSDownloaderTrayC:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe = C:\Program Files\Amazon\Amazon Games & Software Downloader\AmazonGSDownloaderTray.exe

@avgnt"C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min = "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min

@UpdatePDRShortCut"C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0" = "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "Software\CyberLink\PowerDirector\8.0"

@SoundMAXPnPC:\Program Files\Analog Devices\Core\smax4pnp.exe = C:\Program Files\Analog Devices\Core\smax4pnp.exe

@Malwarebytes' Anti-Malware"C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray = "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>

@H/PC Connection Agent"C:\Program Files\Microsoft ActiveSync\wcescomm.exe" = "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"

@Google Update"C:\Documents and Settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c = "C:\Documents and Settings\vtewari\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad@WPDShServiceObj = C:\WINDOWS\system32\WPDShServiceObj.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>

@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/

@{88895560-9AA2-1069-930E-00AA0030EBC8} /*HyperTerminal Icon Ext*/C:\WINDOWS\system32\hticons.dll /*file not found*/ = C:\WINDOWS\system32\hticons.dll /*file not found*/

@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll

@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll

@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =

@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\WINDOWS\system32\extmgr.dll = C:\WINDOWS\system32\extmgr.dll

@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll

@(null) =

@{6af09ec9-b429-11d4-a1fb-0090960218cb} /*My Bluetooth Places*/C:\WINDOWS\system32\btneighborhood.dll = C:\WINDOWS\system32\btneighborhood.dll

@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL

@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL

@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll

@{49BF5420-FA7F-11cf-8011-00A0C90A8F78} /*Mobile Device*/C:\PROGRA~1\MI3AA1~1\Wcesview.dll = C:\PROGRA~1\MI3AA1~1\Wcesview.dll

@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll

@{2D140D0A-ED49-11D3-93DF-0010A4F52FF6} /*BitZipperShellExt*/(null) =

@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll

@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll

@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft.XPS.Shell.Metadata.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft.XPS.Shell.Thumbnail.1*/%SystemRoot%\System32\XPSSHHDR.DLL = %SystemRoot%\System32\XPSSHHDR.DLL

@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\WINDOWS\system32\dfshim.dll = C:\WINDOWS\system32\dfshim.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>

MBAMShlExt@{57CE581A-0CB6-4266-9CA0-19364C90A0B3} = C:\Program Files\Malwarebytes' Anti-Malware\mbamext.dll

WinRAR@{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>

@{31816979-F864-4acf-919F-D0B3B56432E6}C:\Program Files\IDX Web Desktop\IDXIEController.dll = C:\Program Files\IDX Web Desktop\IDXIEController.dll

@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll

@{E12A882B-F14F-4440-9BC0-84A5EB766605}C:\WINDOWS\Downloaded Program Files\DictateBar.dll = C:\WINDOWS\Downloaded Program Files\DictateBar.dll

HKLM\Software\Microsoft\Internet Explorer\Main >>>

@Default_Page_URLhttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>

@Start Pagehttp://go.microsoft.com/fwlink/?LinkId=69157 = http://go.microsoft.com/fwlink/?LinkId=69157

@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>

dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll

its@CLSID = C:\WINDOWS\system32\itss.dll

mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll

ms-its@CLSID = C:\WINDOWS\system32\itss.dll

ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL

mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL

mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL

tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

wia@CLSID = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@Domain = bgpma.com

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CEEDBCB4-4E3A-4D8B-9A4B-472F41939AFC} /*Local Area Connection*/ >>>

@IPAddress192.168.1.42 = 192.168.1.42

@NameServer202.149.208.92,202.149.208.11 = 202.149.208.92,202.149.208.11

@DefaultGateway192.168.1.1 = 192.168.1.1

@Domain =

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>

000000000004@LibraryPath = %SystemRoot%\system32\wshbth.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000005@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\Documents and Settings\All Users\Start Menu\Programs\Startup = VPN Client.lnk

---- EOF - GMER 1.0.15 ----


All looks good, wiired!

I have a link containing a copy of proquota.exe from an XP machine.

Let's disable AVIRA. Please navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background. Right-click it -> untick the option "AntiVir Guard enable". Click on the link below to download proquota.exe:

http://rapidshare.com/files/313075805/proquota.exe.html

Click "Free user" to start the download and download it to your Desktop.

Click START, then RUN, and type C:\Windows\System32. Now copy and paste proquota.exe into your C:\Windows\System32 folder. Close the C:\Windows\System32 folder and reboot your computer. Let me know how this goes and how your computer is running.

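Before a binary from a file-sharing site goes into System32 with the antivirus guard switched off, a practitioner would compare it with a copy from a source they trust. The example below is added here; it is not part of the post and not Malwarebytes' or Microsoft's code. It assumes you hold a reference copy of proquota.exe (for instance one expanded with expand.exe from the i386 folder of the matching Windows XP CD), checks that the downloaded file is a 32-bit Windows executable at all, and then compares the two by SHA-256. The file paths, the reference copy and the in-memory PE built for the demonstration are assumptions; the thread publishes no hash values, so none are hard-coded.

```python
"""Sanity-check a replacement Windows system binary before it goes into
System32.

Added example: not part of the forum post and not Malwarebytes' or
Microsoft's code. It assumes you hold a reference copy of proquota.exe from
a source you trust (for instance one expanded with expand.exe from the i386
folder of the matching Windows XP CD). The thread publishes no hash values,
so none are hard-coded here; the in-memory PE below is constructed purely
for demonstration.
"""
import hashlib
import struct
import sys

MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM"}
SUBSYSTEM_NAMES = {1: "native", 2: "windows-gui", 3: "windows-cui"}
IMAGE_FILE_DLL = 0x2000


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def pe_summary(data: bytes) -> dict:
    """Read the DOS, COFF and optional headers; raise ValueError if not a PE."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24
    if opt_size < 70 or opt + opt_size > len(data):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt)[0]
    # Subsystem sits at offset 68 of the optional header for both PE32 and PE32+.
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "pe32plus": magic == 0x20B,
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, subsystem),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sha256": sha256_hex(data),
    }


def check_replacement(candidate: bytes, reference: bytes) -> list:
    """Return the list of problems found; empty means the candidate is a
    32-bit Windows executable whose SHA-256 equals the reference copy's."""
    try:
        info = pe_summary(candidate)
    except ValueError as exc:
        return ["candidate is not a PE file: %s" % exc]
    problems = []
    if info["machine"] != "i386" or info["pe32plus"]:
        problems.append("not a 32-bit x86 image")
    if info["is_dll"]:
        problems.append("IMAGE_FILE_DLL set; proquota.exe must be an executable")
    if info["subsystem"] not in ("windows-gui", "windows-cui"):
        problems.append("unexpected subsystem %r" % (info["subsystem"],))
    if info["sha256"] != sha256_hex(reference):
        problems.append("SHA-256 differs from the reference copy")
    return problems


def build_minimal_pe(machine=0x014C, subsystem=2, characteristics=0x0102) -> bytes:
    """Constructed test data: the smallest PE32 layout the parser accepts.
    It is headers only, not a runnable program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", machine, 1, 0x4B0A1234, 0, 0, 224, characteristics)
    opt = bytearray(224)                        # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)       # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # usage: python check_proquota.py <downloaded proquota.exe> <reference proquota.exe>
    with open(sys.argv[1], "rb") as f, open(sys.argv[2], "rb") as g:
        cand, ref = f.read(), g.read()
    print(pe_summary(cand))
    print(check_replacement(cand, ref) or ["OK: matches reference"])
```

The hash comparison is the real check; the header tests only rule out the crude swaps (a DLL, a 64-bit image, a renamed non-PE) and give you something to report if the hashes differ. An empty problem list is the signal to go ahead with the copy into System32 and the reboot.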


Thanks again for all your help, Kenny94. I am in the process of trying to download the file. Just waiting for a slot to open up.


This topic is now closed to further replies.