My turn to be infected, I guess


Help! I'm infected. I've done what rudimentary steps I know. Any help would be most appreciated. Thank you.

My set-up...

- Windows XP Pro, SP3

- I use Firefox 3.5.7 the vast majority of the time.

- I use the Windows firewall. It (in Control Panel) says it's on and active.

What has been done...

- mbam.exe was removed (by this malware, not me), and wouldn't re-install. I installed the renamed copy per this website and ran the program. It found several problems and fixed them, but it took several times to do this completely.

- I can now use the properly-named program, but Malwarebytes now finds nothing when I do a quick scan.

- My anti-virus program, AVG, finds nothing at all.

- I ran both AVG and Malwarebytes in Safe Mode... no difference, found nothing.

Yet, I still have the following problems...

- Occasional nefarious pop-ups, not often, but seemingly out of nowhere.

- Windows Security Alerts and Automatic Updates seem to be disabled, and nothing will happen when I click on an icon to turn them back on. I cannot access Automatic Updates at all. It just won't take me there, not even in Safe Mode.

- When I click on a Google search link relating to any of these problems I get re-directed somewhere else. I have to right-click and "copy link location" and paste the link directly. Other non-related searches work fine when I click on them.

This doesn't seem to be a debilitating malware or whatever... yet... but it's obviously not right and it needs to be eliminated. Whatever this is, it seems to know its way around and what to block and/or disable to keep itself active.

- - - - - - - - -

Here is this morning's Malwarebytes log...

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/10/2010 9:27:58 AM

mbam-log-2010-04-10 (09-27-58).txt

Scan type: Quick scan

Objects scanned: 102000

Time elapsed: 3 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

- - - - - - - - -

Here is this morning's HJT log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:33:40 AM, on 4/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\MsiExec.exe

C:\Program Files\TextPad 5\TextPad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.siteadvisor.com/download/postin...&client_type=IEPlugin&suite=true&aff_id=0&locale=en-us&os_ver=5.1.3.0&pip=true&installchoice=2

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {4de765e8-acef-4e26-8a75-e30cd2038e5e} - rotuseni.dll (file missing)

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ab?1256097159250

O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.bldgportal.com/saxfile.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: pefivebe.dll ,zilafaba.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O21 - SSODL: dukapewew - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll (file missing)

O21 - SSODL: galedezav - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll (file missing)

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe

--

End of file - 10395 bytes

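The entries in the log above that a malware-removal helper would zero in on are the populated AppInit_DLLs value (O20), the nameless BHO whose DLL is a bare filename (O2), and the SSODL/SharedTaskScheduler registrations whose files are already missing (O21/O22), all carrying the same consonant-vowel alternating names. The following is an added example, not code from the thread, from HijackThis, RSIT or Malwarebytes: a small Python triage script that parses those HJT line formats and flags exactly those indicators. The sample lines are copied from the posted log (with benign AVG and Adobe entries from the same log for contrast); the generated-name heuristic is this example's own assumption and will produce some false positives, so treat it as a signal to review rather than a verdict.

```python
"""Triage of HijackThis (HJT) log lines for the persistence indicators seen
in the thread above.  Added example; not from the thread and not part of
HijackThis, RSIT or Malwarebytes.  Sample lines are copied from the posted
log; the generated-name heuristic is this example's own assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT log in the first post, with a
# few benign entries from the same log for contrast.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4de765e8-acef-4e26-8a75-e30cd2038e5e} - rotuseni.dll (file missing)
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O20 - AppInit_DLLs: pefivebe.dll ,zilafaba.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: dukapewew - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll (file missing)
O22 - SharedTaskScheduler: tokatiluy - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll (file missing)
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
VOWELS = set("aeiou")


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def looks_generated(stem: str) -> bool:
    """Heuristic (assumption of this example): the names in the log
    (rotuseni, pefivebe, wafadagi, ...) are 8+ lowercase letters that
    strictly alternate consonant/vowel.  Real module names nearly always
    contain a consonant cluster, a digit or an uppercase letter."""
    if len(stem) < 8 or not stem.isalpha() or not stem.islower():
        return False
    is_vowel = [c in VOWELS for c in stem]
    return all(is_vowel[i] != is_vowel[i + 1] for i in range(len(stem) - 1))


def module_stem(path: str) -> str:
    """'c:\\windows\\system32\\wafadagi.dll' -> 'wafadagi'."""
    name = re.split(r"[\\/]", path.strip())[-1]
    return name.rsplit(".", 1)[0].lower()


def triage_line(line: str):
    """Return a Finding for one HJT line, or None if nothing stands out."""
    m = LINE_RE.match(line)
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    reasons = []
    if section == "O20" and body.startswith("AppInit_DLLs:"):
        # Every DLL named here is loaded into each process that loads
        # user32.dll, which gives malware a hook in every GUI program.
        # On a home PC this value should normally be empty.
        dlls = [d.strip() for d in body.split(":", 1)[1].split(",") if d.strip()]
        reasons.append("AppInit_DLLs injects: " + ", ".join(dlls))
        reasons += ["generated-looking name: " + d
                    for d in dlls if looks_generated(module_stem(d))]
    elif section in ("O2", "O21", "O22"):
        fields = body.split(":", 1)[1].split(" - ")
        name, target = fields[0].strip(), fields[-1].strip()
        missing = target.endswith("(file missing)")
        path = target.replace("(file missing)", "").strip()
        if name == "(no name)":
            reasons.append("entry has no display name")
        elif looks_generated(name):
            reasons.append("generated-looking entry name: " + name)
        if not re.search(r"[\\/]", path):
            reasons.append("bare filename, resolved through the DLL search path: " + path)
        if missing:
            # The DLL is gone but its registration remains; the registry
            # keys still have to be removed or the entry keeps reloading.
            reasons.append("registered file is missing (leftover registration)")
        if looks_generated(module_stem(path)):
            reasons.append("generated-looking module name: " + path)
    return Finding(section, line, reasons) if reasons else None


def triage(log_text: str) -> list:
    """Run triage_line over a whole log and keep only the flagged entries."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f.section, f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run on the sample it reports the four entries from the log (the nameless BHO, the AppInit_DLLs pair, and the two dead SSODL/SharedTaskScheduler registrations) and stays silent on the AVG, Adobe and Winlogon Notify lines. The "(file missing)" cases are worth keeping in the output even though the DLLs are gone: the registry keys that point at them are what the helper will have to remove.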

Hello and :)

  • My name is xixo_12 and I will guide you.
  • Refrain from running self fixes as this will hinder the malware removal process.
  • You may wish to print them off or copy the instruction into Notepad.
  • If you have any question please don't hesitate to ask.
  • The instructions that I will give to you are specific to your current problem and shouldn't be used on other systems.
  • If you are receiving help or have received help on this problem elsewhere, please let us know.
  • Keep interacting with me until your computer is clean.

Please! If you need more time to do all the instructions, let me know before the 72 hours are up. Otherwise, your thread will be closed.

Next,

RSIT by random/random.

Please download from HERE and save to the desktop.

  • Double-click on RSIT.exe to run the tool.
  • Click Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized

  • Please post the contents of both logs in your next post.

***You can find manually the log at C:\rsit

Next,

GMER.

Please download from HERE and save to the desktop.

  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan,click NO.
  • Click on the >>> symbol and choose the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.

Important! Please do not select the "Show all" checkbox during the scan.

Next,

Checklist.

Please post.

  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt


Hello xixo_12

Thank you for your assistance.

The problem has gotten worse since I first posted. I woke up this morning to find that I could not open any programs. I kept getting the "Open with..." dialog box. According to some quick research I did this seems to have something to do with "autorun". Also, when I tried to do anything in Safe Mode, I got this XP Anti-Malware 2010 garbage that is obviously a virus or malware unto itself. These developments are all new since last night.

Anyway, I was able to download the programs you suggested, and ran them according to your instructions. RSIT ran fine. The two log files you requested are below.

GMER ran fine for about 2.5 hours, then suddenly the computer rebooted on its own and lost everything it had scanned up to that point. The (probably incomplete) initial log file is at the bottom. The computer was disconnected from the internet, btw. Should I try it again, or does this help?

I should note that I am posting this from another uninfected computer. This... whatever it is... will not allow me to post to your site.

RSIT log.txt

Logfile of random's system information tool 1.06 (written by random/random)

Run by Owner at 2010-04-12 10:23:16

Microsoft Windows XP Professional Service Pack 3

System drive C: has 447 GB (94%) free of 477 GB

Total RAM: 3069 MB (82% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:33:40 AM, on 4/10/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\AVG\AVG9\avgtray.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Program Files\Java\jre6\bin\jucheck.exe

C:\WINDOWS\system32\msiexec.exe

C:\WINDOWS\system32\MsiExec.exe

C:\Program Files\TextPad 5\TextPad.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.siteadvisor.com/download/postin...installchoice=2

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: (no name) - {4de765e8-acef-4e26-8a75-e30cd2038e5e} - rotuseni.dll (file missing)

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1256097159250

O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.bldgportal.com/saxfile.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - AppInit_DLLs: pefivebe.dll ,zilafaba.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O21 - SSODL: dukapewew - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll (file missing)

O21 - SSODL: galedezav - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll (file missing)

O22 - SharedTaskScheduler: kupuhivus - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll (file missing)

O22 - SharedTaskScheduler: tokatiluy - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll (file missing)

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe

--

End of file - 10395 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003Core.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003UA.job

C:\WINDOWS\tasks\kirnawxc.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{320E46DB-C483-4E92-9B2F-6D0729D8D9D0}.job

C:\WINDOWS\tasks\vmpnnnkd.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

Winamp Toolbar Loader - C:\Program Files\Winamp Toolbar\winamptb.dll [2009-05-06 1262888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-04-01 1602912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4de765e8-acef-4e26-8a75-e30cd2038e5e}]

rotuseni.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]

EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]

McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-12-23 251416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-12-23 251416]

{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]

{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - C:\Program Files\Winamp Toolbar\winamptb.dll [2009-05-06 1262888]

{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-03-28 13684736]

"nwiz"=nwiz.exe /install []

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-20 149280]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-03-28 86016]

"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]

"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]

"WrtMon.exe"=C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [2006-09-20 20480]

""= []

"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [2005-09-09 57344]

"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-07-01 37888]

"AVG9_TRAY"=C:\PROGRA~1\AVG\AVG9\avgtray.exe [2010-04-01 2064224]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-03 1086856]

"UserFaultCheck"=C:\WINDOWS\system32\dumprep 0 -u []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]

"PowerPanel Personal Edition User Interaction"=C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [2005-10-24 262144]

"MSMSGS"=C:\Program Files\Messenger\msmsgs.exe [2008-04-14 1695232]

"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 135664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

"AppInit_DLLS"="pefivebe.dll ,zilafaba.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]

C:\WINDOWS\system32\avgrsstx.dll [2010-03-13 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

dukapewew - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll []

galedezav - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]

kupuhivus - {314a9a3c-16f5-44fb-87ca-c6731a28988b} - c:\windows\system32\wafadagi.dll []

tokatiluy - {80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll []

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]

"notification packages"=scecli

pefivebe.dll

zilafaba.dll

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\AVG\AVG8\avgemc.exe"="C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe"

"C:\Program Files\AVG\AVG8\avgupd.exe"="C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\AVG\AVG8\avgnsx.exe"="C:\Program Files\AVG\AVG8\avgnsx.exe:*:Enabled:avgnsx.exe"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\CrossLoop\CrossLoopConnect.exe"="C:\Program Files\CrossLoop\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing"

"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

"C:\WINDOWS\explorer.exe"="C:\WINDOWS\explorer.exe:*:Enabled:Explorer"

"C:\WINDOWS\system32\logonui.exe"="C:\WINDOWS\system32\logonui.exe:*:Enabled:logonui"

"C:\Program Files\McAfee\SiteAdvisor\McSACore.exe"="C:\Program Files\McAfee\SiteAdvisor\McSACore.exe:*:Enabled:McSACore"

"C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe"="C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe:*:Enabled:ppped"

"C:\WINDOWS\system32\winlogon.exe"="C:\WINDOWS\system32\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{189c1ab8-bdf2-11de-a83d-001cc0a1a6aa}]

shell\AutoRun\command - J:\LaunchU3.exe -a

======File associations======

.exe - open - "C:\Documents and Settings\Owner\Local Settings\Application Data\ave.exe" /START "%1" %*

.scr - open - C:\WINDOWS\system32\notepad.exe "%1"

.scr - install -

.scr - config -

======List of files/folders created in the last 1 months======

2010-04-12 10:23:16 ----D---- C:\rsit

2010-04-08 09:47:49 ----A---- C:\WINDOWS\ntbtlog.txt

2010-04-03 23:39:17 ----D---- C:\Program Files\Trend Micro

2010-03-13 10:31:10 ----A---- C:\WINDOWS\system32\avgrsstx.dll

======List of files/folders modified in the last 1 months======

2010-04-12 10:23:15 ----D---- C:\WINDOWS\Prefetch

2010-04-12 10:22:19 ----D---- C:\WINDOWS\Temp

2010-04-12 10:19:04 ----D---- C:\WINDOWS\system32

2010-04-12 10:19:04 ----D---- C:\Program Files\TextPad 5

2010-04-12 10:17:50 ----D---- C:\Program Files\Mozilla Firefox

2010-04-12 10:17:32 ----D---- C:\Program Files\CyberPower PowerPanel Personal Edition

2010-04-12 09:51:27 ----A---- C:\WINDOWS\SchedLgU.Txt

2010-04-12 09:40:29 ----D---- C:\Documents and Settings

2010-04-12 08:44:01 ----D---- C:\Documents and Settings\All Users\Application Data\avg9

2010-04-12 05:59:29 ----D---- C:\WINDOWS

2010-04-11 12:03:36 ----SHD---- C:\WINDOWS\Installer

2010-04-11 12:03:36 ----A---- C:\WINDOWS\ODBC.INI

2010-04-09 19:17:23 ----D---- C:\Documents and Settings\Owner\Application Data\Facebook

2010-04-09 15:35:28 ----RSHDC---- C:\WINDOWS\system32\dllcache

2010-04-09 15:35:23 ----D---- C:\WINDOWS\system32\CatRoot2

2010-04-06 08:59:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$

2010-04-06 08:59:03 ----D---- C:\WINDOWS\system32\drivers

2010-04-05 20:47:36 ----D---- C:\WINDOWS\Help

2010-04-05 20:32:22 ----SD---- C:\WINDOWS\Tasks

2010-04-05 11:05:20 ----A---- C:\WINDOWS\win.ini

2010-04-05 11:05:17 ----D---- C:\Documents and Settings\Owner\Application Data\Canon

2010-04-04 12:19:54 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$

2010-04-04 12:13:56 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$

2010-04-03 23:55:29 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$

2010-04-03 23:39:17 ----RD---- C:\Program Files

2010-04-03 23:30:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2010-04-03 23:28:34 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$

2010-03-31 12:11:17 ----D---- C:\LandProjects

2010-03-31 03:00:43 ----HD---- C:\WINDOWS\inf

2010-03-31 03:00:38 ----D---- C:\Program Files\Internet Explorer

2010-03-31 03:00:29 ----HD---- C:\WINDOWS\$hf_mig$

2010-03-18 17:09:41 ----D---- C:\WINDOWS\Debug

2010-03-15 12:19:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2010-03-14 02:52:14 ----D---- C:\temp

2010-03-13 13:02:45 ----HD---- C:\$AVG

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-13 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-13 29512]

R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-03-13 242696]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]

R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2008-01-31 254872]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]

R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-03-13 44672]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-03-28 6280416]

R3 STHDA;IDT High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2008-04-10 1271032]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]

R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]

S3 PciCon;PciCon; \??\E:\PciCon.sys []

S3 scsiscan;SCSI Scanner Driver; C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-14 11520]

S3 sfng32;Sonic Focus Plugin for Sigmatel HDA; C:\WINDOWS\system32\drivers\sfng32.sys [2008-01-31 54272]

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]

R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-20 153376]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]

R2 ppped;PowerPanel Personal Edition Service; C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe [2005-10-24 479232]

S2 STacSV;Audio Service; C:\WINDOWS\system32\STacSV.exe [2008-04-10 212992]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-11-06 82584]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-10-20 654848]

S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-03-28 163908]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

RSIT info.txt

info.txt logfile of random's system information tool 1.06 2010-04-12 10:23:52

======Uninstall list======

-->C:\Program Files\AutoCAD Civil 3D 2008\Setup\Setup.exe /P {5783F2D7-6000-0409-0002-0060B0CE6BBA} /M C3D

-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}

-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}

-->MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"

Adobe Acrobat 6.0 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}

Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}

Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}

Adobe Audition 1.0-->MsiExec.exe /I{81E76DE9-BBCB-449C-91BB-6E4E5436D496}

Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}

Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}

Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}

Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}

Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}

Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}

Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}

Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}

Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}

Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}

Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}

Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}

Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}

Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}

Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}

Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}

Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}

Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe

Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}

Adobe Photoshop Elements 4.0-->msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}

Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}

Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log

Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}

Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}

Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}

Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}

Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}

AutoCAD Civil 3D 2009-->C:\Program Files\AutoCAD Civil 3D 2009\Setup\Setup.exe /P {5783F2D7-7000-0409-0002-0060B0CE6BBA} /M C3D

AutoCAD Civil 3D Land Desktop Companion 2008-->C:\Program Files\AutoCAD Civil 3D Land Desktop Companion 2008\Setup\Setup.exe /P {5783F2D7-6018-0409-0002-0060B0CE6BBA} /M ACAD

AutoCAD Civil 3D Land Desktop Companion 2009-->C:\Program Files\AutoCAD Civil 3D Land Desktop Companion 2009\Setup\Setup.exe /P {5783F2D7-7018-0409-0002-0060B0CE6BBA} /M ACAD

Autodesk Design Review 2009-->C:\Program Files\Autodesk\Autodesk Design Review\Setup\Setup.exe /P {450063AA-643B-417C-8CF5-405BA3F4EF40} /M ADR

Autodesk DWF Viewer 7-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}

Autodesk Vault 2009 (Client)-->C:\Program Files\Autodesk\Vault 2009\Setup\setup.exe /p {B4013E5D-C833-4C8D-A942-AD7BBDFD9389} /M VAULT

Autodesk Vault 2009 (Client)-->MsiExec.exe /X{B4013E5D-C833-4C8D-A942-AD7BBDFD9389}

AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL

Brother P-touch Address Book 1.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{98E9B724-0E62-4812-B6CC-C6A228BBC562}

Brother P-touch Editor 4.2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{003447F5-0058-4B77-9C1E-50488F77C4A7}

Brother QL-Series User's Guide-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}

C3D_2009_VE_HF1-->C:\WINDOWS\system32\msiexec.exe /promptrestart /qb /uninstall {C1AF94A8-7539-43EF-9857-B641D7FACFF5} /package {B4013E5D-C833-4C8D-A942-AD7BBDFD9389} SETUP=1

Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B9B9863A-32FD-4133-ADB7-46244ED77694} /l1033

Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}

Canon i9900-->C:\WINDOWS\system32\CNMCP5p.exe "-PRINTERNAMECanon i9900" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i9900 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i9900 Installer\Inst2\cnmi0409.dll"

Canon MP Navigator 2.2-->"C:\Program Files\Canon\MP Navigator 2.2\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.2\uninst.ini

Canon MP830 User Registration-->C:\Program Files\Canon\IJEREG\MP830\UNINST.EXE

Canon MP830-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{0D25F7CC-B99C-44ee-9945-B14532B2BB7B}\DelDrv.exe" /U:{0D25F7CC-B99C-44ee-9945-B14532B2BB7B} /L0x0009

Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}

Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{16976C6C-F8D5-4317-9DE8-1F6352B66725}

Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{821DC151-4691-4E26-AE7E-522921D0FD54}

Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

CrossLoop 2.51-->"C:\Program Files\CrossLoop\unins000.exe"

CuteFTP 8 Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9

CyberPower PowerPanel Personal Edition-->MsiExec.exe /I{6165536A-3F9D-46FF-8E4F-993DDB4C7DCD}

Defraggler-->"C:\Program Files\Defraggler\uninst.exe"

DWG TrueView 2009-->C:\Program Files\DWG TrueView 2009\Setup\Setup.exe /P {5783F2D6-7028-0409-0000-0060B0CE6BBA} /M AOEM

Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"

Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"

Intel® Management Engine Interface-->C:\WINDOWS\system32\heciudlg.exe -uninstall

Intel® PRO Network Connections 12.1.12.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1

Java 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}

K-Lite Mega Codec Pack 5.1.0-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"

Lightroom-->MsiExec.exe /I{D4134B0B-EA9B-4835-A77A-60BEE6277101}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

McAfee SiteAdvisor-->C:\Program Files\McAfee\SiteAdvisor\Uninstall.exe

Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}

Mozilla Firefox (3.5.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}

MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}

MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}

Nikon Scan-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AE4AC96-A5F4-4F19-9D13-066C8B3CE034}\Setup.exe" -l0x9 UNINSTALL

NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI

Nvu 1.0-->"C:\Program Files\Nvu\unins000.exe"

PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}

Powerprint Request v.5.5.126-->MsiExec.exe /I{C2AF1BD0-6548-4419-A9E3-548D46DD0277}

Presto! PageManager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anything -removeonly

Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}

QuickTime Alternative 2.9.2-->"C:\Program Files\QuickTime Alternative\unins000.exe"

QuikPik-->C:\PROGRA~1\ManuSoft\QuikPik\UNWISE.EXE C:\PROGRA~1\ManuSoft\QuikPik\INSTALL.LOG

ScanSoft OmniPage SE 4.0-->MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}

Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"

Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"

Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}

SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly

TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}

TextPad Lexicons-->MsiExec.exe /I{190E09FD-F08A-444F-B97E-FE482EC5D06C}

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"

Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"

Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"

Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"

Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

Winamp Toolbar-->"C:\Program Files\Winamp Toolbar\uninstall.exe"

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"

Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"

WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

WordPerfect Office 11-->MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}

=====HijackThis Backups=====

O20 - AppInit_DLLs: kuvewawe.dll c:\windows\system32\wafadagi.dll [2010-04-03]

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7268

Source Name: Disk

Time Written: 20100304214912.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7267

Source Name: Disk

Time Written: 20100304201546.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7266

Source Name: Disk

Time Written: 20100304193533.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7265

Source Name: Disk

Time Written: 20100304193533.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7264

Source Name: Disk

Time Written: 20100304182844.000000-360

Event Type: warning

User:

=====Application event log=====

Computer Name: OWNER-C117E8A61

Event Code: 5603

Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 5603

Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11

Source Name: WinMgmt

Time Written: 20091020033720.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Intel\DMIX

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel

"PROCESSOR_REVISION"=170a

"NUMBER_OF_PROCESSORS"=2

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

GMER log file (partial, initial)

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit quick scan 2010-04-12 12:38:10

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxroraob.sys

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 899F0AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----


Hi,

Let's proceed.

First,

Discussion

Is it a business machine? I saw a lot of expensive programs. Am I right?

Next,

ExeFix.

Please download from HERE and save to the desktop.

  • Double-click the file to run it.
  • Click No when prompted to visit the webpage.

Next,

DeFogger - Disable

Please download from HERE and save to the desktop.

  • Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK

IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.

Next,

SystemLook by jpshortstuff.

Please download from one of the links below and save it to the Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *iaStor*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next,

ERUNT by Lars Hederer

Download ERUNT and save to the desktop.

  • Double click on erunt-setup.exe to install the program.
  • Follow the prompts > uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • Click No when you are prompted about creating an ERUNT entry in the startup folder.
  • Next screen, uncheck Show documentation and check Launch ERUNT.
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process

Note:

The backups can be restored from here:

C:\windows\ERDNT\<todays date>\ERDNT.exe

Next,

OTM by Old Timer.

Please download from HERE and save to the desktop.

  • Double-click on OTM.exe.
  • Copy the lines in the codebox below.
    :processes
    :reg
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4de765e8-acef-4e26-8a75-e30cd2038e5e}]
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    ""=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLS"=""
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{314a9a3c-16f5-44fb-87ca-c6731a28988b}"=-
    "{80334b72-dfbf-47b5-ba91-370f69ec9678}"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
    "{314a9a3c-16f5-44fb-87ca-c6731a28988b}"=-
    "{80334b72-dfbf-47b5-ba91-370f69ec9678}"=-
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "notification packages"=hex(7):73,63,65,63,6c,69,00,00
    :files
    C:\WINDOWS\tasks\kirnawxc.job
    C:\WINDOWS\tasks\vmpnnnkd.job
    c:\windows\system32\pivojobe.dll
    c:\windows\system32\wafadagi.dll
    c:\windows\system32\pivojobe.dll
    c:\windows\system32\wafadagi.dll
    c:\windows\system32\pefivebe.dll
    c:\windows\system32\zilafaba.dll
    :commands
    [emptytemp]
    [start explorer]
    [reboot]
  • Return to OTM, right click in the Paste Instructions for Items to be Moved window (under the yellow bar, Code box into OTMoveIt3 (1).) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTM.

Note:

  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
  • If you are asked to reboot the machine choose Yes.
  • In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next,

Checklist.

Please post.

  • Respond to our discussion
  • Content of SystemLook.txt
  • Content of OTM log


Ok, here we go...

- re: business machine question: Yes, in a way. It's my personal home computer, but I work from home and do drafting for a living, so I use AutoCAD for my work. I also use Photoshop and other associated programs for my photography business. The computer gets a lot of use, obviously. All programs are legal, fwiw.

- For the most part, everything worked well, except as noted below...

--- Defogger did not ask me to reboot, so I manually rebooted.

--- OTM did everything just fine right up until the end, then locked up (Not Responding) and wouldn't move. I had to go into task manager and manually reboot again.

----- OTM did not produce a log file, but in the other pane it did say...

All processes killed

=== Processes ===

=== Registry ===

(then went on to list a bunch of registry keys)

- The SystemLook log is below...

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 19:55 on 12/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iaStor*"

C:\WINDOWS\OemDir\iaStor.cat --a--- 11694 bytes [15:28 18/10/2007] [21:32 17/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6

C:\WINDOWS\OemDir\iaStor.sys --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F

C:\WINDOWS\system32\drivers\iaStor.sys --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F

-=End Of File=-


Hi,

Good.

Let's proceed.

First,

ComboFix

Download ComboFix from one of these locations (DO NOT download ComboFix from anywhere else but one of the provided links)

Save as Combo-Fix.exe <<Please have a look at the file name. You have to change it.

Link 1

Link 2

**IMPORTANT !!! Save Combo-Fix.exe to your Desktop**

  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
    A guide to do this can be found here
  • Double click on Combo-Fix.exe & follow the prompts
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console

(image: Query_RC.gif)

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(image: RC_successful.gif)

  • Click on Yes, to continue scanning for malware.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply

A word of warning: Neither I nor sUBs are responsible for any damage you may cause to your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

ComboFix SHOULD NOT be used unless requested by a forum helper

Next,

Checklist.

Please post.

  • Content of ComboFix.txt


A couple notes:

- Combofix prompted for an updated version, and I chose 'yes'.

- I re-enabled the AVG anti-virus protection after it was all finished. I also disconnected the ethernet connection. Just to be safe for the moment. I figured I can reconnect it again at the next step, if necessary.

Other than that, it went well. Ok, here's the combofix log.

ComboFix 10-04-12.03 - Owner 04/12/2010 21:54:59.1.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2462 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\Administrator\Local Settings\Application Data\ave.exe

C:\Images

c:\images\KIP Color Wheel_1.plt

c:\images\Sc-c3-a1.plt

c:\windows\system32\kuvewawe.dll.tmp

c:\windows\Tasks\kirnawxc.job

c:\windows\Tasks\vmpnnnkd.job

.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))

.

2010-04-13 01:01 . 2010-04-13 01:01 -------- d-----w- C:\_OTM

2010-04-13 00:58 . 2010-04-13 00:59 -------- d-----w- c:\program files\ERUNT

2010-04-12 15:30 . 2010-04-12 15:30 -------- d-----w- C:\gmer

2010-04-12 15:23 . 2010-04-12 15:24 -------- d-----w- C:\rsit

2010-04-12 15:09 . 2010-04-12 15:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2010-04-12 15:08 . 2010-04-12 15:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-04-12 15:08 . 2010-04-12 15:10 182272 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2747461249.dll

2010-04-08 20:01 . 2010-04-12 14:56 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-08 14:08 . 2010-04-08 14:08 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-04-08 08:16 . 2010-04-08 08:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-04 04:39 . 2010-04-04 04:39 -------- d-----w- c:\program files\Trend Micro

2010-04-04 04:13 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-04 04:13 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-01 14:35 . 2010-04-01 14:35 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-04-01 14:35 . 2010-04-01 14:35 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-04-01 14:35 . 2010-04-01 14:35 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-04-01 14:35 . 2010-04-01 14:35 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-04-01 14:35 . 2010-04-01 14:35 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2010-04-01 14:35 . 2010-04-01 14:35 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll

2010-04-01 14:35 . 2010-04-01 14:35 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll

2010-04-01 14:35 . 2010-04-01 14:35 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll

2010-04-01 14:35 . 2010-04-01 14:35 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-04-01 14:35 . 2010-04-01 14:35 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-04-01 14:35 . 2010-04-01 14:35 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll

2010-04-01 14:35 . 2010-04-01 14:35 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe

2010-04-01 14:34 . 2010-04-01 14:34 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-01 14:34 . 2010-04-01 14:34 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 03:03 . 2009-10-21 00:43 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition

2010-04-13 00:52 . 2009-10-21 17:14 576752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-12 21:21 . 2009-10-20 03:29 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-04-12 15:19 . 2009-10-21 15:17 -------- d-----w- c:\program files\TextPad 5

2010-04-12 14:40 . 2010-04-12 14:40 82120 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-12 13:44 . 2009-11-13 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-10 00:17 . 2010-01-18 04:39 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-04-10 00:17 . 2010-01-18 04:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook

2010-04-05 16:05 . 2009-10-23 19:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon

2010-04-04 04:30 . 2009-10-21 19:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-13 15:31 . 2009-10-21 06:10 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-13 15:31 . 2010-03-13 15:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-13 15:31 . 2009-10-21 06:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-13 15:30 . 2009-10-21 06:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-12 23:26 . 2010-03-12 23:26 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll

2010-02-18 17:34 . 2009-10-21 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-02-23 19:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 262144]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-02 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

"nwiz"="nwiz.exe" [2009-03-28 1657376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-21 149280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-04 1086856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-13 15:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\McAfee\\SiteAdvisor\\McSACore.exe"=

"c:\\Program Files\\CyberPower PowerPanel Personal Edition\\ppped.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/21/2009 1:10 AM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/21/2009 1:10 AM 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:31 AM 308064]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/20/2009 10:38 PM 93320]

S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [10/30/2009 10:05 PM 11520]

.

Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 05:38]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 05:38]

2010-04-13 c:\windows\Tasks\User_Feed_Synchronization-{320E46DB-C483-4E92-9B2F-6D0729D8D9D0}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.siteadvisor.com/download/postinstall.html?premium=false&client_ver=2.9.258&client_type=IEPlugin&suite=true&aff_id=0&locale=en-us&os_ver=5.1.3.0&pip=true&installchoice=2

uInternet Settings,ProxyOverride = *.local

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.bldgportal.com/saxfile.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rchdn1u7.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rchdn1u7.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

.

------- File Associations -------

.

.scr=AutoCADScriptFile

.

- - - - ORPHANS REMOVED - - - -

SharedTaskScheduler-{80334b72-dfbf-47b5-ba91-370f69ec9678} - c:\windows\system32\pivojobe.dll

AddRemove-AutoCAD Civil 3D 2008 - c:\program files\AutoCAD Civil 3D 2008\Setup\Setup.exe

AddRemove-AutoCAD Civil 3D Land Desktop Companion 2008 - c:\program files\AutoCAD Civil 3D Land Desktop Companion 2008\Setup\Setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-12 22:04

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89943AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

\Driver\iaStor -> iaStor.sys @ 0xb9e7e002

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Intel® 82566DC-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d55bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d62a21

SendHandler -> NDIS.sys @ 0xb9d4087b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(888)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3324)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\AVG\AVG9\avgchsvx.exe

c:\program files\AVG\AVG9\avgrsx.exe

c:\program files\AVG\AVG9\avgcsrvx.exe

c:\program files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\AVG\AVG9\avgnsx.exe

c:\program files\CyberPower PowerPanel Personal Edition\ppped.exe

c:\windows\system32\RUNDLL32.EXE

c:\windows\system32\spool\drivers\w32x86\3\WrtProc.exe

.

**************************************************************************

.

Completion time: 2010-04-12 22:08:14 - machine was rebooted

ComboFix-quarantined-files.txt 2010-04-13 03:08

Pre-Run: 469,093,236,736 bytes free

Post-Run: 469,182,746,624 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - DDF05E2B0A00769E650FA82F07B0E89F


Hi,

Looks good.

Let's perform this.

First,

CFScript

  • Close any open browsers.
  • Open notepad and copy/paste the text in the code box below into it:
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001
    "DisableNotifications"=dword:00000000
    FCopy::
    C:\WINDOWS\OemDir\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys


  • Save this as CFScript.txt, in the same location as ComboFix.exe
  • Disable your AntiVirus/AntiSpyware/Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here
    CFScriptB-4.gif
  • Referring to the picture above, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at "C:\ComboFix.txt"

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

If it does, open Task Manager > Processes tab (press ctrl+alt+del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.

If that happened, we want to know, and also what process you had to end.

Next,

Malwarebytes' Anti-Malware - Run

  • Double-click Malwarebytes' Anti-Malware to run the program.
  • Click on Update tab > Check for Updates.
  • Once done, click on Scanner tab, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    mbam1.png
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply.

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

Next,

Checklist.

Please post.

  • Content of ComboFix.txt
  • Content of MBAM log


Done. Another note...

- Malwarebytes would not allow me to update. I got a "MBAM_ERROR_UPDATING (0,0,SHRegGetPath)" error message. However, I think I have the current version anyway. The Database Version #3930 is the same as my other computer that I updated just today.

Here are the log files.

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3930

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/13/2010 12:31:02 AM

mbam-log-2010-04-13 (00-31-02).txt

Scan type: Full scan (C:\|)

Objects scanned: 205423

Time elapsed: 27 minute(s), 39 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\LocalService\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode) Good: (firefox.exe -safe-mode) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

-----------------------------

ComboFix 10-04-12.03 - Owner 04/12/2010 23:27:57.2.2 - x86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3069.2485 [GMT -5:00]

Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

.

--------------- FCopy ---------------

c:\windows\OemDir\iaStor.sys --> c:\windows\system32\drivers\iaStor.sys

.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))

.

2010-04-13 01:01 . 2010-04-13 01:01 -------- d-----w- C:\_OTM

2010-04-13 00:58 . 2010-04-13 00:59 -------- d-----w- c:\program files\ERUNT

2010-04-12 15:30 . 2010-04-12 15:30 -------- d-----w- C:\gmer

2010-04-12 15:23 . 2010-04-12 15:24 -------- d-----w- C:\rsit

2010-04-12 15:09 . 2010-04-12 15:09 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar

2010-04-12 15:08 . 2010-04-12 15:08 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla

2010-04-12 15:08 . 2010-04-12 15:10 182272 --sha-w- c:\documents and settings\Administrator\Local Settings\Application Data\2747461249.dll

2010-04-08 20:01 . 2010-04-12 14:56 664 ----a-w- c:\windows\system32\d3d9caps.dat

2010-04-08 14:08 . 2010-04-08 14:08 4255072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll

2010-04-08 08:16 . 2010-04-08 08:16 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2010-04-04 04:39 . 2010-04-04 04:39 -------- d-----w- c:\program files\Trend Micro

2010-04-04 04:13 . 2010-03-29 20:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-04 04:13 . 2010-03-29 20:24 20824 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-04-01 14:35 . 2010-04-01 14:35 4076824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe

2010-04-01 14:35 . 2010-04-01 14:35 2059544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe

2010-04-01 14:35 . 2010-04-01 14:35 1274136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe

2010-04-01 14:35 . 2010-04-01 14:35 598296 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgsrmx.dll

2010-04-01 14:35 . 2010-04-01 14:35 556824 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll

2010-04-01 14:35 . 2010-04-01 14:35 459544 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcclix.dll

2010-04-01 14:35 . 2010-04-01 14:35 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgxch32.dll

2010-04-01 14:35 . 2010-04-01 14:35 313112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avglogx.dll

2010-04-01 14:35 . 2010-04-01 14:35 301336 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchclx.dll

2010-04-01 14:35 . 2010-04-01 14:35 1598744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgssie.dll

2010-04-01 14:35 . 2010-04-01 14:35 1515224 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgwd.dll

2010-04-01 14:35 . 2010-04-01 14:35 1086744 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchsvx.exe

2010-04-01 14:34 . 2010-04-01 14:34 1685784 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll

2010-04-01 14:34 . 2010-04-01 14:34 1035032 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2010-04-13 03:03 . 2009-10-21 00:43 -------- d-----w- c:\program files\CyberPower PowerPanel Personal Edition

2010-04-13 00:52 . 2009-10-21 17:14 576752 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2010-04-12 21:21 . 2009-10-20 03:29 57600 ----a-w- c:\windows\system32\drivers\redbook.sys

2010-04-12 15:19 . 2009-10-21 15:17 -------- d-----w- c:\program files\TextPad 5

2010-04-12 14:40 . 2010-04-12 14:40 82120 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2010-04-12 13:44 . 2009-11-13 18:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

2010-04-10 00:17 . 2010-01-18 04:39 50354 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\uninstall.exe

2010-04-10 00:17 . 2010-01-18 04:39 -------- d-----w- c:\documents and settings\Owner\Application Data\Facebook

2010-04-05 16:05 . 2009-10-23 19:51 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon

2010-04-04 04:30 . 2009-10-21 19:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2010-03-13 15:31 . 2009-10-21 06:10 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2010-03-13 15:31 . 2010-03-13 15:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll

2010-03-13 15:31 . 2009-10-21 06:10 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2010-03-13 15:30 . 2009-10-21 06:10 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2010-03-12 23:26 . 2010-03-12 23:26 79488 ----a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll

2010-03-06 05:30 . 2010-03-06 05:30 5582848 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

2010-02-25 06:24 . 2008-04-14 12:00 916480 ------w- c:\windows\system32\wininet.dll

2010-02-18 17:34 . 2009-10-21 02:56 -------- d-----w- c:\documents and settings\Owner\Application Data\AdobeUM

2010-02-01 22:04 . 2010-02-01 22:04 847040 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\axfbootloader.dll

2010-02-01 22:04 . 2010-02-01 22:04 5578752 ----a-w- c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

2010-02-23 19:04 1664256 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]

"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-02-23 1664256]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"PowerPanel Personal Edition User Interaction"="c:\program files\CyberPower PowerPanel Personal Edition\pppeuser.exe" [2005-10-24 262144]

"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-02-02 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-03-28 13684736]

"nwiz"="nwiz.exe" [2009-03-28 1657376]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-21 149280]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-03-28 86016]

"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]

"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]

"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 20480]

"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 57344]

"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-07-01 37888]

"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-04 1086856]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [2009-11-18 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2010-03-13 15:31 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\CrossLoop\\CrossLoopConnect.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

"c:\\Program Files\\McAfee\\SiteAdvisor\\McSACore.exe"=

"c:\\Program Files\\CyberPower PowerPanel Personal Edition\\ppped.exe"=

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [10/21/2009 1:10 AM 216200]

R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [10/21/2009 1:10 AM 242696]

R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [3/13/2010 10:31 AM 308064]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/20/2009 10:38 PM 93320]

S3 PciCon;PciCon;\??\e:\pcicon.sys --> e:\PciCon.sys [?]

S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [10/30/2009 10:05 PM 11520]

.

Contents of the 'Scheduled Tasks' folder

2010-04-11 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003Core.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 05:38]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003UA.job

- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 05:38]

2010-04-13 c:\windows\Tasks\User_Feed_Synchronization-{320E46DB-C483-4E92-9B2F-6D0729D8D9D0}.job

- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uInternet Connection Wizard,ShellNext = hxxp://www.siteadvisor.com/download/postinstall.html?premium=false&client_ver=2.9.258&client_type=IEPlugin&suite=true&aff_id=0&locale=en-us&os_ver=5.1.3.0&pip=true&installchoice=2

uInternet Settings,ProxyOverride = *.local

IE: &Winamp Search - c:\documents and settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} - hxxp://www.bldgportal.com/saxfile.cab

FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rchdn1u7.default\

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/

FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

FF - component: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\rchdn1u7.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll

FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_0.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_1.dll

FF - plugin: c:\documents and settings\Owner\Application Data\Facebook\npfbplugin_1_0_3.dll

FF - plugin: c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll

FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2010-04-12 23:35

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully

user: MBR read successfully

called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x89943AC8]<<

kernel: MBR read successfully

detected MBR rootkit hooks:

\Driver\Disk -> CLASSPNP.SYS @ 0xba10cf28

\Driver\ACPI -> ACPI.sys @ 0xb9f7fcb8

\Driver\atapi -> atapi.sys @ 0xb9f11852

\Driver\iaStor -> iaStor.sys @ 0xb9e7e002

IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8

ParseProcedure -> ntkrnlpa.exe @ 0x805827e8

NDIS: Intel® 82566DC-2 Gigabit Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xb9d55bb0

PacketIndicateHandler -> NDIS.sys @ 0xb9d62a21

SendHandler -> NDIS.sys @ 0xb9d4087b

user & kernel MBR OK

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(824)

c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(888)

c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1344)

c:\windows\system32\WININET.dll

c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll

c:\windows\system32\ieframe.dll

.

Completion time: 2010-04-12 23:38:32

ComboFix-quarantined-files.txt 2010-04-13 04:38

ComboFix2.txt 2010-04-13 03:08

Pre-Run: 469,192,409,088 bytes free

Post-Run: 469,169,340,416 bytes free

- - End Of File - - 1B20956A7ED992CDFA44A97ABE5D2E10

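As an added verification script (not something from this thread, ComboFix or Malwarebytes), the PowerShell below re-checks each setting the CFScript above changed, plus the Security Center override values and the Firefox safe-mode command that appear in the posted logs. The registry paths and file locations are the ones from the logs; PowerShell 2.0 on the poster's XP SP3 is assumed, so hashing goes through .NET rather than Get-FileHash.

```powershell
# Added audit script, not part of the thread or of ComboFix/MBAM: after the
# CFScript run, re-check each setting it touched plus the Firefox safe-mode
# hijack MBAM reported, and list anything still off.
# Assumes PowerShell 2.0 (the version available on Windows XP SP3) and an
# elevated (administrator) console.

$findings = New-Object System.Collections.ArrayList

function Report([string]$msg) { [void]$script:findings.Add($msg) }

# Compare a REG_DWORD against the value the cleanup expects.
function Test-RegDword([string]$path, [string]$name, [int]$expected) {
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { Report "$path\$name is missing"; return }
    $actual = [int]$item.$name
    if ($actual -ne $expected) { Report "$path\$name = $actual (expected $expected)" }
}

# SHA-256 of a file as an upper-case hex string (works on .NET 2.0 / PS 2.0).
function Get-Sha256([string]$file) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($file)
    try { $hash = $sha.ComputeHash($stream) } finally { $stream.Close() }
    return [System.BitConverter]::ToString($hash).Replace('-', '')
}

# 1. Windows Firewall standard profile. ComboFix abbreviates this key as
#    HKLM\~\services\sharedaccess\...; the full path is under SYSTEM\CurrentControlSet.
$fw = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
Test-RegDword $fw 'EnableFirewall' 1
Test-RegDword $fw 'DisableNotifications' 0

# 2. Security Center overrides. The ComboFix log shows both set to 1, which
#    suppresses the "no antivirus / no firewall" alerts; a clean machine has 0.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
Test-RegDword $sc 'AntiVirusOverride' 0
Test-RegDword $sc 'FirewallOverride' 0

# 3. The FCopy step replaced the live iaStor.sys with the OEM copy; after a
#    successful copy the two files must hash identically.
$oem  = 'C:\WINDOWS\OemDir\iaStor.sys'
$live = 'C:\WINDOWS\system32\drivers\iaStor.sys'
if ((Test-Path $oem) -and (Test-Path $live)) {
    $h1 = Get-Sha256 $oem
    $h2 = Get-Sha256 $live
    if ($h1 -ne $h2) { Report "iaStor.sys differs: OemDir=$h1 drivers=$h2" }
} else {
    Report "iaStor.sys missing: OemDir present=$(Test-Path $oem), drivers present=$(Test-Path $live)"
}

# 4. Firefox safe-mode launch command. MBAM quarantined a value that launched
#    ave.exe first; the clean form is firefox.exe (optionally a quoted full
#    path) followed by -safe-mode and nothing else.
$smi = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command'
$item = Get-ItemProperty -Path $smi -ErrorAction SilentlyContinue
if ($item -ne $null) {
    $cmd = [string]$item.'(default)'
    if ($cmd -notmatch '^(?:"?[^"]*\\)?firefox\.exe"? -safe-mode$') {
        Report "Firefox safe-mode command is unexpected: $cmd"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'All checked settings match the cleaned state.'
} else {
    Write-Output "$($findings.Count) item(s) still need attention:"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```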

Hi,

I will take care of the MBAM problem soon.

Let's take a look in different ways. Seems like the infection is still there.

First,

RSIT.

  • Copy the code as below by highlight > right click > copy:
    "%userprofile%\desktop\rsit.exe" /info


  • Click on start > Run....
  • Paste the code into the box and click OK.
  • Click on Continue at the disclaimer screen.
  • Once it finishes, two logs will open.
    • log.txt will be opened maximized
    • info.txt will be opened minimized

  • Please post the contents of both logs in your next post.

***You can find manually the log at C:\rsit

Next,

GMER.

Please run it again.

Please download from HERE and save to the desktop.

  • Unzip/extract the file to its own folder.
  • Disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan, click NO.
  • Click on >>> symbol and choose on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on Scan and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE.

Important! Please do not select the "Show all" checkbox during the scan.

Next,

Checklist.

Please post.

  • Content of log.txt and info.txt (Find both in c:\rsit)
  • Content of GMER.txt


That GMER scan took over 5 hours! Wow.

It did bomb out of GMER and reboot almost immediately, but I had also removed a thumb-drive from a USB port, so I think that may have caused that. It ran fine the second time, albeit rather long. If I have to do that one again, it's going to go overnight while I'm sleeping.

I should note one piece of incremental progress... I no longer seem to be getting the "Open with..." dialog boxes when I want to open a program. I know that doesn't mean it's fully fixed, just noting some progress.

I was also going to mention that I was now able to post to this site from the infected computer. I did last post, but it wouldn't let me this post, so I had to take the thumb drive with the log files to the other computer... again.

Anyway, here's the various log files...

RSIT log file

Logfile of random's system information tool 1.06 (written by random/random)

Run by Owner at 2010-04-13 09:10:08

Microsoft Windows XP Professional Service Pack 3

System drive C: has 447 GB (94%) free of 477 GB

Total RAM: 3069 MB (76% free)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:10:08 AM, on 4/13/2010

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\AVG\AVG9\avgchsvx.exe

C:\Program Files\AVG\AVG9\avgrsx.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\AVG\AVG9\avgcsrvx.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtProc.exe

C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

C:\Program Files\AVG\AVG9\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\AVG\AVG9\avgnsx.exe

C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe

C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

C:\Program Files\WinZip\WZQKPICK.EXE

C:\WINDOWS\system32\svchost.exe

C:\Documents and Settings\Owner\desktop\rsit.exe

C:\Program Files\Trend Micro\HijackThis\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.siteadvisor.com/download/postin...installchoice=2

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll

O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [sSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot

O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"

O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"

O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKCU\..\Run: [PowerPanel Personal Edition User Interaction] "C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe"

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE

O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html

O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html

O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html

O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html

O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1256097159250

O16 - DPF: {B82FA17C-F3A9-11D2-B5DD-0050041B7FF6} (SAXFile FileDownload ActiveX Control) - http://www.bldgportal.com/saxfile.cab

O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab

O18 - Protocol: dssrequest - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll

O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: McAfee SiteAdvisor Service - McAfee, Inc. - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PowerPanel Personal Edition Service (ppped) - Unknown owner - C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe

O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\WINDOWS\system32\STacSV.exe

--

End of file - 9204 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003Core.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1343024091-1454471165-682003330-1003UA.job

C:\WINDOWS\tasks\User_Feed_Synchronization-{320E46DB-C483-4E92-9B2F-6D0729D8D9D0}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]

AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll [2003-05-15 50376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]

Winamp Toolbar Loader - C:\Program Files\Winamp Toolbar\winamptb.dll [2009-05-06 1262888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]

AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-04-01 1602912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68F9551E-0411-48E4-9AAF-4BC42A6A46BE}]

EWPBrowseObject Class - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll [2006-06-09 34304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]

AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]

AcroIEToolbarHelper Class - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B164E929-A1B6-4A06-B104-2CD0E90A88FF}]

McAfee SiteAdvisor BHO - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-12-23 251416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]

Java Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-10-20 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]

JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-10-20 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]

{0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - McAfee SiteAdvisor Toolbar - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll [2009-12-23 251416]

{327C2873-E90D-4c37-AA9D-10AC9BABA46C} - Easy-WebPrint - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll [2006-06-09 552960]

{47833539-D0C5-4125-9FA8-0819E2EAAC93} - Adobe PDF - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll [2003-05-15 147456]

{EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - Winamp Toolbar - C:\Program Files\Winamp Toolbar\winamptb.dll [2009-05-06 1262888]

{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-02-23 1664256]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-03-28 13684736]

"nwiz"=nwiz.exe /install []

"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-10-20 149280]

"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-03-28 86016]

"SSBkgdUpdate"=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]

"OpwareSE4"=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]

"WrtMon.exe"=C:\WINDOWS\system32\spool\drivers\w32x86\3\WrtMon.exe [2006-09-20 20480]

"Adobe Photo Downloader"=C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe [2005-09-09 57344]

"WinampAgent"=C:\Program Files\Winamp\winampa.exe [2009-07-01 37888]

"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-03 1086856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

"PowerPanel Personal Edition User Interaction"=C:\Program Files\CyberPower PowerPanel Personal Edition\pppeuser.exe [2005-10-24 262144]

"Google Update"=C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-02 135664]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe

Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE

WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]

C:\WINDOWS\system32\avgrsstx.dll [2010-03-13 12464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 239496]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]

"dontdisplaylastusername"=0

"legalnoticecaption"=

"legalnoticetext"=

"shutdownwithoutlogon"=1

"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"NoDriveTypeAutoRun"=323

"NoDriveAutoRun"=67108863

"NoDrives"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]

"HonorAutoRunSetting"=

"NoDriveAutoRun"=

"NoDriveTypeAutoRun"=

"NoDrives"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

"C:\Program Files\CrossLoop\CrossLoopConnect.exe"="C:\Program Files\CrossLoop\CrossLoopConnect.exe:*:Enabled:CrossLoop - Simple Secure Screen Sharing"

"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"

"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"

"C:\Program Files\McAfee\SiteAdvisor\McSACore.exe"="C:\Program Files\McAfee\SiteAdvisor\McSACore.exe:*:Enabled:McSACore"

"C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe"="C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe:*:Enabled:ppped"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

======File associations======

.scr - open - C:\WINDOWS\system32\notepad.exe "%1"

.scr - install -

.scr - config -

======List of files/folders created in the last 1 months======

2010-04-12 23:38:35 ----A---- C:\ComboFix.txt

2010-04-12 21:53:18 ----A---- C:\Boot.bak

2010-04-12 21:53:13 ----RASHD---- C:\cmdcons

2010-04-12 21:50:49 ----A---- C:\WINDOWS\zip.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\SWXCACLS.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\SWSC.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\SWREG.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\sed.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\PEV.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\NIRCMD.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\MBR.exe

2010-04-12 21:50:49 ----A---- C:\WINDOWS\grep.exe

2010-04-12 21:48:22 ----D---- C:\Qoobox

2010-04-12 20:01:41 ----D---- C:\_OTM

2010-04-12 19:59:51 ----D---- C:\WINDOWS\ERDNT

2010-04-12 19:58:59 ----D---- C:\Program Files\ERUNT

2010-04-12 12:25:06 ----D---- C:\WINDOWS\Minidump

2010-04-12 10:30:00 ----D---- C:\gmer

2010-04-12 10:23:16 ----D---- C:\rsit

2010-04-08 09:47:49 ----A---- C:\WINDOWS\ntbtlog.txt

2010-04-03 23:39:17 ----D---- C:\Program Files\Trend Micro

======List of files/folders modified in the last 1 months======

2010-04-13 09:07:31 ----D---- C:\WINDOWS\Temp

2010-04-13 09:07:31 ----D---- C:\WINDOWS

2010-04-13 08:53:56 ----D---- C:\Program Files\Mozilla Firefox

2010-04-13 08:48:49 ----D---- C:\WINDOWS\system32

2010-04-13 06:02:44 ----A---- C:\WINDOWS\SchedLgU.Txt

2010-04-13 00:34:33 ----D---- C:\Program Files\CyberPower PowerPanel Personal Edition

2010-04-12 23:36:06 ----A---- C:\WINDOWS\system.ini

2010-04-12 23:33:07 ----D---- C:\WINDOWS\system32\drivers

2010-04-12 23:33:07 ----D---- C:\WINDOWS\AppPatch

2010-04-12 23:33:06 ----D---- C:\Program Files\Common Files

2010-04-12 23:26:09 ----D---- C:\WINDOWS\system32\CatRoot2

2010-04-12 22:08:21 ----D---- C:\WINDOWS\Prefetch

2010-04-12 22:01:58 ----D---- C:\WINDOWS\system32\config

2010-04-12 22:00:53 ----SD---- C:\WINDOWS\Tasks

2010-04-12 21:53:18 ----RASH---- C:\boot.ini

2010-04-12 19:58:59 ----RD---- C:\Program Files

2010-04-12 16:40:09 ----D---- C:\AutoTURN

2010-04-12 16:21:30 ----RSHDC---- C:\WINDOWS\system32\dllcache

2010-04-12 10:19:04 ----D---- C:\Program Files\TextPad 5

2010-04-12 09:40:29 ----D---- C:\Documents and Settings

2010-04-12 08:44:01 ----D---- C:\Documents and Settings\All Users\Application Data\avg9

2010-04-11 12:03:36 ----SHD---- C:\WINDOWS\Installer

2010-04-11 12:03:36 ----A---- C:\WINDOWS\ODBC.INI

2010-04-09 19:17:23 ----D---- C:\Documents and Settings\Owner\Application Data\Facebook

2010-04-06 08:59:03 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$

2010-04-05 20:47:36 ----D---- C:\WINDOWS\Help

2010-04-05 11:05:20 ----A---- C:\WINDOWS\win.ini

2010-04-05 11:05:17 ----D---- C:\Documents and Settings\Owner\Application Data\Canon

2010-04-04 12:19:54 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$

2010-04-04 12:13:56 ----HDC---- C:\WINDOWS\$NtUninstallKB976098-v2$

2010-04-03 23:55:29 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$

2010-04-03 23:30:46 ----D---- C:\Program Files\Malwarebytes' Anti-Malware

2010-04-03 23:28:34 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$

2010-03-31 12:11:17 ----D---- C:\LandProjects

2010-03-31 03:00:43 ----HD---- C:\WINDOWS\inf

2010-03-31 03:00:38 ----D---- C:\Program Files\Internet Explorer

2010-03-31 03:00:29 ----HD---- C:\WINDOWS\$hf_mig$

2010-03-18 17:09:41 ----D---- C:\WINDOWS\Debug

2010-03-15 12:19:49 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

2010-03-14 02:52:14 ----D---- C:\temp

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-03-13 216200]

R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-03-13 29512]

R1 AvgTdiX;AVG Free8 Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-03-13 242696]

R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-14 36352]

R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-14 14592]

R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]

R3 e1express;Intel® PRO/1000 PCI Express Network Connection Driver; C:\WINDOWS\system32\DRIVERS\e1e5132.sys [2008-01-31 254872]

R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-14 144384]

R3 HECI;Intel® Management Engine Interface; C:\WINDOWS\system32\DRIVERS\HECI.sys [2007-03-13 44672]

R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-14 10368]

R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2008-04-14 12160]

R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]

R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-03-28 6280416]

R3 STHDA;IDT High Definition Audio CODEC; C:\WINDOWS\system32\drivers\sthda.sys [2008-04-10 1271032]

R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-14 32128]

R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-14 30208]

R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-14 59520]

R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2008-04-14 17152]

R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2008-04-14 25856]

R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-14 15104]

R3 usbstor;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-14 26368]

R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-14 20608]

S3 catchme;catchme; \??\C:\Combo-Fix\catchme.sys []

S3 PciCon;PciCon; \??\E:\PciCon.sys []

S3 scsiscan;SCSI Scanner Driver; C:\WINDOWS\system32\DRIVERS\scsiscan.sys [2008-04-14 11520]

S3 sfng32;Sonic Focus Plugin for Sigmatel HDA; C:\WINDOWS\system32\drivers\sfng32.sys [2008-01-31 54272]

S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]

S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AdobeActiveFileMonitor4.0;Adobe Active File Monitor V4; C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe [2005-09-09 102400]

R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-03-13 308064]

R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]

R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-10-20 153376]

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service; C:\Program Files\McAfee\SiteAdvisor\McSACore.exe [2009-12-23 93320]

R2 ppped;PowerPanel Personal Edition Service; C:\Program Files\CyberPower PowerPanel Personal Edition\ppped.exe [2005-10-24 479232]

R3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]

S2 STacSV;Audio Service; C:\WINDOWS\system32\STacSV.exe [2008-04-10 212992]

S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]

S3 Autodesk Licensing Service;Autodesk Licensing Service; C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe [2009-11-06 82584]

S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; c:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]

S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-10-20 654848]

S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]

S3 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-03-28 163908]

S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]

S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]

S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

RSIT info.txt

info.txt logfile of random's system information tool 1.06 2010-04-13 09:10:09

======Uninstall list======

-->MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}

-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}

-->MsiExec.exe /I{C98E5F1B-5C2B-4FD1-BDF9-F3779DCAAA16}

-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{329899E1-CBBA-49BC-9FFE-199E94316727}\setup.exe" -l0x9 -removeonly

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf

7-Zip 4.57-->"C:\Program Files\7-Zip\Uninstall.exe"

Adobe Acrobat 6.0 Professional-->MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}

Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}

Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}

Adobe Audition 1.0-->MsiExec.exe /I{81E76DE9-BBCB-449C-91BB-6E4E5436D496}

Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}

Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}

Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}

Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}

Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}

Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}

Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}

Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}

Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}

Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}

Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}

Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}

Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe

Adobe Flash Player 9 ActiveX-->MsiExec.exe /X{BB65C393-C76E-4F06-9B0C-2124AA8AF97B}

Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}

Adobe Help Center 2.0-->MsiExec.exe /I{8FFC924C-ED06-44CB-8867-3CA778ECE903}

Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}

Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}

Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}

Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe

Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}

Adobe Photoshop Elements 4.0-->msiexec /I {EBB7C1C1-D439-4D9B-9FDC-954C10F266B0}

Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}

Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log

Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}

Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}

Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}

Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}

Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}

Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}

AutoCAD Civil 3D 2009-->C:\Program Files\AutoCAD Civil 3D 2009\Setup\Setup.exe /P {5783F2D7-7000-0409-0002-0060B0CE6BBA} /M C3D

AutoCAD Civil 3D Land Desktop Companion 2009-->C:\Program Files\AutoCAD Civil 3D Land Desktop Companion 2009\Setup\Setup.exe /P {5783F2D7-7018-0409-0002-0060B0CE6BBA} /M ACAD

Autodesk Design Review 2009-->C:\Program Files\Autodesk\Autodesk Design Review\Setup\Setup.exe /P {450063AA-643B-417C-8CF5-405BA3F4EF40} /M ADR

Autodesk DWF Viewer 7-->MsiExec.exe /I{9A346205-EA92-4406-B1AB-50379DA3F057}

Autodesk Vault 2009 (Client)-->C:\Program Files\Autodesk\Vault 2009\Setup\setup.exe /p {B4013E5D-C833-4C8D-A942-AD7BBDFD9389} /M VAULT

Autodesk Vault 2009 (Client)-->MsiExec.exe /X{B4013E5D-C833-4C8D-A942-AD7BBDFD9389}

AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL

Brother P-touch Address Book 1.0-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{98E9B724-0E62-4812-B6CC-C6A228BBC562}

Brother P-touch Editor 4.2-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{003447F5-0058-4B77-9C1E-50488F77C4A7}

Brother QL-Series User's Guide-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{7CCC6E23-0E35-480B-8F0C-8D06F882D5D3}

C3D_2009_VE_HF1-->C:\WINDOWS\system32\msiexec.exe /promptrestart /qb /uninstall {C1AF94A8-7539-43EF-9857-B641D7FACFF5} /package {B4013E5D-C833-4C8D-A942-AD7BBDFD9389} SETUP=1

Canon Camera Support Core Library-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{B9B9863A-32FD-4133-ADB7-46244ED77694} /l1033

Canon Camera Window for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{F37942A8-B21B-4C5A-A1D2-B676BF55EAE0}

Canon i9900-->C:\WINDOWS\system32\CNMCP5p.exe "-PRINTERNAMECanon i9900" "-HELPERDLLC:\BJPrinter\CNMWINDOWS\Canon i9900 Installer\Inst2\cnmis.dll" "-RCDLLC:\BJPrinter\CNMWINDOWS\Canon i9900 Installer\Inst2\cnmi0409.dll"

Canon MP Navigator 2.2-->"C:\Program Files\Canon\MP Navigator 2.2\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator 2.2\uninst.ini

Canon MP830 User Registration-->C:\Program Files\Canon\IJEREG\MP830\UNINST.EXE

Canon MP830-->"C:\WINDOWS\system32\CanonIJ Uninstaller Information\{0D25F7CC-B99C-44ee-9945-B14532B2BB7B}\DelDrv.exe" /U:{0D25F7CC-B99C-44ee-9945-B14532B2BB7B} /L0x0009

Canon PhotoRecord-->MsiExec.exe /X{BEF56F2D-56ED-4176-BF72-7B68D4A3B98D}

Canon RAW Image Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{16976C6C-F8D5-4317-9DE8-1F6352B66725}

Canon RemoteCapture Task for ZoomBrowser EX-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{821DC151-4691-4E26-AE7E-522921D0FD54}

Canon Utilities Easy-PhotoPrint-->C:\Program Files\Canon\Easy-PhotoPrint\uninst.exe uninst.ini

Canon Utilities ZoomBrowser EX-->MsiExec.exe /X{C1D76D7A-F3BB-47EA-A746-5B1E2FFC1DF2}

CCleaner (remove only)-->"C:\Program Files\CCleaner\uninst.exe"

CrossLoop 2.51-->"C:\Program Files\CrossLoop\unins000.exe"

CuteFTP 8 Professional-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{91F34319-08DE-457A-99C0-0BCDFAC145B9}\Setup.exe" -l0x9

CyberPower PowerPanel Personal Edition-->MsiExec.exe /I{6165536A-3F9D-46FF-8E4F-993DDB4C7DCD}

Defraggler-->"C:\Program Files\Defraggler\uninst.exe"

DWG TrueView 2009-->C:\Program Files\DWG TrueView 2009\Setup\Setup.exe /P {5783F2D6-7028-0409-0000-0060B0CE6BBA} /M AOEM

Easy-WebPrint-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Canon\Easy-WebPrint\Uninst.isu"

ERUNT 1.1j-->"C:\Program Files\ERUNT\unins000.exe"

Foxit Reader-->C:\Program Files\Foxit Software\Foxit Reader\Uninstall.exe

HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""

Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"

Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB970653-v3)-->"C:\WINDOWS\$NtUninstallKB970653-v3$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB976098-v2)-->"C:\WINDOWS\$NtUninstallKB976098-v2$\spuninst\spuninst.exe"

Hotfix for Windows XP (KB979306)-->"C:\WINDOWS\$NtUninstallKB979306$\spuninst\spuninst.exe"

Intel® Management Engine Interface-->C:\WINDOWS\system32\heciudlg.exe -uninstall

Intel® PRO Network Connections 12.1.12.0-->MsiExec.exe /i{777CA40C-0206-4EF6-A0FC-618BF06BF8D0} ARPREMOVE=1

Java 6 Update 16-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216016FF}

K-Lite Mega Codec Pack 5.1.0-->"C:\Program Files\K-Lite Codec Pack\unins000.exe"

Lightroom-->MsiExec.exe /I{D4134B0B-EA9B-4835-A77A-60BEE6277101}

Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"

McAfee SiteAdvisor-->C:\Program Files\McAfee\SiteAdvisor\Uninstall.exe

Microsoft .NET Framework 1.1 Security Update (KB953297)-->"C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Updates\M953297\M953297Uninstall.msp"

Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}

Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}

Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe

Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}

Microsoft Base Smart Card Cryptographic Service Provider Package-->"C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"

Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"

Microsoft Office 2000 Small Business-->MsiExec.exe /I{00030409-78E1-11D2-B60F-006097C998E7}

Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"

Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}

Microsoft WSE 3.0 Runtime-->MsiExec.exe /X{E3E71D07-CD27-46CB-8448-16D4FB29AA13}

Mozilla Firefox (3.5.7)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe

MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}

MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}

MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}

MSXML 6.0 Parser-->MsiExec.exe /I{AEB9948B-4FF2-47C9-990E-47014492A0FE}

Nikon Scan-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9AE4AC96-A5F4-4F19-9D13-066C8B3CE034}\Setup.exe" -l0x9 UNINSTALL

NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI

Nvu 1.0-->"C:\Program Files\Nvu\unins000.exe"

PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}

Powerprint Request v.5.5.126-->MsiExec.exe /I{C2AF1BD0-6548-4419-A9E3-548D46DD0277}

Presto! PageManager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D2D6B9EB-C6DC-4DAA-B4DE-BB7D9735E7DA}\PMSetup.exe" -l0x9 anything -removeonly

Quicken 2006-->MsiExec.exe /X{2818095F-FB6C-42C8-827E-0A406CC9AFF5}

QuickTime Alternative 2.9.2-->"C:\Program Files\QuickTime Alternative\unins000.exe"

QuikPik-->C:\PROGRA~1\ManuSoft\QuikPik\UNWISE.EXE C:\PROGRA~1\ManuSoft\QuikPik\INSTALL.LOG

ScanSoft OmniPage SE 4.0-->MsiExec.exe /I{C1E693A4-B1D5-4DCD-B68D-2087835B7184}

Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB974455)-->"C:\WINDOWS\ie8updates\KB974455-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB976325)-->"C:\WINDOWS\ie8updates\KB976325-IE8\spuninst\spuninst.exe"

Security Update for Windows Internet Explorer 8 (KB978207)-->"C:\WINDOWS\ie8updates\KB978207-IE8\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB968816)-->"C:\WINDOWS\$NtUninstallKB968816_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9$\spuninst\spuninst.exe"

Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"

Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"

Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"

Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"

Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"

Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"

Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"

Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"

Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"

Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961371-v2)-->"C:\WINDOWS\$NtUninstallKB961371-v2$\spuninst\spuninst.exe"

Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"

Security Update for Windows XP (KB968537)-->"C:\WINDOWS\$NtUninstallKB968537$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"

Security Update for Windows XP (KB969947)-->"C:\WINDOWS\$NtUninstallKB969947$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"

Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971486)-->"C:\WINDOWS\$NtUninstallKB971486$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971557)-->"C:\WINDOWS\$NtUninstallKB971557$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971633)-->"C:\WINDOWS\$NtUninstallKB971633$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"

Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"

Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973354)-->"C:\WINDOWS\$NtUninstallKB973354$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973525)-->"C:\WINDOWS\$NtUninstallKB973525$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"

Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974455)-->"C:\WINDOWS\$NtUninstallKB974455$\spuninst\spuninst.exe"

Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"

Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977165)-->"C:\WINDOWS\$NtUninstallKB977165$\spuninst\spuninst.exe"

Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978251)-->"C:\WINDOWS\$NtUninstallKB978251$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978262)-->"C:\WINDOWS\$NtUninstallKB978262$\spuninst\spuninst.exe"

Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"

Shared Add-in Support Update for Microsoft .NET Framework 2.0 (KB908002)-->MsiExec.exe /X{64F3B15C-24C7-4B2B-9B72-65CCBBD7F06B}

SigmaTel Audio-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A462213D-EED4-42C2-9A60-7BDD4D4B0B17}\setup.exe" -l0x9 -remove -removeonly

TextPad 5-->MsiExec.exe /X{B6EC7388-E277-4A5B-8C8F-71067A41BA64}

TextPad Lexicons-->MsiExec.exe /I{190E09FD-F08A-444F-B97E-FE482EC5D06C}

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""

Update for Windows Internet Explorer 8 (KB973874)-->"C:\WINDOWS\ie8updates\KB973874-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB976749)-->"C:\WINDOWS\ie8updates\KB976749-IE8\spuninst\spuninst.exe"

Update for Windows Internet Explorer 8 (KB980182)-->"C:\WINDOWS\ie8updates\KB980182-IE8\spuninst\spuninst.exe"

Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"

Update for Windows XP (KB943729)-->"C:\WINDOWS\$NtUninstallKB943729$\spuninst\spuninst.exe"

Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"

Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"

Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"

Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"

Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"

Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"

Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"

Winamp Toolbar-->"C:\Program Files\Winamp Toolbar\uninstall.exe"

Winamp-->"C:\Program Files\Winamp\UninstWA.exe"

Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"

Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll

Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"

Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall

Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"

WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall

WordPerfect Office 11-->MsiExec.exe /I{54F90B55-BEB3-4F0D-8802-228822FA5921}

=====HijackThis Backups=====

O20 - AppInit_DLLs: kuvewawe.dll c:\windows\system32\wafadagi.dll [2010-04-03]

======Security center information======

AV: AVG Anti-Virus Free (disabled)

======System event log======

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7456

Source Name: Disk

Time Written: 20100308003809.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7455

Source Name: Disk

Time Written: 20100308000356.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7454

Source Name: Disk

Time Written: 20100307225708.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7453

Source Name: Disk

Time Written: 20100307215537.000000-360

Event Type: warning

User:

Computer Name: OWNER-C117E8A61

Event Code: 51

Message: An error was detected on device \Device\Harddisk7\D during a paging operation.

Record Number: 7451

Source Name: Disk

Time Written: 20100307211114.000000-360

Event Type: warning

User:

=====Application event log=====

Computer Name: OWNER-C117E8A61

Event Code: 5603

Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 15

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 5603

Message: A provider, Rsop Planning Mode Provider, has been registered in the WMI namespace, root\RSOP, but did not specify the HostingModel property. This provider will be run using the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests. Ensure that provider has been reviewed for security behavior and update the HostingModel property of the provider registration to an account with the least privileges possible for the required functionality.

Record Number: 14

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 13

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, CmdTriggerConsumer, has been registered in the WMI namespace, Root\cimv2, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 12

Source Name: WinMgmt

Time Written: 20091020033722.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

Computer Name: OWNER-C117E8A61

Event Code: 63

Message: A provider, HiPerfCooker_v1, has been registered in the WMI namespace, Root\WMI, to use the LocalSystem account. This account is privileged and the provider may cause a security violation if it does not correctly impersonate user requests.

Record Number: 11

Source Name: WinMgmt

Time Written: 20091020033720.000000-300

Event Type: warning

User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe

"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Intel\DMIX

"windir"=%SystemRoot%

"FP_NO_HOST_CHECK"=NO

"OS"=Windows_NT

"PROCESSOR_ARCHITECTURE"=x86

"PROCESSOR_LEVEL"=6

"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 10, GenuineIntel

"PROCESSOR_REVISION"=170a

"NUMBER_OF_PROCESSORS"=2

"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

"TEMP"=%SystemRoot%\TEMP

"TMP"=%SystemRoot%\TEMP

-----------------EOF-----------------

GMER log file:

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-13 14:30:34

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxroraob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9186380, 0x34C81F, 0xE8000020]

.rsrc C:\WINDOWS\system32\DRIVERS\redbook.sys entry point in ".rsrc" section [0xBA233F94]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A

.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A

.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A

.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A

.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A

.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device -> \Driver\iaStor \Device\Harddisk0\DR0 8998DAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification

File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification

---- EOF - GMER 1.0.15 ----

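The GMER output above lists the same three ntdll.dll exports patched with a 5-byte JMP in three unrelated processes (svchost.exe, Explorer.EXE, wuauclt.exe), each jumping to a low address that is not inside ntdll.dll, plus two drivers flagged as modified. The script below is an added example, not code from the thread or from GMER: it parses those lines, groups processes by the exact set of functions hooked in them, and flags every hook whose JMP target lies outside the image of the DLL that was patched. The sample input is copied from the log above; the ntdll.dll address range is an assumption for Windows XP SP3 (base 0x7C900000) and should be replaced with the real module list on another build.

```python
"""Triage of GMER 'User code sections' and 'Files' lines (added example, not GMER code)."""
import re
from collections import defaultdict

# Sample input: lines copied from the GMER log posted in this thread.
SAMPLE_GMER = r"""
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1200] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1920] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\system32\wuauclt.exe[2248] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
---- Files - GMER 1.0.15 ----
File C:\WINDOWS\system32\DRIVERS\redbook.sys suspicious modification
File C:\WINDOWS\system32\drivers\iaStor.sys suspicious modification
"""

HOOK_RE = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<size>\d+) Bytes (?P<kind>JMP|CALL) (?P<target>[0-9A-Fa-f]+)\s*$"
)
FILE_RE = re.compile(r"^File (?P<path>.+?) suspicious modification\s*$")

# ASSUMPTION: load range of ntdll.dll on Windows XP SP3 (base 0x7C900000).
# Take the real ranges from a module list on the machine being examined.
MODULE_RANGES = {"ntdll.dll": (0x7C900000, 0x7C9B0000)}


def parse_gmer(text):
    """Return (hooks, suspicious_files) parsed from GMER's user-code and files sections."""
    hooks, files = [], []
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"])
            d["addr"], d["target"] = int(d["addr"], 16), int(d["target"], 16)
            hooks.append(d)
            continue
        m = FILE_RE.match(line)
        if m:
            files.append(m.group("path"))
    return hooks, files


def target_outside_module(hook, ranges=MODULE_RANGES):
    """True when the JMP lands outside the image of the DLL whose export was patched.

    A hot-patch or security-product hook jumps into some loaded module; a jump
    into anonymous memory is what injected code looks like. None = unknown module."""
    lo, hi = ranges.get(hook["module"].lower(), (None, None))
    if lo is None:
        return None
    return not (lo <= hook["target"] < hi)


def hook_signatures(hooks):
    """Group processes by the exact set of (module, function) hooked inside them."""
    per_proc = defaultdict(set)
    for h in hooks:
        per_proc[f'{h["proc"]}[{h["pid"]}]'].add((h["module"].lower(), h["func"]))
    groups = defaultdict(list)
    for proc, sig in per_proc.items():
        groups[frozenset(sig)].append(proc)
    return dict(groups)


def triage(text, ranges=MODULE_RANGES):
    """Summarise: hook count, hooks leaving their module, signatures shared by >1 process."""
    hooks, files = parse_gmer(text)
    outside = [h for h in hooks if target_outside_module(h, ranges)]
    shared = {s: p for s, p in hook_signatures(hooks).items() if len(p) > 1}
    return {"hooks": len(hooks), "jumps_outside_module": len(outside),
            "shared_signatures": shared, "suspicious_files": files}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_GMER).items():
        print(f"{key}: {value}")
```

An identical hook set appearing in several processes that share no code of their own is the point to look at: it means one payload was injected into all of them, and the hooked functions tell you what it protects (memory-protection changes, memory writes and exception dispatch).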

Hi,

Obviously, you have some rootkit infection.

I will try to think of some steps and consult with my colleague regarding this.

Meanwhile, please run the following and let us see the result.

First,

Analyze file(s).

Please visit Jotti.

Click on Browse > copy the paths below (one by one) and paste each into the File name box > click Open:

C:\WINDOWS\system32\DRIVERS\redbook.sys

C:\WINDOWS\system32\drivers\iaStor.sys

  • Press Submit file - this will submit the file for testing.
  • Please wait for all the scanners to finish then copy and paste the permalink (web address) in your next response.

Example of web address: [screenshot of a Jotti scan-result permalink]

Next,

SystemLook by jpshortstuff.

Please download from one of the links below and save it to the Desktop.

Download Mirror #1

Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    *iaStor*
    *redbook*


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt

Next,

TDSSKiller

  • Download the file TDSSKiller.zip and save it on your desktop
  • Extract the file tdsskiller.zip; it will create a folder named tdsskiller on your desktop
  • Next, double-click the tdsskiller folder on your desktop.
  • Next, right-click on tdsskiller.exe, click Copy, then paste it directly onto your Desktop.
  • Highlight and copy the text in the codebox below.
    "%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"


  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • Wait for the scan and disinfection process to be over.
  • Open tdsskiller.txt on your desktop and post the contents in your next reply.

Next,

Checklist.

Please post.

  • Web Links (Total - 2)
  • Content of SystemLook.txt
  • Content of tdsskiller.txt

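The three steps requested above produce two reports that are easy to eyeball but easier to get wrong: SystemLook's filefind lists every copy of a driver with its size, two timestamps and an MD5, and TDSSKiller dumps each driver's IRP dispatch table with one address per major function. The script below is an added example, not code from the thread, from SystemLook or from TDSSKiller. It groups the filefind hits by file name (treating ComboFix's `.vir` quarantine suffix as the same file), reports whether all copies carry one hash and which copies were rewritten after they were created, and then checks each IRP table for handlers that do not sit together in one driver image. Its sample lines are copied from the reports posted later in this thread, except the block marked CONSTRUCTED, which is made up to show what a redirected table looks like. Two assumptions: SystemLook's bracketed timestamps are read as [created] [last modified], and the address that recurs in every driver's table (0x804F4562 here) is taken to be the kernel's default handler for unsupported requests and ignored.

```python
"""Re-check SystemLook 'filefind' hits and TDSSKiller IRP tables (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime
from os.path import basename

SL_RE = re.compile(r"^(?P<path>.+?) (?P<attrs>[-a-z]{6}) (?P<size>\d+) bytes "
                   r"\[(?P<created>[^\]]+)\] \[(?P<modified>[^\]]+)\] (?P<md5>[0-9A-Fa-f]{32})$")
TDSS_PREFIX = re.compile(r"^\d\d:\d\d:\d\d:\d{3} \d+ (?P<body>.*)$")
IRP_RE = re.compile(r"^(?P<irp>IRP_MJ_\w+) : (?P<addr>[0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(?P<image>.+?) - Verdict: (?P<verdict>\d+)$")

# Lines copied from the SystemLook report posted in this thread.
SAMPLE_SYSTEMLOOK = r"""
Searching for "*iaStor*"
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F
C:\WINDOWS\OemDir\iaStor.cat --a--- 11694 bytes [15:28 18/10/2007] [21:32 17/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6
C:\WINDOWS\OemDir\iaStor.sys ------ 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F
C:\WINDOWS\system32\drivers\iaStor.sys --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F
Searching for "*redbook*"
C:\WINDOWS\system32\dllcache\redbook.sys --a--c 57600 bytes [03:29 20/10/2009] [21:21 12/04/2010] F828DD7E1419B6653894A8F97A0094C5
C:\WINDOWS\system32\drivers\redbook.sys --a--- 57600 bytes [03:29 20/10/2009] [21:21 12/04/2010] F828DD7E1419B6653894A8F97A0094C5
"""

# Disk and usbstor lines copied (abridged) from the TDSSKiller log in this thread;
# the DemoHooked block is CONSTRUCTED to show a table with one redirected handler.
SAMPLE_TDSS = r"""
21:59:59:964 1976 Driver Name: Disk
21:59:59:964 1976 IRP_MJ_CREATE : BA10EBB0
21:59:59:964 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:59:59:964 1976 IRP_MJ_READ : BA108D1F
21:59:59:964 1976 IRP_MJ_WRITE : BA108D1F
21:59:59:964 1976 IRP_MJ_QUERY_INFORMATION : 804F4562
21:59:59:964 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB
21:59:59:980 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
21:59:59:980 1976 Driver Name: usbstor
21:59:59:980 1976 IRP_MJ_CREATE : AAEA2218
21:59:59:980 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
21:59:59:980 1976 IRP_MJ_READ : AAEA223C
21:59:59:980 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180
21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
21:59:59:995 1976 Driver Name: DemoHooked
21:59:59:995 1976 IRP_MJ_CREATE : BA20EBB0
21:59:59:995 1976 IRP_MJ_READ : 89990000
21:59:59:995 1976 IRP_MJ_WRITE : 89990000
21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562
21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA2093BB
21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\demohooked.sys - Verdict: 1
"""


def parse_systemlook(text):
    """Group filefind hits by file name (quarantine '.vir' copies join their original)."""
    groups = defaultdict(list)
    for line in text.splitlines():
        m = SL_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        for key in ("created", "modified"):  # ASSUMED order: [created] [modified]
            d[key] = datetime.strptime(d[key], "%H:%M %d/%m/%Y")
        d["size"] = int(d["size"])
        name = basename(d["path"].replace("\\", "/")).lower()
        groups[name[:-4] if name.endswith(".vir") else name].append(d)
    return dict(groups)


def compare_copies(groups):
    """Per file name: number of copies, distinct hashes, copies rewritten after creation."""
    report = {}
    for name, hits in groups.items():
        report[name] = {"copies": len(hits),
                        "distinct_hashes": len({h["md5"].upper() for h in hits}),
                        "rewritten_after_creation": [h["path"] for h in hits
                                                     if h["modified"] > h["created"]]}
    return report


def parse_tdsskiller(text):
    """Return one dict per driver: name, image path, verdict and {IRP_MJ_x: handler}."""
    drivers, cur = [], None
    for line in text.splitlines():
        m = TDSS_PREFIX.match(line.strip())
        body = m.group("body") if m else line.strip()
        if body.startswith("Driver Name: "):
            cur = {"driver": body[len("Driver Name: "):], "irp": {}}
        elif cur is None:
            continue
        elif (m := IRP_RE.match(body)):
            cur["irp"][m.group("irp")] = int(m.group("addr"), 16)
        elif (m := VERDICT_RE.match(body)):
            cur["image"], cur["verdict"] = m.group("image"), int(m.group("verdict"))
            drivers.append(cur)
            cur = None
    return drivers


def check_irp_tables(drivers, max_span=0x100000):
    """Flag drivers whose own handlers are spread wider than one image could be.

    The handler address most common across all tables is ASSUMED to be the kernel's
    default for unsupported IRPs and is ignored; a clean driver's remaining handlers
    all lie inside its image, so a spread beyond max_span means one was redirected."""
    if not drivers:
        return {}
    default = Counter(a for d in drivers for a in d["irp"].values()).most_common(1)[0][0]
    result = {}
    for d in drivers:
        own = sorted(a for a in d["irp"].values() if a != default)
        span = own[-1] - own[0] if own else 0
        result[d["driver"]] = {"image": d.get("image"), "default_handler": default,
                               "span": span, "suspicious": span > max_span}
    return result


if __name__ == "__main__":
    print(compare_copies(parse_systemlook(SAMPLE_SYSTEMLOOK)))
    print(check_irp_tables(parse_tdsskiller(SAMPLE_TDSS)))
```

The span check is deliberately crude: it will not catch a hook placed inside the driver's own image, but it does catch the common case of a dispatch entry pointing into pool memory far from every other handler, which is what a hidden storage-stack hook looks like in a dump like this. For the file report, a copy whose modified time is later than its created time is not proof of anything on its own, but when the live driver and its dllcache backup both show the same fresh modification and the same hash, there is no clean local copy to restore from, and a known-good copy (from the installation media or a trusted machine) is the thing to compare against.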

Here ya go...

Jotti results

C:\WINDOWS\system32\DRIVERS\redbook.sys

http://virusscan.jotti.org/en/scanresult/8...7f08c893970d832

C:\WINDOWS\system32\drivers\iaStor.sys

http://virusscan.jotti.org/en/scanresult/6...aaff020f90aac96

------------------

SystemLook v1.0 by jpshortstuff (11.01.10)

Log created at 21:50 on 13/04/2010 by Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*iaStor*"

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\iaStor.sys.vir --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F

C:\WINDOWS\OemDir\iaStor.cat --a--- 11694 bytes [15:28 18/10/2007] [21:32 17/10/2007] 648DC3401A410A1A15DB9AB5FD0D61A6

C:\WINDOWS\OemDir\iaStor.sys ------ 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F

C:\WINDOWS\system32\drivers\iaStor.sys --a--- 308248 bytes [15:28 18/10/2007] [23:03 29/09/2007] E5A0034847537EAEE3C00349D5C34C5F

Searching for "*redbook*"

C:\WINDOWS\system32\dllcache\redbook.sys --a--c 57600 bytes [03:29 20/10/2009] [21:21 12/04/2010] F828DD7E1419B6653894A8F97A0094C5

C:\WINDOWS\system32\drivers\redbook.sys --a--- 57600 bytes [03:29 20/10/2009] [21:21 12/04/2010] F828DD7E1419B6653894A8F97A0094C5

-=End Of File=-

------------------

21:59:59:902 1976 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

21:59:59:902 1976 ================================================================================

21:59:59:902 1976 SystemInfo:

21:59:59:902 1976 OS Version: 5.1.2600 ServicePack: 3.0

21:59:59:902 1976 Product type: Workstation

21:59:59:902 1976 ComputerName: OWNER-C117E8A61

21:59:59:902 1976 UserName: Owner

21:59:59:902 1976 Windows directory: C:\WINDOWS

21:59:59:902 1976 Processor architecture: Intel x86

21:59:59:902 1976 Number of processors: 2

21:59:59:902 1976 Page size: 0x1000

21:59:59:902 1976 Boot type: Normal boot

21:59:59:902 1976 ================================================================================

21:59:59:902 1976 UnloadDriverW: NtUnloadDriver error 1

21:59:59:902 1976 ForceUnloadDriverW: UnloadDriverW(klmd21) error 1

21:59:59:917 1976 LoadDriverW: Driver already loaded

21:59:59:917 1976 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

21:59:59:917 1976 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

21:59:59:917 1976 wfopen_ex: Trying to KLMD file open

21:59:59:917 1976 wfopen_ex: File opened ok (Flags 2)

21:59:59:917 1976 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

21:59:59:917 1976 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

21:59:59:917 1976 wfopen_ex: Trying to KLMD file open

21:59:59:917 1976 wfopen_ex: File opened ok (Flags 2)

21:59:59:917 1976 Initialize success

21:59:59:917 1976

21:59:59:917 1976 Scanning Services ...

21:59:59:949 1976 Raw services enum returned 324 services

21:59:59:964 1976

21:59:59:964 1976 Scanning Kernel memory ...

21:59:59:964 1976 Devices to scan: 20

21:59:59:964 1976

21:59:59:964 1976 Driver Name: Disk

21:59:59:964 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:964 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:964 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:964 1976 IRP_MJ_READ : BA108D1F

21:59:59:964 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:964 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:964 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:964 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:964 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:964 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:964 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:964 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:964 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:964 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:964 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:964 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:964 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:964 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:964 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:964 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:964 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:964 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:964 1976 IRP_MJ_POWER : BA10AC82

21:59:59:964 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:964 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:964 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:964 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:980 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:980 1976

21:59:59:980 1976 Driver Name: usbstor

21:59:59:980 1976 IRP_MJ_CREATE : AAEA2218

21:59:59:980 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:980 1976 IRP_MJ_CLOSE : AAEA2218

21:59:59:980 1976 IRP_MJ_READ : AAEA223C

21:59:59:980 1976 IRP_MJ_WRITE : AAEA223C

21:59:59:980 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:980 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:980 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:980 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:980 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

21:59:59:980 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:980 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:980 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:980 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:980 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

21:59:59:980 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

21:59:59:980 1976 IRP_MJ_SHUTDOWN : 804F4562

21:59:59:980 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:980 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:980 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:980 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:980 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:980 1976 IRP_MJ_POWER : AAEA15F0

21:59:59:980 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

21:59:59:980 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:980 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:980 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

21:59:59:995 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

21:59:59:995 1976

21:59:59:995 1976 Driver Name: Disk

21:59:59:995 1976 IRP_MJ_CREATE : BA10EBB0

21:59:59:995 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

21:59:59:995 1976 IRP_MJ_CLOSE : BA10EBB0

21:59:59:995 1976 IRP_MJ_READ : BA108D1F

21:59:59:995 1976 IRP_MJ_WRITE : BA108D1F

21:59:59:995 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_EA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_EA : 804F4562

21:59:59:995 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

21:59:59:995 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

21:59:59:995 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

21:59:59:995 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

21:59:59:995 1976 IRP_MJ_SHUTDOWN : BA1092E2

21:59:59:995 1976 IRP_MJ_LOCK_CONTROL : 804F4562

21:59:59:995 1976 IRP_MJ_CLEANUP : 804F4562

21:59:59:995 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_SET_SECURITY : 804F4562

21:59:59:995 1976 IRP_MJ_POWER : BA10AC82

21:59:59:995 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

21:59:59:995 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

21:59:59:995 1976 IRP_MJ_QUERY_QUOTA : 804F4562

21:59:59:995 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: Disk

22:00:00:011 1976 IRP_MJ_CREATE : BA10EBB0

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : BA10EBB0

22:00:00:011 1976 IRP_MJ_READ : BA108D1F

22:00:00:011 1976 IRP_MJ_WRITE : BA108D1F

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

22:00:00:011 1976 IRP_MJ_SHUTDOWN : BA1092E2

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : BA10AC82

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: usbstor

22:00:00:011 1976 IRP_MJ_CREATE : AAEA2218

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : AAEA2218

22:00:00:011 1976 IRP_MJ_READ : AAEA223C

22:00:00:011 1976 IRP_MJ_WRITE : AAEA223C

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_DEVICE_CONTROL : AAEA2180

22:00:00:011 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : AAE9D9E6

22:00:00:011 1976 IRP_MJ_SHUTDOWN : 804F4562

22:00:00:011 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:011 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:011 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:011 1976 IRP_MJ_POWER : AAEA15F0

22:00:00:011 1976 IRP_MJ_SYSTEM_CONTROL : AAE9FA6E

22:00:00:011 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:011 1976 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

22:00:00:011 1976

22:00:00:011 1976 Driver Name: Disk

22:00:00:011 1976 IRP_MJ_CREATE : BA10EBB0

22:00:00:011 1976 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

22:00:00:011 1976 IRP_MJ_CLOSE : BA10EBB0

22:00:00:011 1976 IRP_MJ_READ : BA108D1F

22:00:00:011 1976 IRP_MJ_WRITE : BA108D1F

22:00:00:011 1976 IRP_MJ_QUERY_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_QUERY_EA : 804F4562

22:00:00:011 1976 IRP_MJ_SET_EA : 804F4562

22:00:00:011 1976 IRP_MJ_FLUSH_BUFFERS : BA1092E2

22:00:00:011 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

22:00:00:011 1976 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

22:00:00:027 1976 IRP_MJ_DIRECTORY_CONTROL : 804F4562

22:00:00:027 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

22:00:00:027 1976 IRP_MJ_DEVICE_CONTROL : BA1093BB

22:00:00:027 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

22:00:00:027 1976 IRP_MJ_SHUTDOWN : BA1092E2

22:00:00:027 1976 IRP_MJ_LOCK_CONTROL : 804F4562

22:00:00:027 1976 IRP_MJ_CLEANUP : 804F4562

22:00:00:027 1976 IRP_MJ_CREATE_MAILSLOT : 804F4562

22:00:00:027 1976 IRP_MJ_QUERY_SECURITY : 804F4562

22:00:00:027 1976 IRP_MJ_SET_SECURITY : 804F4562

22:00:00:027 1976 IRP_MJ_POWER : BA10AC82

22:00:00:027 1976 IRP_MJ_SYSTEM_CONTROL : BA10F99E

22:00:00:027 1976 IRP_MJ_DEVICE_CHANGE : 804F4562

22:00:00:027 1976 IRP_MJ_QUERY_QUOTA : 804F4562

22:00:00:027 1976 IRP_MJ_SET_QUOTA : 804F4562

22:00:00:027 1976 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

22:00:00:027 1976

22:00:00:027 1976 Driver Name: iaStor

22:00:00:027 1976 IRP_MJ_CREATE : 899C5AC8

22:00:00:027 1976 IRP_MJ_CREATE_NAMED_PIPE : 899C5AC8

22:00:00:027 1976 IRP_MJ_CLOSE : 899C5AC8

22:00:00:027 1976 IRP_MJ_READ : 899C5AC8

22:00:00:027 1976 IRP_MJ_WRITE : 899C5AC8

22:00:00:027 1976 IRP_MJ_QUERY_INFORMATION : 899C5AC8

22:00:00:027 1976 IRP_MJ_SET_INFORMATION : 899C5AC8

22:00:00:027 1976 IRP_MJ_QUERY_EA : 899C5AC8

22:00:00:027 1976 IRP_MJ_SET_EA : 899C5AC8

22:00:00:027 1976 IRP_MJ_FLUSH_BUFFERS : 899C5AC8

22:00:00:027 1976 IRP_MJ_QUERY_VOLUME_INFORMATION : 899C5AC8

22:00:00:027 1976 IRP_MJ_SET_VOLUME_INFORMATION : 899C5AC8

22:00:00:027 1976 IRP_MJ_DIRECTORY_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_FILE_SYSTEM_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_DEVICE_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_INTERNAL_DEVICE_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_SHUTDOWN : 899C5AC8

22:00:00:027 1976 IRP_MJ_LOCK_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_CLEANUP : 899C5AC8

22:00:00:027 1976 IRP_MJ_CREATE_MAILSLOT : 899C5AC8

22:00:00:027 1976 IRP_MJ_QUERY_SECURITY : 899C5AC8

22:00:00:027 1976 IRP_MJ_SET_SECURITY : 899C5AC8

22:00:00:027 1976 IRP_MJ_POWER : 899C5AC8

22:00:00:027 1976 IRP_MJ_SYSTEM_CONTROL : 899C5AC8

22:00:00:027 1976 IRP_MJ_DEVICE_CHANGE : 899C5AC8

22:00:00:027 1976 IRP_MJ_QUERY_QUOTA : 899C5AC8

22:00:00:027 1976 IRP_MJ_SET_QUOTA : 899C5AC8

22:00:00:027 1976 Driver "iaStor" infected by TDSS rootkit!

22:00:00:027 1976 C:\WINDOWS\system32\drivers\tsk1ED.tmp - Verdict: 3

22:00:00:027 1976

22:00:00:027 1976 Completed

22:00:00:027 1976

22:00:00:027 1976 Results:

22:00:00:027 1976 Memory objects infected / cured / cured on reboot: 1 / 0 / 0

22:00:00:027 1976 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

22:00:00:027 1976 File objects infected / cured / cured on reboot: 0 / 0 / 0

22:00:00:027 1976

22:00:00:027 1976 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

22:00:00:027 1976 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

22:00:00:027 1976 UnloadDriverW: NtUnloadDriver error 1

22:00:00:027 1976 KLMD(ARK) unloaded successfully

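The kernel-memory section of the log above is what the "infected by TDSS rootkit" verdict rests on: disk.sys and usbstor serve a handful of IRP_MJ slots from their own image and leave the rest on one shared kernel address (804F4562), while every one of iaStor's 27 slots points to 899C5AC8. The Python below is an added example, not part of the thread or of TDSSKiller: it parses blocks in the posted layout and flags that single-handler pattern; the sample log it carries is constructed from the addresses in the posted log, and the image-range check it mentions is left out because the log does not carry module addresses.

```python
"""Triage of the "Scanning Kernel memory" blocks of a TDSSKiller log (added example).
Each block lists which routine every IRP_MJ_* dispatch slot of one driver object
points to.  A healthy driver serves a few slots from its own image and leaves the
rest on the kernel's shared stub for unimplemented requests.  TDL3/TDSS hijacks a
storage miniport (iaStor in the posted log) by pointing every slot at one routine
outside the driver image; that uniform table is the "infected by TDSS rootkit" hit.
"""
import re
from collections import Counter

# The 27 slots TDSSKiller prints, in its order (IRP_MJ_PNP is not listed).
IRP_MJ_ORDER = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE", "QUERY_INFORMATION",
    "SET_INFORMATION", "QUERY_EA", "SET_EA", "FLUSH_BUFFERS",
    "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION", "DIRECTORY_CONTROL",
    "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL", "INTERNAL_DEVICE_CONTROL", "SHUTDOWN",
    "LOCK_CONTROL", "CLEANUP", "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY",
    "POWER", "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA",
]
# "<time> <pid> Driver Name: X"  and  "<time> <pid> IRP_MJ_X : ADDR"
_DRIVER_RE = re.compile(r"^\S+\s+\S+\s+Driver Name:\s+(\S+)\s*$")
_IRP_RE = re.compile(r"^\S+\s+\S+\s+IRP_MJ_(\w+)\s*:\s*([0-9A-Fa-f]{8})\s*$")


def parse_blocks(log_text):
    """Return {driver_name_lower: {slot: handler_addr}}.  A driver appears once per
    device object (usbstor has seven blocks in the post); the table belongs to the
    driver object, so the repeated blocks just overwrite the same entry."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = _DRIVER_RE.match(line)
        if m:
            current = tables.setdefault(m.group(1).lower(), {})
            continue
        m = _IRP_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).upper()
    return tables


def shared_default_handler(tables):
    """Address used by the most drivers: the kernel stub for unimplemented slots.
    Votes are per driver, not per slot, so a hijacked driver whose 27 slots all
    point at one rogue address cannot outvote the genuine default."""
    votes = Counter(a for t in tables.values() for a in set(t.values()))
    return votes.most_common(1)[0][0] if votes else None


def assess(table, default_handler):
    """Classify one dispatch table as (verdict, detail).
    'single-handler' is what TDSSKiller flagged on iaStor: every slot, including
    ones a storage miniport never serves (CREATE_NAMED_PIPE, QUERY_EA, ...), goes
    to one address that is not the shared default.  A pass-through filter driver
    can look alike, so confirm the address lies outside the driver's image before
    calling it a hook (that needs the module list, which this log does not carry).
    """
    if not table:
        return ("empty", "no IRP_MJ lines parsed")
    addrs = set(table.values())
    if len(addrs) == 1:
        (only,) = addrs
        if only == default_handler:
            return ("stub", "every slot on the shared default handler")
        return ("single-handler", f"all {len(table)} slots -> {only}")
    own = addrs - {default_handler}
    on_default = sum(1 for a in table.values() if a == default_handler)
    return ("normal", f"{len(own)} own routine(s), {on_default} slot(s) on default")


def triage(log_text):
    """Parse a whole log and classify every driver block in it."""
    tables = parse_blocks(log_text)
    default = shared_default_handler(tables)
    return {name: assess(table, default) for name, table in tables.items()}


def _block(name, handlers, default, stamp="22:00:00:027 1976"):
    """Render one block in TDSSKiller's layout (constructed sample data)."""
    lines = [f"{stamp} Driver Name: {name}"]
    lines += [f"{stamp} IRP_MJ_{mj} : {handlers.get(mj, default)}" for mj in IRP_MJ_ORDER]
    return "\n".join(lines)


# Constructed sample: slot addresses copied from the posted log; 804F4562 is the
# address every unimplemented slot showed there.
DEFAULT = "804F4562"
SAMPLE_LOG = "\n".join([
    _block("Disk", {"CREATE": "BA10EBB0", "CLOSE": "BA10EBB0", "READ": "BA108D1F",
                    "WRITE": "BA108D1F", "FLUSH_BUFFERS": "BA1092E2", "SHUTDOWN": "BA1092E2",
                    "DEVICE_CONTROL": "BA1093BB", "INTERNAL_DEVICE_CONTROL": "BA10CF28",
                    "POWER": "BA10AC82", "SYSTEM_CONTROL": "BA10F99E"}, DEFAULT),
    _block("usbstor", {"CREATE": "AAEA2218", "CLOSE": "AAEA2218", "READ": "AAEA223C",
                       "WRITE": "AAEA223C", "DEVICE_CONTROL": "AAEA2180", "POWER": "AAEA15F0",
                       "INTERNAL_DEVICE_CONTROL": "AAE9D9E6", "SYSTEM_CONTROL": "AAE9FA6E"}, DEFAULT),
    # iaStor as posted: all 27 slots point at 899C5AC8
    _block("iaStor", {mj: "899C5AC8" for mj in IRP_MJ_ORDER}, DEFAULT),
])
```

Feed it the text of a real TDSSKiller log with `triage(open(path).read())`; blank lines and the other log sections are ignored by the two patterns.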

Hi,

Let's proceed :)

First,

Copy File.

  • Open Notepad.exe
  • Copy and paste below code into the notepad.
    COPY /Y C:\WINDOWS\OemDir\iaStor.sys c:\iaStor.sys
    COPY /Y C:\WINDOWS\system32\dllcache\redbook.sys c:\redbook.sys
    DEL %0


  • Click on File > Save As
    Save in : Desktop
    File name : xixo.bat
    Save as type : All Files
  • It will look like this :
    [screenshot: batqb.jpg]
  • Double click on xixo.bat and the batch file will perform the task and auto delete itself.

Next,

Avenger2

Download Avenger by Swandog and unzip it to your Desktop.

Note: This programme must be run from an account with Administrator privileges.

  • Open the Avenger folder and double click Avenger.exe to launch the programme.
  • Copy the text in the code box below and Paste it into the Input script here: box.

Files to move:
c:\iaStor.sys | C:\WINDOWS\system32\drivers\iaStor.sys
c:\redbook.sys | C:\WINDOWS\system32\DRIVERS\redbook.sys

Note: the above code was created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system.

  • Ensure the following:
    • Scan for Rootkits is checked.
    • Automatically disable any rootkits found is Unchecked.

  • Press the Execute key.
  • Avenger will now process the script you've pasted (this may involve more than one re-boot); when finished it will produce a log file.
  • Post the log back here please. (It can also be found at C:\avenger.txt.)

Next,

GMER.

Please run GMER again and provide the log.

Next,

Checklist.

Please post.

  • Content of avenger.txt
  • Content of GMER.txt


I'm not sure I like this GMER program. I'm going to have to explain this to you...

- Did the xixo.bat. Worked fine.

- Did the avenger.exe. Worked fine. Log file below (after GMER info).

- Now, to gmer..

-1 It crashed and re-booted the computer on its own the first time, about 2 hrs in.

-2 Re-ran the program. It seemed to finish. There were no more files being scanned at the bottom. This took 3 hrs instead of 5 hrs, but there wasn't nearly as much stuff as before in the dialog box. The computer froze up while trying to save the log file, so I lost the log information. Had to re-boot myself.

-3 Ran the program a 3rd time. It immediately finds something in red that it states is a suspected rootkit that it did not find before. (It is noted below)

-3a. Program runs for 3 hours, the last 2 hrs of which it seems snagged on "SOFTWARE\Classes/asf", and will not move. I'm thinking it is frozen, so I try to quit, but I get a warning box telling me it's still running, so I let it go even though there is no indication it actually is running. (It is still there, as I write this.)

-3b. The only two items in the box are...

TYPE NAME VALUE

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8610380,0x34C81F,0xE8000020]

Service C:\WINDOWS\system32\svchost.exe (***hidden***) [AUTO]BITS

And that was/is it. The part shown in red really is in red. I hope this helps, but I don't know.

Ok, now the Avenger log:

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "c:\iaStor.sys|C:\WINDOWS\system32\drivers\iaStor.sys" completed successfully.

File move operation "c:\redbook.sys|C:\WINDOWS\system32\DRIVERS\redbook.sys" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Hi,

Try this.

First,

ATF by Atribune

Please download HERE and save to the desktop. Double-click ATF Cleaner.exe to open it.

Under Main choose:

  • choose: Select All
    Click the Empty Selected button.

If you use Firefox:

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

Next,

Kaspersky Online AV Scan

Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.

  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases

  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply.

Next,

Checklist.

Please post.

  • Content of kaspersky scan log


ATF Cleaner worked fine.

Kaspersky worked fine. I have a note in the middle of the report that will explain why I stopped the scan.

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0: scan report

Thursday, April 15, 2010

Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Last database update: Thursday, April 15, 2010 01:07:18

Records in database: 3945038

--------------------------------------------------------------------------------

Scan settings:

scan using the following database: extended

Scan archives: yes

Scan e-mail databases: yes

Scan area - My Computer:

C:\

D:\

E:\

F:\

G:\

H:\

I:\

J:\

K:\

L:\

M:\

N:\

O:\

Scan statistics:

Objects scanned: 306645

Threats found: 2

Infected objects found: 19

Suspicious objects found: 0

Scan duration: 05:09:25

File name / Threat / Threats count

C:\PROGRAMS\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

C:\Qoobox\Quarantine\C\Documents and Settings\Administrator\Local Settings\Application Data\ave.exe.vir Infected: Packed.Win32.Katusha.j 1

C:\WINDOWS\Downloaded Installations\{C9FA30CE-41FA-4178-877E-13F88828DC63}\Powerprint Request v.5.5.126.msi Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

My note: The following files are on external hard drives that are from older computers. These files pre-date, by a large time frame, the current issues. I hope I have not caused any problems by doing this, but I deleted these files and directories. They are of no use to me anyway. The files above are still there, and I guess more relevant.

I stopped the scan for two reasons... 1) It was into the "L" drive, meaning the "C" drive had long since been done, which is where all our previous efforts have been, and 2) A Windows Automatic Update was actually working and was about to reboot the computer itself anyway. I take this as a good sign, though after it re-booted I was still unable to open the Windows Automatic Update program itself, so that has not changed.

K:\KDB\Programs\Acad\SetupRequester.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Programs-Old\Work\PowerPrint55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Programs-Old\Work\PP55126_Request.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Work\Acad-2008\KipDrivers-2007(2008)\KIPRequest_v6.2.5.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Work\Acad-2008\KipDrivers-2007(2008)\KIPRequest_v6.2.5.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Work\Acad-Misc\KipDrivers\PP55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Work\Powerprint Programs\PowerPrint55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

K:\KDB\Work\Powerprint Programs\PP55126_Request.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Programs\Acad\SetupRequester.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Programs-Old\Work\PowerPrint55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Programs-Old\Work\PP55126_Request.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Work\Acad-2008\KipDrivers-2007(2008)\KIPRequest_v6.2.5.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Work\Acad-2008\KipDrivers-2007(2008)\KIPRequest_v6.2.5.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Work\Acad-Misc\KipDrivers\PP55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Work\Powerprint Programs\PowerPrint55126_Request.zip Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

L:\KDB\Work\Powerprint Programs\PP55126_Request.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 1

Scanning stopped by the user.


Hi,

Let's proceed.

I hope that this time GMER's scan will not take so long and will not crash.

First,

MBAM - clean

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer <-Important.
  • Download from HERE and run the utility.
  • It will ask to restart your computer (please allow it to).

Next,

Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware here and save to the desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    Update Malwarebytes' Anti-Malware
    Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
    [screenshot: mbam1.png]
  • Refer to above image and then click Remove Selected to proceed.
  • When completed, a log will open in Notepad. Please copy and paste the log back into your next reply

Note:

  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Or via the Logs tab when Malwarebytes' Anti-Malware is started.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.

Click OK to either and let MBAM proceed with the disinfection process.

If asked to restart the computer, please do so. Failure to reboot will prevent MBAM from removing all the malware.

Next,

TDSSKiller

Please run it again.

Next,

GMER

Important: Please refer to the previous instructions I gave you on how to save the log.

Run a new scan with GMER and leave Sections checked (there is a new version of this virus out).

[screenshot: Gmer_initScan2.gif]

  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections <--leave this checked please
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)

Next,

Checklist.

Please post.

  • Content of MBAM log
  • Content of tdsskiller.txt
  • Content of GMER.txt


First,

MBAM - clean

  • Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
  • Restart your computer <-Important.
  • Download from HERE and run the utility.
  • It will ask to restart your computer (please allow it to).

Did not work. When I run mbam-clean.exe I get a "SHGetValue failed with error code 0" box. I did not proceed beyond this as it seemed pointless to install mbam again if the old version was still lingering.


I have to ask... Are we making any progress?

Here's the log files...

15:51:53:046 0580 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04

15:51:53:046 0580 ================================================================================

15:51:53:046 0580 SystemInfo:

15:51:53:046 0580 OS Version: 5.1.2600 ServicePack: 3.0

15:51:53:046 0580 Product type: Workstation

15:51:53:046 0580 ComputerName: OWNER-C117E8A61

15:51:53:046 0580 UserName: Owner

15:51:53:046 0580 Windows directory: C:\WINDOWS

15:51:53:046 0580 Processor architecture: Intel x86

15:51:53:046 0580 Number of processors: 2

15:51:53:046 0580 Page size: 0x1000

15:51:53:046 0580 Boot type: Normal boot

15:51:53:046 0580 ================================================================================

15:51:53:046 0580 UnloadDriverW: NtUnloadDriver error 2

15:51:53:046 0580 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2

15:51:53:062 0580 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system

15:51:53:062 0580 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:51:53:062 0580 wfopen_ex: Trying to KLMD file open

15:51:53:062 0580 wfopen_ex: File opened ok (Flags 2)

15:51:53:062 0580 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software

15:51:53:062 0580 wfopen_ex: MyNtCreateFileW error 32 (C0000043)

15:51:53:062 0580 wfopen_ex: Trying to KLMD file open

15:51:53:062 0580 wfopen_ex: File opened ok (Flags 2)

15:51:53:062 0580 Initialize success

15:51:53:062 0580

15:51:53:062 0580 Scanning Services ...

15:51:53:109 0580 Raw services enum returned 323 services

15:51:53:109 0580

15:51:53:109 0580 Scanning Kernel memory ...

15:51:53:109 0580 Devices to scan: 18

15:51:53:109 0580

15:51:53:109 0580 Driver Name: Disk

15:51:53:109 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:109 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:109 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:109 0580 IRP_MJ_READ : BA108D1F

15:51:53:109 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:109 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:109 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:109 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:109 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:109 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:109 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:109 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:109 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:109 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:109 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:109 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:109 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:109 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:109 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:109 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:109 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:109 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:109 0580 IRP_MJ_POWER : BA10AC82

15:51:53:109 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:109 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:109 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:109 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:140 0580 Driver Name: Disk

15:51:53:140 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:140 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:140 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:140 0580 IRP_MJ_READ : BA108D1F

15:51:53:140 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:140 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:140 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:140 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:140 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:140 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:140 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:140 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:140 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:140 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:140 0580 IRP_MJ_POWER : BA10AC82

15:51:53:140 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:140 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:140 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:140 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:140 0580

15:51:53:156 0580 Driver Name: usbstor

15:51:53:156 0580 IRP_MJ_CREATE : B312B218

15:51:53:156 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:156 0580 IRP_MJ_CLOSE : B312B218

15:51:53:156 0580 IRP_MJ_READ : B312B23C

15:51:53:156 0580 IRP_MJ_WRITE : B312B23C

15:51:53:156 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:156 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:156 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:156 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:156 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:156 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:156 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:156 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:156 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:156 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:156 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:156 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:156 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:156 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:156 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:156 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:156 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:156 0580 IRP_MJ_POWER : B312A5F0

15:51:53:156 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:156 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:156 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:156 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:187 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:187 0580

15:51:53:187 0580 Driver Name: usbstor

15:51:53:187 0580 IRP_MJ_CREATE : B312B218

15:51:53:187 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:187 0580 IRP_MJ_CLOSE : B312B218

15:51:53:187 0580 IRP_MJ_READ : B312B23C

15:51:53:187 0580 IRP_MJ_WRITE : B312B23C

15:51:53:187 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:187 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:187 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:187 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:187 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:187 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_POWER : B312A5F0

15:51:53:187 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:187 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:187 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:187 0580

15:51:53:187 0580 Driver Name: usbstor

15:51:53:187 0580 IRP_MJ_CREATE : B312B218

15:51:53:187 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:187 0580 IRP_MJ_CLOSE : B312B218

15:51:53:187 0580 IRP_MJ_READ : B312B23C

15:51:53:187 0580 IRP_MJ_WRITE : B312B23C

15:51:53:187 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:187 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:187 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:187 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:187 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:187 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_POWER : B312A5F0

15:51:53:187 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:187 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:187 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:187 0580

15:51:53:187 0580 Driver Name: usbstor

15:51:53:187 0580 IRP_MJ_CREATE : B312B218

15:51:53:187 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:187 0580 IRP_MJ_CLOSE : B312B218

15:51:53:187 0580 IRP_MJ_READ : B312B23C

15:51:53:187 0580 IRP_MJ_WRITE : B312B23C

15:51:53:187 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:187 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:187 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:187 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:187 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:187 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_POWER : B312A5F0

15:51:53:187 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:187 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:187 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:187 0580

15:51:53:187 0580 Driver Name: usbstor

15:51:53:187 0580 IRP_MJ_CREATE : B312B218

15:51:53:187 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:187 0580 IRP_MJ_CLOSE : B312B218

15:51:53:187 0580 IRP_MJ_READ : B312B23C

15:51:53:187 0580 IRP_MJ_WRITE : B312B23C

15:51:53:187 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:187 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:187 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:187 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:187 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:187 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_POWER : B312A5F0

15:51:53:187 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:187 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:187 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:187 0580

15:51:53:187 0580 Driver Name: usbstor

15:51:53:187 0580 IRP_MJ_CREATE : B312B218

15:51:53:187 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:187 0580 IRP_MJ_CLOSE : B312B218

15:51:53:187 0580 IRP_MJ_READ : B312B23C

15:51:53:187 0580 IRP_MJ_WRITE : B312B23C

15:51:53:187 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:187 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:187 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:187 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:187 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:187 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:187 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:187 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:187 0580 IRP_MJ_POWER : B312A5F0

15:51:53:187 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:187 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:187 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:187 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:203 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:203 0580

15:51:53:203 0580 Driver Name: usbstor

15:51:53:203 0580 IRP_MJ_CREATE : B312B218

15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:203 0580 IRP_MJ_CLOSE : B312B218

15:51:53:203 0580 IRP_MJ_READ : B312B23C

15:51:53:203 0580 IRP_MJ_WRITE : B312B23C

15:51:53:203 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:203 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:203 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:203 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:203 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:203 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_POWER : B312A5F0

15:51:53:203 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:203 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:203 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:203 0580

15:51:53:203 0580 Driver Name: Disk

15:51:53:203 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:203 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:203 0580 IRP_MJ_READ : BA108D1F

15:51:53:203 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:203 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:203 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:203 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:203 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:203 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:203 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:203 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_POWER : BA10AC82

15:51:53:203 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:203 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:203 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:203 0580

15:51:53:203 0580 Driver Name: usbstor

15:51:53:203 0580 IRP_MJ_CREATE : B312B218

15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:203 0580 IRP_MJ_CLOSE : B312B218

15:51:53:203 0580 IRP_MJ_READ : B312B23C

15:51:53:203 0580 IRP_MJ_WRITE : B312B23C

15:51:53:203 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:203 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : B312B180

15:51:53:203 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B31269E6

15:51:53:203 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:203 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:203 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_POWER : B312A5F0

15:51:53:203 0580 IRP_MJ_SYSTEM_CONTROL : B3128A6E

15:51:53:203 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:203 0580 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1

15:51:53:203 0580

15:51:53:203 0580 Driver Name: Disk

15:51:53:203 0580 IRP_MJ_CREATE : BA10EBB0

15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:203 0580 IRP_MJ_CLOSE : BA10EBB0

15:51:53:203 0580 IRP_MJ_READ : BA108D1F

15:51:53:203 0580 IRP_MJ_WRITE : BA108D1F

15:51:53:203 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:203 0580 IRP_MJ_FLUSH_BUFFERS : BA1092E2

15:51:53:203 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB

15:51:53:203 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : BA10CF28

15:51:53:203 0580 IRP_MJ_SHUTDOWN : BA1092E2

15:51:53:203 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:203 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_POWER : BA10AC82

15:51:53:203 0580 IRP_MJ_SYSTEM_CONTROL : BA10F99E

15:51:53:203 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:203 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1

15:51:53:203 0580

15:51:53:203 0580 Driver Name: iaStor

15:51:53:203 0580 IRP_MJ_CREATE : B9E82FBA

15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562

15:51:53:203 0580 IRP_MJ_CLOSE : B9E82FBA

15:51:53:203 0580 IRP_MJ_READ : 804F4562

15:51:53:203 0580 IRP_MJ_WRITE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_EA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_EA : 804F4562

15:51:53:203 0580 IRP_MJ_FLUSH_BUFFERS : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562

15:51:53:203 0580 IRP_MJ_DIRECTORY_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : B9E808E8

15:51:53:203 0580 IRP_MJ_INTERNAL_DEVICE_CONTROL : B9E7E002

15:51:53:203 0580 IRP_MJ_SHUTDOWN : 804F4562

15:51:53:203 0580 IRP_MJ_LOCK_CONTROL : 804F4562

15:51:53:203 0580 IRP_MJ_CLEANUP : 804F4562

15:51:53:203 0580 IRP_MJ_CREATE_MAILSLOT : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_SET_SECURITY : 804F4562

15:51:53:203 0580 IRP_MJ_POWER : B9E79FBC

15:51:53:203 0580 IRP_MJ_SYSTEM_CONTROL : B9E7950A

15:51:53:203 0580 IRP_MJ_DEVICE_CHANGE : 804F4562

15:51:53:203 0580 IRP_MJ_QUERY_QUOTA : 804F4562

15:51:53:203 0580 IRP_MJ_SET_QUOTA : 804F4562

15:51:53:234 0580 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1

15:51:53:234 0580

15:51:53:234 0580 Completed

15:51:53:234 0580

15:51:53:234 0580 Results:

15:51:53:234 0580 Memory objects infected / cured / cured on reboot: 0 / 0 / 0

15:51:53:234 0580 Registry objects infected / cured / cured on reboot: 0 / 0 / 0

15:51:53:234 0580 File objects infected / cured / cured on reboot: 0 / 0 / 0

15:51:53:234 0580

15:51:53:234 0580 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system

15:51:53:234 0580 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software

15:51:53:234 0580 KLMD(ARK) unloaded successfully

---------------------

GMER 1.0.15.15281 - http://www.gmer.net

Rootkit scan 2010-04-15 22:11:54

Windows 5.1.2600 Service Pack 3

Running: gmer.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kxroraob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8DFF380, 0x34C81F, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device \FileSystem\Cdfs \Cdfs AB5A7400

---- EOF - GMER 1.0.15 ----
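The TDSSKiller kernel-memory scan above lists, for every device object, the owning driver's IRP_MJ dispatch table: each slot is either a driver-private address (the BA10xxxx values for disk.sys) or the kernel-provided default that every driver shares (804F4562 in this log). As an added example that is not part of this thread or of TDSSKiller, the Python below parses that format and applies two defender-side checks that need no symbol information: the private handlers of one driver should all sit inside one image, and every device enumerated for the same driver must report an identical table, because the table lives on the driver object. The sample log, the 1 MiB window and the redirected IRP_MJ_WRITE slot in the last block are constructed for illustration, not taken from the thread.

```python
"""Parse TDSSKiller-style 'Scanning Kernel memory' output and run two simple
dispatch-table hook heuristics over it. Added example; not TDSSKiller's code."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample in the same line format as the log above. The third
# block is deliberately inconsistent with the first (IRP_MJ_WRITE redirected).
SAMPLE_LOG = r"""15:51:53:109 0580 Driver Name: Disk
15:51:53:109 0580 IRP_MJ_CREATE : BA10EBB0
15:51:53:109 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:51:53:109 0580 IRP_MJ_READ : BA108D1F
15:51:53:109 0580 IRP_MJ_WRITE : BA108D1F
15:51:53:109 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:51:53:140 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
15:51:53:140 0580
15:51:53:203 0580 Driver Name: iaStor
15:51:53:203 0580 IRP_MJ_CREATE : B9E82FBA
15:51:53:203 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:51:53:203 0580 IRP_MJ_READ : 804F4562
15:51:53:203 0580 IRP_MJ_WRITE : 804F4562
15:51:53:203 0580 IRP_MJ_DEVICE_CONTROL : B9E808E8
15:51:53:234 0580 C:\WINDOWS\system32\drivers\iaStor.sys - Verdict: 1
15:51:53:234 0580
15:51:53:240 0580 Driver Name: Disk
15:51:53:240 0580 IRP_MJ_CREATE : BA10EBB0
15:51:53:240 0580 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
15:51:53:240 0580 IRP_MJ_READ : BA108D1F
15:51:53:240 0580 IRP_MJ_WRITE : B2FF1000
15:51:53:240 0580 IRP_MJ_DEVICE_CONTROL : BA1093BB
15:51:53:250 0580 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
"""

# "HH:MM:SS:mmm <thread-id> <body>"; the body is what the three rules below see.
LINE_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+[0-9A-Fa-f]+\s*(.*)$")
DRIVER_RE = re.compile(r"^Driver Name:\s*(\S+)$")
HANDLER_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(.+?)\s+-\s+Verdict:\s*(\d+)$")


@dataclass
class DeviceEntry:
    driver: str
    handlers: dict = field(default_factory=dict)  # IRP_MJ_* -> handler address
    image: str = ""                               # path printed on the verdict line
    verdict: int = -1                             # numeric verdict, kept as printed


def parse_kernel_scan(text):
    """One DeviceEntry per 'Driver Name:' block; unrelated log lines are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1).strip()
        if (d := DRIVER_RE.match(body)):
            current = DeviceEntry(driver=d.group(1))
            entries.append(current)
        elif current is not None and (h := HANDLER_RE.match(body)):
            current.handlers[h.group(1)] = int(h.group(2), 16)
        elif current is not None and (v := VERDICT_RE.match(body)):
            current.image, current.verdict = v.group(1), int(v.group(2))
            current = None  # verdict line closes the block
    return entries


def shared_handlers(entries):
    """Addresses present in the tables of two or more different drivers. These
    are the kernel's default handlers (804F4562 above); a hook planted into
    several drivers at once would also land here, which is why the second
    heuristic below compares whole tables instead of relying on this set."""
    owners = defaultdict(set)
    for e in entries:
        for addr in e.handlers.values():
            owners[addr].add(e.driver)
    return {addr for addr, drivers in owners.items() if len(drivers) >= 2}


def find_anomalies(entries, window=0x100000):
    """Heuristic 1: driver-private handlers spread further apart than `window`
    (1 MiB, an assumed upper bound on a storage driver image) suggest that one
    slot points outside the driver. Heuristic 2: the dispatch table belongs to
    the driver object, so every device of one driver must report the same table."""
    shared = shared_handlers(entries)
    findings = []
    for e in entries:
        private = sorted(a for a in e.handlers.values() if a not in shared)
        if private and private[-1] - private[0] > window:
            findings.append(f"{e.driver}: handlers span {private[0]:08X}-{private[-1]:08X}")
    tables = defaultdict(set)
    for e in entries:
        tables[e.driver].add(tuple(sorted(e.handlers.items())))
    for driver, seen in tables.items():
        if len(seen) > 1:
            findings.append(f"{driver}: {len(seen)} different dispatch tables reported")
    return findings


if __name__ == "__main__":
    parsed = parse_kernel_scan(SAMPLE_LOG)
    for finding in find_anomalies(parsed) or ["no anomalies"]:
        print(finding)
```

Run against the real log above, both checks stay quiet: every Disk block carries the same table, and all private handlers of each driver sit within a few KiB of one another. The heuristics cannot prove a driver clean (a hook placed inside the driver's own image, or an inline patch of the handler body, leaves the table untouched), which is why the thread's helper still relies on the tool's own verdicts and on GMER's separate code-section check.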


I have to ask... Are we making any progress?

Good news for you. It's clear. :o

Nice job from you too B)

Ok, I have a question to ask regarding MBAM. It seems like it fails to uninstall.

If you would like to continue, just allow me to consult with my colleague about this error.

If not, I will give the final instructions, as you are set to be free from any malware :D

Regards, and do let me know your decision.


This is indeed good news. Thank you very much for your help.

Yes, I would like to continue and get everything in proper order. What still seems to be remaining...

1) mbam-clean.exe still gets the same error message and will not complete the uninstallation... which means I cannot install a new copy, which I would like. I am fine with you consulting with your colleagues about this.

2) While Windows Updates did do an automatic update last night... which is good... I still get nothing when I click on the icon in Control Panel. I can click on Windows Firewall and it says it's on. When I click on Security Center in Control Panel nothing happens at all. If I recall correctly, this is where I check and set my options for automatic updates, etc., and I would like to have that ability back.

Thanks.


Hi,

Let's proceed.

First,

Dial-A-Fix by DjLizard.

  • Please download Dial-A-Fix from one of the following mirrors:

  • Extract the zip file to your desktop.

  • Double click Dial-a-Fix.exe to start the program.

  • Press the green double checkmark box (Looks like this: checkmark.png)

  • UNcheck Empty Temp Folders, as well as Adjust Time/Date in the prep section. The prep section should then look like this:

    toUncheck.png

  • When the window looks like this, press the GO button in the bottom of the window.

    mainWindow.png

  • Exit/Close Dial-A-Fix

Next,

Reboot

Next,

Please temporarily disable your antivirus.

Next,

Please try MBAM again (start from mbam-clean and get a new copy).

Next,

Checklist.

Please post.

  • Any improvement on the current issue?

This topic is now closed to further replies.