Bagle virus [RESOLVED]


This topic is locked

#1
kifera
Member, 22 posts
I have read one of the threads dedicated to Bagle, and it seems that I have it as well. Due to this, the laptop became disconnected from the internet; I can't connect at all. I can't run SpyBot, AVG or other antivirus programs, as they give error messages. Running SUPERAntiSpyware led to a computer freeze with a stop error screen. I was able to run Malwarebytes, which detected Bagle, but it couldn't remove it permanently.
As I can't connect to the internet, I was not able to rename ComboFix to Combo-Fix, as the system tells me I can't give it this name, but the name ComboFix2 was accepted (shortcut from a memory stick to the desktop).

I am posting the logs in the order I obtained them. Please advise on how to remove the virus. Thank you.


Deckard's System Scanner v20071014.68
Run by NK on 2008-04-26 09:54:15
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 83% (more than 75%).
Total Physical Memory: 503 MiB (512 MiB recommended).

-- HijackThis (run as Nkulik.exe) ----------------------------------------------

Unable to find log (file not found); running clone.
-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-26 09:55:20
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd2.exe
C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\acrotray.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Microsoft ActiveSync\rapimgr.exe
C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\CF7090.exe
C:\ComboFix\nircmd.com
G:\dss.exe
C:\Program Files\Hijackthis\Nkulik.exe
C:\WINDOWS\system32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.192:8080
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O1 - Hosts: 172.16.1.54 antivirus
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: iFormat.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.micros...ntent/opuc3.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145496174593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.ma...ash/swflash.cab
O17 - HKLM\Software\..\Telephony: DomainName = Alghanim.com
O17 - HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: Domain = Alghanim.com
O17 - HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: Domain = Alghanim.com
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: mso-offdap11 - {32505114-5902-49B2-880A-1F7738E5A384} - C:\Program Files\Common Files\Microsoft Shared\Web Components\11\OWC11.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll
O18 - Filter: text/xml - {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPCap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SavRoam - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 12216 bytes


Extra.txt file:

-- Files created between 2008-03-26 and 2008-04-26 -----------------------------

2008-04-26 09:53:29 68096 --a------ C:\WINDOWS\zip.exe
2008-04-26 09:53:29 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-26 09:53:29 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-26 09:53:29 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-26 09:53:29 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-26 09:53:29 98816 --a------ C:\WINDOWS\sed.exe
2008-04-26 09:53:29 80412 --a------ C:\WINDOWS\grep.exe
2008-04-26 09:53:29 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-26 00:18:52 0 d--hs---- C:\FOUND.000
2008-04-25 23:26:25 0 d-------- C:\Program Files\McAfee.com
2008-04-25 23:26:17 0 d-------- C:\Program Files\Common Files\McAfee
2008-04-25 23:26:10 0 d-------- C:\Program Files\McAfee
2008-04-25 23:07:21 0 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 22:28:55 0 d-------- C:\Documents and Settings\nruskulik\Application Data\Malwarebytes
2008-04-25 22:28:16 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:27:58 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 22:17:43 0 d-------- C:\Documents and Settings\nruskulik\Application Data\U3

-- Find3M Report ---------------------------------------------------------------

2008-04-26 04:37:22 12 --a------ C:\WINDOWS\bthservsdp.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-06-01 10:09]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 20:29]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 19:40]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-26 04:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-04-26 04:30]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-09-27 12:37]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-09-27 12:37]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-09-27 12:41]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49]
"TempRemove"="C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" [1998-12-19 11:06]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"@"="" []
"CaISSDT"="C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe" [2006-04-21 14:42]
"eTrustPPAP"="C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe" [2006-04-20 18:17]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-04-26 04:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 16:13]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 15:36]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [2007-02-11 11:16:54]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-20 08:32:06]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2007-06-13 17:23:23]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^IT^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
c:\acer\epm\epm-dm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
C:\Acer\ePM\ePM.exe boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
C:\Acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
HDAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
Alaunch

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
"C:\Program Files\Acer\Acer Arcade\PCMService.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"lanmanworkstation"=2 (0x2)
"W32Time"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.3.70#GLOBAL]
Auto\command- N:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c186efd-12fb-11dd-895a-0013ceec6868}]
AutoRun\command- G:\h2.com
explore\Command- G:\h2.com
open\Command- G:\h2.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2c753e-c6a6-11dc-8953-0016ceefd597}]
AutoRun\command- wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b9e0985-af60-11db-88ca-0013ceec6868}]
Auto\command- F:\setup.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
-- End of Deckard's System Scanner: finished at 2008-04-26 09:55:58 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1.70GHz
Percentage of Memory in Use: 50%
Physical Memory (total/avail): 502.05 MiB / 246.79 MiB
Pagefile Memory (total/avail): 1225.55 MiB / 776.09 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1934.6 MiB

C: is Fixed (FAT32) - 29.23 GiB total, 14.75 GiB free.
D: is Fixed (FAT32) - 23.7 GiB total, 23.57 GiB free.
E: is Fixed (NTFS) - 111.79 GiB total, 34.35 GiB free.
F: is CDROM (CDFS)
G: is Removable (FAT)
W: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - HTS541060G9AT00 - 55.89 GiB - 3 partitions
\PARTITION0 - Unknown - 2.93 GiB
\PARTITION1 (bootable) - Unknown - 29.25 GiB - C:
\PARTITION2 - Unknown - 23.71 GiB - D:

\\.\PHYSICALDRIVE1 - Generic USB Disk USB Device - 111.79 GiB - 1 partition
\PARTITION0 - Installable File System - 111.79 GiB - E:

\\.\PHYSICALDRIVE2 - SanDisk U3 Cruzer Micro USB Device - 1953.22 MiB - 1 partition
\PARTITION0 - MS-DOS V4 Huge - 1952.88 MiB - G:


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.
FirstRunDisabled is set.
AV: Symantec AntiVirus Corporate Edition v10.1.0.394 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\palmOne\\Hotsync.exe"="C:\\Program Files\\palmOne\\Hotsync.exe:*:Enabled:HotSync® Manager Application"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Enabled:javaw"
"C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"="C:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe:*:Enabled:OTI@Home User Interface"
"C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe"="C:\\Program Files\\Common Files\\Nokia\\Service Layer\\nsl_host_process.exe:*:Enabled:Nokia Service Layer Host Process "
"C:\\Program Files\\utorrent\\utorrent.exe"="C:\\Program Files\\utorrent\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"="C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\palmOne\\Hotsync.exe"="C:\\Program Files\\palmOne\\Hotsync.exe:*:Enabled:HotSync® Manager Application"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 7.0"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"="C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe:*:Disabled:javaw"
"C:\\Program Files\\UTORRENT\\utorrent.exe"="C:\\Program Files\\UTORRENT\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\nruskulik\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=CHAHINE-LT3217
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\nruskulik
LOGONSERVER=\\ALGHODC01
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\Intel\Wireless\Bin\;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 13 Stepping 6, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0d06
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\NRUSKU~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\NRUSKU~1\LOCALS~1\Temp
USERDNSDOMAIN=ALGHANIM.COM
USERDOMAIN=AI
USERNAME=Nkulik
USERPROFILE=C:\Documents and Settings\nruskulik
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

IT (admin)
Administrator (new local, admin)
nruskulik (admin)
mchahine (admin)


-- Add/Remove Programs ---------------------------------------------------------

->
--> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Acer Inc.\Acer English Online Help Creator\Uninst.isu"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{13E613EF-BB55-11D9-9D77-000129760D75}\setup.exe" -uninstall
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FC4F90EC-B1DA-11D9-9D77-000129760D75}\setup.exe" -uninstall
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uninstall.exe"
Acer Arcade --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2637C347-9DAD-11D6-9EA2-00055D0CA761}\setup.exe" -uninstall
Acer eManager for Notebook -->
Acer eManager for Notebook --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{827289F5-B44F-4E49-9993-840741585A62}
Acer eNetManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\Setup.exe" -l0x9
Acer ePowerManagement --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\Setup.exe" -l0x9
Acer GridVista --> C:\WINDOWS\UnInst32.exe GridV.UNI
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 7.0 Professional - English, Français, Deutsch -->
Adobe Acrobat 7.0 Professional - English, Français, Deutsch --> msiexec /I {AC76BA86-1033-F400-7760-100000000002}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\UninstFl.exe -q
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Advanced Flash Player --> C:\WINDOWS\iun6002.exe "C:\Program Files\Mohsoft\Advanced Flash Player\irunin.ini"
Available Domains Standard Edition 4.0.3 --> "C:\Program Files\Available Domains Standard\unins000.exe"
CA eTrust PestPatrol Anti-Spyware --> "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\cauninst.exe" /u
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
Crystal Ball 2000 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Crystal Ball\Uninst.isu"
Crystal Ball Tutorial 2.0 --> MsiExec.exe /I{5EEEE1A1-68F6-4D9A-8A1C-F377061F9B59}
DBF Manager (remove only) --> C:\Program Files\DBF Manager\Uninst.exe
Domain Finder Demo --> MsiExec.exe /I{8483B04B-EF40-4F97-8A93-0233CBED274A}
Flash Saving Plugin --> "C:\Program Files\UnH Solutions\Flash Saving Plugin\unins000.exe"
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_AcrS009E\HXFSETUP.EXE -U -IAcrS009E.inf
HDAUDIO Soft Data Fax Modem with SmartCP --> C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFA&SUBSYS_1025008F\HXFSETUP.EXE -U -IAcr008FK.inf
Hijackthis 1.99.1 --> "C:\Program Files\Hijackthis\unins000.exe"
HijackThis 1.99.1 --> C:\Program Files\Hijackthis\HijackThis.exe /uninstall
hp LaserJet 1160/1320 series --> MsiExec.exe /x {7F04B272-E0DD-47E7-8B55-D97483DB0EBD}
HP Software Update --> MsiExec.exe /X{90B5E602-1867-449D-86FD-FC9DEA4434BF}
Intel® Graphics Media Accelerator Driver for Mobile --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2792 PCI\VEN_8086&DEV_2592
Intel® PROSet/Wireless Software --> C:\WINDOWS\Installer\iProInst.exe
Launch Manager --> C:\WINDOWS\UnInst32.exe QtZgAcer.UNI
LiveUpdate 3.0 (Symantec Corporation) --> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
Malwarebytes' Anti-Malware --> "C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
mCore --> MsiExec.exe /I{E81667C6-2856-46D6-ABEA-6A2F42166779}
mDriver --> MsiExec.exe /I{A0F925BF-5C55-44C2-A4E7-5A4C59791C29}
mDrWiFi --> MsiExec.exe /I{F6090A17-0967-4A8A-B3C3-422A1B514D49}
mEoU --> MsiExec.exe /I{B502B428-3386-40A9-98DB-079AAB72E64F}
mHelp --> MsiExec.exe /I{8C6BB412-D3A8-4AAE-A01B-35B681789D68}
Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
mIWA --> MsiExec.exe /I{3E9D596A-61D4-4239-BD19-2DB984D2A16F}
mLogView --> MsiExec.exe /I{0E2B0B41-7E08-4F9F-B21F-41C4133F43B7}
mMHouse --> MsiExec.exe /I{F0BFC7EF-9CF8-44EE-91B0-158884CD87C5}
mPfMgr --> MsiExec.exe /I{8B928BA1-EDEC-4227-A2DA-DD83026C36F5}
mPfWiz --> MsiExec.exe /I{90B0D222-8C21-4B35-9262-53B042F18AF9}
mProSafe --> MsiExec.exe /I{23FB368F-1399-4EAC-817C-4B83ECBE3D83}
mWlsSafe --> MsiExec.exe /I{FCA651F3-5BDA-4DDA-9E4A-5D87D6914CC4}
mXML --> MsiExec.exe /I{9CC89556-3578-48DD-8408-04E66EBEF401}
mZConfig --> MsiExec.exe /I{94658027-9F16-4509-BBD7-A59FE57C3023}
Nokia Connectivity Cable Driver --> MsiExec.exe /X{0FF1922C-B6C4-40BB-AF30-BEF75A482444}
Nokia PC Suite --> MsiExec.exe /I{FF059F2A-62A7-4E6A-B305-559591D2769E}
Nokia Software Updater --> MsiExec.exe /X{DDE986ED-87F8-41AA-A27E-120CAB0700F6}
NTI Backup NOW! 4 -->
NTI Backup NOW! 4 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{385979FE-DC4F-4140-8EAD-A59625000D72} /l1033 BUN4
NTI CD & DVD-Maker -->
NTI CD & DVD-Maker --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
Panda ActiveScan --> C:\WINDOWS\system32\ASUninst.exe Panda ActiveScan
PowerVideoMaker Professional 2.6.6 --> "C:\Program Files\Presentersoft PowerVideoMaker\unins000.exe"
PrintScreen -->
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\setup.exe" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
Skype 3.0 --> "C:\Program Files\Skype\Phone\unins000.exe"
Skype Plugin Manager --> MsiExec.exe /I{3D5E5C0A-5B36-4F98-99A7-287F7DBDCE03}
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
SWF Extractor 2.2 --> "C:\Program Files\GlobFX Technologies\SWF Extractor\unins000.exe"
SWF Opener --> "C:\Program Files\UnH Solutions\SWF Opener\unins000.exe"
Symantec AntiVirus --> MsiExec.exe /I{A011A1DC-7F1D-4EA8-BD11-0C5F9718E428}
Synaptics Pointing Device Driver --> rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
UFDisk Format Tool Uninstaller --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87FB32FC-E7A5-456C-A38B-39D3D9A7B7DB}\setup.exe" -uninst
UltraISO Premium V8.61 --> "C:\Program Files\UltraISO\unins000.exe"
WebFldrs XP -->
Windows Driver Package - Intel (w29n51) net (09/12/2005 9.0.3.9) --> C:\PROGRA~1\DIFX\DPInst.exe /d /u C:\WINDOWS\system32\DRVSTORE\w29n51_B4DB085D140C6265DCA5E78CC26122444CD2D577\w29n51.inf
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
Xvid 1.1.3 final uninstall --> "C:\Program Files\Xvid\unins000.exe"

-- Application Event Log -------------------------------------------------------

Event Record #/Type11009 / Error
Event Submitted/Written: 04/26/2008 03:33:52 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

Event Record #/Type11008 / Error
Event Submitted/Written: 04/26/2008 01:58:44 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

Event Record #/Type11007 / Error
Event Submitted/Written: 04/26/2008 01:58:44 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

Event Record #/Type11003 / Error
Event Submitted/Written: 04/26/2008 00:24:41 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

Event Record #/Type11002 / Error
Event Submitted/Written: 04/26/2008 00:24:41 AM
Event ID/Source: 1054 / Userenv
Event Description:
Windows cannot obtain the domain controller name for your computer network. (The workstation driver is not installed. ). Group Policy processing aborted.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type18999 / Error
Event Submitted/Written: 04/26/2008 00:26:08 AM
Event ID/Source: 7034 / Service Control Manager
Event Description:
The CyberLink Task Scheduler (CTS) service terminated unexpectedly. It has done this 1 time(s).

Event Record #/Type18998 / Error
Event Submitted/Written: 04/26/2008 00:26:08 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Bluetooth Port Client Driver service failed to start due to the following error:
%%2

Event Record #/Type18997 / Error
Event Submitted/Written: 04/26/2008 00:26:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Computer Browser service depends on the Workstation service which failed to start because of the following error:
%%1058

Event Record #/Type18996 / Error
Event Submitted/Written: 04/26/2008 00:26:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Net Logon service depends on the Workstation service which failed to start because of the following error:
%%1058

Event Record #/Type18995 / Error
Event Submitted/Written: 04/26/2008 00:26:08 AM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Wireless Zero Configuration service depends on the NDIS Usermode I/O Protocol service which failed to start because of the following error:
%%1058

-- End of Deckard's System Scanner: finished at 2008-04-26 03:35:03 ------------
#2
kifera
    Member
  • Topic Starter
  • 22 posts
ComboFix 08-04-24.1 - NK 2008-04-26 10:27:12.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.100 [GMT 3:00]
Running from: C:\Documents and Settings\nruskulik\Desktop\Combo-Fix2.exe
Command switches used :: C:\Documents and Settings\nruskulik\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\down
.
((((((((((((((((((((((((( Files Created from 2008-03-26 to 2008-04-26 )))))))))))))))))))))))))))))))
.

2008-04-26 10:13 . 2008-04-26 10:13 <DIR> d-------- C:\Combo-Fix
2008-04-26 10:01 . 2008-04-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 10:00 . 2008-02-24 10:13 113,669 -r-hs---- C:\h2.com
2008-04-26 03:24 . 2008-04-26 03:24 <DIR> d-------- C:\Deckard
2008-04-26 00:18 . 2008-04-26 00:18 <DIR> d--hs---- C:\FOUND.000
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 23:07 . 2008-04-25 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\Malwarebytes
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:27 . 2008-04-25 22:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 22:17 . 2008-04-25 22:17 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 01:20 68,096 ----a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
2008-04-26 01:20 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_10.09.58.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 07:07:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-26 07:19:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 16:13 1207080]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 15:36 25370152]
"XPRepairPro2007"="C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"epm-dm"="c:\acer\epm\epm-dm.exe" [2005-06-01 10:09 741827]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 20:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 19:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-04-26 10:04 53408]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2008-04-26 10:04 124656]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-09-27 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-09-27 12:37 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-09-27 12:41 569413]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"TempRemove"="C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" [1998-12-19 11:06 7680]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-04-26 10:04 582992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [2007-02-11 11:16:54 798720]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-20 08:32:06 389120]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2007-06-13 17:23:23 25214]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^IT^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AzMixerSel]
--a------ 2005-06-11 19:51 53248 C:\Program Files\Realtek\InstallShield\AzMixerSel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-04-26 10:04 53408 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-03 23:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPM-DM]
--a------ 2005-06-01 10:09 741827 c:\acer\epm\epm-dm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePowerManagement]
--a------ 2005-03-15 10:03 2893824 C:\Acer\ePM\ePM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2008-04-26 04:31 385024 C:\Acer\Empowering Technology\eRecovery\Monitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--a------ 2005-07-18 20:06 77824 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--a------ 2005-07-18 20:10 114688 C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--a------ 2005-07-18 20:09 94208 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 05:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
--a------ 2005-10-11 14:04 462848 C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2005-08-31 19:59 147456 C:\Program Files\Acer\Acer Arcade\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2005-08-09 15:17 14743552 C:\WINDOWS\RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
--a------ 2007-01-29 15:36 25370152 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2004-10-08 14:43 688218 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPLpr]
--a------ 2004-10-08 14:44 98394 C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
--a------ 2008-04-26 10:04 124656 C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"lanmanworkstation"=2 (0x2)
"W32Time"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\UTORRENT\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.3.70#GLOBAL]
\Shell\Auto\command - N:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2c753e-c6a6-11dc-8953-0016ceefd597}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b9e0985-af60-11db-88ca-0013ceec6868}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 10:28:34
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|5\01\00À\00\00\00\00\0c\00\00\00D\00\00\00\00\00R\02\18î|\00\00\00\00~\00\00\00¨-
[\02’“€|~\00\00\00x\01\15\00€è\13\00E\1d€|ö\1b"

.
Completion time: 2008-04-26 10:29:00
ComboFix-quarantined-files.txt 2008-04-26 07:29:00
ComboFix2.txt 2008-04-26 07:10:38

Pre-Run: 15,397,453,824 bytes free
Post-Run: 15,393,390,592 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

195



********************************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:01, on 2008-04-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe
C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\CF7090.exe
C:\ComboFix\nircmd.com
C:\PROGRA~1\HIJACK~1\Nkulik.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.192:8080
O1 - Hosts: 172.16.1.54 antivirus
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [epm-dm] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [CaISSDT] "C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe"
O4 - HKLM\..\Run: [eTrustPPAP] "C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [XPRepairPro2007] C:\Program Files\XP Repair Pro 2007\XPRepairPro.exe /r
O4 - HKCU\..\Run: [kava] C:\WINDOWS\system32\kavo.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: iFormat.lnk = C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145496174593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Alghanim.com
O17 - HKLM\Software\..\Telephony: DomainName = Alghanim.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Alghanim.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10117 bytes

#3
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Delete ComboFix.exe and the folders C:\ComboFix and C:\qoobox then do this


Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console, read http://support.microsoft.com/kb/314058. Once you install the Recovery Console, when you reboot your computer, right after reboot, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#4
kifera
  • Topic Starter
  • Member
  • 22 posts
I have followed your instructions, deleted and re-launched ComboFix, and here are new logs:


ComboFix 08-04-24.1 - Nkulik 2008-04-28 22:26:43.5 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.108 [GMT 3:00]
Running from: C:\Documents and Settings\nruskulik\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\drivers\down

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-26 21:23 . 2008-04-26 21:23 <DIR> d-------- C:\Documents and Settings\nruskulik\DoctorWeb
2008-04-26 21:13 . 2008-04-26 21:13 <DIR> d--hs---- C:\FOUND.001
2008-04-26 21:07 . 2008-04-26 05:40 <DIR> d-------- C:\SDFix
2008-04-26 20:32 . 2008-04-26 20:32 <DIR> d-------- C:\Program Files\doc
2008-04-26 10:01 . 2008-04-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 10:00 . 2008-02-24 10:13 113,669 -r-hs---- C:\h2.com
2008-04-26 03:24 . 2008-04-26 03:24 <DIR> d-------- C:\Deckard
2008-04-26 00:18 . 2008-04-26 00:18 <DIR> d--hs---- C:\FOUND.000
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 23:07 . 2008-04-25 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\Malwarebytes
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:27 . 2008-04-25 22:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 22:17 . 2008-04-25 22:17 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 01:20 68,096 ----a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
2008-04-26 01:20 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-02-12 13:14 78,756 ----a-w C:\Program Files\release_notes_kav7.0mp1cf1_en.html
2008-02-08 16:04 72,264 ----a-w C:\Program Files\setup.exe
2008-02-08 16:03 30,529,024 ----a-w C:\Program Files\kav.en.msi
2007-08-02 13:53 536 ----a-w C:\Program Files\setup.reg
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 16:13 1207080]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 15:36 25370152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 20:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 19:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-09-27 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-09-27 12:37 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-09-27 12:41 569413]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"TempRemove"="C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" [1998-12-19 11:06 7680]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-04-26 20:49 582992]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 15:17 14743552 C:\WINDOWS\RTHDCPL.EXE]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-10-11 14:04 462848]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 20:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 20:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 20:06 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2008-04-26 20:49 385024]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03 2893824]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51 53248]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [2007-02-11 11:16:54 798720]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-20 08:32:06 389120]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2007-06-13 17:23:23 25214]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^IT^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\UTORRENT\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.3.70#GLOBAL]
\Shell\Auto\command - N:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2c753e-c6a6-11dc-8953-0016ceefd597}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b9e0985-af60-11db-88ca-0013ceec6868}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 22:27:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|5\01\00À\00\00\00\00\0c\00\00\00D\00\00\00\00\00R\02\18î|\00\00\00\00~\00\00\00¨-
[\02’“€|~\00\00\00x\01\15\00€è\13\00E\1d€|ö\1b"

.
Completion time: 2008-04-28 22:28:15
ComboFix-quarantined-files.txt 2008-04-28 19:28:14

Pre-Run: 15,862,005,760 bytes free
Post-Run: 15,841,542,144 bytes free

144




***************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29, on 2008-04-28
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.192:8080
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: iFormat.lnk = C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1145496174593
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Alghanim.com
O17 - HKLM\Software\..\Telephony: DomainName = Alghanim.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Alghanim.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 10610 bytes

#5
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\system32\dllcache\sysinfo.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
N:\setup.exe
F:\setup.exe
E:\LaunchU3.exe

Folder::
C:\FOUND.001
C:\FOUND.000

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.3.70#GLOBAL]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2c753e-c6a6-11dc-8953-0016ceefd597}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b9e0985-af60-11db-88ca-0013ceec6868}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Reboot and do this


Download NIAP to your desktop and unzip it to its own folder

Close all windows and run NIAP_XRay_FileMgr
  • Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file and System Critical Files and click OK. Save the log to your desktop and let the program run.
  • Exit out of NIAP_XRay_FileMgr


Next run NIAP_XRay_Regedit
  • Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
  • Exit out of NIAP_XRay_Regedit


Finally run NIAP_XRay_System
  • Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run.
  • Once it is done close the program and post the log back here along with the other two logs.

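The MountPoints2 keys that the CFScript above deletes are the ones ComboFix listed under "Reg Loading Points" in the previous reply, together with the two policy values (NoAutoUpdate = 1, EnableFirewall = 0) that show defences were switched off. The following is an added example, not a tool from this thread or from Rorschach112: a small triage script that reads those log lines, explains why each cached autorun command is suspicious, and emits the matching Registry:: block in CFScript syntax. The sample input is constructed from the lines already posted above; the regexes and the flagging rules are my own assumptions about the ComboFix log layout, not something ComboFix documents.

```python
import re

# Constructed sample: registry loading-point lines copied from the ComboFix
# log posted earlier in this thread (trimmed to the relevant keys).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.16.3.70#GLOBAL]
\Shell\Auto\command - N:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b2c753e-c6a6-11dc-8953-0016ceefd597}]
\Shell\AutoRun\command - wd_windows_tools\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b9e0985-af60-11db-88ca-0013ceec6868}]
\Shell\Auto\command - F:\setup.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL setup.exe
"""

# Assumed ComboFix layout: "[key]" header lines, then "\Shell\<verb>\command - <cmd>"
# lines under MountPoints2 keys and '"name"= data (hex)' lines elsewhere.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
CMD_RE = re.compile(r"^\\Shell\\(?P<verb>\w+)\\command - (?P<cmd>.+)$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*(?P<val>\d+)')

# Defence-weakening settings to flag: key suffix -> (value name, bad data, meaning)
POLICY_CHECKS = {
    "windowsupdate\\au": ("noautoupdate", "1", "Automatic Updates disabled by policy"),
    "firewallpolicy\\standardprofile": ("enablefirewall", "0", "Windows Firewall disabled"),
}


def describe_autorun(cmd):
    """Explain why a cached MountPoints2 autorun command deserves attention."""
    reasons = []
    drive = re.match(r"^([A-Za-z]):\\", cmd)
    if drive and drive.group(1).upper() != "C":
        reasons.append("runs from non-system volume %s:" % drive.group(1).upper())
    if "ShellExec_RunDLL" in cmd:
        reasons.append("rundll32 launches an unqualified executable from the volume root")
    elif not drive:
        reasons.append("relative path, resolved against the mounted volume")
    if "setup.exe" in cmd.lower():
        reasons.append("generic setup.exe name, the usual autorun.inf lure")
    return reasons


def triage(log_text):
    """Return (findings, autorun_keys) for a ComboFix 'Reg Loading Points' dump."""
    findings, autorun_keys, current_key = [], [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        if current_key is None:
            continue
        key_lower = current_key.lower()
        if "\\mountpoints2\\" in key_lower:
            m = CMD_RE.match(line)
            if m:
                findings.append({"kind": "autorun", "key": current_key,
                                 "verb": m.group("verb"), "command": m.group("cmd"),
                                 "reasons": describe_autorun(m.group("cmd"))})
                if current_key not in autorun_keys:
                    autorun_keys.append(current_key)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        for suffix, (name, bad, meaning) in POLICY_CHECKS.items():
            if key_lower.endswith(suffix) and m.group("name").lower() == name and m.group("val") == bad:
                findings.append({"kind": "policy", "key": current_key, "detail": meaning})
    return findings, autorun_keys


def cfscript_registry_section(keys):
    """Build the Registry:: block of a ComboFix CFScript; '[-key]' deletes the key."""
    return "Registry::\n" + "".join("[-%s]\n" % k for k in keys)


if __name__ == "__main__":
    found, keys = triage(SAMPLE_LOG)
    for f in found:
        print(f)
    print(cfscript_registry_section(keys))
```

Run stand-alone it prints six autorun findings, the two policy findings, and a four-line Registry:: block identical to the one in the CFScript above. The Auto/AutoRun verbs are cached per volume, so a clean machine still re-runs whatever was on that stick or share the next time it is double-clicked; deleting the keys removes the cached command rather than the file, which is why the File:: section targets the executables separately.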
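A VirusTotal verdict is tied to the hashes the report prints, not to the file name, so before trusting a "0/31" result it is worth confirming that the file still on disk is byte-for-byte the one that was scanned. This added example (mine, not from the thread or from VirusTotal) streams a file once, computes size, MD5, SHA-1 and SHA-256, and compares them field by field against a report. The VT_REPORT_SYSINFO values are copied from the report posted in the next reply; the sample file written by write_constructed_sample is constructed for the demonstration and is not the real sysinfo.exe.

```python
import hashlib
import os
import tempfile

# Values VirusTotal reported for the sysinfo.exe submission in this thread
# (copied from the page). The file itself is not part of this example.
VT_REPORT_SYSINFO = {
    "size": 68096,
    "md5": "62e1b537f1df9edadccd77105f51b9ab",
    "sha1": "0851f5488b7f7234d86e4851833a72597f6f2c47",
    "sha256": "552a7a91ce3779250e3e954508e7af4c95425523fddca626af031c43223fcd66",
}


def file_digests(path, chunk_size=1 << 16):
    """Stream the file once and return its size plus md5/sha1/sha256 hex digests."""
    hashers = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            for h in hashers.values():
                h.update(chunk)
    out = {name: h.hexdigest() for name, h in hashers.items()}
    out["size"] = size
    return out


def compare_with_report(path, report):
    """Field-by-field match of a local file against a VirusTotal-style report."""
    actual = file_digests(path)
    return {field: actual.get(field) == expected for field, expected in report.items()}


def matches_report(path, report):
    """True only when every field in the report matches the local file."""
    return all(compare_with_report(path, report).values())


def write_constructed_sample(data):
    """Write constructed bytes to a temp file and return its path (demo helper)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample(b"abc")
    # Every field is False: the constructed sample is not the scanned sysinfo.exe.
    print(compare_with_report(sample, VT_REPORT_SYSINFO))
    os.remove(sample)
```

Checking the size alongside the digests catches the common case where a copy was truncated or padded; any single mismatch means the report says nothing about the file in hand and it has to be resubmitted.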

#6
kifera
  • Topic Starter
  • Member
  • 22 posts
Hi, here are the new logs

File sysinfo.exe received on 04.29.2008 22:19:54 (CET)
Result: 0/31 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2008.4.30.0 2008.04.29 -
AntiVir 7.8.0.10 2008.04.29 -
Authentium 4.93.8 2008.04.27 -
Avast 4.8.1169.0 2008.04.29 -
AVG 7.5.0.516 2008.04.29 -
BitDefender 7.2 2008.04.29 -
CAT-QuickHeal 9.50 2008.04.29 -
ClamAV 0.92.1 2008.04.29 -
DrWeb 4.44.0.09170 2008.04.29 -
eSafe 7.0.15.0 2008.04.28 -
eTrust-Vet 31.3.5744 2008.04.29 -
Ewido 4.0 2008.04.29 -
F-Prot 4.4.2.54 2008.04.28 -
F-Secure 6.70.13260.0 2008.04.29 -
Fortinet 3.14.0.0 2008.04.29 -
Ikarus T3.1.1.26.0 2008.04.29 -
Kaspersky 7.0.0.125 2008.04.29 -
McAfee 5284 2008.04.29 -
Microsoft 1.3408 2008.04.22 -
NOD32v2 3064 2008.04.29 -
Norman 5.80.02 2008.04.29 -
Panda 9.0.0.4 2008.04.29 -
Prevx1 V2 2008.04.29 -
Rising 20.42.12.00 2008.04.29 -
Sophos 4.28.0 2008.04.29 -
Sunbelt 3.0.1056.0 2008.04.17 -
Symantec 10 2008.04.29 -
TheHacker 6.2.92.297 2008.04.29 -
VBA32 3.12.6.5 2008.04.29 -
VirusBuster 4.3.26:9 2008.04.29 -
Webwasher-Gateway 6.6.2 2008.04.29 -
Additional information
File size: 68096 bytes
MD5...: 62e1b537f1df9edadccd77105f51b9ab
SHA1..: 0851f5488b7f7234d86e4851833a72597f6f2c47
SHA256: 552a7a91ce3779250e3e954508e7af4c95425523fddca626af031c43223fcd66
SHA512: 0b6accdda8f2188f785865d06c16fb9c3b397c038d754907fd80efb6a30a689e88ff5c0bd982b761f9452a4e795f0d1403525143f1ab8ec3f0778881cd9813a9
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x100825b
timedatestamp.....: 0x3b7d846f (Fri Aug 17 20:54:07 2001)
machinetype.......: 0x100 (invalid)

( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0xd418 0xd600 6.16 5b865e8842eaa1dd31d147e7af9da41a
.data 0xf000 0x6c 0x200 0.42 e2414457dbea3421dfc9b0e511403761
.tls 0x10000 0x15 0x200 0.00 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 0x11000 0x2b08 0x2c00 3.44 8a4238f2d665f9713e8208e2e27cc296

( 10 imports )
> msvcrt.dll: __setusermatherr, _adjust_fdiv, __p__commode, __p__fmode, __set_app_type, __1type_info@@UAE@XZ, _controlfp, _except_handler3, _terminate@@YAXXZ, __CxxFrameHandler, _iob, __2@YAPAXI@Z, _ui64tow, _wtoi64, _ftol, _wcsicmp, _initterm, __wgetmainargs, __winitenv, calloc, free, wcstod, wcstol, wcsstr, wcsncmp, _wcsnicmp, realloc, fflush, fprintf, wcschr, strtok, exit, _cexit, _XcptFilter, _exit, _c_exit, _CxxThrowException, wcstok, wcslen, wcscpy, __3@YAXPAX@Z
> ADVAPI32.dll: RegQueryValueExW, RegConnectRegistryW, RegOpenKeyExW, RegCloseKey
> KERNEL32.dll: GetConsoleMode, SetConsoleMode, ReadFile, ReadConsoleW, MultiByteToWideChar, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpynW, WideCharToMultiByte, VerSetConditionMask, VerifyVersionInfoW, lstrcmpW, LocalFree, lstrcatW, FormatMessageW, LocalAlloc, InterlockedIncrement, GetStdHandle, lstrcpyW, GetDateFormatW, GetTimeFormatW, InterlockedDecrement, GetLastError, GetConsoleScreenBufferInfo, GetUserDefaultLCID, lstrcmpiW, GetComputerNameExW, FileTimeToSystemTime, GetModuleHandleA, lstrlenW, WriteConsoleW, SetConsoleCursorPosition, SetLastError, GetNumberFormatW, GetLocaleInfoW
> USER32.dll: LoadStringW, CharUpperW, wsprintfW
> MPR.dll: WNetGetLastErrorW, WNetCancelConnection2W
> ole32.dll: CoTaskMemAlloc, CoCreateInstance, CoInitializeSecurity, CoInitializeEx, CoTaskMemFree, CoUninitialize
> OLEAUT32.dll: -, -, -, -, -, -, -, -, -, -, -
> framedyn.dll: _Empty@CHString@@QAEXXZ, _Compare@CHString@@QBEHPBG@Z, __YCHString@@QAEABV0@PBG@Z, _Left@CHString@@QBE_AV1@H@Z, _FindOneOf@CHString@@QBEHPBG@Z, _Find@CHString@@QBEHG@Z, _Mid@CHString@@QBE_AV1@H@Z, __0CHString@@QAE@PBG@Z, _GetData@CHString@@IBEPAUCHStringData@@XZ, __4CHString@@QAEABV0@PBG@Z, __1CHString@@QAE@XZ, __4CHString@@QAEABV0@ABV0@@Z, _Right@CHString@@QBE_AV1@H@Z, __0CHString@@QAE@XZ, _ReleaseBuffer@CHString@@QAEXH@Z, _GetBufferSetLength@CHString@@QAEPAGH@Z, _GetBuffer@CHString@@QAEPAGH@Z, _Mid@CHString@@QBE_AV1@HH@Z, _Format@CHString@@QAAXPBGZZ, __YCHString@@QAEABV0@ABV0@@Z, __H@YG_AVCHString@@PBGABV0@@Z
> Secur32.dll: GetUserNameExW
> WS2_32.dll: -, -, -, -, -

( 0 exports )



***************************

ComboFix 08-04-24.1 - Nkulik 2008-04-29 20:51:04.6 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.254 [GMT 3:00]
Running from: C:\Documents and Settings\nruskulik\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\nruskulik\Desktop\CFScript.txt
* Created a new restore point

FILE ::
E:\LaunchU3.exe
F:\setup.exe
N:\setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\FOUND.000
C:\FOUND.000\FILE0000.CHK
C:\FOUND.001
C:\FOUND.001\FILE0000.CHK

.
((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-29 )))))))))))))))))))))))))))))))
.

2008-04-29 08:15 . 2008-04-29 08:15 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\AVG7
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-28 23:00 . 2008-04-28 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-28 23:00 . 2008-04-28 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-26 21:23 . 2008-04-26 21:23 <DIR> d-------- C:\Documents and Settings\nruskulik\DoctorWeb
2008-04-26 21:07 . 2008-04-26 05:40 <DIR> d-------- C:\SDFix
2008-04-26 20:32 . 2008-04-26 20:32 <DIR> d-------- C:\Program Files\doc
2008-04-26 10:01 . 2008-04-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 03:24 . 2008-04-26 03:24 <DIR> d-------- C:\Deckard
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 23:07 . 2008-04-25 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\Malwarebytes
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:27 . 2008-04-25 22:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 22:17 . 2008-04-25 22:17 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 01:20 68,096 ----a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
2008-04-26 01:20 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-02-12 13:14 78,756 ----a-w C:\Program Files\release_notes_kav7.0mp1cf1_en.html
2008-02-08 16:04 72,264 ----a-w C:\Program Files\setup.exe
2008-02-08 16:03 30,529,024 ----a-w C:\Program Files\kav.en.msi
2007-08-02 13:53 536 ----a-w C:\Program Files\setup.reg
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_22.28.06.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-28 20:00:42 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-04-28 20:00:46 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-04-28 20:00:46 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-04-28 20:00:48 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-04-28 20:00:48 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 16:13 1207080]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 15:36 25370152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 20:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 19:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-09-27 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-09-27 12:37 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-09-27 12:41 569413]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"TempRemove"="C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" [1998-12-19 11:06 7680]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12 483328]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2008-04-26 20:49 582992]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 15:17 14743552 C:\WINDOWS\RTHDCPL.EXE]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-10-11 14:04 462848]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 20:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 20:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 20:06 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2008-04-26 20:49 385024]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03 2893824]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-28 23:00 579584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-28 23:00 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
iFormat.lnk - C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe [2007-02-11 11:16:54 798720]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-20 08:32:06 389120]
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2007-06-13 17:23:23 25214]

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^IT^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\UTORRENT\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

*Newly Created Service* - AVG7ALRT
*Newly Created Service* - AVG7CORE
*Newly Created Service* - AVG7RSXP
*Newly Created Service* - AVG7UPDSVC
*Newly Created Service* - AVGCLEAN
*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-29 20:53:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|5\01\00À\00\00\00\00\0c\00\00\00D\00\00\00\00\00R\02\18î|\00\00\00\00~\00\00\00¨-
[\02’“€|~\00\00\00x\01\15\00€è\13\00E\1d€|ö\1b"

.
Completion time: 2008-04-29 20:53:27
ComboFix-quarantined-files.txt 2008-04-29 17:53:26
ComboFix2.txt 2008-04-28 19:28:18

Pre-Run: 15,646,277,632 bytes free
Post-Run: 15,638,724,608 bytes free

#7
kifera

    Member

  • Topic Starter
  • Member
  • 22 posts
# NIAP_XRay_FileMgr.exe 0.0.0.4
# 2008-04-30 19:25:41
# ------------------------------------------------------------------------
# Scan Autorun.inf in: Z:\
# Scan Autorun.inf in: W:\
# Scan Autorun.inf in: N:\
# Scan Autorun.inf in: G:\
# Not Found.

# Scan Autorun.inf in: F:\
# Scan Autorun.inf in: D:\
# Not Found.

# Scan Autorun.inf in: C:\
# Not Found.

# Verify System Critical File
C:\WINDOWS\explorer.exe;OK
C:\WINDOWS\system32\win32k.sys;OK
C:\WINDOWS\system32\watchdog.sys;OK
C:\WINDOWS\system32\hal.dll;OK
C:\WINDOWS\system32\ntkrnlpa.exe;OK
C:\WINDOWS\system32\ntoskrnl.exe;OK
C:\WINDOWS\system32\smss.exe;OK
C:\WINDOWS\system32\csrss.exe;OK
C:\WINDOWS\system32\winlogon.exe;OK
C:\WINDOWS\system32\lsass.exe;OK
C:\WINDOWS\system32\services.exe;OK
C:\WINDOWS\system32\svchost.exe;OK
C:\WINDOWS\system32\userinit.exe;OK
C:\WINDOWS\system32\drivers\acpi.sys;OK
C:\WINDOWS\system32\drivers\atapi.sys;OK
C:\WINDOWS\system32\drivers\beep.sys;OK
C:\WINDOWS\system32\drivers\cdfs.sys;OK
C:\WINDOWS\system32\drivers\cdrom.sys;OK
C:\WINDOWS\system32\drivers\disk.sys;OK
C:\WINDOWS\system32\drivers\fastfat.sys;OK
C:\WINDOWS\system32\drivers\fs_rec.sys;OK
C:\WINDOWS\system32\drivers\ftdisk.sys;OK
C:\WINDOWS\system32\drivers\i8042prt.sys;OK
C:\WINDOWS\system32\drivers\kbdclass.sys;OK
C:\WINDOWS\system32\drivers\mouclass.sys;OK
C:\WINDOWS\system32\drivers\ndis.sys;OK
C:\WINDOWS\system32\drivers\ntfs.sys;OK
C:\WINDOWS\system32\drivers\null.sys;OK
C:\WINDOWS\system32\drivers\partmgr.sys;OK
C:\WINDOWS\system32\drivers\pci.sys;OK
C:\WINDOWS\system32\drivers\pciidex.sys;OK
C:\WINDOWS\system32\drivers\redbook.sys;OK
C:\WINDOWS\system32\drivers\scsiport.sys;OK
C:\WINDOWS\system32\drivers\sr.sys;OK
C:\WINDOWS\system32\drivers\termdd.sys;OK
C:\WINDOWS\system32\drivers\usbhub.sys;OK
C:\WINDOWS\system32\drivers\usbport.sys;OK
C:\WINDOWS\system32\drivers\volsnap.sys;OK
C:\WINDOWS\system32\drivers\tcpip.sys;OK
C:\WINDOWS\system32\drivers\tdi.sys;OK
Report:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:StatusClient 2.6 , Path:C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
Name:TomcatStartup 2.5 , Path:C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
Name:HP Software Update , Path:"C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
Name:IntelZeroConfig , Path:"C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
Name:IntelWireless , Path:"C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
Name:EOUApp , Path:"C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
Name:BluetoothAuthenticationAgent , Path:rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
Name:PCSuiteTrayApplication , Path:C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
Name:TempRemove , Path:"C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
Name:Acrobat Assistant 7.0 , Path:"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
Name:mcagent_exe , Path:C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
Name:SynTPLpr , Path:C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
Name:SynTPEnh , Path:C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
Name:RTHDCPL , Path:RTHDCPL.EXE
Name:PCMService , Path:"C:\Program Files\Acer\Acer Arcade\PCMService.exe"
Name:LManager , Path:C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
Name:LaunchApp , Path:Alaunch
Name:IMJPMIG8.1 , Path:"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
Name:igfxtray , Path:C:\WINDOWS\system32\igfxtray.exe
Name:igfxpers , Path:C:\WINDOWS\system32\igfxpers.exe
Name:igfxhkcmd , Path:C:\WINDOWS\system32\hkcmd.exe
Name:High Definition Audio Property Page Shortcut , Path:HDAShCut.exe
Name:eRecoveryService , Path:C:\Acer\Empowering Technology\eRecovery\Monitor.exe
Name:ePowerManagement , Path:C:\Acer\ePM\ePM.exe boot
Name:AzMixerSel , Path:C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
Name:AVG7_CC , Path:C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:H/PC Connection Agent , Path:"C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
Name:PcSync , Path:C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
Name:ctfmon.exe , Path:C:\WINDOWS\system32\ctfmon.exe
Name:Skype , Path:"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\:


HKCC\Software\Microsoft\Windows NT\CurrentVersion\Windows\[Load]:
Value: None

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Userinit]:
Value: C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Shell]:
Value: Explorer.exe

HKLM\SYSTEM\ControlSet001\Control\Session Manager\[BootExecute]:
Value: autocheck autochk * lsdelete



BHO Items List:
{AE7CD045-E861-484f-8273-0445EE161910}
InprocServer32:C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
ThreadingModel:Apartment
ProgID:Adobe.AcroIEToolbarHelper.1
Programmable:
TypeLib:{04C567CB-A52F-41f4-9628-10CC965E7179}
VersionIndependentProgID:Adobe.AcroIEToolbarHelper

File Links List:
.txt: %SystemRoot%\system32\NOTEPAD.EXE %1
.exe: "%1" %*
.com: "%1" %*
.pif: "%1" %*
.bat: "%1" %*
.reg: regedit.exe "%1"
.chm: "C:\WINDOWS\hh.exe" %1
.hlp: %SystemRoot%\System32\winhlp32.exe %1
.ini: %SystemRoot%\System32\NOTEPAD.EXE %1
.inf: %SystemRoot%\System32\NOTEPAD.EXE %1
.vbs: %SystemRoot%\System32\WScript.exe "%1" %*
.js: %SystemRoot%\System32\WScript.exe "%1" %*
.lnk: CLSID: {00021401-0000-0000-C000-000000000046} shell32.dll

Image File Execution Options:
Your Image File Name Here without a path: ntsd -d

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\[AppInit_DLLs]:
Value:


ShellExecuteHooks:
{AEB6717E-7E19-11d0-97EE-00C04FD91972} : URL Exec Hook
InProcServer32:shell32.dll
{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} : SABShellExecuteHook Class
InProcServer32:C:\Program Files\SUPERAntiSpyware\SASSEH.DLL

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\[Debugger]:
Value: drwtsn32 -p %ld -e %ld -g

Kernel Drivers:
AegisP
DisplayName:AEGIS Protocol (IEEE 802.1x) v3.4.5.0
Description:AEGIS Protocol (IEEE 802.1x) v3.4.5.0
ImagePath:system32\DRIVERS\AegisP.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
Avg7Core
DisplayName:AVG7 Kernel
Description:None
ImagePath:\SystemRoot\System32\Drivers\avg7core.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
Avg7RsW
DisplayName:AVG7 Wrap Driver
Description:None
ImagePath:\SystemRoot\System32\Drivers\avg7rsw.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
Avg7RsXP
DisplayName:AVG7 Resident Driver XP
Description:None
ImagePath:\SystemRoot\System32\Drivers\avg7rsxp.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
btaudio
DisplayName:Bluetooth Audio Device
Description:None
ImagePath:system32\drivers\btaudio.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BTDriver
DisplayName:Bluetooth Virtual Communications Driver
Description:None
ImagePath:system32\DRIVERS\btport.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BTKRNL
DisplayName:Bluetooth Bus Enumerator
Description:None
ImagePath:system32\DRIVERS\btkrnl.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BTSLBCSP
DisplayName:Bluetooth Port Client Driver
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\btslbcsp.sys [File not found]
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
BTWDNDIS
DisplayName:Bluetooth LAN Access Server
Description:None
ImagePath:system32\DRIVERS\btwdndis.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
btwmodem
DisplayName:Bluetooth Modem
Description:None
ImagePath:system32\DRIVERS\btwmodem.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
BTWUSB
DisplayName:WIDCOMM USB Bluetooth Driver
Description:None
ImagePath:System32\Drivers\btwusb.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
EpmPsd
DisplayName:Acer EPM Power Scheme Driver
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\epm-psd.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
EpmShd
DisplayName:Acer EPM System Hardware Driver
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\epm-shd.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
ISODrive
DisplayName:ISO CD-ROM Device Driver
Description:None
ImagePath:\??\C:\Program Files\UltraISO\drivers\ISODrive.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_FILE_SYSTEM_DRIVER(2)
NIAPSafe
DisplayName:NIAPSafe
Description:None
ImagePath:\??\G:\NIAP 0.5\NIAPMirrorSystem.sys
ObjectName:None
Start:SERVICE_DISABLED(4)
Type:SERVICE_KERNEL_DRIVER(1)
NTIDrvr
DisplayName:Upper Class Filter Driver
Description:None
ImagePath:system32\DRIVERS\NTIDrvr.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
osaio
DisplayName:osaio
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\osaio.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
osanbm
DisplayName:osanbm
Description:None
ImagePath:\??\C:\WINDOWS\system32\drivers\osanbm.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
s24trans
DisplayName:WLAN Transport
Description:WLAN Transport
ImagePath:system32\DRIVERS\s24trans.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
SASDIFSV
DisplayName:SASDIFSV
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
SASENUM
DisplayName:SASENUM
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
SASKUTIL
DisplayName:SASKUTIL
Description:None
ImagePath:\??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)

Services:
anbmService
DisplayName:Notebook Manager Service
Description:None
ImagePath:C:\Acer\eManager\anbmServ.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
Avg7Alrt
DisplayName:AVG7 Alert Manager Server
Description:None
ImagePath:C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
Avg7UpdSvc
DisplayName:AVG7 Update Service
Description:None
ImagePath:C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
CLCapSvc
DisplayName:CyberLink Background Capture Service (CBCS)
Description:Provides background buffering, recording and burning functionality for CyberLink Capturing
ImagePath:"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
CLSched
DisplayName:CyberLink Task Scheduler (CTS)
Description:Enables a user to configure and schedule a automated task for CyberLink Scheduling
ImagePath:"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
CyberLink Media Library Service
DisplayName:CyberLink Media Library Service
Description:None
ImagePath:"C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
EvtEng
DisplayName:Intel® PROSet/Wireless Event Log
Description:Manages the event trace messages for all the components of Intel® PROSet/Wireless software.
ImagePath:C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
HidServ
DisplayName:Human Interface Device Access
Description:Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
ImagePath:%SystemRoot%\System32\svchost.exe -k netsvcs
ServiceDll:%SystemRoot%\System32\hidserv.dll [File not found]
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_SHARE_PROCESS(32)
Pml Driver HPZ12
DisplayName:Pml Driver HPZ12
Description:None
ImagePath:C:\WINDOWS\system32\HPZipm12.exe
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
RegSrvc
DisplayName:Intel® PROSet/Wireless Registry Service
Description:Intel® PROSet/Wireless Registry Service
ImagePath:C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
RichVideo
DisplayName:Cyberlink RichVideo Service(CRVS)
Description:None
ImagePath:"C:\Program Files\CyberLink\Shared Files\RichVideo.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None
rpcapd
DisplayName:Remote Packet Capture Protocol v.0 (experimental)
Description:Allows to capture traffic on this machine from a remote machine.
ImagePath:"%ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:None
S24EventMonitor
DisplayName:Intel® PROSet/Wireless Service
Description:Wireless Management Service for Intel® PROSet/Wireless
ImagePath:C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:None



NIAP_XRay_System Version 0.0.0.5 System log

Process:
PID | EPROCESS | Process Name | Module Path
00000004 837C9490 System
0000009C 8352D990 CLMLSERVICE.EXE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
000000CC 8343B920 MDM.EXE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
00000128 8344BB98 REGSRVC.EXE C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
00000140 83446668 RICHVIDEO.EXE C:\Program Files\CyberLink\Shared Files\RichVideo.exe
00000198 8345FA60 WDFMGR.EXE C:\WINDOWS\system32\wdfmgr.exe
000001E0 83553788 CLSCHED.EXE C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
00000250 83433DA0 STATUSCLIENT.EX C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
00000268 83472DA0 FXSSVC.EXE C:\WINDOWS\system32\fxssvc.exe
00000274 833BADA0 SMSS.EXE \SystemRoot\System32\smss.exe
00000290 83476990 HPWUSCHD2.EXE C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
00000294 83470580 ZCFGSVC.EXE C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
00000298 8346F9D0 IFRMEWRK.EXE C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
000002A4 83477DA0 EOUWIZ.EXE C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
000002AC 834CC260 CSRSS.EXE \??\C:\WINDOWS\system32\csrss.exe
000002B0 834773D0 RUNDLL32.EXE C:\WINDOWS\system32\rundll32.exe
000002C4 834C6DA0 WINLOGON.EXE \??\C:\WINDOWS\system32\winlogon.exe
000002F0 835253A8 SERVICES.EXE C:\WINDOWS\system32\services.exe
000002FC 83537DA0 LSASS.EXE C:\WINDOWS\system32\lsass.exe
00000364 8367C020 LAUNCH~1.EXE C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
00000390 83538268 SVCHOST.EXE C:\WINDOWS\system32\svchost.exe
00000398 833688E0 SYNTPENH.EXE C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
000003A4 834B2C30 ACROTRAY.EXE C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
000003AC 834B2368 SYNTPLPR.EXE C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
000003D4 83528760 SVCHOST.EXE C:\WINDOWS\system32\svchost.exe
000003F0 833C3418 IGFXPERS.EXE C:\WINDOWS\system32\igfxpers.exe
00000400 834EA5E8 SVCHOST.EXE C:\WINDOWS\System32\svchost.exe
0000041C 834B13F8 RTHDCPL.EXE C:\WINDOWS\RTHDCPL.EXE
00000420 83697658 QTZGACER.EXE C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
00000454 83575688 PCMSERVICE.EXE C:\Program Files\Acer\Acer Arcade\PCMService.exe
00000484 833948F0 IGFXTRAY.EXE C:\WINDOWS\system32\igfxtray.exe
0000048C 83485020 EVTENG.EXE C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
000004B8 834CEA40 S24EVMON.EXE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
000004DC 834FA020 SVCHOST.EXE C:\WINDOWS\system32\svchost.exe
000004E8 834B6DA0 HKCMD.EXE C:\WINDOWS\system32\hkcmd.exe
000004F8 8351FC68 SVCHOST.EXE C:\WINDOWS\system32\svchost.exe
0000053C 83493590 SPOOLSV.EXE C:\WINDOWS\system32\spoolsv.exe
000005C0 8343EB28 ANBMSERV.EXE C:\Acer\eManager\anbmServ.exe
000005CC 82A4E9E8 avgcc.exe C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
000005D8 828ABB98 WCESCOMM.EXE C:\PROGRA~1\MI3AA1~1\wcescomm.exe
000005E8 82906598 PCSYNC2.EXE C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
000005F0 82905390 CTFMON.EXE C:\WINDOWS\system32\ctfmon.exe
000005F8 828A7DA0 SKYPE.EXE C:\Program Files\Skype\Phone\Skype.exe
000006AC 83594508 avgamsvr.exe C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
000007B4 8346EDA0 avgupsvc.exe C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
000007C0 8343AC68 SVCHOST.EXE C:\WINDOWS\system32\svchost.exe
000007D0 8346DDA0 EXPLORER.EXE C:\WINDOWS\Explorer.EXE
000007DC 833E0578 CLCAPSVC.EXE C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
000007F4 83438DA0 CLMLSERVER.EXE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
0000081C 827DB968 IFORMAT.EXE C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
00000824 828F60B8 RAPIMGR.EXE C:\PROGRA~1\MI3AA1~1\rapimgr.exe
0000083C 82899DA0 MPAPI3s.exe C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
000008AC 828984C8 WZQKPICK.EXE C:\Program Files\WinZip\WZQKPICK.EXE
000008B4 827CBDA0 JAVAW.EXE C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
000008F4 83621B58 acrobat_sl.exe C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
00000C64 82927558 avgw.exe C:\PROGRA~1\Grisoft\AVG7\avgw.exe
00000D98 836736D8 wuauclt.exe C:\WINDOWS\system32\wuauclt.exe
00000ED8 827F16A8 alg.exe C:\WINDOWS\System32\alg.exe
00000FB0 8289F9A0 NIAP_XRay_Syste G:\NIAP 0.5\NIAP_XRay_System.exe
00000FD0 8261E240 NIAP_XRay_Syste G:\NIAP 0.5\NIAP_XRay_System.exe

Kernel Module:
EntryPoint | Module Base | Image Size | Module Path
806AC2BE 804D7000 00214100 ntoskrnl.exe \WINDOWS\system32\ntoskrnl.exe
807090BC 806EC000 00020380 hal.dll \WINDOWS\system32\hal.dll
F8C43CE6 F8C43000 00002000 kdcom.dll \WINDOWS\system32\KDCOM.DLL
F8B54872 F8B53000 00003000 BOOTVID.dll \WINDOWS\system32\BOOTVID.dll
F871D059 F86F4000 0002E000 ACPI.sys ACPI.sys
F8C45B80 F8C45000 00002000 WMILIB.SYS \WINDOWS\system32\DRIVERS\WMILIB.SYS
F86F1004 F86E3000 00011000 pci.sys pci.sys
F874A3E4 F8743000 00009000 isapnp.sys isapnp.sys
F8B58A00 F8B57000 00003000 compbatt.sys compbatt.sys
F8B5BF00 F8B5B000 00004000 BATTC.SYS \WINDOWS\system32\DRIVERS\BATTC.SYS
F8D0B61E F8D0B000 00001000 pciide.sys pciide.sys
F89C8205 F89C3000 00007000 PCIIDEX.SYS \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
F8C47B6E F8C47000 00002000 aliide.sys aliide.sys
F8C49F05 F8C49000 00002000 intelide.sys intelide.sys
F8C4BA94 F8C4B000 00002000 toside.sys toside.sys
F8C4DE85 F8C4D000 00002000 viaide.sys viaide.sys
F8C502F4 F8C4F000 00002000 cmdide.sys cmdide.sys
F86DFB86 F86C5000 0001E000 pcmcia.sys pcmcia.sys
F875C1B4 F8753000 0000B000 MountMgr.sys MountMgr.sys
F86C14E2 F86A6000 0001F000 ftdisk.sys ftdisk.sys
F8C51BF6 F8C51000 00002000 dmload.sys dmload.sys
F86A1F05 F8680000 00026000 dmio.sys dmio.sys
F8B60D00 F8B5F000 00003000 ACPIEC.sys ACPIEC.sys
F8D0C34A F8D0C000 00001000 OPRGHDLR.SYS \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
F89CE880 F89CB000 00005000 PartMgr.sys PartMgr.sys
F8B65C1A F8B63000 00004000 UBHelper.sys UBHelper.sys
F876CD3E F8763000 0000D000 VolSnap.sys VolSnap.sys
F8B67300 F8B67000 00004000 cpqarray.sys cpqarray.sys
F867D039 F8668000 00018000 SCSIPORT.SYS \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
F86655F7 F8650000 00018000 atapi.sys atapi.sys
F8B6CBD2 F8B6B000 00004000 aha154x.sys aha154x.sys
F89D3FEA F89D3000 00005000 sparrow.sys sparrow.sys
F877E808 F8773000 0000E000 aic78xx.sys aic78xx.sys
F8B71A38 F8B6F000 00004000 dac960nt.sys dac960nt.sys
F8785042 F8783000 00009000 ql10wnt.sys ql10wnt.sys
F8B75472 F8B73000 00003000 amsint.sys amsint.sys
F89DC636 F89DB000 00007000 asc.sys asc.sys
F8B77F52 F8B77000 00004000 asc3550.sys asc3550.sys
F89E3A78 F89E3000 00005000 mraid35x.sys mraid35x.sys
F89EEF85 F89EB000 00005000 i2omp.sys i2omp.sys
F8B7E1D4 F8B7B000 00004000 ini910u.sys ini910u.sys
F8795034 F8793000 0000A000 ql1240.sys ql1240.sys
F87AE99A F87A3000 0000E000 aic78u2.sys aic78u2.sys
F89F8F86 F89F3000 00008000 symc8xx.sys symc8xx.sys
F8A00A66 F89FB000 00007000 sym_hi.sys sym_hi.sys
F8A09268 F8A03000 00008000 sym_u3.sys sym_u3.sys
F8A0C642 F8A0B000 00006000 ABP480N5.SYS ABP480N5.SYS
F8A13C3E F8A13000 00006000 asc3350p.sys asc3350p.sys
F8C53A15 F8C53000 00002000 cd20xrnt.sys cd20xrnt.sys
F87B8CE8 F87B3000 00009000 ultra.sys ultra.sys
F8A1EE30 F8A1B000 00005000 dpti2o.sys dpti2o.sys
F864B3C0 F8637000 00019000 adpu160m.sys adpu160m.sys
F87C4F9C F87C3000 0000A000 ql1080.sys ql1080.sys
F87D6C0A F87D3000 0000C000 ql1280.sys ql1280.sys
F87E6BE8 F87E3000 0000C000 ql12160.sys ql12160.sys
F8B81CE0 F8B7F000 00004000 cbidf2k.sys cbidf2k.sys
F8616B00 F860B000 0002C000 dac2w2k.sys dac2w2k.sys
F8A2605A F8A23000 00007000 hpn.sys hpn.sys
F8A2E05A F8A2B000 00007000 perc2.sys perc2.sys
F8C55DC0 F8C55000 00002000 perc2hib.sys perc2hib.sys
F87FA8AB F87F3000 00009000 disk.sys disk.sys
F880DE8F F8803000 0000D000 CLASSPNP.SYS \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
F8607D6A F85EC000 0001F000 fltMgr.sys fltMgr.sys
F85E9FD4 F85DA000 00012000 sr.sys sr.sys
F85D68A7 F85B7000 00023000 Fastfat.sys Fastfat.sys
F85B4E29 F85A0000 00017000 KSecDD.sys KSecDD.sys
F859C205 F8573000 0002D000 NDIS.sys NDIS.sys
F881B885 F8813000 0000B000 sisagp.sys sisagp.sys
F882BD05 F8823000 0000B000 viaagp.sys viaagp.sys
F856FBFA F8558000 0001B000 Mup.sys Mup.sys
F883BF85 F8833000 0000B000 alim1541.sys alim1541.sys
F884BF85 F8843000 0000B000 amdagp.sys amdagp.sys
F885BD85 F8853000 0000B000 agp440.sys agp440.sys
F886C705 F8863000 0000B000 agpCPQ.sys agpCPQ.sys
F8888885 F8883000 00009000 intelppm.sys \SystemRoot\system32\DRIVERS\intelppm.sys
F8371980 F827B000 00101000 ialmnt5.sys \SystemRoot\system32\DRIVERS\ialmnt5.sys
F8278310 F8267000 00014000 VIDEOPRT.SYS \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
F8262000 F8242000 00025000 HDAudBus.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys
F8A87605 F8A83000 00005000 usbuhci.sys \SystemRoot\system32\DRIVERS\usbuhci.sys
F823F985 F821F000 00023000 USBPORT.SYS \SystemRoot\system32\DRIVERS\USBPORT.SYS
F8A90E05 F8A8B000 00007000 usbehci.sys \SystemRoot\system32\DRIVERS\usbehci.sys
F7EF95E0 F7EF9000 00326000 w29n51.sys \SystemRoot\system32\DRIVERS\w29n51.sys
F8A97480 F8A93000 00006000 RTL8139.SYS \SystemRoot\system32\DRIVERS\RTL8139.SYS
F889C385 F8893000 0000D000 i8042prt.sys \SystemRoot\system32\DRIVERS\i8042prt.sys
F8A9E66E F8A9B000 00005000 DKbFltr.sys \SystemRoot\system32\DRIVERS\DKbFltr.sys
F8AA7610 F8AA3000 00006000 kbdclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys
F7EF5CA0 F7ECB000 0002E000 SynTP.sys \SystemRoot\system32\DRIVERS\SynTP.sys
F8C5D300 F8C5D000 00002000 USBD.SYS \SystemRoot\system32\DRIVERS\USBD.SYS
F8AAF035 F8AAB000 00006000 mouclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys
F88AB9FB F88A3000 0000B000 imapi.sys \SystemRoot\system32\DRIVERS\imapi.sys
F88BD6DA F88B3000 0000D000 cdrom.sys \SystemRoot\system32\DRIVERS\cdrom.sys
F88CE685 F88C3000 0000F000 redbook.sys \SystemRoot\system32\DRIVERS\redbook.sys
F7EC7FB5 F7EA8000 00023000 ks.sys \SystemRoot\system32\DRIVERS\ks.sys
F8C5FF48 F8C5F000 00002000 NTIDrvr.sys \SystemRoot\system32\DRIVERS\NTIDrvr.sys
F8C01966 F8BFF000 00004000 CmBatt.sys \SystemRoot\system32\DRIVERS\CmBatt.sys
F83E8600 F83E8000 00001000 audstub.sys \SystemRoot\system32\DRIVERS\audstub.sys
F88DE505 F88D3000 0000D000 rasl2tp.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys
F8C04A22 F8C03000 00003000 ndistapi.sys \SystemRoot\system32\DRIVERS\ndistapi.sys
F7EA5323 F7E91000 00017000 ndiswan.sys \SystemRoot\system32\DRIVERS\ndiswan.sys
F88EC165 F88E3000 0000B000 raspppoe.sys \SystemRoot\system32\DRIVERS\raspppoe.sys
F88FD905 F88F3000 0000C000 raspptp.sys \SystemRoot\system32\DRIVERS\raspptp.sys
F8AB6B05 F8AB3000 00005000 TDI.SYS \SystemRoot\system32\DRIVERS\TDI.SYS
F7E8F200 F7E80000 00011000 psched.sys \SystemRoot\system32\DRIVERS\psched.sys
F890AA85 F8903000 00009000 msgpc.sys \SystemRoot\system32\DRIVERS\msgpc.sys
F8ABE4A2 F8ABB000 00005000 ptilink.sys \SystemRoot\system32\DRIVERS\ptilink.sys
F8AC6200 F8AC3000 00005000 raspti.sys \SystemRoot\system32\DRIVERS\raspti.sys
F7E7A885 F7E4F000 00031000 rdpdr.sys \SystemRoot\system32\DRIVERS\rdpdr.sys
F891B657 F8913000 0000A000 termdd.sys \SystemRoot\system32\DRIVERS\termdd.sys
F8C618DD F8C61000 00002000 swenum.sys \SystemRoot\system32\DRIVERS\swenum.sys
F7E4D048 F7E1B000 00034000 update.sys \SystemRoot\system32\DRIVERS\update.sys
F8C19BE6 F8C17000 00004000 mssmbios.sys \SystemRoot\system32\DRIVERS\mssmbios.sys
F892AF20 F8923000 0000A000 NDProxy.SYS \SystemRoot\System32\Drivers\NDProxy.SYS
AAFAC000 AABF5000 003CB000 RtkHDAud.sys \SystemRoot\system32\drivers\RtkHDAud.sys
AABF1C85 AABD1000 00024000 portcls.sys \SystemRoot\system32\drivers\portcls.sys
F8950D85 F8943000 0000F000 drmk.sys \SystemRoot\system32\drivers\drmk.sys
AABCC4B8 AAB9B000 00036000 HSFHWAZL.sys \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
AAB91CB8 AAAA7000 000F4000 HSF_DPV.sys \SystemRoot\system32\DRIVERS\HSF_DPV.sys
AAA99500 AA9F6000 000B1000 HSF_CNXT.sys \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
F8AD0E6D F8ACB000 00008000 Modem.SYS \SystemRoot\System32\Drivers\Modem.SYS
F895FA05 F8953000 0000F000 usbhub.sys \SystemRoot\system32\DRIVERS\usbhub.sys
F8C6A785 F8C69000 00002000 i2omgmt.SYS \SystemRoot\System32\Drivers\i2omgmt.SYS
F8C6C5E4 F8C6B000 00002000 Fs_Rec.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS
F83A559A F83A5000 00001000 Null.SYS \SystemRoot\System32\Drivers\Null.SYS
F8C6D66C F8C6D000 00002000 Beep.SYS \SystemRoot\System32\Drivers\Beep.SYS
F83A2A85 F83A2000 00001000 avgclean.sys \SystemRoot\System32\Drivers\avgclean.sys
F8AEF642 F8AEB000 00006000 vga.sys \SystemRoot\System32\drivers\vga.sys
F8C6F646 F8C6F000 00002000 mnmdd.SYS \SystemRoot\System32\Drivers\mnmdd.SYS
F8C71944 F8C71000 00002000 RDPCDD.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys
F8AF6BED F8AF3000 00005000 Msfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS
F8B016D3 F8AFB000 00008000 Npfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS
F852966B F8528000 00003000 rasacd.sys \SystemRoot\system32\DRIVERS\rasacd.sys
AA9AB885 AA99B000 00013000 ipsec.sys \SystemRoot\system32\DRIVERS\ipsec.sys
AA994416 AA943000 00058000 tcpip.sys \SystemRoot\system32\DRIVERS\tcpip.sys
AA93EF85 AA91B000 00028000 netbt.sys \SystemRoot\system32\DRIVERS\netbt.sys
AA916F40 AA8F9000 00022000 afd.sys \SystemRoot\System32\drivers\afd.sys
F896A4A9 F8963000 00009000 netbios.sys \SystemRoot\system32\DRIVERS\netbios.sys
F8974C90 F8973000 0000C000 SASKUTIL.sys \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
F8B04000 F8B03000 00007000 SASDIFSV.SYS \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
AA8F659C AA8D8000 00021000 ipnat.sys \SystemRoot\system32\DRIVERS\ipnat.sys
F8989FD6 F8983000 00009000 wanarp.sys \SystemRoot\system32\DRIVERS\wanarp.sys
AA8D3EF8 AA8AD000 0002B000 rdbss.sys \SystemRoot\system32\DRIVERS\rdbss.sys
AA8A5203 AA83E000 0006F000 mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys
AA83BA27 AA82A000 00014000 ISODrive.sys \??\C:\Program Files\UltraISO\drivers\ISODrive.sys
F8997F2B F8993000 00009000 Fips.SYS \SystemRoot\System32\Drivers\Fips.SYS
AA7F8D8E AA739000 000C9000 avg7core.sys \SystemRoot\System32\Drivers\avg7core.sys
F8C73AC0 F8C73000 00002000 avg7rsw.sys \SystemRoot\System32\Drivers\avg7rsw.sys
F8B106AA F8B0B000 00007000 avg7rsxp.sys \SystemRoot\System32\Drivers\avg7rsxp.sys
F89B0A85 F89A3000 00010000 Cdfs.SYS \SystemRoot\System32\Drivers\Cdfs.SYS
AA6E65F7 AA6D1000 00018000 dump_atapi.sys \SystemRoot\System32\Drivers\dump_atapi.sys
F8C75B80 F8C75000 00002000 dump_WMILIB.SYS \SystemRoot\System32\Drivers\dump_WMILIB.SYS
BF9AE4EF BF800000 001C2000 win32k.sys \SystemRoot\System32\win32k.sys
F7E10E80 F7E0F000 00003000 Dxapi.sys \SystemRoot\System32\drivers\Dxapi.sys
F8B16890 F8B13000 00005000 watchdog.sys \SystemRoot\System32\watchdog.sys
BF9D2090 BF9C2000 00012000 dxg.sys \SystemRoot\System32\drivers\dxg.sys
F8E1F359 F8E1F000 00001000 dxgthk.sys \SystemRoot\System32\drivers\dxgthk.sys
BF9ECFF0 BF9E2000 00021000 ialmdnt5.dll \SystemRoot\System32\ialmdnt5.dll
BF9D8A4D BF9D4000 0000E000 ialmrnt5.dll \SystemRoot\System32\ialmrnt5.dll
BFA13690 BFA03000 00034000 ialmdev5.DLL \SystemRoot\System32\ialmdev5.DLL
BFA4ECF0 BFA37000 000E2000 ialmdd5.DLL \SystemRoot\System32\ialmdd5.DLL
F8B269D6 F8B23000 00005000 AegisP.sys \SystemRoot\system32\DRIVERS\AegisP.sys
AA5A7805 AA5A5000 00004000 s24trans.sys \SystemRoot\system32\DRIVERS\s24trans.sys
AA2BC405 AA294000 0002D000 mrxdav.sys \SystemRoot\system32\DRIVERS\mrxdav.sys
AA1F1D85 AA1DF000 00015000 wdmaud.sys \SystemRoot\system32\drivers\wdmaud.sys
F7DE08E1 F7DD3000 0000F000 sysaudio.sys \SystemRoot\system32\drivers\sysaudio.sys
F8D4768A F8D47000 00001000 epm-psd.sys \??\C:\WINDOWS\system32\drivers\epm-psd.sys
A9EFCD26 A9EFC000 00014000 epm-shd.sys \??\C:\WINDOWS\system32\drivers\epm-shd.sys
AA202780 AA200000 00004000 mdmxsdk.sys \SystemRoot\system32\DRIVERS\mdmxsdk.sys
F8CAA1A4 F8CA9000 00002000 osaio.sys \??\C:\WINDOWS\system32\drivers\osaio.sys
F8D95306 F8D95000 00001000 osanbm.sys \??\C:\WINDOWS\system32\drivers\osanbm.sys
A9D14C05 A9CCA000 00052000 srv.sys \SystemRoot\system32\DRIVERS\srv.sys
F8B2ED1D F8B2B000 00005000 BTHUSB.sys \SystemRoot\System32\Drivers\BTHUSB.sys
A983E2BD A97FF000 00043000 bthport.sys \SystemRoot\System32\Drivers\bthport.sys
A98DF619 A98D2000 0000F000 rfcomm.sys \SystemRoot\system32\DRIVERS\rfcomm.sys
F8B364A9 F8B33000 00005000 BthEnum.sys \SystemRoot\system32\DRIVERS\BthEnum.sys
A973381F A971E000 00019000 bthpan.sys \SystemRoot\system32\DRIVERS\bthpan.sys
A9B62092 A9B5A000 0000A000 bthmodem.sys \SystemRoot\system32\DRIVERS\bthmodem.sys
A93FDCD7 A93C3000 00041000 HTTP.sys \SystemRoot\System32\Drivers\HTTP.sys
F8A60805 F8A5B000 00007000 USBSTOR.SYS \SystemRoot\system32\DRIVERS\USBSTOR.SYS
A9BBCF50 A9BBA000 0000E000 NIAPMirrorSystem.sys \??\G:\NIAP 0.5\NIAPMirrorSystem.sys
A92A8E85 A9281000 0002A000 kmixer.sys \SystemRoot\system32\drivers\kmixer.sys
A9249B50 A9245000 0001A000 NIAPRkDetect.sys \??\G:\NIAP 0.5\NIAPRkDetect.sys

SSDT:
ID | Current Function Address | Module Path | Source Function Address | Function Name
HOOK 0000011C A9BBC530 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys D763C355 -----
HOOK 0000011D A9BBC590 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 71318D8B -----
HOOK 0000011E A9BBC5E0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 049B6FDF -----
HOOK 0000011F A9BBC630 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 7FDD7024 -----
HOOK 00000120 A9BBC680 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 9C50ABFF -----
HOOK 00000121 A9BBC6D0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 68618673 -----
HOOK 00000122 A9BBC710 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 800E5F79 -----
HOOK 00000123 A9BBC750 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 051D300B -----
HOOK 00000124 A9BBC7A0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 800D70D8 -----
HOOK 00000125 A9BBC7F0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 2329B38B -----
HOOK 00000126 A9BBC850 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 7FED6008 -----
HOOK 00000127 A9BBC8A0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 813A23FF -----
HOOK 00000128 A9BBC8F0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 13987000 -----
HOOK 00000129 A9BBC940 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 800D7134 -----
HOOK 0000012A A9BBC980 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 9880FB52 -----
HOOK 0000012B A9BBC9E0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys ACB0F956 -----
HOOK 0000012C A9BBCA30 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 030D7001 -----
HOOK 0000012D A9BBCA80 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 7C9960E4 -----
HOOK 0000012E A9BBCAC0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 821E5C81 -----
HOOK 0000012F A9BBCB00 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 6E8E7000 -----
HOOK 00000130 A9BBCB40 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 800D7210 -----
HOOK 00000131 A9BBCBB0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 091BFBFA -----
HOOK 00000132 A9BBCC00 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys CE98940C -----
HOOK 00000133 A9BBCC40 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys A459F904 -----
HOOK 00000134 A9BBCC80 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 885BFB04 -----
HOOK 00000135 A9BBCCF0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 8831BC89 -----
HOOK 00000136 A9BBCD40 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 0925BE8B -----
HOOK 00000137 A9BBCD90 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 0B25944C -----
HOOK 00000138 A9BBCDF0 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys 800F7C8E -----
HOOK 00000139 A9BBCE50 \??\G:\NIAP 0.5\NIAPMirrorSystem.sys A499F900 -----

Shadow Table:
ID | Current Function Address | Module Path | Source Function Address | Function Name

FSD Dispatch hook:
Driver Name | Major Function | Address | Module Path

Kernel Mode Hook:
Module Name | Address | Hook Type | Memo

Windows Hook:
Process Name | IsGlobal | Function Address | Hook Type | Module Path
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 0041EB20 WH_CBT G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
NIAP_XRay_Syste Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 0041EB20 WH_CBT G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
NIAP_XRay_Syste Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgw.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7C16FAE1 WH_CBT C:\WINDOWS\system32\MFC71.DLL
avgw.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
avgw.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgw.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
JAVAW.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 00001580 WH_CBT C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 000108B6 WH_CBT C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 00010D4E WH_SHELL C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
WZQKPICK.EXE Local 004038D0 WH_MSGFILTER C:\Program Files\WinZip\WZQKPICK.EXE
WZQKPICK.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
WZQKPICK.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
MPAPI3s.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
RAPIMGR.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 00439E3D WH_MSGFILTER C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
IFORMAT.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 004365B8 WH_CBT C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
IFORMAT.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
IFORMAT.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
CLMLSERVER.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLCAPSVC.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
EXPLORER.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgamsvr.exe Global 00010DE9 WH_GETMESSAGE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 00001580 WH_CBT C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 000108B6 WH_CBT C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 00010D4E WH_SHELL C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
SKYPE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 006E3794 WH_GETMESSAGE C:\Program Files\Skype\Phone\Skype.exe
SKYPE.EXE Local 004C1468 WH_GETMESSAGE C:\Program Files\Skype\Phone\Skype.exe
SKYPE.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
SKYPE.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 72834A2D WH_MSGFILTER C:\WINDOWS\system32\MFC42u.DLL
PCSYNC2.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 72834157 WH_CBT C:\WINDOWS\system32\MFC42u.DLL
PCSYNC2.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
PCSYNC2.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
WCESCOMM.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7C172389 WH_MSGFILTER C:\WINDOWS\system32\MFC71.DLL
avgcc.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7C16FAE1 WH_CBT C:\WINDOWS\system32\MFC71.DLL
avgcc.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
avgcc.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
ANBMSERV.EXE Global 00010DE9 WH_GETMESSAGE C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 00001580 WH_CBT C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 000108B6 WH_CBT C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 00010D4E WH_SHELL C:\Acer\eManager\anbmServ.exe
SPOOLSV.EXE Global 00010DE9 WH_GETMESSAGE C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 00001580 WH_CBT C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 000108B6 WH_CBT C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 00010D4E WH_SHELL C:\WINDOWS\system32\spoolsv.exe
HKCMD.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
HKCMD.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
S24EVMON.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 00001580 WH_CBT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 000108B6 WH_CBT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 00010D4E WH_SHELL C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
IGFXTRAY.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 00001580 WH_CBT C:\WINDOWS\system32\igfxtray.exe
IGFXTRAY.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7C172389 WH_MSGFILTER C:\Program Files\Acer\Acer Arcade\MFC71.DLL
PCMSERVICE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7C16FAE1 WH_CBT C:\Program Files\Acer\Acer Arcade\MFC71.DLL
PCMSERVICE.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
PCMSERVICE.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
QTZGACER.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
RTHDCPL.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
IGFXPERS.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 00001580 WH_CBT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SYNTPLPR.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 011F1580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
SYNTPENH.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll

#8
kifera

    Member

  • Topic Starter
  • Member
  • 22 posts
The previous message got truncated.

Windows Hook:
Process Name | IsGlobal | Function Address | Hook Type | Module Path
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 0041EB20 WH_CBT G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
NIAP_XRay_Syste Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 0041EB20 WH_CBT G:\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
NIAP_XRay_Syste Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
NIAP_XRay_Syste Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgw.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7C16FAE1 WH_CBT C:\WINDOWS\system32\MFC71.DLL
avgw.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
avgw.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgw.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgw.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
JAVAW.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 00001580 WH_CBT C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 000108B6 WH_CBT C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
JAVAW.EXE Global 00010D4E WH_SHELL C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
WZQKPICK.EXE Local 004038D0 WH_MSGFILTER C:\Program Files\WinZip\WZQKPICK.EXE
WZQKPICK.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
WZQKPICK.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
WZQKPICK.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
MPAPI3s.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
MPAPI3s.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
RAPIMGR.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RAPIMGR.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 00439E3D WH_MSGFILTER C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
IFORMAT.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 004365B8 WH_CBT C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
IFORMAT.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
IFORMAT.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IFORMAT.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
CLMLSERVER.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLMLSERVER.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
CLCAPSVC.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
CLCAPSVC.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
EXPLORER.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EXPLORER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgamsvr.exe Global 00010DE9 WH_GETMESSAGE C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 00001580 WH_CBT C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 000108B6 WH_CBT C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
avgamsvr.exe Global 00010D4E WH_SHELL C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
SKYPE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 006E3794 WH_GETMESSAGE C:\Program Files\Skype\Phone\Skype.exe
SKYPE.EXE Local 004C1468 WH_GETMESSAGE C:\Program Files\Skype\Phone\Skype.exe
SKYPE.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
SKYPE.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
SKYPE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 72834A2D WH_MSGFILTER C:\WINDOWS\system32\MFC42u.DLL
PCSYNC2.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 72834157 WH_CBT C:\WINDOWS\system32\MFC42u.DLL
PCSYNC2.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
PCSYNC2.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCSYNC2.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
WCESCOMM.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
WCESCOMM.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7C172389 WH_MSGFILTER C:\WINDOWS\system32\MFC71.DLL
avgcc.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7C16FAE1 WH_CBT C:\WINDOWS\system32\MFC71.DLL
avgcc.exe Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
avgcc.exe Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
avgcc.exe Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
ANBMSERV.EXE Global 00010DE9 WH_GETMESSAGE C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 00001580 WH_CBT C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 000108B6 WH_CBT C:\Acer\eManager\anbmServ.exe
ANBMSERV.EXE Global 00010D4E WH_SHELL C:\Acer\eManager\anbmServ.exe
SPOOLSV.EXE Global 00010DE9 WH_GETMESSAGE C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 00001580 WH_CBT C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 000108B6 WH_CBT C:\WINDOWS\system32\spoolsv.exe
SPOOLSV.EXE Global 00010D4E WH_SHELL C:\WINDOWS\system32\spoolsv.exe
HKCMD.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
HKCMD.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
HKCMD.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
S24EVMON.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 00001580 WH_CBT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 000108B6 WH_CBT C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
S24EVMON.EXE Global 00010D4E WH_SHELL C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
IGFXTRAY.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 00001580 WH_CBT C:\WINDOWS\system32\igfxtray.exe
IGFXTRAY.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IGFXTRAY.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7C172389 WH_MSGFILTER C:\Program Files\Acer\Acer Arcade\MFC71.DLL
PCMSERVICE.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7C16FAE1 WH_CBT C:\Program Files\Acer\Acer Arcade\MFC71.DLL
PCMSERVICE.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
PCMSERVICE.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
PCMSERVICE.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
QTZGACER.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
QTZGACER.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
RTHDCPL.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RTHDCPL.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
IGFXPERS.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IGFXPERS.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 00001580 WH_CBT C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SYNTPLPR.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SYNTPLPR.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 011F1580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
SYNTPENH.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
SYNTPENH.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
LAUNCH~1.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
LAUNCH~1.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
LAUNCH~1.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
LAUNCH~1.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
LAUNCH~1.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
LAUNCH~1.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
RUNDLL32.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
RUNDLL32.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
RUNDLL32.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
RUNDLL32.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
RUNDLL32.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
RUNDLL32.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
EOUWIZ.EXE Local 004419AB WH_MSGFILTER C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
EOUWIZ.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
EOUWIZ.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
EOUWIZ.EXE Local 0043DC28 WH_CBT C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
EOUWIZ.EXE Global 00001580 WH_CBT C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
EOUWIZ.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
EOUWIZ.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
EOUWIZ.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
IFRMEWRK.EXE Local 0044A650 WH_MSGFILTER C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
IFRMEWRK.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
IFRMEWRK.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
IFRMEWRK.EXE Local 00445AB5 WH_CBT C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
IFRMEWRK.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
IFRMEWRK.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
IFRMEWRK.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
IFRMEWRK.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
ZCFGSVC.EXE Local 00459E4B WH_MSGFILTER C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
ZCFGSVC.EXE Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
ZCFGSVC.EXE Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
ZCFGSVC.EXE Local 004551B4 WH_CBT C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
ZCFGSVC.EXE Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
ZCFGSVC.EXE Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
ZCFGSVC.EXE Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
ZCFGSVC.EXE Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Global 74730DE9 WH_GETMESSAGE C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Global 63001580 WH_CBT C:\WINDOWS\system32\SynTPFcs.dll
STATUSCLIENT.EX Global 747308B6 WH_CBT C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Global 74730D4E WH_SHELL C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Local 7473024B WH_KEYBOARD C:\WINDOWS\system32\MSCTF.dll
STATUSCLIENT.EX Local 7472FF89 WH_MOUSE C:\WINDOWS\system32\MSCTF.dll
CLSCHED.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
CLSCHED.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
CLSCHED.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
CLSCHED.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
RICHVIDEO.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\CyberLink\Shared Files\RichVideo.exe
RICHVIDEO.EXE Global 00001580 WH_CBT C:\Program Files\CyberLink\Shared Files\RichVideo.exe
RICHVIDEO.EXE Global 000108B6 WH_CBT C:\Program Files\CyberLink\Shared Files\RichVideo.exe
RICHVIDEO.EXE Global 00010D4E WH_SHELL C:\Program Files\CyberLink\Shared Files\RichVideo.exe
MDM.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
MDM.EXE Global 00001580 WH_CBT C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
MDM.EXE Global 000108B6 WH_CBT C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
MDM.EXE Global 00010D4E WH_SHELL C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
CLMLSERVICE.EXE Global 00010DE9 WH_GETMESSAGE C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
CLMLSERVICE.EXE Global 00001580 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
CLMLSERVICE.EXE Global 000108B6 WH_CBT C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
CLMLSERVICE.EXE Global 00010D4E WH_SHELL C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
  • 0

#9
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Looking good

Now we need to reconfigure Windows XP to show hidden files:
Double-click the My Computer icon on the Windows desktop.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.



Can you tell me if this folder is present

C:\Windows\system32\drivers\disdn




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.



Click here to use the F-Secure Online Scanner
  • Then click the Start Scanning button below.
  • You should get a notification (bar on top) to install the ActiveX. Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply.


Also post a new HijackThis log
  • 0
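The Folder Options steps above map to three registry values under the Explorer\Advanced key. The script below is an added example, not part of the original thread; it reads those values, reports any that differ from what the post asks for, and applies them if needed. The key and value names are the standard ones Windows Explorer uses; the function names are my own.

```powershell
# Added example (not from the thread): check and apply the "show hidden files" view
# settings described in the post, using the registry values behind Folder Options.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# Expected values: Hidden=1 shows hidden files and folders,
# ShowSuperHidden=1 shows protected operating system files,
# HideFileExt=0 shows extensions for known file types.
$expected = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }

function Test-HiddenFileView {
    # Returns $true when every value matches; prints each mismatch otherwise.
    $current = Get-ItemProperty -Path $key
    $ok = $true
    foreach ($name in $expected.Keys) {
        $value = $current.$name
        if ($value -ne $expected[$name]) {
            Write-Output ("{0} is '{1}', expected {2}" -f $name, $value, $expected[$name])
            $ok = $false
        }
    }
    return $ok
}

function Set-HiddenFileView {
    # Writes the three values; Explorer picks them up when a window is reopened.
    foreach ($name in $expected.Keys) {
        Set-ItemProperty -Path $key -Name $name -Value $expected[$name] -Type DWord
    }
}

if (-not (Test-HiddenFileView)) {
    Set-HiddenFileView
    Test-HiddenFileView
}
```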

#10
kifera

kifera

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi,

The folder disdn is present, but doesn't contain any files.

Unfortunately I can't use any online scanner since I think that due to the virus my internet connection was messed up, and now I can't connect. Tried to repair, but Windows doesn't see any wireless networks and would not start Wireless Zero Configuration that is suggested. LAN doesn't work either. Intel ProSet Wireless device software detects multiple wireless networks, but doesn't connect to them either.
I have ACG software and SuperAntiSpyware that I could run since they do not require online access.
  • 0



#11
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::
C:\Windows\system32\drivers\disdn

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.





You will need to transfer this over to your PC with a USB flash key or something


Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.


Also post a new HijackThis log and tell me how your PC is running
  • 0

#12
kifera

kifera

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
Hi, I managed to restore internet connection and ran Kaspersky and F-Secure. Here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2008-05-02 12:10
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/05/2008
Kaspersky Anti-Virus database records: 735310
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\
N:\
W:\
Z:\

Scan Statistics:
Total number of scanned objects: 46489
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:49:39

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\sqlite_4BkMeBuskKXwU3C Object is locked skipped
C:\WINDOWS\Temp\CLML_AGENT_LOG1.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\tmp.edb Object is locked skipped
C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\daas.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F82DAD0F-8E25-468D-A617-7FD631BAC136}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\nruskulik\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45706.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45707.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45708.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45709.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45710.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45711.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45712.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45713.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45714.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\toolbox_healer45715.log Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45716.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45717.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45718.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45719.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45720.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\MPC309C.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45721.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\~DFA68E.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\jar_cache45722.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\~DFA69A.tmp Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temp\PCHC_1_1\Anti-Virus\perf.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\History\History.IE5\MSHist012008050220080503\index.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Temporary Internet Files\Content.IE5\IFKVILPW\default[2].htm Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Application Data\Acer Arcade\Trace.log Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\nruskulik\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\nruskulik\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\nruskulik\UserData\index.dat Object is locked skipped
C:\Documents and Settings\nruskulik\NTUSER.DAT Object is locked skipped
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped

Scan process completed.



*******************************
F-Secure log:

Scanning Report
Friday, May 02, 2008 13:00:07 - 13:48:34
Computer name: CHAHINE-LT3217
Scanning type: Scan system for malware, rootkits
Target: C:\ D:\


--------------------------------------------------------------------------------

Result: 1 malware found
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 34062
System: 3971
Not scanned: 9
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{F82DAD0F-8E25-468D-A617-7FD631BAC136}.BIN
C:\WINDOWS\TEMP\SQLITE_4BKMEBUSKKXWU3C
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-05-02
F-Secure AVP: 7.0.171, 2008-05-02
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics



***************************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:50, on 2008-05-02
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Acer\Acer Arcade\PCMService.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\PROGRA~1\MI3AA1~1\wcescomm.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.1.192:8080
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -onlytray
O4 - HKLM\..\Run: [TempRemove] "C:\Program Files\Crystal Ball\CB Predictor\terminator.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Acer\Acer Arcade\PCMService.exe"
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] "C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MI3AA1~1\wcescomm.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: iFormat.lnk = C:\Program Files\UFDisk\UFDisk Format Tool\iFormat.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - http://www.linkedin....nderControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1209716959968
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {E1E73B44-2D20-47A9-9CA2-B534CEBBF856} (F-Secure Health Check 1.0) - http://support.f-sec.../fshc/fscax.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Alghanim.com
O17 - HKLM\Software\..\Telephony: DomainName = Alghanim.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Alghanim.com
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

--
End of file - 11698 bytes

#13
kifera (Topic Starter, Member, 22 posts)
Then I also ran ComboFix and Dr. Cure according to your instructions.


ComboFix 08-04-24.1 - Nkulik 2008-05-02 15:03:58.8 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.197 [GMT 3:00]
Running from: C:\Documents and Settings\nruskulik\Desktop\Combo-Fix.exe
Command switches used :: C:\Documents and Settings\nruskulik\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\system32\drivers\disdn . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-04-02 to 2008-05-02 )))))))))))))))))))))))))))))))
.

2008-05-02 14:52 . 2008-05-02 14:52 <DIR> d-------- C:\Program Files\IObit
2008-05-02 14:31 . 2008-05-02 14:31 <DIR> d-------- C:\Program Files\Siber Systems
2008-05-02 14:31 . 2008-05-02 14:31 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\GoodSync
2008-05-02 11:30 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-05-02 11:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-05-02 11:30 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-05-02 11:30 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-05-01 11:11 . 2008-05-01 11:11 <DIR> d-------- C:\fsaua.data
2008-05-01 10:59 . 2008-05-01 10:59 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-01 10:54 . 2008-05-01 10:54 21,035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2008-05-01 10:47 . 2008-05-01 10:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PC Suite
2008-05-01 10:47 . 2008-05-01 10:47 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2008-05-01 10:28 . 2008-05-01 10:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-01 10:27 . 2008-05-01 10:27 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 08:15 . 2008-04-29 08:15 <DIR> dr-h----- C:\$VAULT$.AVG
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\AVG7
2008-04-28 23:01 . 2008-04-28 23:01 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-04-28 23:00 . 2008-04-28 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-28 23:00 . 2008-04-28 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-04-26 21:23 . 2008-04-26 21:23 <DIR> d-------- C:\Documents and Settings\nruskulik\DoctorWeb
2008-04-26 21:07 . 2008-04-26 05:40 <DIR> d-------- C:\SDFix
2008-04-26 20:32 . 2008-04-26 20:32 <DIR> d-------- C:\Program Files\doc
2008-04-26 10:01 . 2008-04-26 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 03:24 . 2008-04-26 03:24 <DIR> d-------- C:\Deckard
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee.com
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\McAfee
2008-04-25 23:26 . 2008-04-25 23:26 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-04-25 23:07 . 2008-04-25 23:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\Malwarebytes
2008-04-25 22:28 . 2008-04-25 22:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-25 22:27 . 2008-04-25 22:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-25 22:17 . 2008-04-25 22:17 <DIR> d-------- C:\Documents and Settings\nruskulik\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 01:20 68,096 ----a-w C:\WINDOWS\system32\dllcache\sysinfo.exe
2008-04-26 01:20 14,848 ----a-w C:\WINDOWS\system32\dllcache\register.exe
2008-02-12 13:14 78,756 ----a-w C:\Program Files\release_notes_kav7.0mp1cf1_en.html
2008-02-08 16:04 72,264 ----a-w C:\Program Files\setup.exe
2008-02-08 16:03 30,529,024 ----a-w C:\Program Files\kav.en.msi
2007-08-02 13:53 536 ----a-w C:\Program Files\setup.reg
.

((((((((((((((((((((((((((((( snapshot@2008-04-28_22.28.06.01 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-28 19:24:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-02 12:06:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-28 19:23:44 1,660 ----a-w C:\WINDOWS\bthservsdp.dat
+ 2008-05-02 12:05:54 1,660 ----a-w C:\WINDOWS\bthservsdp.dat
+ 2008-02-27 12:59:28 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\auc_lib.dll
+ 2008-03-07 15:50:50 290,816 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\auc_lib.dll
+ 2008-03-07 15:50:50 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\daas_s.dll
+ 2008-03-07 15:51:48 380,928 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fscax.dll
+ 2008-03-07 15:50:50 159,744 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\fsld32.dll
+ 2008-03-07 15:50:32 588,456 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gatelauncher.exe
+ 2008-03-07 15:50:32 588,456 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\gatelauncheradmin.exe
+ 2008-02-27 12:59:28 495,616 ----a-w C:\WINDOWS\Downloaded Program Files\daas_s.dll
+ 2008-02-27 13:00:12 262,144 ----a-w C:\WINDOWS\Downloaded Program Files\fscax.dll
+ 2008-02-27 12:59:16 588,392 ----a-w C:\WINDOWS\Downloaded Program Files\gatelauncher.exe
- 2005-05-26 01:16:24 75,544 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-30 16:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2005-05-26 01:16:24 75,544 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-30 16:19:20 92,504 ----a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2005-05-26 01:16:30 465,176 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-30 16:19:36 549,720 ----a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2005-05-26 01:16:30 124,184 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-30 16:19:16 53,080 ----a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2005-05-26 01:16:30 1,343,768 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-30 16:19:42 1,712,984 ----a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2005-05-26 01:16:30 127,256 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-30 16:19:32 325,976 ----a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2005-05-26 01:16:30 41,240 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-30 16:18:40 33,624 ----a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2005-05-26 01:19:32 173,536 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2007-07-30 16:19:46 203,096 ----a-w C:\WINDOWS\system32\dllcache\wuweb.dll
+ 2008-04-28 20:00:42 821,856 ----a-w C:\WINDOWS\system32\drivers\avg7core.sys
+ 2008-04-28 20:00:46 4,224 ----a-w C:\WINDOWS\system32\drivers\avg7rsw.sys
+ 2008-04-28 20:00:46 27,776 ----a-w C:\WINDOWS\system32\drivers\avg7rsxp.sys
+ 2008-04-28 20:00:48 10,760 ----a-w C:\WINDOWS\system32\drivers\avgclean.sys
+ 2008-04-28 20:00:48 26,952 ----a-w C:\WINDOWS\system32\drivers\avgmfx86.sys
+ 2005-05-24 09:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 12:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 12:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-04-26 09:19:42 18,433 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
+ 2008-05-01 07:47:24 18,433 ----a-w C:\WINDOWS\system32\Lang\Arabic.bin
- 2008-04-26 09:19:32 21,036 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
+ 2008-05-01 07:47:24 21,036 ----a-w C:\WINDOWS\system32\Lang\Danish.bin
- 2008-04-26 09:19:34 22,184 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
+ 2008-05-01 07:47:24 22,184 ----a-w C:\WINDOWS\system32\Lang\Dutch.bin
- 2008-04-26 09:19:40 19,023 ----a-w C:\WINDOWS\system32\Lang\English.bin
+ 2008-05-01 07:47:24 19,023 ----a-w C:\WINDOWS\system32\Lang\English.bin
- 2008-04-26 09:19:34 23,732 ----a-w C:\WINDOWS\system32\Lang\French.bin
+ 2008-05-01 07:47:24 23,732 ----a-w C:\WINDOWS\system32\Lang\French.bin
- 2008-04-26 09:19:34 22,322 ----a-w C:\WINDOWS\system32\Lang\German.bin
+ 2008-05-01 07:47:24 22,322 ----a-w C:\WINDOWS\system32\Lang\German.bin
- 2008-04-26 09:19:42 21,687 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
+ 2008-05-01 07:47:24 21,687 ----a-w C:\WINDOWS\system32\Lang\Greek.bin
- 2008-04-26 09:19:34 23,929 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
+ 2008-05-01 07:47:24 23,929 ----a-w C:\WINDOWS\system32\Lang\Italian.bin
- 2008-04-26 09:19:32 20,930 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
+ 2008-05-01 07:47:24 20,930 ----a-w C:\WINDOWS\system32\Lang\Japanese.bin
- 2008-04-26 09:19:32 17,413 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
+ 2008-05-01 07:47:24 17,413 ----a-w C:\WINDOWS\system32\Lang\Korean.bin
- 2008-04-26 09:19:42 20,749 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
+ 2008-05-01 07:47:24 20,749 ----a-w C:\WINDOWS\system32\Lang\Polish.bin
- 2008-04-26 09:19:44 21,733 ----a-w C:\WINDOWS\system32\Lang\Portuguese(Brazil).bin
+ 2008-05-01 07:47:24 21,733 ----a-w C:\WINDOWS\system32\Lang\Portuguese(Brazil).bin
- 2008-04-26 09:19:40 22,587 ----a-w C:\WINDOWS\system32\Lang\Portuguese.bin
+ 2008-05-01 07:47:24 22,587 ----a-w C:\WINDOWS\system32\Lang\Portuguese.bin
- 2008-04-26 09:19:34 22,768 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
+ 2008-05-01 07:47:24 22,768 ----a-w C:\WINDOWS\system32\Lang\Russian.bin
- 2008-04-26 09:19:42 14,382 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
+ 2008-05-01 07:47:24 14,382 ----a-w C:\WINDOWS\system32\Lang\SimChin.bin
- 2008-04-26 09:19:36 24,009 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
+ 2008-05-01 07:47:24 24,009 ----a-w C:\WINDOWS\system32\Lang\Spanish.bin
- 2008-04-26 09:19:36 20,912 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
+ 2008-05-01 07:47:24 20,912 ----a-w C:\WINDOWS\system32\Lang\SWEDISH.bin
- 2008-04-26 09:19:42 19,081 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
+ 2008-05-01 07:47:24 19,081 ----a-w C:\WINDOWS\system32\Lang\Thai.bin
- 2008-04-26 09:19:34 14,944 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
+ 2008-05-01 07:47:24 14,944 ----a-w C:\WINDOWS\system32\Lang\TradChin.bin
- 2006-05-17 08:23:38 579,888 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2008-03-20 15:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-07-30 16:18:34 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2005-09-12 07:49:44 3,298,432 ----a-w C:\WINDOWS\system32\ReinstallBackups\0024\DriverFiles\w29n51.sys
+ 2005-09-05 18:25:34 466,944 ----a-w C:\WINDOWS\system32\ReinstallBackups\0024\DriverFiles\w29NCPA.dll
+ 2007-07-30 16:19:36 549,720 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wuapi.dll\7.0.6000.381\wuapi.dll
+ 2007-07-30 16:18:40 33,624 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.0.6000.381\wups.dll
+ 2007-07-30 16:19:12 43,352 ----a-w C:\WINDOWS\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.0.6000.381\wups2.dll
- 2006-04-03 08:40:10 14,048 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 11:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
- 2005-05-26 01:16:30 465,176 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-30 16:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2005-05-26 01:16:30 124,184 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-30 16:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2005-05-26 01:16:30 1,343,768 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 16:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2005-05-26 01:16:30 127,256 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-30 16:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2005-05-26 01:16:30 41,240 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 16:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
- 2005-05-26 01:16:30 18,200 ----a-w C:\WINDOWS\system32\wups2.dll
+ 2007-07-30 16:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
- 2005-05-26 01:19:32 173,536 ----a-w C:\WINDOWS\system32\wuweb.dll
+ 2007-07-30 16:19:46 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\PROGRA~1\MI3AA1~1\wcescomm.exe" [2006-06-26 16:13 1207080]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2005-11-30 16:56 1306624]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56 15360]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-01-29 15:36 25370152]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StatusClient 2.6"="C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe" [2004-02-27 20:29 61440]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-05-20 19:40 188416]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2004-01-07 13:02 49152]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-03 23:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"PCSuiteTrayApplication"="C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.exe" [2005-12-13 08:49 217088]
"TempRemove"="C:\Program Files\Crystal Ball\CB Predictor\terminator.exe" [1998-12-19 11:06 7680]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 14:44 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 14:43 688218]
"RTHDCPL"="RTHDCPL.EXE" [2005-08-09 15:17 14743552 C:\WINDOWS\RTHDCPL.EXE]
"PCMService"="C:\Program Files\Acer\Acer Arcade\PCMService.exe" [2005-08-31 19:59 147456]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2005-10-11 14:04 462848]
"LaunchApp"="Alaunch" []
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 05:00 208952]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-18 20:09 94208]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-18 20:10 114688]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-18 20:06 77824]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-07 17:07 61952 C:\WINDOWS\system32\HdAShCut.exe]
"eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2008-04-26 20:49 385024]
"ePowerManagement"="C:\Acer\ePM\ePM.exe" [2005-03-15 10:03 2893824]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-06-11 19:51 53248]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-28 23:00 579584]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-09-27 12:37 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-09-27 12:37 602182]
"EOUApp"="C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe" [2005-09-27 12:41 569413]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-04-28 23:00 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-7760-100000000002}\SC_Acrobat.exe [2007-06-13 17:23:23 25214]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"LogonType"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-02-27 11:39 282624 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.mkdmp3enc"= C:\PROGRA~1\Acer\ACERAR~1\Kernel\Burner\MKDMP3Enc.ACM
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=\\Alghanim.com\sysvol\Alghanim.com\scripts\AV_Repair.bat

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^IT^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=C:\WINDOWS\pss\palmOne Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Pitstop Optimize Scheduler]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Acer\\Acer Arcade\\PCMService.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\Program Files\\Hewlett-Packard\\Toolbox\\jre\\bin\\javaw.exe"=
"C:\\Program Files\\UTORRENT\\utorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2004-07-19 13:10]
R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2005-04-07 18:08]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 16:58]
R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 15:57]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-02 15:07:46
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ImagePath"="\"C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe\"\00|5\01\00À\00\00\00\00\0c\00\00\00D\00\00\00\00\00R\02\18î|\00\00\00\00~\00\00\00¨-
[\02’“€|~\00\00\00x\01\15\00€è\13\00E\1d€|ö\1b"

.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Acer\eManager\anbmServ.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-05-02 15:09:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-02 12:09:36
ComboFix4.txt 2008-04-28 19:28:18
ComboFix3.txt 2008-04-29 17:53:28
ComboFix2.txt 2008-04-29 20:27:02

Pre-Run: 14,479,556,608 bytes free
Post-Run: 14,481,227,776 bytes free

288

#14
kifera (Topic Starter, Member, 22 posts)
Log from Dr.Web:

mbam.exe;C:\Program Files\Malwarebytes' Anti-Malware;Probably BACKDOOR.Trojan;;
Process.exe;C:\SDFix\apps;Tool.Prockill;;

#15
Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Looking good

Follow these steps to uninstall Combofix and the tools used in the removal of malware:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


You're using an old version of Adobe Acrobat Reader; this can leave your PC open to vulnerabilities. You can update it here:
http://www.adobe.com.../readstep2.html

Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop-up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
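The HOSTS-file mechanism described in the reply above cuts both ways: a protective file such as the MVPS one maps ad and malware names to 127.0.0.1 or 0.0.0.0, while malware that edits the same file can blackhole update and antivirus sites (so tools stop updating) or point a legitimate name at an outside address. The following audit script is an added example, not code from this thread, from MVPS or from any tool named here; the protected-domain list, the sample HOSTS text and the placeholder name updates.example-av.test are constructed for the example.

```python
"""Audit a Windows HOSTS file for tampered entries.

Added example; not code from the Geeks to Go thread, from MVPS, or from any
tool mentioned there.  A protective HOSTS file maps ad and malware domains
to 127.0.0.1 or 0.0.0.0 so the browser never reaches them.  Malware editing
the same file does the opposite: it blackholes update and security-vendor
names so tools cannot update, or points a legitimate name at an address
outside the machine.  This audit splits the mappings into those buckets.
Domain lists and the sample file are constructed for the example.
"""
import ipaddress
import re

# Addresses that a protective HOSTS file legitimately maps blocked names to.
BLACKHOLE_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# Names that should never be blackholed on a machine being cleaned.
# Constructed, illustrative list: updates.example-av.test is a placeholder
# for whichever antivirus vendor's update host is actually in use.
PROTECTED_DOMAINS = (
    "windowsupdate.microsoft.com",
    "updates.example-av.test",
)

_COMMENT_RE = re.compile(r"#.*$")


def is_protected(host):
    """True if host is a protected domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_DOMAINS)


def parse_hosts(text):
    """Return [(ip, hostname, line_number), ...] for every mapping in text.

    Comments and blank lines are skipped; a line whose first field is not an
    IP address is ignored rather than treated as an error, because HOSTS
    files accumulate junk over the years.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = _COMMENT_RE.sub("", raw).strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for host in fields[1:]:
            entries.append((ip, host.lower(), lineno))
    return entries


def audit_hosts(text):
    """Classify each mapping as ok, blackholed_protected or redirected."""
    findings = {"ok": [], "blackholed_protected": [], "redirected": []}
    for ip, host, lineno in parse_hosts(text):
        record = (lineno, host, ip)
        if host == "localhost":
            findings["ok"].append(record)
        elif ip in BLACKHOLE_TARGETS:
            bucket = "blackholed_protected" if is_protected(host) else "ok"
            findings[bucket].append(record)
        else:
            # A name mapped to a non-local address bypasses DNS entirely,
            # which is how a tampered HOSTS file silently redirects traffic.
            findings["redirected"].append(record)
    return findings


# Constructed sample: three MVPS-style lines followed by three tampered ones.
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
127.0.0.1 localhost
0.0.0.0 ads.example-adnetwork.test        # legitimate blackhole
0.0.0.0 tracker.example-analytics.test    # legitimate blackhole
127.0.0.1 windowsupdate.microsoft.com     # update site blocked
127.0.0.1 updates.example-av.test         # AV update site blocked
203.0.113.7 www.example-bank.test         # redirected off the machine
"""


def main():
    findings = audit_hosts(SAMPLE_HOSTS)
    for lineno, host, ip in findings["blackholed_protected"]:
        print(f"line {lineno}: {host} blackholed to {ip} (blocks updates)")
    for lineno, host, ip in findings["redirected"]:
        print(f"line {lineno}: {host} redirected to {ip} (check this entry)")
    print(f"{len(findings['ok'])} entries look like normal blackholes")


if __name__ == "__main__":
    main()
```

On a real machine the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it into `audit_hosts` instead of the constructed sample. Anything in the redirected bucket deserves a look, and a blackholed update or antivirus host is the symptom described at the top of this thread (security tools failing to run or update).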