Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » April 27th, 2009, 9:49 am

Hello !

I'm new to this site and I came here using Google, trying to solve my problem. So, to make it a short one, here it goes:
I detected the problem on Saturday (25 April 2009) when my NOD32 Antivirus 3.0.650.0 detected a virus. It was like a stack of viruses. In fact they were all in the same folder, generated by some .exe from my computer. The antivirus quarantined them, saying that it "cleaned by deleting-quarantined" them. In the folder where the viruses were created, there were also some other files, which I deleted. Later, I encountered another error of the same type. SAME files created, at the SAME destination, in the SAME folder (same folder name, 'cause I deleted the previous one). The .exe files were different this time. So, NOD32 says that this is a Win32/AutoRun.Agent.GR worm; it detects it, but it seems that it cannot erase it.
Probably some more important things that I should tell are:
- the folder in which the virused folder is created is named "Transfer" (because it is a shared folder with a laptop in my house). I have this Transfer folder on both D:\ and E:\. The virused folder gets created in both of these folders. On C:\ is my Windows installation folder; C:\ and D:\ are the partitions of the same HDD, E:\ is a different HDD (used mainly for downloads).
- the virus is created by different applications, like svchost.exe, wuauclt.exe from system32, or from some applications like iexplorer.exe (also from C:\) or firefox.exe (from D:\). I also noticed that I have 2 system32 folders: "system32" (from where svchost.exe creates the worm) and "System32" (from which wuauclt.exe creates the worm); I don't know if this is right, it may be, but I don't know exactly.

Ok, now that I've presented the problem, I'll also tell you what I've already done, trying to remove the virus.
- scanned with NOD32 (+ in-depth mode) but it doesn't detect anything.
- scanned with Super AntiSpyware, also nothing. (There was one time when NOD32 warned me that superantispyware.exe created the worm.)
- scanned with NOD32 from SAFE MODE, nothing.
- applied a system restore checkpoint from Monday (20 April 2009), when my computer was OK; nothing. (This might have been a mistake.)
- scanned with a worm removal tool from avast! (though I think it was out of date); nothing.

My NOD32 is up to date and it has Win32/AutoRun.Agent.GR in its database (as I checked on the internet).

That's all for now. I hope that you have the patience to read all of this and that you can help me.
Thanks in advance!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:31:20 PM, on 4/27/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Vlad\Tools\Daemon Tools Lite\daemon.exe
D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
D:\Vlad\Tools\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Vlad\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Vlad\Tools\Daemon Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5891851937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5891794078
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC06CEC9-3EA9-46BF-B0C2-4D79F053E077}: NameServer = 82.76.253.115 82.76.253.125
O20 - Winlogon Notify: !SASWinLogon - D:\Vlad\Tools\Super AntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate1c98c8872f32cb0) (gupdate1c98c8872f32cb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7736 bytes
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania

Re: Virus Win32/AutoRun.Agent.GR

Unread postby MWR 3 day Mod » May 1st, 2009, 5:28 am

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.
MWR 3 day Mod
MRU Undergrad
 
Posts: 2534
Joined: April 4th, 2008, 8:40 am

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Katana » May 2nd, 2009, 7:40 am

Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
  1. Please Read All Instructions Carefully
  2. If you don't understand something, stop and ask! Don't keep going on.
  3. Please do not run any other tools or scans whilst I am helping you
  4. Please continue to respond until I give you the "All Clear"
    (Just because you can't see a problem doesn't mean it isn't there)

If you can do those few things, everything should go smoothly.

Please Note, your security programs may give warnings for some of the tools I will ask you to use.
Be assured, any links I give are safe


----------------------------------------------------------------------------------------

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

If you still require help please do the following


Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe

Close ALL open windows (especially Internet Explorer!)
Now click Fix checked
Click yes to any prompts
Close HijackThis


Download and Run RSIT
  • Please download Random's System Information Tool by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open:
    • log.txt will be opened maximized.
    • info.txt will be opened minimized.
  • Please post the contents of both log.txt and info.txt.
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
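The HJT step above asks the poster to check whether the F2 UserInit line is "still present" and to post a fresh log, and the thread then carries two HijackThis scans a few days apart. The following is an added example of how a helper could automate both checks; it is my own code, not code from this thread, from MalwareRemoval.com or from the HijackThis tool. It assumes that a stock Windows XP UserInit value names only userinit.exe (so anything else is flagged for review, not declared malicious), and the sample log text is constructed from a few lines in the shape of the two scans posted here.

```python
# Added example (not from the MalwareRemoval.com thread or from HijackThis itself):
# a small checker for HijackThis-style log text. It answers two questions a
# helper asks in a thread like this one: is an F2 UserInit entry still present
# with anything beyond userinit.exe, and what changed between two scans?
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str]  # (section code such as "F2" or "O23", rest of the line)

# Assumption: on a stock Windows XP install the UserInit value names only
# userinit.exe, so any additional executable is flagged for a human to review.
EXPECTED_USERINIT = {"userinit.exe"}

# HijackThis entries look like "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(text: str) -> List[Entry]:
    """Return (code, body) pairs for every 'Xn - ...' entry line in a log."""
    entries: List[Entry] = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def userinit_extras(entries: List[Entry]) -> List[str]:
    """Executables listed in an F2 UserInit value other than userinit.exe.

    An empty list means the entry is absent or lists only the expected file.
    """
    extras: List[str] = []
    for code, body in entries:
        if code != "F2" or "UserInit=" not in body:
            continue
        value = body.split("UserInit=", 1)[1]
        for item in value.split(","):
            item = item.strip()
            if not item:
                continue
            # Compare on the bare file name, case-insensitively (NTFS paths are).
            name = item.rsplit("\\", 1)[-1].lower()
            if name not in EXPECTED_USERINIT:
                extras.append(item)
    return extras


def diff_entries(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """(added, removed) entries between two logs, ignoring line order."""
    old_set, new_set = set(old), set(new)
    return sorted(new_set - old_set), sorted(old_set - new_set)


# Constructed sample logs: a handful of lines in the shape of the thread's two
# HijackThis scans, trimmed to what the functions above look at.
LOG_APRIL = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
"""

LOG_MAY = r"""
Logfile of Trend Micro HijackThis v2.0.2
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""


def report(old_text: str, new_text: str) -> Dict[str, object]:
    """Run both checks on two logs and return the findings in one dict."""
    old, new = parse_hjt(old_text), parse_hjt(new_text)
    added, removed = diff_entries(old, new)
    return {
        "userinit_extras_before": userinit_extras(old),
        "userinit_extras_after": userinit_extras(new),
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    for key, value in report(LOG_APRIL, LOG_MAY).items():
        print(f"{key}: {value}")
```

Run against the two sample logs, the report lists winhelp.exe as an extra UserInit executable in both scans (so the F2 fix had not taken effect) and shows one new O23 service entry between the scans. The diff is deliberately order-insensitive, because HijackThis prints the running-process list in whatever order the processes happen to be enumerated.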

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » May 2nd, 2009, 8:14 am

Hello Katana and thanks for your help! The problem is still persisting; virus-generated folders still appear from time to time (there's no algorithm or anything, it's just aleatory).

Here are the logs:

FRESH HJT LOG (the problem HJT entry wasn't there anymore):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:08:03 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Vlad\Tools\Daemon Tools Lite\daemon.exe
D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Vlad\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Vlad\Tools\Daemon Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5891851937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5891794078
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC06CEC9-3EA9-46BF-B0C2-4D79F053E077}: NameServer = 82.76.253.115 82.76.253.125
O20 - Winlogon Notify: !SASWinLogon - D:\Vlad\Tools\Super AntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate1c98c8872f32cb0) (gupdate1c98c8872f32cb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7700 bytes



INFO.TXT FROM RSIT :

info.txt logfile of random's system information tool 1.06 2009-05-02 15:09:05

======Uninstall list======

-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE
-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
-->C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
-->C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNRecode.exe /UNINSTALL
-->MsiExec /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"E:\uTorrent\uninstall.exe"
ACE Mega CoDecS Pack-->"C:\Program Files\ACE Mega CoDecS Pack\unins000.exe"
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe AIR-->c:\Program Files\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Shockwave Player 11-->C:\WINDOWS\system32\adobe\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Adobe\SHOCKW~1\Install.log
Age of Chivalry-->"D:\Vlad\Steam\steam.exe" steam://uninstall/17510
Age of Empires III - The Asian Dynasties-->C:\Program Files\InstallShield Installation Information\{C43C1415-3DFC-4089-9A32-0BECF28A6046}\setup.exe -runfromtemp -l0x0409
Age of Empires III - The WarChiefs-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{1C08A24C-B168-407E-A826-68FAF5F20710}
Age of Empires III-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Assassin's Creed-->C:\Program Files\InstallShield Installation Information\{8CFA9151-6404-409A-AF22-4632D04582FD}\setup.exe -runfromtemp -l0x0009 -removeonly
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
Battlefield Heroes-->"D:\Vlad\Games\Battlefield Heroes\uninstaller.exe" "D:\Vlad\Games\Battlefield Heroes\Uninstall.xml"
BS.Player FREE-->"C:\Program Files\ACE Mega CoDecS Pack\BSPlayer\uninstall.exe"
Call of Duty(R) - World at War(TM) 1.1 Patch-->C:\Program Files\InstallShield Installation Information\{AFAE2B15-89A0-4215-A030-F7B5B478886B}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) - World at War(TM)-->C:\Program Files\InstallShield Installation Information\{D80A6A73-E58A-4673-AFF5-F12D7110661F}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.6 Patch-->C:\Program Files\InstallShield Installation Information\{8A15B7D9-908A-4EF9-BA84-5AEDE61743EE}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM) 1.7 Patch-->C:\Program Files\InstallShield Installation Information\{931C37FC-594D-43A9-B10F-A2F2B1F03498}\setup.exe -runfromtemp -l0x0409
Call of Duty(R) 4 - Modern Warfare(TM)-->C:\Program Files\InstallShield Installation Information\{E48469CC-635E-4FD5-A122-1497C286D217}\setup.exe -runfromtemp -l0x0409
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Command & Conquer™ Red Alert™ 3-->MsiExec.exe /X{296D8550-CB06-48E4-9A8B-E5034FB64715}
Creative Video Blaster WebCam 3 USB/WebCam Plus Driver-->C:\WINDOWS\ctdrvins.exe -uninstall usb\vid_05a9&pid_0511 -plugin webc3pin.dll -pluginres webc3pin.crl
Critical Update for Windows Media Player 11 (KB959772)-->"C:\WINDOWS\$NtUninstallKB959772_WM11$\spuninst\spuninst.exe"
Deadliest Catch Alaskan Storm-->"D:\Vlad\Games\Deadliest Catch - Alaskan Storm\Deadliest Catch Alaskan Storm\uninstall.exe"
EA Sports FIFA Online 2 -->D:\Vlad\Games\FIFA Online 2\Uninst.exe
ESET NOD32 Antivirus-->MsiExec.exe /I{86A6E235-C08F-4A14-B14C-793C7D8844A0}
Eurobattle.net Installer-->"C:\WINDOWS\Eurobattle.net Installer\uninstall.exe" "/U:D:\Vlad\Games\Warcraft III\Uninstall\uninstall.xml"
FIFA 09-->MsiExec.exe /X{2315B23D-3E21-4920-837D-AE6460934ECB}
Garena-->C:\Program Files\InstallShield Installation Information\{89C89156-A70F-4C6D-9CAE-2EA71F1396FE}\setup.exe -runfromtemp -l0x0009 -removeonly
GGPO-->MsiExec.exe /X{68BD9036-0952-4849-AE7A-963BB53EDB71}
Google Earth-->MsiExec.exe /X{548EAC70-EE00-11DD-908C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Grand Theft Auto IV-->"C:\Program Files\InstallShield Installation Information\{579BA58C-F33D-4970-9953-B94B43768AC3}\setup.exe" -runfromtemp -l0x0009 -removeonly
Half-Life 2: Deathmatch-->"D:\Vlad\Steam\steam.exe" steam://uninstall/320
Hamachi 1.0.1.5-->D:\Vlad\Tools\Hamachi\uninstall.exe
HijackThis 2.0.2-->"D:\Vlad\Tools\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB942288-v3)-->"C:\WINDOWS\$NtUninstallKB942288-v3$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Insurgency-->"D:\Vlad\Steam\steam.exe" steam://uninstall/17700
IOSS 2008 Beta 1.0-->d:\vlad\steam\SteamApps\SourceMods\ios\unins000.exe
Java(TM) 6 Update 13-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Launchpad Enhanced-->MsiExec.exe /I{BAA11826-70EF-4E44-9E97-8476793E022F}
Madden NFL 08-->D:\Vlad\Games\NFL 2008\EAUninstall.exe
Marsu-Fix-->C:\WINDOWS\Marsu-Fix Uninstaller.exe
MediaCoder 0.6.2-->D:\Vlad\Tools\MediaCoder\uninst.exe
Microsoft .NET Framework 2.0 Service Pack 1-->MsiExec.exe /I{B508B3F1-A24A-32C0-B310-85786919EF28}
Microsoft .NET Framework 3.0 Service Pack 1-->MsiExec.exe /I{2BA00471-0328-3743-93BD-FA813353A783}
Microsoft .NET Framework 3.5-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5\setup.exe
Microsoft .NET Framework 3.5-->MsiExec.exe /I{2FC099BD-AC9B-33EB-809C-D332E1B27C40}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Games for Windows - LIVE -->MsiExec.exe /X{4AA3D64E-9EC3-4B0F-AB91-5885AC55641F}
Microsoft Games for Windows - LIVE Redistributable-->MsiExec.exe /X{FD052FB9-FE90-4438-B355-15EDC89D8FB1}
Microsoft Internationalized Domain Names Mitigation APIs-->"C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7-->"C:\WINDOWS\$NtUninstallWdf01007$\spuninst\spuninst.exe"
Microsoft National Language Support Downlevel APIs-->"C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
MinGW Developer Studio-->D:\Vlad\Compilers\MinGWStudio\uninstall.exe
Mirror's Edge™-->MsiExec.exe /X{AEDBD563-24BB-4EE3-8366-A654DAC2D988}
Mozilla Firefox (3.0.10)-->D:\Vlad\Tools\Mozilla Firefox\uninstall\helper.exe
MSVCMergeModules-->MsiExec.exe /I{AA721D14-CFE2-410E-B975-79FE5F82F99F}
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
MyVideoConverter 1.34-->D:\Vlad\Tools\MyVideoConverter\uninst.exe
Nav N Go Content Manager-->"D:\Stefan\Nav N Go\Content Manager\uninst.exe"
Nero 7 Demo-->MsiExec.exe /I{0D9E1F52-CE29-B03B-D79F-8EC434821033}
NVIDIA Drivers-->C:\WINDOWS\system32\nvuninst.exe UninstallGUI
NVIDIA PhysX-->MsiExec.exe /X{8AAB4176-A747-493A-A42C-B63CFADFD8E3}
oDC (remove only)-->"E:\oDC\oDC\uninstall.exe"
OpenAL-->"C:\Program Files\OpenAL\OalinstGridRelease.exe" /U
Penumbra Episode 1-->"D:\Vlad\Games\Penumbra Overture\unins000.exe"
PunkBuster Services-->C:\WINDOWS\system32\pbsvc.exe -u
QuickTime-->MsiExec.exe /I{8DC42D05-680B-41B0-8878-6C14D24602DB}
Rainlendar2 (remove only)-->"D:\Vlad\Tools\Rainlendar2\uninst.exe"
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Rockstar Games Social Club-->"C:\Program Files\InstallShield Installation Information\{08B3869E-D282-424C-9AFC-870E04A4BA14}\setup.exe" -runfromtemp -l0x0009 -removeonly
Scratch-->D:\Vlad\Compilers\Scratch\uninstall.exe
Security Update for Windows Internet Explorer 7 (KB938127)-->"C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB950759)-->"C:\WINDOWS\ie7updates\KB950759-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB953838)-->"C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB956390)-->"C:\WINDOWS\ie7updates\KB956390-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB958215)-->"C:\WINDOWS\ie7updates\KB958215-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB960714)-->"C:\WINDOWS\ie7updates\KB960714-IE7\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 7 (KB961260)-->"C:\WINDOWS\ie7updates\KB961260-IE7\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB936782)-->"C:\WINDOWS\$NtUninstallKB936782_WMP11$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464)-->"C:\WINDOWS\$NtUninstallKB938464$\spuninst\spuninst.exe"
Security Update for Windows XP (KB938464-v2)-->"C:\WINDOWS\$NtUninstallKB938464-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951066)-->"C:\WINDOWS\$NtUninstallKB951066$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951698)-->"C:\WINDOWS\$NtUninstallKB951698$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB953839)-->"C:\WINDOWS\$NtUninstallKB953839$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954211)-->"C:\WINDOWS\$NtUninstallKB954211$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954600)-->"C:\WINDOWS\$NtUninstallKB954600$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956391)-->"C:\WINDOWS\$NtUninstallKB956391$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956841)-->"C:\WINDOWS\$NtUninstallKB956841$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957095)-->"C:\WINDOWS\$NtUninstallKB957095$\spuninst\spuninst.exe"
Security Update for Windows XP (KB957097)-->"C:\WINDOWS\$NtUninstallKB957097$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958687)-->"C:\WINDOWS\$NtUninstallKB958687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958690)-->"C:\WINDOWS\$NtUninstallKB958690$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960715)-->"C:\WINDOWS\$NtUninstallKB960715$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961373)-->"C:\WINDOWS\$NtUninstallKB961373$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Skype 3.1-->"D:\Vlad\Tools\Skype\unins000.exe"
Sony Ericsson Media Manager 1.1-->MsiExec.exe /X{0096A731-71DB-4969-AF1A-651698B246A5}
Sony Ericsson PC Suite 1.20.173-->MsiExec.exe /I{C5ADA65A-7828-4D85-B071-ECC52B51F794}
Sony Ericsson PC Suite 4.010.00-->C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\Setup.exe -runfromtemp -l0x0009 -removeonly
SopCast 3.0.3-->D:\Vlad\Tools\SopCast\uninst.exe
Source SDK Base - Orange Box-->"D:\Vlad\Steam\steam.exe" steam://uninstall/218
Source SDK Base-->"D:\Vlad\Steam\steam.exe" steam://uninstall/215
SourceForts-->d:\vlad\steam\SteamApps\SourceMods\sourceforts\uninstall.exe
Spider-Man 3 (TM)-->C:\Program Files\InstallShield Installation Information\{990166FA-1ACB-4AA7-B592-4D370C7CDD1A}\setup.exe -runfromtemp -l0x0809
Spider-Man(TM) - Web of Shadows-->C:\Program Files\InstallShield Installation Information\{7F7E4FA7-6F32-4DE2-917E-361E034AED7A}\setup.exe -runfromtemp -l0x0409
Star Wars Galaxies-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{88038160-9BCB-47BE-A5C3-5CE2DC115509}\setup.exe" -l0x9
Star Wars Jedi Knight Jedi Academy-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1EECBA68-8BE4-4076-94DF-E9ED206B1D21}\Setup.exe" -l0x9
Starcraft Brood War 1.15.2-->D:\Vlad\Games\Starcraft BNet\Uninstall.exe
Station Launcher-->C:\Program Files\Sony\Station\Station Launcher\uninstall.exe
Steam-->MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Sudden Strike 3-->D:\Stefan\Games St\Sudden Strike 3\uninstall.exe
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
System Requirements Lab-->C:\Program Files\SystemRequirementsLab\Uninstall.exe
Team Fortress 2-->"D:\Vlad\Steam\steam.exe" steam://uninstall/440
TeamSpeak 2 RC2-->"D:\Vlad\Tools\Teamspeak 2\unins000.exe"
The Godfather™ II-->MsiExec.exe /X{A1416622-0DDE-45B5-B06C-DFC3ED94C53B}
Tom Clancy's H.A.W.X-->"C:\Program Files\InstallShield Installation Information\{6E36A172-06FB-4BC8-B7FC-D30D219E6776}\setup.exe" -runfromtemp -l0x0009 -removeonly
TVAnts 1.0-->D:\Vlad\Tools\TVAnts\UNWISE.EXE D:\Vlad\Tools\TVAnts\INSTALL.LOG
UltraStar Deluxe-->D:\Vlad\Games\UltraStar Deluxe\Uninstall.exe
Update for Windows Internet Explorer 8 (KB968220)-->"C:\WINDOWS\ie8updates\KB968220-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB942763)-->"C:\WINDOWS\$NtUninstallKB942763$\spuninst\spuninst.exe"
Update for Windows XP (KB951072-v2)-->"C:\WINDOWS\$NtUninstallKB951072-v2$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955839)-->"C:\WINDOWS\$NtUninstallKB955839$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update Service-->D:\Vlad\Tools\Sony Ericsson\Update Service\uninst.exe
WinAce Archiver-->C:\Program Files\WinAce\SXUNINST.EXE C:\Program Files\WinAce\SXUNINST.INI
Winamp-->"C:\Program Files\Winamp\UninstWA.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{C6CA8874-5F22-4AF0-9BE3-016BF299C536}
Windows Live Messenger-->MsiExec.exe /X{0AAA9C97-74D4-47CE-B089-0B147EF3553C}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows XP Service Pack 3-->"C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinZip-->"C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
World of Warcraft-->C:\Program Files\Common Files\Blizzard Entertainment\World of Warcraft (2)\Uninstall.exe
Xfire (remove only)-->"D:\Vlad\Tools\Xfire\uninst.exe"
XviD MPEG-4 Video Codec-->C:\WINDOWS\system32\rundll32.exe setupapi,InstallHinfSection Remove_XviD 132 C:\WINDOWS\INF\xvid.inf
Yahoo! Messenger-->C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~1\Yahoo!\Common\UNYT_W~1.EXE

======Security center information======

AV: ESET NOD32 Antivirus 3.0

======System event log======

Computer Name: VLAD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 20289
Source Name: Tcpip
Time Written: 20090404215406.000000+180
Event Type: warning
User:

Computer Name: VLAD
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\STEFAN on the network \Device\NetBT_Tcpip_{9D3589D1-8FCA-4FBE-AA9C-070EE0F34794}.
The data is the error code.

Record Number: 20285
Source Name: BROWSER
Time Written: 20090404164023.000000+180
Event Type: warning
User:

Computer Name: VLAD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 20281
Source Name: Tcpip
Time Written: 20090404152151.000000+180
Event Type: warning
User:

Computer Name: VLAD
Event Code: 4226
Message: TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Record Number: 20279
Source Name: Tcpip
Time Written: 20090404150008.000000+180
Event Type: warning
User:

Computer Name: VLAD
Event Code: 7000
Message: The EIO service failed to start due to the following error:
Cannot create a file when that file already exists.


Record Number: 20263
Source Name: Service Control Manager
Time Written: 20090404143949.000000+180
Event Type: error
User:

=====Application event log=====

Computer Name: VLAD
Event Code: 1024
Message: Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Excel 2003 (KB958436): EXCEL' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Record Number: 1780
Source Name: MsiInstaller
Time Written: 20081217153748.000000+120
Event Type: error
User: VLAD\Vlad

Computer Name: VLAD
Event Code: 11311
Message: Product: Microsoft Office Professional Edition 2003 -- Error 1311. Source file not found(cabinet): C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\PA561401.CAB. Verify that the file exists and that you can access it.

Record Number: 1779
Source Name: MsiInstaller
Time Written: 20081217153746.000000+120
Event Type: error
User: VLAD\Vlad

Computer Name: VLAD
Event Code: 1024
Message: Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Word 2003 (KB956357): WINWORD' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Record Number: 1777
Source Name: MsiInstaller
Time Written: 20081217153715.000000+120
Event Type: error
User: VLAD\Vlad

Computer Name: VLAD
Event Code: 11311
Message: Product: Microsoft Office Professional Edition 2003 -- Error 1311. Source file not found(cabinet): C:\MSOCache\All Users\90000409-6000-11D3-8CFE-0150048383C9\PA561401.CAB. Verify that the file exists and that you can access it.

Record Number: 1776
Source Name: MsiInstaller
Time Written: 20081217153715.000000+120
Event Type: error
User: VLAD\Vlad

Computer Name: VLAD
Event Code: 1024
Message: Product: Microsoft Office Professional Edition 2003 - Update 'Security Update for Office 2003 (KB951535): MSXML5' could not be installed. Error code 1603. Windows Installer can create logs to help troubleshoot issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127

Record Number: 1774
Source Name: MsiInstaller
Time Written: 20081217153708.000000+120
Event Type: error
User: VLAD\Vlad

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"DEFAULT_CA_NR"=CA6
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"RGSCLauncher"=D:\Vlad\Games\GTA 4\Rockstar Games Social Club
"RGSC"=D:\Vlad\Games\GTA 4\Rockstar Games Social Club\1_0_0_0

-----------------EOF-----------------

LOGFILE.TXT FROM RSIT:

Logfile of random's system information tool 1.06 (written by random/random)
Run by Vlad at 2009-05-02 15:09:03
Microsoft Windows XP Professional Service Pack 3
System drive C: has 31 GB (61%) free of 50 GB
Total RAM: 2045 MB (81% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:04 PM, on 5/2/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Vlad\Tools\Daemon Tools Lite\daemon.exe
D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Vlad\Desktop\RSIT.exe
D:\Vlad\Tools\HijackThis\Vlad.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Vlad\Tools\Daemon Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5891851937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5891794078
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC06CEC9-3EA9-46BF-B0C2-4D79F053E077}: NameServer = 82.76.253.115 82.76.253.125
O20 - Winlogon Notify: !SASWinLogon - D:\Vlad\Tools\Super AntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate1c98c8872f32cb0) (gupdate1c98c8872f32cb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7776 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Google Software Updater.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]
&Yahoo! Toolbar Helper - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
AcroIEHlprObj Class - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 37808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll [2009-03-24 668656]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-03-09 35840]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2009-03-09 73728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll [2008-05-15 817936]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2009-01-15 13680640]
"nwiz"=nwiz.exe /install []
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2008-01-16 69632]
""= []
"Sony Ericsson PC Suite"=C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe [2005-10-26 159744]
"NeroFilterCheck"=C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2006-01-12 155648]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2008-01-16 16384512]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2008-09-06 413696]
"Tweak UI"=TWEAKUI.CPL,TweakMeUp []
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-03-13 1443072]
"NvMediaCenter"=C:\WINDOWS\system32\NvMcTray.dll [2009-01-15 86016]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-03-09 148888]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
"DAEMON Tools Lite"=D:\Vlad\Tools\Daemon Tools Lite\daemon.exe [2008-04-01 486856]
"Messenger (Yahoo!)"=C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe [2008-09-19 4347120]
"Rainlendar2"=D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe [2008-08-24 4067328]
"Sony Ericsson PC Suite"=D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe [2008-06-18 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
D:\Vlad\Tools\Super AntiSpyware\SASWINLO.DLL [2009-01-23 356352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]
C:\WINDOWS\system32\WgaLogon.dll [2009-03-10 190464]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=D:\Vlad\Tools\Super AntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\Wdf01000.sys]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"D:\Vlad\Tools\Xfire\xfire.exe"="D:\Vlad\Tools\Xfire\xfire.exe:*:Enabled:Xfire"
"E:\uTorrent\utorrent.exe"="E:\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Yahoo!\Messenger\YServer.exe"="C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server"
"E:\oDC\oDC\oDC.exe"="E:\oDC\oDC\oDC.exe:*:Enabled:oDC"
"D:\Stefan\Games St\Age of Empires 3\age3x.exe"="D:\Stefan\Games St\Age of Empires 3\age3x.exe:*:Enabled:Age of Empires III - The WarChiefs"
"D:\Stefan\Games St\Age of Empires 3\age3y.exe"="D:\Stefan\Games St\Age of Empires 3\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"D:\Vlad\Steam\steamapps\nuker90\team fortress 2\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\team fortress 2\hl2.exe:*:Enabled:hl2"
"C:\WINDOWS\system32\PnkBstrA.exe"="C:\WINDOWS\system32\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\WINDOWS\system32\PnkBstrB.exe"="C:\WINDOWS\system32\PnkBstrB.exe:*:Enabled:PnkBstrB"
"D:\Vlad\Games\Call of Duty 4\iw3mp.exe"="D:\Vlad\Games\Call of Duty 4\iw3mp.exe:*:Enabled:Call of Duty(R) 4 - Modern Warfare(TM) "
"D:\Vlad\Games\Flatout 2\FlatOut2.exe"="D:\Vlad\Games\Flatout 2\FlatOut2.exe:*:Enabled:FlatOut2"
"D:\Vlad\Games\World of Warcraft\Repair.exe"="D:\Vlad\Games\World of Warcraft\Repair.exe:*:Enabled:Blizzard Repair Utility"
"D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Dx9.exe"="D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Dx9.exe:*:Enabled:Assassin's Creed Dx9"
"D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Dx10.exe"="D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Dx10.exe:*:Enabled:Assassin's Creed Dx10"
"D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Launcher.exe"="D:\Vlad\Games\Assassin's Creed\AssassinsCreed_Launcher.exe:*:Enabled:Assassin's Creed Update"
"D:\Vlad\Games\Warcraft III\Warcraft III.exe"="D:\Vlad\Games\Warcraft III\Warcraft III.exe:*:Enabled:Warcraft III"
"D:\Vlad\Games\Warcraft III\w3l.exe"="D:\Vlad\Games\Warcraft III\w3l.exe:*:Enabled:w3l.exe"
"C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe"="C:\Program Files\Nero\Nero 7\Nero Home\NeroHome.exe:*:Enabled:Nero Home"
"D:\Vlad\Games\Warcraft III\euroloader.exe"="D:\Vlad\Games\Warcraft III\euroloader.exe:*:Enabled:euroloader"
"D:\Vlad\Steam\steamapps\nuker90\source sdk base\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\source sdk base\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Steam\steamapps\nuker90\counter-strike source\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\counter-strike source\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Steam\steamapps\nuker90\half-life 2 deathmatch\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Tools\Mozilla Firefox\firefox.exe"="D:\Vlad\Tools\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"D:\Vlad\Games\FIFA 2009\FIFA09.exe"="D:\Vlad\Games\FIFA 2009\FIFA09.exe:*:Enabled:FIFA09"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\Vlad\Steam\steamapps\nuker90\insurgency\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\insurgency\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Steam\steamapps\nuker90\age of chivalry\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\age of chivalry\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Games\Spider Man Web of Shadows\image\pc\Spider-Man Web of Shadows.exe"="D:\Vlad\Games\Spider Man Web of Shadows\image\pc\Spider-Man Web of Shadows.exe:*:Enabled:Spider-Man(TM) - Web of Shadows"
"D:\Vlad\Games\COD WAW BETA\CoDWaWbeta.exe"="D:\Vlad\Games\COD WAW BETA\CoDWaWbeta.exe:*:Enabled:Call of Duty(R): World at War Multiplayer"
"D:\Vlad\Games\Red Alert 3\Data\ra3_1.0.game"="D:\Vlad\Games\Red Alert 3\Data\ra3_1.0.game:*:Enabled:Command & Conquer™ Red Alert™ 3"
"C:\Documents and Settings\Vlad\Local Settings\Temp\ElectronicArts_Patcher_000.exe"="C:\Documents and Settings\Vlad\Local Settings\Temp\ElectronicArts_Patcher_000.exe:*:Enabled:Red Alert 3 Launcher"
"D:\Vlad\Games\Red Alert 3\RA3.exe"="D:\Vlad\Games\Red Alert 3\RA3.exe:*:Enabled:Command & Conquer™ Red Alert™ 3"
"D:\Vlad\Tools\TVAnts\Tvants.exe"="D:\Vlad\Tools\TVAnts\Tvants.exe:*:Enabled:TVAnts"
"D:\Vlad\Games\Call of Duty 5\CoDWaW.exe"="D:\Vlad\Games\Call of Duty 5\CoDWaW.exe:*:Enabled:Call of Duty(R) - World at War(TM) "
"D:\Vlad\Games\Call of Duty 5\CoDWaWmp.exe"="D:\Vlad\Games\Call of Duty 5\CoDWaWmp.exe:*:Enabled:Call of Duty(R) - World at War(TM) "
"D:\Vlad\Games\Call of Duty 5\CoDWaW_LANFixed.exe"="D:\Vlad\Games\Call of Duty 5\CoDWaW_LANFixed.exe:*:Enabled:Call of Duty(R): World at War Campaign/Coop"
"D:\Vlad\Games\GTA 4\Grand Theft Auto IV\LaunchGTAIV.exe"="D:\Vlad\Games\GTA 4\Grand Theft Auto IV\LaunchGTAIV.exe:*:Enabled:Grand Theft Auto IV"
"D:\Vlad\Games\GTA 4\Rockstar Games Social Club\RGSCLauncher.exe"="D:\Vlad\Games\GTA 4\Rockstar Games Social Club\RGSCLauncher.exe:*:Enabled:Rockstar Games Social Club"
"D:\Vlad\Games\GTA 4\Grand Theft Auto IV\GTAIV.exe"="D:\Vlad\Games\GTA 4\Grand Theft Auto IV\GTAIV.exe:*:Enabled:Grand Theft Auto IV"
"D:\Vlad\Tools\Hamachi\hamachi.exe"="D:\Vlad\Tools\Hamachi\hamachi.exe:*:Enabled:Hamachi"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"D:\Vlad\Games\Gay Arena\Garena.exe"="D:\Vlad\Games\Gay Arena\Garena.exe:*:Enabled:Garena"
"D:\Vlad\Tools\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe"="D:\Vlad\Tools\Sony Ericsson\Sony Ericsson Media Manager\MediaManager.exe:*:Enabled:Sony Ericsson Media Manager 1.1"
"D:\Vlad\Games\Metin 2\metin2.bin"="D:\Vlad\Games\Metin 2\metin2.bin:*:Enabled:metin2"
"D:\Vlad\Games\Mirror's Edge\Binaries\MirrorsEdge.exe"="D:\Vlad\Games\Mirror's Edge\Binaries\MirrorsEdge.exe:*:Enabled:Mirror's Edge™"
"C:\Program Files\Java\jre6\bin\javaw.exe"="C:\Program Files\Java\jre6\bin\javaw.exe:*:Enabled:Java(TM) Platform SE binary"
"D:\Vlad\Steam\steamapps\nuker90\source sdk base 2007\hl2.exe"="D:\Vlad\Steam\steamapps\nuker90\source sdk base 2007\hl2.exe:*:Enabled:hl2"
"D:\Vlad\Tools\SopCast\adv\SopAdver.exe"="D:\Vlad\Tools\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver"
"D:\Vlad\Tools\SopCast\SopCast.exe"="D:\Vlad\Tools\SopCast\SopCast.exe:*:Enabled:SopCast Main Application"
"D:\Vlad\Steam\steamapps\common\warhammer 40,000 dawn of war ii - beta\DOW2.exe"="D:\Vlad\Steam\steamapps\common\warhammer 40,000 dawn of war ii - beta\DOW2.exe:*:Enabled:DOW2"
"D:\Vlad\Games\NFL 2008\mainapp.exe"="D:\Vlad\Games\NFL 2008\mainapp.exe:*:Enabled:Madden NFL 08"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"D:\Vlad\Tools\Skype\Skype.exe"="D:\Vlad\Tools\Skype\Skype.exe:*:Enabled:Skype"
"D:\Vlad\Games\Tom Clancy's HAWX\HAWX.exe"="D:\Vlad\Games\Tom Clancy's HAWX\HAWX.exe:*:Enabled:Tom Clancy's H.A.W.X"
"D:\Vlad\Games\Tom Clancy's HAWX\HAWX_dx10.exe"="D:\Vlad\Games\Tom Clancy's HAWX\HAWX_dx10.exe:*:Enabled:Tom Clancy's H.A.W.X"
"D:\Vlad\Games\FIFA Online 2\FF2Client.exe"="D:\Vlad\Games\FIFA Online 2\FF2Client.exe:*:Enabled:FIFA ONLINE"
"D:\Vlad\Steam\steamapps\common\empire total war demo\Empire.exe"="D:\Vlad\Steam\steamapps\common\empire total war demo\Empire.exe:*:Enabled:Empire: Total War Demo"
"D:\Vlad\Steam\Steam.exe"="D:\Vlad\Steam\Steam.exe:*:Enabled:Steam"
"D:\Vlad\Games\GGPO\ggpo.exe"="D:\Vlad\Games\GGPO\ggpo.exe:*:Enabled:ggpo"
"D:\Vlad\Games\GGPO\ggpofba.exe"="D:\Vlad\Games\GGPO\ggpofba.exe:*:Enabled:Emulator for MC68000/Z80 based arcade games"
"C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe"="C:\Program Files\Sony\Station\Launchpad\_aunchPad.exe:*:Enabled:_aunchPad"
"D:\Vlad\Games\Robots Arena\Robot Arena 2.exe"="D:\Vlad\Games\Robots Arena\Robot Arena 2.exe:*:Enabled:Robot Arena 2"
"D:\Vlad\Games\Star Wars Jedi Academy\GameData\jamp.exe"="D:\Vlad\Games\Star Wars Jedi Academy\GameData\jamp.exe:*:Enabled:Jedi Academy MultiPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4dd55400-5056-11dd-90ca-001d605c9793}]
shell\AutoRun\command - G:\Autorun.exe


======List of files/folders created in the last 1 months======

2009-05-02 15:09:03 ----D---- C:\rsit
2009-05-01 21:25:05 ----A---- C:\WINDOWS\system32\ff2statslog.ini
2009-04-29 23:27:10 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2009-04-26 13:36:16 ----A---- C:\WINDOWS\ntbtlog.txt
2009-04-16 02:16:48 ----D---- C:\CrashReport
2009-04-15 21:33:44 ----D---- C:\Program Files\Common Files\DirectX
2009-04-15 12:20:41 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2009-04-15 12:20:36 ----HDC---- C:\WINDOWS\$NtUninstallKB961373$
2009-04-15 12:19:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2009-04-15 12:19:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2009-04-15 12:19:10 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2009-04-15 12:18:19 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2009-04-15 10:24:22 ----N---- C:\WINDOWS\system32\xpsp4res.dll
2009-04-14 23:42:15 ----D---- C:\Documents and Settings\Vlad\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 23:12:40 ----D---- C:\Documents and Settings\All Users\Application Data\Adobe
2009-04-14 23:12:20 ----D---- C:\Program Files\Common Files\Adobe AIR
2009-04-14 19:00:32 ----D---- C:\SWGEmu
2009-04-14 18:59:49 ----D---- C:\Documents and Settings\Vlad\Application Data\LPECommon
2009-04-14 05:19:32 ----A---- C:\WINDOWS\system32\xfcodec.dll

======List of files/folders modified in the last 1 months======

2009-05-02 15:08:51 ----D---- C:\WINDOWS\Prefetch
2009-05-02 15:06:49 ----D---- C:\WINDOWS\Temp
2009-05-02 13:16:10 ----D---- C:\WINDOWS
2009-05-02 13:15:18 ----SD---- C:\WINDOWS\Tasks
2009-05-02 10:37:28 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-05-01 21:25:05 ----D---- C:\WINDOWS\system32
2009-05-01 21:25:03 ----A---- C:\WINDOWS\FOE2.ini
2009-05-01 20:25:23 ----D---- C:\WINDOWS\system32\drivers
2009-04-29 23:27:15 ----HD---- C:\WINDOWS\inf
2009-04-29 23:27:12 ----RSHDC---- C:\WINDOWS\system32\dllcache
2009-04-29 23:26:49 ----D---- C:\WINDOWS\system32\CatRoot2
2009-04-29 23:26:43 ----SHD---- C:\WINDOWS\Installer
2009-04-29 22:16:38 ----HD---- C:\WINDOWS\$hf_mig$
2009-04-28 22:17:13 ----SD---- C:\Documents and Settings\Vlad\Application Data\Microsoft
2009-04-28 15:47:34 ----D---- C:\Documents and Settings\Vlad\Application Data\uTorrent
2009-04-28 15:39:14 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-04-26 12:24:43 ----D---- C:\WINDOWS\system32\config
2009-04-26 12:24:30 ----D---- C:\WINDOWS\system32\wbem
2009-04-26 12:24:29 ----D---- C:\WINDOWS\Registration
2009-04-26 12:23:53 ----D---- C:\WINDOWS\system32\Restore
2009-04-16 16:50:25 ----D---- C:\Documents and Settings\Vlad\Application Data\Xfire
2009-04-15 21:49:11 ----HD---- C:\Program Files\InstallShield Installation Information
2009-04-15 21:47:22 ----D---- C:\Documents and Settings\Vlad\Application Data\Hamachi
2009-04-15 21:33:44 ----D---- C:\Program Files\Common Files
2009-04-15 18:58:29 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2009-04-15 18:52:59 ----D---- C:\WINDOWS\AppPatch
2009-04-15 12:20:44 ----A---- C:\WINDOWS\imsins.BAK
2009-04-15 12:18:59 ----A---- C:\WINDOWS\WIN.INI
2009-04-14 23:12:40 ----D---- C:\Documents and Settings\Vlad\Application Data\Adobe
2009-04-14 23:07:41 ----A---- C:\WINDOWS\NeroDigital.ini
2009-04-14 18:51:12 ----D---- C:\Program Files\Sony
2009-04-14 15:48:15 ----A---- C:\WINDOWS\system32\PnkBstrB.exe
2009-04-13 23:06:34 ----D---- C:\WINDOWS\Help
2009-04-07 22:21:37 ----D---- C:\WINDOWS\system32\DirectX
2009-04-07 22:20:56 ----RSD---- C:\WINDOWS\assembly
2009-04-06 23:05:56 ----D---- C:\temp
2009-04-06 17:57:24 ----A---- C:\WINDOWS\system32\MRT.exe

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 easdrv;easdrv; C:\WINDOWS\system32\DRIVERS\easdrv.sys [2008-03-13 29704]
R1 EIO_XP;EIO_XP; \??\C:\WINDOWS\system32\drivers\EIO_XP.sys []
R1 epfwtdir;epfwtdir; C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2008-04-13 36352]
R1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2008-04-13 14592]
R1 SASDIFSV;SASDIFSV; \??\D:\Vlad\Tools\Super AntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\D:\Vlad\Tools\Super AntiSpyware\SASKUTIL.sys []
R2 atksgt;atksgt; C:\WINDOWS\system32\DRIVERS\atksgt.sys [2009-04-11 278984]
R2 eamon;EAMON; C:\WINDOWS\system32\DRIVERS\eamon.sys [2008-03-13 40456]
R2 lirsgt;lirsgt; C:\WINDOWS\system32\DRIVERS\lirsgt.sys [2009-04-11 25416]
R3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM); C:\WINDOWS\system32\DRIVERS\webc3vid.sys [2001-11-07 166504]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2008-01-16 4609024]
R3 ipgd;ASUS NX1101 Gigabit Ethernet Adapter Driver; C:\WINDOWS\system32\DRIVERS\ipgdnd51.sys [2005-01-28 33536]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
R3 nv;nv; C:\WINDOWS\system32\DRIVERS\nv4_mini.sys [2009-01-15 6301248]
R3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2008-04-13 30208]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2008-04-13 59520]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
S2 EIO;EIO; \??\C:\WINDOWS\system32\drivers\EIO.sys []
S3 a4tfgpkh;a4tfgpkh; C:\WINDOWS\system32\drivers\a4tfgpkh.sys []
S3 asusgsb;ASUS Virtual Video Capture Device Driver; C:\WINDOWS\system32\drivers\asusgsb.sys [2008-03-25 12416]
S3 ASUSVRC;ASUSTeK Virtual Capture Device; C:\WINDOWS\system32\DRIVERS\AsusVRC.sys [2007-01-29 18432]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 CrystalSysInfo;CrystalSysInfo; \??\D:\Vlad\Tools\MediaCoder\SysInfo.sys []
S3 ggflt;SEMC USB Flash Driver Filter; C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-12-30 10976]
S3 ggsemc;SEMC USB Flash Driver; C:\WINDOWS\system32\DRIVERS\ggsemc.sys [2008-12-30 22368]
S3 hamachi;Hamachi Network Interface; C:\WINDOWS\system32\DRIVERS\hamachi.sys [2008-10-31 17480]
S3 k750mdfl;Sony Ericsson 750 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\k750mdfl.sys [2008-07-25 6576]
S3 k750mdm;Sony Ericsson 750 USB WMC Modem Drivers; C:\WINDOWS\system32\DRIVERS\k750mdm.sys [2008-07-25 89872]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-13 10880]
S3 s115bus;Sony Ericsson Device 115 driver (WDM); C:\WINDOWS\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
S3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
S3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
S3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
S3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
S3 s117bus;Sony Ericsson Device 117 driver (WDM); C:\WINDOWS\system32\DRIVERS\s117bus.sys [2007-06-25 82984]
S3 s117mdfl;Sony Ericsson Device 117 USB WMC Modem Filter; C:\WINDOWS\system32\DRIVERS\s117mdfl.sys [2007-06-25 14888]
S3 s117mdm;Sony Ericsson Device 117 USB WMC Modem Driver; C:\WINDOWS\system32\DRIVERS\s117mdm.sys [2007-06-25 108456]
S3 s117mgmt;Sony Ericsson Device 117 USB WMC Device Management Drivers (WDM); C:\WINDOWS\system32\DRIVERS\s117mgmt.sys [2007-06-25 100264]
S3 s117nd5;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (NDIS); C:\WINDOWS\system32\DRIVERS\s117nd5.sys [2007-06-25 22952]
S3 s117obex;Sony Ericsson Device 117 USB WMC OBEX Interface; C:\WINDOWS\system32\DRIVERS\s117obex.sys [2007-06-25 98344]
S3 s117unic;Sony Ericsson Device 117 USB Ethernet Emulation SEMC117 (WDM); C:\WINDOWS\system32\DRIVERS\s117unic.sys [2007-06-25 98856]
S3 SASENUM;SASENUM; \??\D:\Vlad\Tools\Super AntiSpyware\SASENUM.SYS []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
S3 Video3D;ASUS Video3D Service; C:\WINDOWS\System32\Drivers\Video3D32.sys []
S3 Wdf01000;Kernel Mode Driver Frameworks service; C:\WINDOWS\System32\Drivers\wdf01000.sys [2008-03-27 503008]
S3 WpdUsb;WpdUsb; C:\WINDOWS\system32\DRIVERS\wpdusb.sys [2006-10-18 38528]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S3 zlportio;zlportio; \??\D:\Vlad\Games\UltraStar Deluxe\zlportio.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []
S4 WS2IFSL;Windows Socket 2.0 Non-IFS Service Provider Support Environment; C:\WINDOWS\System32\drivers\ws2ifsl.sys [2001-08-23 12032]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2009-03-09 152984]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2009-01-15 163908]
R2 PnkBstrA;PnkBstrA; C:\WINDOWS\system32\PnkBstrA.exe [2009-03-02 75064]
R2 PnkBstrB;PnkBstrB; C:\WINDOWS\system32\PnkBstrB.exe [2009-04-14 189072]
R2 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2008-04-14 14336]
S2 gupdate1c98c8872f32cb0;Google Update Service (gupdate1c98c8872f32cb0); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-24 183280]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-03-13 19200]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe [2007-10-09 36864]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe [2005-04-04 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2007-10-11 864256]
S3 npggsvc;nProtect GameGuard Service; C:\WINDOWS\system32\GameMon.des [2009-03-30 2735133]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 usprserv;User Privilege Service; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2007-10-11 122880]

-----------------EOF-----------------



Thanks again !
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Katana » May 2nd, 2009, 9:44 am

Information




REMOVE P2P PROGRAMS

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

µTorrent

Please read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected.
The bad guys use P2P filesharing as a major conduit to spread their wares.

Go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red) NOW.


----------------------------------------------------------- -----------------------------------------------------------

Step 1

the problem HJT entry wasn't there anymore

Yes it is, it shows in both the HJT and RSIT logs

Fix With HJT

Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\winhelp.exe

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

----------------------------------------------------------- -----------------------------------------------------------
Step 2


Kaspersky Online Scanner .
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal
NOTE:- This scan is best done from IE (Internet Explorer)

NOTE:- Vista users should start IE by Start(Vista Orb) >> Internet Explorer >> Right-Click Run As Admin
Go Here http://www.kaspersky.com/kos/eng/partne ... bscan.html

Read the Requirements and limitations before you click Accept.
Once the database has downloaded, click My Computer in the left pane
Now go and put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

----------------------------------------------------------- -----------------------------------------------------------
Step 3

USBNoRisk

Please download USBNoRisk to your Desktop and run it by double-clicking the program's icon
wait a couple of seconds for initial scan to be done
connect all of the USB storage devices to the PC, one at a time, and keep each one connected at least for 10 seconds
if there are more USB storage devices to scan, please take a note about the order in which these were connected
after all the devices are scanned, choose "Save log" option from right-click menu on Monitor tab. That will open the log in Notepad. Please copy/paste the log to forum

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC, e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras, memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

----------------------------------------------------------- -----------------------------------------------------------
Step 4

Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • A fresh HJT log
  • Kaspersky Log
  • USBNoRisk Log
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester
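The USBNoRisk step above looks for the same things a hand triage of an autorun worm checks: an autorun.inf whose directives launch code, the cached shell\AutoRun\command verb under MountPoints2 (the RSIT log above shows one pointing at G:\Autorun.exe), files that a desktop.ini makes Explorer load, and "mimics" (executables posing as folders or media). The script below is an added example of those checks done offline, not code from this thread, from USBNoRisk or from RSIT; every sample input is constructed, including the placeholder GUID and the paths.

```python
r"""Added example: autorun-worm triage checks over a drive snapshot, run
offline on constructed input. Not code from the thread, USBNoRisk or RSIT;
the GUID and paths in the samples below are made up."""
import re
from pathlib import PureWindowsPath

EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".cmd"}
MEDIA_EXTS = {".jpg", ".jpeg", ".avi", ".mpg", ".wmv", ".mp3", ".doc", ".pdf"}
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.I)
RSIT_MOUNTPOINT_RE = re.compile(r"^(shell\\[^\\]+\\command)\s+-\s+(.+)$", re.I)
MEDIA_PREFIX_RE = re.compile(r"^(video|movie|photo|image|music)\s*-\s*", re.I)


def parse_inf(text):
    """Minimal INI parser: {section (lower): {key (lower): value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def autorun_launch_targets(inf_text):
    r"""(directive, target) pairs in [autorun] that execute code when the volume
    is opened: open=, shellexecute=, shell\<verb>\command=. icon/label/action are inert."""
    auto = parse_inf(inf_text).get("autorun", {})
    return [(k, v) for k, v in auto.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.match(k)]


def rsit_mountpoint_hits(lines):
    r"""Explorer caches each volume's autorun verbs under HKCU\...\Explorer\MountPoints2,
    so a shell\AutoRun\command there keeps firing after the autorun.inf itself is gone."""
    hits, in_mountpoints = [], False
    for line in lines:
        line = line.strip()
        if line.startswith("["):
            in_mountpoints = "mountpoints2" in line.lower()
            continue
        m = RSIT_MOUNTPOINT_RE.match(line) if in_mountpoints else None
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits


def desktop_ini_references(text):
    """Files a desktop.ini can make Explorer load (IconFile=, IconResource=; the icon
    index after the comma is dropped). A MusicBuyUrl is a URL, not a file reference."""
    info = parse_inf(text).get(".shellclassinfo", {})
    return [info[k].split(",")[0].strip() for k in ("iconfile", "iconresource") if k in info]


def _directory_entries(paths):
    """Map every directory to the names inside it and collect every implied folder path."""
    entries, folders = {}, set()
    for p in paths:
        child, is_file = PureWindowsPath(p), True
        for parent in child.parents:
            entries.setdefault(str(parent).lower(), set()).add(child.name.lower())
            if not is_file:
                folders.add(str(child).lower())
            child, is_file = parent, False
    return entries, folders


def find_mimics(paths):
    r"""(path, reason) for executables posing as something else: '<folder>.exe' beside a
    (hidden) folder of that name, 'VIDEO - x.exe' or 'x.jpg.exe' fake media, or a folder
    whose only content is an .exe named after it. A bare "exe named after its folder"
    rule is deliberately not used: Skype\Skype.exe would match it."""
    entries, folders = _directory_entries(paths)
    found = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.suffix.lower() not in EXEC_EXTS:
            continue
        plain = MEDIA_PREFIX_RE.sub("", wp.stem).strip().lower()
        if str(wp.parent / wp.stem).lower() in folders:
            found.append((p, "executable mimics sibling folder"))
        elif MEDIA_PREFIX_RE.match(wp.stem) or PureWindowsPath(wp.stem).suffix.lower() in MEDIA_EXTS:
            found.append((p, "media-decoy name"))
        elif plain == wp.parent.name.lower() and entries.get(str(wp.parent).lower()) == {wp.name.lower()}:
            found.append((p, "sole executable named after its folder"))
    return found


# Constructed samples (not taken from the thread's logs; GUID is a placeholder).
SAMPLE_AUTORUN_INF = r"""[autorun]
open=Autorun.exe
icon=Autorun.exe,0
shell\open\command=Autorun.exe
shell\explore\command=Autorun.exe
action=Open folder to view files
"""
SAMPLE_RSIT_LINES = [
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]",
    r'"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe"',
    r"[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{00000000-0000-0000-0000-000000000000}]",
    r"shell\AutoRun\command - G:\Autorun.exe",
]
SAMPLE_DESKTOP_INI_BENIGN = "[.ShellClassInfo]\nFolderType=MusicAlbum\nMusicBuyUrl=http://windowsmedia.com/redir/buynow9.asp?album=x\n"
SAMPLE_DESKTOP_INI_BAD = "[.ShellClassInfo]\nIconResource=..\\Autorun.exe,0\n"
SAMPLE_PATHS = [
    r"D:\Transfer\Holiday Photos\VIDEO - Holiday Photos.exe",  # fake clip beside real photos
    r"D:\Transfer\Holiday Photos\IMG_0001.jpg",
    r"D:\Transfer\Report\Report.exe",                           # decoy folder holding only the exe
    r"D:\Transfer\Invoices.exe",                                # beside the real Invoices\ folder
    r"D:\Transfer\Invoices\2009-04.pdf",
    r"D:\Transfer\party.jpg.exe",                               # double extension
    r"D:\Vlad\Tools\Skype\Skype.exe",                           # legitimate, must not be flagged
    r"D:\Vlad\Tools\Skype\Skype.ini",
]
```

To use it on a real machine, feed `find_mimics` a recursive listing of the shared folders and removable drives, the text of each autorun.inf and desktop.ini to the two parsers, and the RSIT registry section to `rsit_mountpoint_hits`; an empty autorun.inf result does not clear a volume, because the MountPoints2 verb survives deletion of the file.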

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » May 3rd, 2009, 6:37 am

Sorry for the delay, but the Kaspersky Online Scanner took me a while :) I also uninstalled the uTorrent P2P client, sorry for the inconvenience.
So, here are the logs:

HJT FRESH LOGFILE :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:21 PM, on 5/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Vlad\Tools\Daemon Tools Lite\daemon.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
D:\Vlad\Tools\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ro/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "D:\Vlad\Tools\Daemon Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Rainlendar2] D:\Vlad\Tools\Rainlendar2\Rainlendar2.exe
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "D:\Vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 5891851937
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 5891794078
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC06CEC9-3EA9-46BF-B0C2-4D79F053E077}: NameServer = 82.76.253.115 82.76.253.125
O20 - Winlogon Notify: !SASWinLogon - D:\Vlad\Tools\Super AntiSpyware\SASWINLO.DLL
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Update Service (gupdate1c98c8872f32cb0) (gupdate1c98c8872f32cb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 7329 bytes



Kaspersky LOGFILE :

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Saturday, May 2, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Saturday, May 02, 2009 19:04:22
Records in database: 2120968
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 188448
Threat name: 2
Infected objects: 18
Suspicious objects: 0
Duration of the scan: 03:20:00


File name / Threat name / Threats count
D:\Transfer\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Transfer\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Transfer\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Transfer\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Transfer\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Transfer\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe Infected: Worm.Win32.AutoRun.xxn 1
D:\Vlad\Kituri Vlad\Codecs and Stuff\De la Dragos\WINAMP 2.6\PLUGINS\realreverb310.exe Infected: not-a-virus:AdWare.Win32.Aureate.a 6
E:\Transfer Download\-= The Porn Collection =-\Blonde-stravaganza\VIDEO - Blonde-stravaganza.exe Infected: Worm.Win32.AutoRun.xxn 1
E:\Transfer Download\-= The Porn Collection =-\Casey Parker's School's Out\VIDEO - Casey Parker's School's Out.exe Infected: Worm.Win32.AutoRun.xxn 1
E:\Transfer Download\-= The Porn Collection =-\Extreme Ty #9 On The Prowl\VIDEO - Extreme Ty #9 On The Prowl.exe Infected: Worm.Win32.AutoRun.xxn 1
E:\Transfer Download\-= The Porn Collection =-\Impulsive Sex Acts\VIDEO - Impulsive Sex Acts.exe Infected: Worm.Win32.AutoRun.xxn 1
E:\Transfer Download\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5\VIDEO - INTERNAL EXPLOSIONS 5.exe Infected: Worm.Win32.AutoRun.xxn 1
E:\Transfer Download\-= The Porn Collection =-\Pretty Young Ass\Pretty Young Ass.exe Infected: Worm.Win32.AutoRun.xxn 1

The selected area was scanned.



USBNoRisk LOGFILE :

USBNoRisk 2.1 by bobby

Started at 5/3/2009 1:24:17 PM

Scanning for connected USB Mass storage...
----------------------------------------
========================================

Scanning for other storage...
----------------------------------------
C: {103b288e-500c-11dd-9751-806d6172696f}
D: {103b288f-500c-11dd-9751-806d6172696f}
E: {103b2890-500c-11dd-9751-806d6172696f}
========================================


Scanning fixed storage for autorun.inf files...
----------------------------------------

No blocked files found on C:
No Autorun.inf files found on C:
No mountpoint found for C:
No mountpoint found for 103b288e-500c-11dd-9751-806d6172696f
----------------------------------------

No blocked files found on D:
No Autorun.inf files found on D:
No mountpoint found for D:
No mountpoint found for 103b288f-500c-11dd-9751-806d6172696f
----------------------------------------

No blocked files found on E:
No Autorun.inf files found on E:
No mountpoint found for E:
No mountpoint found for 103b2890-500c-11dd-9751-806d6172696f
----------------------------------------

========================================
Initial scan finished!
========================================


New device connected at 5/3/2009 1:25:03 PM

Scanning for connected USB mass storage...
----------------------------------------

========================================
New drive connected, but USBNoRisk can't find it
========================================



New device connected at 5/3/2009 1:25:04 PM


Scanning for connected USB mass storage...
----------------------------------------

========================================
New drive connected, but USBNoRisk can't find it
========================================



New device connected at 5/3/2009 1:25:13 PM

Scanning for connected removable storage...
----------------------------------------
H: {77ed7f98-d2a8-11dd-91c8-001d605c9793}
J: {77ed7f99-d2a8-11dd-91c8-001d605c9793}
Added J:
========================================

Scanning removable storage for files...
----------------------------------------


New device connected at 5/3/2009 1:25:13 PM

Scanning for connected removable storage...
----------------------------------------

========================================

Scanning removable storage for files...
----------------------------------------
No blocked files found on J:
----------------------------------------
No Autorun.inf files found on J:
Sanitized mountpoint for 77ed7f99-d2a8-11dd-91c8-001d605c9793
----------------------------------------

desktop.ini found on J:
----------------------------------------

Content of J:\Music\MP3\Pirates of the Carribean\desktop.ini
----------------------------------------
[.ShellClassInfo]
FolderType=MusicAlbum
MusicBuyUrl=http://windowsmedia.com/redir/buynow9.asp?providerName=ZACR DBS&albumID=A9336AF4-96A2-4C65-A38F-778573F63E8F&a_id=%20&album=Pirates%20Of%20The%20Caribbean:%20The%20Curse%20Of%20The%20Black%20Pearl&artistID=64422E7B-3A9A-4439-93EB-F3260CCFC2CA&p_id=%20&artist=Klaus%20Badelt&locale=409&geoid=c8&version=10.0.0.4036&userlocale=418
----------------------------------------

Files referenced from J:\Music\MP3\Pirates of the Carribean\desktop.ini
----------------------------------------
None
----------------------------------------

----------------------------------------

No mimics found on drive J:
========================================

No blocked files found on J:
----------------------------------------
No Autorun.inf files found on J:
No mountpoint found for 77ed7f99-d2a8-11dd-91c8-001d605c9793
----------------------------------------

desktop.ini found on J:
----------------------------------------

Content of J:\Music\MP3\Pirates of the Carribean\desktop.ini
----------------------------------------
[.ShellClassInfo]
FolderType=MusicAlbum
MusicBuyUrl=http://windowsmedia.com/redir/buynow9.asp?providerName=ZACR DBS&albumID=A9336AF4-96A2-4C65-A38F-778573F63E8F&a_id=%20&album=Pirates%20Of%20The%20Caribbean:%20The%20Curse%20Of%20The%20Black%20Pearl&artistID=64422E7B-3A9A-4439-93EB-F3260CCFC2CA&p_id=%20&artist=Klaus%20Badelt&locale=409&geoid=c8&version=10.0.0.4036&userlocale=418
----------------------------------------

Files referenced from J:\Music\MP3\Pirates of the Carribean\desktop.ini
----------------------------------------
None
----------------------------------------

----------------------------------------

No mimics found on drive J:
========================================




Kaspersky discovered the randomly spawned folder containing the worms. The "Porn" folder which I didn't download. I have no such porn things on my computer, but I don't know how it appeared over there. And, is there a chance that the worm is an intelligent thing that spawns the folder in the "shared" folders with the reason of sharing it with the other PCs?

Thanks for the help.
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania
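The USBNoRisk log above answers two questions for each removable drive: does it carry an autorun.inf, and which files does its desktop.ini reference (here: none, because the file only sets FolderType and MusicBuyUrl). The Python below is an added example, not USBNoRisk's code and not anything posted in this thread: it parses either file type, extracts the file references, and flags any reference that points at an executable, which is the thing a defender wants to know about an autorun.inf on a drive they just plugged in. The key lists are an assumption (the common keys only), and all three sample files are constructed; the first is modelled on the desktop.ini shown in the log with its long MusicBuyUrl shortened.

```python
"""Added example: extract file references from autorun.inf / desktop.ini text,
the same question USBNoRisk reports in its "Files referenced from ..." lines.
Not USBNoRisk's code; key lists are an assumption, samples are constructed."""
import configparser
import ntpath
import os

# Keys whose value names a file on the drive (assumption: common keys only).
# autorun.inf: open= / shellexecute= run a program, icon= names an icon file,
# shell\<verb>\command= adds a context-menu command (handled by suffix below).
# desktop.ini: IconFile= / IconResource= name the file supplying the folder icon.
FILE_KEYS = {"open", "shellexecute", "icon", "iconfile", "iconresource"}
# Keys whose value may carry command-line arguments after the file name.
ARG_KEYS = {"open", "shellexecute"}
# A referenced file with one of these extensions is code, not data.
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js", ".lnk"}


def _first_path(value, with_args):
    """Strip a trailing ',<index>' (icon resources) and, for command keys, any arguments."""
    value = value.split(",", 1)[0].strip()
    if not with_args:
        return value
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def referenced_files(text):
    """Return the file paths named by file-bearing keys, in file order."""
    # delimiters: '=' only, because values such as URLs contain ':'; no
    # interpolation, because values contain '%20'; strict=False tolerates
    # duplicate keys, which hand-written inf files often have.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(text)
    refs = []
    for section in cp.sections():
        for key, value in cp.items(section):   # keys are lower-cased by configparser
            if value is None:
                continue
            is_command = key.endswith("\\command")
            if key in FILE_KEYS or is_command:
                path = _first_path(value, key in ARG_KEYS or is_command)
                if path:
                    refs.append(path)
    return refs


def analyse(text):
    """References plus the de-duplicated subset that point at executables."""
    refs = referenced_files(text)
    exes = []
    for ref in refs:
        if ntpath.splitext(ref)[1].lower() in EXECUTABLE_EXTS and ref not in exes:
            exes.append(ref)
    return {"references": refs, "executables": exes}


def scan_tree(root):
    """Walk a drive or folder and analyse every autorun.inf / desktop.ini found.
    Assumes ANSI/UTF-8 files; a UTF-16 desktop.ini is reported as a parse error."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in ("autorun.inf", "desktop.ini"):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    try:
                        findings[full] = analyse(fh.read())
                    except configparser.Error as exc:
                        findings[full] = {"error": str(exc)}
    return findings


# Constructed sample modelled on the desktop.ini in the USBNoRisk log
# (MusicBuyUrl shortened); it names no file, so nothing is referenced.
SAMPLE_DESKTOP_INI = (
    "[.ShellClassInfo]\n"
    "FolderType=MusicAlbum\n"
    "MusicBuyUrl=http://windowsmedia.com/redir/buynow9.asp?providerName=ZACR DBS"
    "&album=Pirates%20Of%20The%20Caribbean\n"
)
# Constructed: a desktop.ini whose folder icon is served by an executable.
SAMPLE_DESKTOP_INI_EXE = "[.ShellClassInfo]\nIconResource=photos.exe,0\n"
# Constructed: an autorun.inf that would run a program when the drive is opened.
SAMPLE_AUTORUN_INF = (
    "[autorun]\n"
    "open=setup.exe /s\n"
    "icon=setup.ico,0\n"
    "shell\\explore\\command=\"setup.exe\" /e\n"
)

if __name__ == "__main__":
    for label, sample in (("desktop.ini (page)", SAMPLE_DESKTOP_INI),
                          ("desktop.ini (exe icon)", SAMPLE_DESKTOP_INI_EXE),
                          ("autorun.inf", SAMPLE_AUTORUN_INF)):
        print(label, analyse(sample))
```

`scan_tree("J:\\")` run against a mounted drive gives the per-file view USBNoRisk prints; an autorun.inf whose `executables` list is non-empty is the case to look at before double-clicking the drive in Explorer.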

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Katana » May 3rd, 2009, 7:35 am

is there a chance that the worm is an intelligent thing that spawns the folder in the "shared" folders with the reason of sharing it with the other PCs?

Yes :)




OTMoveIt
Please download OTMoveIt3 by OldTimer and save it to your desktop
  • Double-click OTMoveIt3.exe to run it.
  • Copy the lines in the codebox below. ( Make sure you include :Processes )
:Processes
:Files
D:\Transfer\-= The Porn Collection =-
D:\Vlad\Kituri Vlad\Codecs and Stuff\De la Dragos\WINAMP 2.6\PLUGINS\realreverb310.exe
E:\Transfer Download\-= The Porn Collection =-
:Commands
[Purity]
[EmptyTemp]

  • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Close ALL open windows (especially Internet Explorer!)
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Let's make sure nothing is lurking.

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

  • You must download it to and run it from your Desktop
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply
  • Re-enable all the programs that were disabled during the running of ComboFix.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper




Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • OTMoveIt Log
  • Combofix Log
  • How are things running now ?
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » May 3rd, 2009, 11:29 am

OK, I've done everything:

OTMoveIt3 LOGFILE:

========== PROCESSES ==========
========== FILES ==========
Folder move failed. D:\Transfer\-= The Porn Collection =-\Pretty Young Ass scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5 scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =-\Impulsive Sex Acts scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =-\Extreme Ty #9 On The Prowl scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =-\Casey Parker's School's Out scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =-\Blonde-stravaganza scheduled to be moved on reboot.
Folder move failed. D:\Transfer\-= The Porn Collection =- scheduled to be moved on reboot.
D:\Vlad\Kituri Vlad\Codecs and Stuff\De la Dragos\WINAMP 2.6\PLUGINS\realreverb310.exe moved successfully.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\Pretty Young Ass scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5 scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\Impulsive Sex Acts scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\Extreme Ty #9 On The Prowl scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\Casey Parker's School's Out scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =-\Blonde-stravaganza scheduled to be moved on reboot.
Folder move failed. E:\Transfer Download\-= The Porn Collection =- scheduled to be moved on reboot.
========== COMMANDS ==========
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Vlad\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6f8.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_cbc.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05032009_175950

Files moved on Reboot...
D:\Transfer\-= The Porn Collection =-\Pretty Young Ass moved successfully.
D:\Transfer\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5 moved successfully.
D:\Transfer\-= The Porn Collection =-\Impulsive Sex Acts moved successfully.
D:\Transfer\-= The Porn Collection =-\Extreme Ty #9 On The Prowl moved successfully.
D:\Transfer\-= The Porn Collection =-\Casey Parker's School's Out moved successfully.
D:\Transfer\-= The Porn Collection =-\Blonde-stravaganza moved successfully.
D:\Transfer\-= The Porn Collection =- moved successfully.
E:\Transfer Download\-= The Porn Collection =-\Pretty Young Ass moved successfully.
E:\Transfer Download\-= The Porn Collection =-\INTERNAL EXPLOSIONS 5 moved successfully.
E:\Transfer Download\-= The Porn Collection =-\Impulsive Sex Acts moved successfully.
E:\Transfer Download\-= The Porn Collection =-\Extreme Ty #9 On The Prowl moved successfully.
E:\Transfer Download\-= The Porn Collection =-\Casey Parker's School's Out moved successfully.
E:\Transfer Download\-= The Porn Collection =-\Blonde-stravaganza moved successfully.
E:\Transfer Download\-= The Porn Collection =- moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_6f8.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_cbc.dat not found!



COMBOFIX LOGFILE:

ComboFix 09-05-02.4 - Vlad 05/03/2009 18:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1511 [GMT 3:00]
Running from: c:\documents and settings\Vlad\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-04-03 to 2009-05-03 )))))))))))))))))))))))))))))))
.

2009-05-03 14:59 . 2009-05-03 14:59 -------- d-----w C:\_OTMoveIt
2009-05-03 10:26 . 2009-05-03 10:26 -------- d-----w C:\USBNoRisk
2009-04-15 23:16 . 2009-04-15 23:16 -------- d-----w C:\CrashReport
2009-04-15 18:33 . 2009-04-15 18:33 -------- d-----w c:\program files\Common Files\DirectX
2009-04-15 07:24 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-15 07:24 . 2008-04-21 12:08 215552 -c----w c:\windows\system32\dllcache\wordpad.exe
2009-04-15 07:24 . 2009-03-06 14:22 284160 -c----w c:\windows\system32\dllcache\pdh.dll
2009-04-15 07:24 . 2009-02-09 12:10 401408 -c----w c:\windows\system32\dllcache\rpcss.dll
2009-04-15 07:24 . 2009-02-06 11:11 110592 -c----w c:\windows\system32\dllcache\services.exe
2009-04-15 07:24 . 2009-02-09 12:10 473600 -c----w c:\windows\system32\dllcache\fastprox.dll
2009-04-15 07:24 . 2009-02-06 10:10 227840 -c----w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-15 07:24 . 2009-02-09 12:10 453120 -c----w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-15 07:24 . 2009-02-09 12:10 729088 -c----w c:\windows\system32\dllcache\lsasrv.dll
2009-04-15 07:24 . 2009-02-09 12:10 617472 -c----w c:\windows\system32\dllcache\advapi32.dll
2009-04-15 07:24 . 2009-02-09 12:10 714752 -c----w c:\windows\system32\dllcache\ntdll.dll
2009-04-14 22:28 . 2009-04-14 22:28 -------- d-----w c:\documents and settings\Vlad\Local Settings\Application Data\LaunchpadEnhanced
2009-04-14 20:42 . 2009-04-14 20:42 -------- d-----w c:\documents and settings\Vlad\Application Data\com.doubleperfect.ggpo.0753AD3679DBFCA1E7F470171B7D0DB8B404A7EA.1
2009-04-14 20:12 . 2009-04-14 20:12 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-14 16:00 . 2009-04-14 22:38 -------- d-----w C:\SWGEmu
2009-04-14 15:59 . 2009-04-14 15:59 -------- d-----w c:\documents and settings\Vlad\Application Data\LPECommon
2009-04-14 15:59 . 2009-04-14 15:59 -------- d-----w c:\documents and settings\Vlad\Local Settings\Application Data\Downloaded Installations
2009-04-14 02:19 . 2009-04-14 02:19 41808 ----a-w c:\windows\system32\xfcodec.dll
2009-04-11 12:19 . 2009-04-11 12:19 278984 ----a-w c:\windows\system32\drivers\atksgt.sys
2009-04-11 12:19 . 2009-04-11 12:19 25416 ----a-w c:\windows\system32\drivers\lirsgt.sys
2009-04-04 12:59 . 2009-04-04 12:59 -------- d-----w c:\documents and settings\Vlad\Local Settings\Application Data\EA Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-03 15:19 . 2008-07-12 09:47 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-03 15:03 . 2009-01-28 18:07 868 ----a-w c:\windows\Tasks\Google Software Updater.job
2009-05-03 15:01 . 2009-02-11 20:36 882 ----a-w c:\windows\Tasks\GoogleUpdateTaskMachine.job
2009-04-15 18:49 . 2008-07-12 09:53 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-14 15:51 . 2008-12-30 12:57 -------- d-----w c:\program files\Sony
2009-04-14 12:48 . 2008-07-13 13:55 189072 ----a-w c:\windows\system32\PnkBstrB.exe
2009-04-14 12:14 . 2008-07-13 13:55 138920 ----a-w c:\windows\system32\drivers\PnkBstrK.sys
2009-04-13 23:32 . 2008-10-28 13:33 2593096 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-04-01 20:30 . 2008-07-14 12:56 -------- d-----w c:\program files\Java
2009-03-31 11:23 . 2009-03-31 11:23 -------- d-----w c:\program files\Common Files\INCA Shared
2009-03-13 13:21 . 2008-07-13 10:05 -------- d-----w c:\program files\Common Files\Blizzard Entertainment
2009-03-09 02:19 . 2008-12-07 10:44 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 02:34 . 2004-08-03 21:56 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 02:34 . 2004-08-03 21:56 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 02:33 . 2004-08-03 21:56 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 02:33 . 2004-08-03 21:56 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 02:32 . 2004-08-03 21:56 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 02:32 . 2004-08-03 21:56 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 02:31 . 2004-08-03 21:56 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 02:31 . 2004-08-03 21:56 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 02:31 . 2004-08-03 21:56 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 02:22 . 2001-08-23 11:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2004-08-03 21:56 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-02 13:35 . 2008-07-13 13:55 75064 ----a-w c:\windows\system32\PnkBstrA.exe
2009-02-09 12:10 . 2004-08-03 21:56 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2004-08-03 21:56 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2004-08-03 21:56 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 12:10 . 2004-08-03 21:56 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 11:13 . 2004-08-03 20:17 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 16:52 . 2009-02-06 16:52 49504 ----a-w c:\windows\system32\sirenacm.dll
2009-02-06 11:11 . 2004-08-03 21:56 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2004-08-03 20:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2001-08-23 11:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-03 22:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-04 22:31 . 2008-07-12 09:59 65344 ----a-w c:\documents and settings\Vlad\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-02-03 19:59 . 2004-08-03 21:56 56832 ----a-w c:\windows\system32\secur32.dll
.

------- Sigcheck -------

[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[7] 2004-08-03 20:14 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\TCPIP.SYS
[-] 2009-01-14 12:14 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\dllcache\TCPIP.SYS
[-] 2009-01-14 12:14 361600 D24EA301E2B36C4E975FD216CA85D8E7 c:\windows\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DAEMON Tools Lite"="d:\vlad\Tools\Daemon Tools Lite\daemon.exe" [2008-04-01 486856]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2008-09-19 4347120]
"Rainlendar2"="d:\vlad\Tools\Rainlendar2\Rainlendar2.exe" [2008-08-24 4067328]
"Sony Ericsson PC Suite"="d:\vlad\Tools\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-06-18 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 159744]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-09-06 413696]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-01-15 1657376]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2008-01-16 16384512]
"Tweak UI"="TWEAKUI.CPL" - c:\windows\system32\tweakui.cpl [2003-03-25 106544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\vlad\Tools\Super AntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-23 13:15 356352 ----a-w d:\vlad\Tools\Super AntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"d:\\Vlad\\Tools\\Xfire\\xfire.exe"=
"e:\\oDC\\oDC\\oDC.exe"=
"d:\\Stefan\\Games St\\Age of Empires 3\\age3x.exe"=
"d:\\Stefan\\Games St\\Age of Empires 3\\age3y.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\team fortress 2\\hl2.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"d:\\Vlad\\Games\\Call of Duty 4\\iw3mp.exe"=
"d:\\Vlad\\Games\\World of Warcraft\\Repair.exe"=
"d:\\Vlad\\Games\\Assassin's Creed\\AssassinsCreed_Dx9.exe"=
"d:\\Vlad\\Games\\Assassin's Creed\\AssassinsCreed_Dx10.exe"=
"d:\\Vlad\\Games\\Assassin's Creed\\AssassinsCreed_Launcher.exe"=
"d:\\Vlad\\Games\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"d:\\Vlad\\Games\\Warcraft III\\euroloader.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\source sdk base\\hl2.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\counter-strike source\\hl2.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\half-life 2 deathmatch\\hl2.exe"=
"d:\\Vlad\\Tools\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"d:\\Vlad\\Games\\FIFA 2009\\FIFA09.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\insurgency\\hl2.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\age of chivalry\\hl2.exe"=
"d:\\Vlad\\Games\\Spider Man Web of Shadows\\image\\pc\\Spider-Man Web of Shadows.exe"=
"d:\\Vlad\\Games\\Red Alert 3\\Data\\ra3_1.0.game"=
"d:\\Vlad\\Games\\Red Alert 3\\RA3.exe"=
"d:\\Vlad\\Tools\\TVAnts\\Tvants.exe"=
"d:\\Vlad\\Games\\Call of Duty 5\\CoDWaW.exe"=
"d:\\Vlad\\Games\\Call of Duty 5\\CoDWaWmp.exe"=
"d:\\Vlad\\Games\\GTA 4\\Grand Theft Auto IV\\LaunchGTAIV.exe"=
"d:\\Vlad\\Games\\GTA 4\\Rockstar Games Social Club\\RGSCLauncher.exe"=
"d:\\Vlad\\Games\\GTA 4\\Grand Theft Auto IV\\GTAIV.exe"=
"d:\\Vlad\\Tools\\Hamachi\\hamachi.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"d:\\Vlad\\Games\\Gay Arena\\Garena.exe"=
"d:\\Vlad\\Tools\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"d:\\Vlad\\Games\\Mirror's Edge\\Binaries\\MirrorsEdge.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"d:\\Vlad\\Steam\\steamapps\\nuker90\\source sdk base 2007\\hl2.exe"=
"d:\\Vlad\\Tools\\SopCast\\adv\\SopAdver.exe"=
"d:\\Vlad\\Tools\\SopCast\\SopCast.exe"=
"d:\\Vlad\\Games\\NFL 2008\\mainapp.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"d:\\Vlad\\Tools\\Skype\\Skype.exe"=
"d:\\Vlad\\Games\\Tom Clancy's HAWX\\HAWX.exe"=
"d:\\Vlad\\Games\\FIFA Online 2\\FF2Client.exe"=
"d:\\Vlad\\Steam\\steamapps\\common\\empire total war demo\\Empire.exe"=
"d:\\Vlad\\Steam\\Steam.exe"=
"d:\\Vlad\\Games\\GGPO\\ggpo.exe"=
"d:\\Vlad\\Games\\GGPO\\ggpofba.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\LaunchPad.exe"=
"d:\\Vlad\\Games\\Star Wars Jedi Academy\\GameData\\jamp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6112:TCP"= 6112:TCP:Warcraft3 Hoster
"16800:TCP"= 16800:TCP:TVAnts Ports
"16800:UDP"= 16800:UDP:TVANTS Port2
"3658:TCP"= 3658:TCP:FIFA
"3658:UDP"= 3658:UDP:FIFA

R2 gupdate1c98c8872f32cb0;Google Update Service (gupdate1c98c8872f32cb0);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 133104]
R3 CrystalSysInfo;CrystalSysInfo;d:\vlad\Tools\MediaCoder\SysInfo.sys [2007-09-25 15152]
R3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\DRIVERS\ggflt.sys [2008-12-30 10976]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-03-29 2735133]
R3 s115bus;Sony Ericsson Device 115 driver (WDM);c:\windows\system32\DRIVERS\s115bus.sys [2007-04-23 83208]
R3 s115mdfl;Sony Ericsson Device 115 USB WMC Modem Filter;c:\windows\system32\DRIVERS\s115mdfl.sys [2007-04-23 15112]
R3 s115mdm;Sony Ericsson Device 115 USB WMC Modem Driver;c:\windows\system32\DRIVERS\s115mdm.sys [2007-04-23 108680]
R3 s115mgmt;Sony Ericsson Device 115 USB WMC Device Management Drivers (WDM);c:\windows\system32\DRIVERS\s115mgmt.sys [2007-04-23 100488]
R3 s115obex;Sony Ericsson Device 115 USB WMC OBEX Interface;c:\windows\system32\DRIVERS\s115obex.sys [2007-04-23 98568]
R3 SASENUM;SASENUM;d:\vlad\Tools\Super AntiSpyware\SASENUM.SYS [2008-12-04 7408]
R3 zlportio;zlportio; [x]
S1 epfwtdir;epfwtdir;c:\windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
S1 SASDIFSV;SASDIFSV;d:\vlad\Tools\Super AntiSpyware\SASDIFSV.SYS [2009-03-30 9968]
S1 SASKUTIL;SASKUTIL;d:\vlad\Tools\Super AntiSpyware\SASKUTIL.sys [2008-12-04 55024]
S2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
S3 CTL511Plus;Video Blaster WebCam 3/WebCam Plus (WDM);c:\windows\system32\DRIVERS\webc3vid.sys [2001-11-06 166504]
S3 ipgd;ASUS NX1101 Gigabit Ethernet Adapter Driver;c:\windows\system32\DRIVERS\ipgdnd51.sys [2005-01-28 33536]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2008-09-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 09:34]

2009-05-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-28 13:08]

2009-05-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-11 20:36]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ro/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/def ... earch.html
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {AC06CEC9-3EA9-46BF-B0C2-4D79F053E077} = 82.76.253.115 82.76.253.125
FF - ProfilePath - c:\documents and settings\Vlad\Application Data\Mozilla\Firefox\Profiles\g3x1shwl.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ro/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - plugin: c:\documents and settings\Vlad\Application Data\Mozilla\Firefox\Profiles\g3x1shwl.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-03 18:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1004336348-839522115-1003\Software\SecuROM\License information*]
"datasecu"=hex:89,70,b3,98,6d,65,7c,d5,97,cf,29,d6,94,39,22,ef,44,c3,d5,f2,6a,
37,b1,24,f4,c9,24,63,a6,69,2e,65,a3,45,b8,48,12,be,5e,30,6b,05,49,54,79,89,\
"rkeysecu"=hex:c9,3f,90,72,7e,b5,ad,da,47,99,87,fd,0a,05,5c,70
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(724)
d:\vlad\Tools\Super AntiSpyware\SASWINLO.DLL

- - - - - - - > 'explorer.exe'(3332)
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-03 18:21
ComboFix-quarantined-files.txt 2009-05-03 15:21

Pre-Run: 32,388,665,344 bytes free
Post-Run: 32,384,135,168 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptOut

257 --- E O F --- 2009-04-29 20:27



The computer is running OK, in fact it was always running OK (like not losing FPS or not freezing or stuff like this). Regarding the NOD32 virus alerts, there was one when OTMoveIt3 tried to remove the infected folders. But it rebooted the computer and it seems like it deleted the folders (I also manually checked it). At this moment I don't really know if it is gone or not (because the virus activated randomly - or not really randomly... just when I launched infected .exe's I think) - only you can tell me this at the moment :).

Thanks. :)
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Katana » May 3rd, 2009, 2:27 pm

At this moment I don't really know if it is gone or not

There is no evidence of any infection now, so do the following clean up and then let me know in a couple of days if it has reappeared

Congratulations, your logs look clean :)

Let's see if I can help you keep it that way

First, let's tidy up

Uninstall Combofix
  • This will clear your System Volume Information restore points and remove all the infected files that were quarantined
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

Uninstall OTMoveIt
  • Open OTMoveIt Click Cleanup,
  • When a box pops up click YES.

You can also delete any logs we have produced, and empty your Recycle bin.


-----------------------------------------------------------------------------------------------------------------------


Remove Programs

Older versions of some programs have vulnerabilities that malware can use to infect your system.

Now click Start---Control Panel. Double click Add or Remove Programs (XP) / Programs and Features (Vista) . If any of the following programs are listed there,
click on the program to highlight it, and click on remove.
  • Java(TM) 6 Update 7
Now close the Control Panel.



-----------------------------------------------------------------------------------------------------------------------

The following is some info to help you stay safe and clean.


You may already have some of the following programs, but I include the full list for the benefit of all the other people who will be reading this thread in the future.
( Vista users must ensure that any programs are Vista compatible BEFORE installing )

Online Scanners
I would recommend a scan at one or more of the following sites at least once a month.

http://www.pandasecurity.com/activescan
http://www.kaspersky.com/kos/eng/partne ... bscan.html

!!! Make sure that all your programs are updated !!!
Secunia Software Inspector does all the work for you, .... see HERE for details

AntiSpyware
    AntiSpyware is not the same thing as Antivirus.
    Different AntiSpyware programs detect different things, so in this case it is recommended that you have more than one.
    You should only have one running all the time, the other/s should be used "on demand" on a regular basis.
    Most of the programs in this list have a free (for Home Users ) and paid versions,
    it is worth paying for one and having "realtime" protection, unless you intend to do a manual scan often.
  • Spybot - Search & Destroy <<< A must have program
    • It includes host protection and registry protection
    • A hosts file is a bit like a phone book; it points to the actual numeric address (i.e. the IP address) from the human-friendly name of a website. This feature can be used to block malicious websites
  • MalwareBytes Anti-malware <<< A New and effective program
  • a-squared Free <<< A good "realtime" or "on demand" scanner
  • superantispyware <<< A good "realtime" or "on demand" scanner

Prevention
    These programs don't detect malware, they help stop it getting on your machine in the first place.
    Each does a different job, so you can have more than one
  • Winpatrol
    • An excellent startup manager and then some !!
    • Notifies you if programs are added to startup
    • Allows delayed startup
    • A must have addition
  • SpywareBlaster 4.0
    • SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
  • SpywareGuard 2.2
    • SpywareGuard provides real-time protection against spyware.
    • Not required if you have other "realtime" antispyware or Winpatrol
  • ZonedOut
    • Formerly known as IE-SPYAD, adds a long list of sites and domains associated with known advertisers and marketers to the Restricted sites zone of Internet Explorer.
  • MVPS HOSTS
    • This little program packs a powerful punch as it blocks ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
    • For information on how to download and install, please read this tutorial by WinHelp2002.
    • Not required if you are using other host file protections

Internet Browsers
    Microsoft has worked hard to make IE7 a more secure browser; unfortunately, whilst it is still the leading browser of choice, it will always be under attack from the bad guys.
    Using a different web browser can help stop malware getting on your machine.
    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      1. From within Internet Explorer click on the Tools menu and then click on Options.
      2. Click once on the Security tab
      3. Click once on the Internet icon so it becomes highlighted.
      4. Click once on the Custom Level button.
        • Change the Download signed ActiveX controls to Prompt
        • Change the Download unsigned ActiveX controls to Disable
        • Change the Initialise and script ActiveX controls not marked as safe to Disable
        • Change the Installation of desktop items to Prompt
        • Change the Launching programs and files in an IFRAME to Prompt
        • Change the Navigate sub-frames across different domains to Prompt
        • When all these settings have been made, click on the OK button.
        • If it prompts you as to whether or not you want to save the settings, press the Yes button.
      5. Next press the Apply button and then the OK to exit the Internet Properties page.
    If you are still using IE6 then either update, or get one of the following.
    • Firefox
      • With many addons available that make customisation easy, this is a very popular choice
      • NoScript and Adblock Plus addons are essential
    • Opera
      • Another popular alternative
    • Netscape
      • Another popular alternative
      • Also has Addons available

Cleaning Temporary Internet Files and Tracking Cookies
    Temporary Internet Files are mainly the files that are downloaded when you open a web page.
    Unfortunately, if the site you visit is of a dubious nature or has been hacked, they can also be an entry point for malware.
    It is a good idea to empty the Temporary Internet Files folder on a regular basis.

    Tracking Cookies are files that websites use to monitor which sites you visit and how often.
    A lot of Antispyware scanners pick up these tracking cookies and flag them as unwanted.
    CAUTION :- If you delete all your cookies you will lose any autologin information for sites that you visit, and will need your passwords.

    Both of these can be cleaned manually, but a quicker option is to use a program.
  • ATF Cleaner
    • Free and very simple to use
  • CCleaner
    • Free and very flexible, you can choose which cookies to keep

Also PLEASE read this article: So How Did I Get Infected In The First Place

The last and most important thing I can tell you is UPDATE.
If you don't update your security programs (antivirus, antispyware, even Windows) then you are at risk.
Malware changes on a day-to-day basis. You should update every week at the very least.

If you follow this advice then (with a bit of luck) you will never have to hear from me again :D


If you could post back one more time to let me know everything is OK, then I can have this thread archived.

Happy surfing K'
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » May 4th, 2009, 9:18 am

Thanks for your help during this process. I downloaded the Spybot antispyware and I'll take a look at the Kaspersky online scanner every week (seems that Kaspersky is better than my NOD32 :s). I'll keep you up-to-date in the next 2-3 days regarding the appearance of the virus.

Thanks again and I'll follow your instructions regarding the future security (antispywares, etc. :) ). Good luck and hope that the worm won't come back :). Anyway, I'll post in here 'til this weekend and tell you whether it is back or not, so you can close the topic.

Thanks,
Nuker.
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Nuker » May 6th, 2009, 11:40 am

Ok, so here I am, more than 48 hours after the finalised disinfection of my computer and... there is no more virused folder in the shared folders!! :D So this seems to be working well, the virus being "killed". Hope so :).

Thanks again for your help Katana, and hope that I won't need it anymore (this MUST not sound like a bad thing, you understand it :) ). Also, there's a chance that I'll join the MR University in here I think, because I'm starting to like the community and the things you are doing over here. I'd like to learn to do the same and help others. I look forward to it.

Thanks and good luck !

Nuker.
Nuker
Active Member
 
Posts: 13
Joined: April 27th, 2009, 9:23 am
Location: Romania

Re: Virus Win32/AutoRun.Agent.GR

Unread postby Katana » May 6th, 2009, 5:37 pm

Nuker wrote:Thanks again for your help Katana, and hope that I won't need it anymore (this MUST not sound like a bad thing, you understand it :) ). Also, there's a chance that I'll join the MR University in here I think, because I'm starting to like the community and the things you are doing over here. I'd like to learn to do the same and help others. I look forward to it.


I don't take offence at you not wanting my help in the future ;) :lol:

As for joining us, that is excellent news. We always need more helpers on the forums.
The community is second to none, and there is a wealth of knowledge that is freely given.

:cheers:
Katana
MRU Teacher Emeritus
 
Posts: 6412
Joined: November 10th, 2006, 5:00 pm
Location: Manchester

Re: Virus Win32/AutoRun.Agent.GR

Unread postby NonSuch » May 11th, 2009, 1:38 am

As this issue appears to be resolved, this topic is now closed.

We are pleased we could help you resolve your computer's malware issues.

If you would like to make a comment or leave a compliment regarding the help you have received, please see Feedback for Our Helpers - Say "Thanks" Here.
NonSuch
Administrator
 
Posts: 27304
Joined: February 23rd, 2005, 7:08 am
Location: California