Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Board index Malware Removal ForumsInfected? Virus, malware, adware, ransomware, oh my!

Advanced Conficker Problems

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.
Topic locked

Advanced Conficker Problems

Unread postby sanzar » February 19th, 2009, 5:08 am

Over the past week, my anti-virus software and Windows Update have been failing to retrieve the latest virus definitions. In addition, a list of anti-virus and Windows websites/downloads are blocked access. I understood this may be becuase of a Conficker infection. I have downloaded and run almost a dozen Conficker remover tools, some with success reporting no conficker found, others failing to run. I also tried uninstalling/installing at least five different anti-virus and anti-malware programs - all fail updates. I've manually updated the virus definitions after downloading them on different computers, never finding any viruses. Repeated installation attempts of the Microsoft Malicious Software Removal Tool seem to fail and when I've tried to run mrt.exe as Administrator, it reports that the MMSRT "has stopped working". Log files do not catch any recent error codes. My HOSTS file had an extra line that looked suspicious ":: 1" so I replaced my HOSTS file with the one from http://www.mvps.org. I went through each of the Microsoft manual steps for removing the Conficker.b worm (http://support.microsoft.com/kb/962007) and while I found no random service name in netsvcs of my Registry, I found 2 suspicious autorun.inf files which I deleted.

After all this - attempts in both administrator mode and safe mode, across five different internet service providers, I am still unable to update my anti-virus software or access anti-virus websites. Any help will be greatly appreciated.

I closed most running programs and services before generating this HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:52:27 PM, on 2/19/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.21:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.afghanistanjustice.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\Users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe

--
End of file - 6215 bytes
Last edited by sanzar on February 25th, 2009, 2:15 am, edited 1 time in total.
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top
Advertisement
Register to Remove

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 21st, 2009, 4:16 pm

Hello, and Image to the Malware Removal forums.
My name is Michael I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happen.

Please be patient and I'd be grateful if you would note the following:
  • I will be working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • If after 5 days you have not responded to this topic, it will be closed, and you will need to start a new one.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Save the file to your desktop.

Please post this log on your next reply.

Thanks, Michael
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 21st, 2009, 6:39 pm

Here is the uninstall_list.txt from HijackThis, as requested:
------------------------
1&1 EasyLogin
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Activation Assistant for the 2007 Microsoft Office suites
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 10 Plugin
Adobe Flash Player ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8.1.3
Adobe Stock Photos 1.0
AnswerWorks 4.0 Runtime - English
AnswerWorks 5.0 English Runtime
Apple Mobile Device Support
Apple Software Update
Bonjour
EasyCleaner
eFax Messenger 4.3
ESET NOD32 Antivirus
ESU for Microsoft Vista
ExtractNow
Fax1.com
File Renamer - Basic
FileZilla Client 3.1.1.1
Google Desktop
Google Earth
Google Update Helper
Google Updater
Hewlett-Packard Active Check
Hewlett-Packard Asset Agent for Health Check
HijackThis 2.0.2
HP Active Support Library
HP Active Support Library 32 bit components
HP Customer Experience Enhancements
HP Doc Viewer
HP Easy Setup - Frontend
HP Help and Support
HP Photosmart Essential 2.0
HP Quick Launch Buttons 6.20 B1
HP QuickPlay 3.2
HP Total Care Advisor
HP Update
HP User Guides 0056
HP Wireless Assistant
HPNetworkAssistant
IIF Transaction Creator
iTunes
Java(TM) 6 Update 11
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6
Malwarebytes' Anti-Malware
Microsoft Office 2007 Primary Interop Assemblies
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Professional 2007
Microsoft Office Professional 2007
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project 2007 Service Pack 1 (SP1)
Microsoft Office Project MUI (English) 2007
Microsoft Office Project Professional 2007
Microsoft Office Project Professional 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)
Microsoft Office SharePoint Designer MUI (English) 2007
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio 2007 Service Pack 1 (SP1)
Microsoft Office Visio MUI (English) 2007
Microsoft Office Visio Professional 2007
Microsoft Office Visio Professional 2007
Microsoft Office Word MUI (English) 2007
Microsoft Silverlight
Microsoft Visual Studio 2005 Tools for Office Runtime
MobileMe Control Panel
Motorola SM56 Data Fax Modem
MSCU for Microsoft Vista
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 Parser and SDK
muvee autoProducer 6.0
My HP Games
Norton Security Scan
Norton Security Scan (Symantec Corporation)
NVIDIA Drivers
OGA Notifier 1.7.0105.35.0
Panda ActiveScan 2.0
PC Fixer
PDFCreator
Picasa 3
QuickBooks
QuickBooks Premier Edition 2009
QuickTime
Realtek High Definition Audio Driver
Rhapsody
Rhapsody Player Engine
Roxio Activation Module
Roxio Creator Audio
Roxio Creator Basic v9
Roxio Creator Copy
Roxio Creator Data
Roxio Creator EasyArchive
Roxio Creator Tools
Roxio Express Labeler 3
Roxio MyDVD Basic v9
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB958439)
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft Office Excel 2007 (KB958437)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Project 2007 (KB949046)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Visio 2007 (KB947590)
Security Update for Microsoft Office Word 2007 (KB956358)
Skype™ 3.6
SupportSoft Assisted Service
Synaptics Pointing Device Driver
TurboTax 2008
TurboTax 2008 WinPerFedFormset
TurboTax 2008 WinPerProgramHelp
TurboTax 2008 WinPerReleaseEngine
TurboTax 2008 WinPerTaxSupport
TurboTax 2008 WinPerUserEducation
TurboTax 2008 wrapper
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office 2007 Help for Common Features (KB957244)
Update for Microsoft Office Access 2007 Help (KB957241)
Update for Microsoft Office Excel 2007 Help (KB957242)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB957246)
Update for Microsoft Office PowerPoint 2007 Help (KB957247)
Update for Microsoft Office Project 2007 Help (KB957248)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office Publisher 2007 Help (KB957249)
Update for Microsoft Office SharePoint Designer 2007 Help (KB957250)
Update for Microsoft Office Visio 2007 Help (KB957251)
Update for Microsoft Office Word 2007 Help (KB957252)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Script Editor Help (KB957253)
Update for Microsoft Script Editor Help (KB957253)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb959141)
Visual Studio 2005 Tools for Office Second Edition Runtime
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
---End of file

Thank you for your time.
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 22nd, 2009, 1:50 pm

Please stop making self fixes. If you wish for me to continue to help you, you must not make any "fixes". Please also do not download any tools.

Restore Hijackthis Backups

  • Open Hijackthis
  • Click View The List of Backups
  • Place a check-mark next to every item by clicking in the box
  • Then on the Right side, click Restore
  • Close Hijackthis for now

Download and Run: RSIT

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Please post both of the RSIT logs (info.txt and log.txt)
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 23rd, 2009, 2:00 am

There are no backups in HijackThis List of Backups for me to Restore. I have not taken any action using HijackThis other than to copy the log to this forum.

Here is the log.txt you requested:

Logfile of random's system information tool 1.05 (written by random/random)
Run by SK at 2009-02-23 10:14:19
Microsoft® Windows Vista™ Business Service Pack 1
System drive C: has 31 GB (22%) free of 144 GB
Total RAM: 3069 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:14:39 AM, on 2/23/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\System32\notepad.exe
C:\Users\SK\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\SK.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.21:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.afghanistanjustice.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\Users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c98ea175fcf676) (gupdate1c98ea175fcf676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9924 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachine.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2516499264-4240842885-3651820049-1004.job
C:\Windows\tasks\Norton Security Scan for SK.job
C:\Windows\tasks\User_Feed_Synchronization-{1869ED3F-334E-48D9-8547-172DC521BF51}.job
C:\Windows\tasks\User_Feed_Synchronization-{E0763640-E72B-4C4E-9306-925D1FFD47FA}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-11-12 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-11 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-29 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-11 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-11 317128]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1045800]
"SMSERIAL"=C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-10-10 729088]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-04-24 176128]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-02-13 159744]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2008-11-18 623880]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-03-02 472776]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe []
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
"eFax 4.3"=C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe [2007-03-06 116224]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-03-13 1443072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-20 133104]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"EnableLinkedConnections"=1

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"REG_DWAORD"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.40.14.175#aicfdocs]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.0.160#aicfdocs]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL M:\regsvr.exe
shell\Open\command - M:\regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c4f4-700a-11dd-b20f-001a6bf2781d}]
shell\AutoRun\command - 32.com
shell\explore\command - 32.com
shell\open\command - 32.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c54f-700a-11dd-b20f-001a6bf2781d}]
shell\AutoRun\command - F:\cm.com
shell\explore\command - F:\cm.com
shell\open\command - F:\cm.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3eb9cbba-6b53-11dd-915c-001b24a025e7}]
shell\AutoRun\command - ukgki.cmd
shell\explore\command - ukgki.cmd
shell\open\command - ukgki.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc35d-a7cc-11dd-9972-001a6bf2781d}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe comboClt.ocx.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc360-a7cc-11dd-9972-001a6bf2781d}]
shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a001c3a-894a-11dd-aef5-001a6bf2781d}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89081-8cc2-11dd-9cdd-001a6bf2781d}]
shell\AutoRun\command - unt3obe.bat
shell\explore\command - unt3obe.bat
shell\open\command - unt3obe.bat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89084-8cc2-11dd-9cdd-001a6bf2781d}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6efb33a2-4fc9-11dd-96b8-001a6bf2781d}]
shell\AutoRun\command - 32.com
shell\explore\command - 32.com
shell\open\command - 32.com

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fac1f4d-c5a5-11dd-9f38-806e6f6e6963}]
shell\AutoRun\command - vva0hc0p.cmd
shell\explore\command - vva0hc0p.cmd
shell\open\command - vva0hc0p.cmd

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a054957f-9438-11dd-ad93-001a6bf2781d}]
shell\AutoRun\command - uisvkqr.exe
shell\explore\command - uisvkqr.exe
shell\open\command - uisvkqr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2a17841-7e62-11dd-92f1-001a6bf2781d}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL regsvr.exe
shell\Open\command - regsvr.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d920bb28-39ca-11dd-b87e-001b24a025e7}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f612f781-9b36-11dd-ac86-001a6bf2781d}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL F:\regsvr.exe
shell\Open\command - F:\regsvr.exe


======List of files/folders created in the last 1 months======

2009-02-23 10:14:19 ----D---- C:\rsit
2009-02-20 21:37:26 ----A---- C:\Windows\_MSRSTRT.EXE
2009-02-19 11:43:34 ----A---- C:\Windows\system32\MRT.exe
2009-02-17 20:01:46 ----D---- C:\Program Files\Panda Security
2009-02-16 12:32:21 ----D---- C:\Program Files\Exterminate It!
2009-02-15 20:01:25 ----D---- C:\Users\SK\AppData\Roaming\Digital Support
2009-02-15 19:51:35 ----D---- C:\Program Files\Digital Support
2009-02-15 17:37:35 ----D---- C:\nod_upd
2009-02-15 11:50:20 ----SHD---- C:\Config.Msi
2009-02-15 10:05:03 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-02-15 10:04:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-02-14 17:02:05 ----D---- C:\Program Files\Trend Micro
2009-02-14 16:58:54 ----D---- C:\Program Files\Norton Security Scan
2009-02-14 14:36:22 ----D---- C:\ProgramData\ESET
2009-02-14 14:36:22 ----D---- C:\Program Files\ESET
2009-02-12 20:09:06 ----D---- C:\ProgramData\AntiVir PersonalEdition Classic
2009-02-12 19:36:49 ----D---- C:\Program Files\ToniArts
2009-02-12 19:36:38 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-11 13:38:45 ----D---- C:\Program Files\Windows Live Safety Center
2009-02-11 13:37:55 ----D---- C:\Users\SK\AppData\Roaming\Malwarebytes
2009-02-11 13:37:43 ----D---- C:\ProgramData\Malwarebytes
2009-02-11 13:37:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-07 17:34:05 ----A---- C:\Windows\system32\pdfcmnnt.dll
2009-02-07 16:54:23 ----A---- C:\Windows\system32\MSMPIDE.DLL
2009-01-30 14:16:12 ----D---- C:\ProgramData\McAfee
2009-01-29 23:52:13 ----A---- C:\Windows\system32\avgrep.txt
2009-01-29 23:47:43 ----D---- C:\Windows\pss
2009-01-29 22:50:17 ----D---- C:\RECYCLER
2009-01-26 09:17:50 ----D---- C:\ProgramData\NVIDIA
2009-01-24 21:51:54 ----A---- C:\Windows\IIF Transaction Creator Uninstaller.exe

======List of files/folders modified in the last 1 months======

2009-02-23 10:14:38 ----D---- C:\Windows\Temp
2009-02-22 18:24:00 ----D---- C:\Windows\Tasks
2009-02-22 18:23:52 ----D---- C:\ProgramData\Google Updater
2009-02-21 22:17:07 ----D---- C:\Windows\System32
2009-02-21 22:17:07 ----D---- C:\Windows\inf
2009-02-21 22:17:07 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-02-21 22:11:41 ----D---- C:\Windows\system32\catroot2
2009-02-21 09:11:29 ----RD---- C:\Program Files
2009-02-20 21:37:26 ----D---- C:\Windows
2009-02-20 21:35:32 ----AD---- C:\ProgramData\TEMP
2009-02-19 11:39:40 ----D---- C:\Windows\Prefetch
2009-02-19 10:12:49 ----D---- C:\Windows\system32\Tasks
2009-02-17 20:39:01 ----D---- C:\Windows\system32\drivers
2009-02-17 19:45:17 ----SD---- C:\Windows\Downloaded Program Files
2009-02-17 07:16:23 ----SHD---- C:\System Volume Information
2009-02-15 20:37:24 ----D---- C:\Windows\system32\LogFiles
2009-02-15 17:59:43 ----A---- C:\Windows\ntbtlog.txt
2009-02-15 15:13:18 ----D---- C:\Windows\system32\wbem
2009-02-15 15:10:42 ----D---- C:\Windows\system32\CodeIntegrity
2009-02-15 15:10:32 ----SHD---- C:\Windows\Installer
2009-02-15 15:10:30 ----RSD---- C:\Windows\Fonts
2009-02-15 15:10:29 ----RSD---- C:\Windows\assembly
2009-02-15 15:10:28 ----D---- C:\Program Files\PDFCreator
2009-02-15 15:10:28 ----D---- C:\Program Files\Microsoft Works
2009-02-15 15:10:28 ----D---- C:\Program Files\Google
2009-02-15 15:10:28 ----D---- C:\Program Files\eFax Messenger 4.3
2009-02-15 15:10:28 ----D---- C:\Program Files\Common Files\SureThing Shared
2009-02-15 15:10:27 ----D---- C:\Windows\registration
2009-02-15 11:45:40 ----D---- C:\Windows\SoftwareDistribution
2009-02-15 10:05:03 ----HD---- C:\ProgramData
2009-02-14 16:59:06 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-02-12 19:36:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-12 19:36:38 ----D---- C:\Program Files\Common Files
2009-02-12 15:47:04 ----D---- C:\Program Files\McAfee
2009-02-07 16:24:10 ----D---- C:\PerfLogs
2009-02-06 21:34:38 ----D---- C:\Windows\Minidump
2009-01-30 20:37:21 ----D---- C:\Windows\SMINST
2009-01-30 12:58:27 ----D---- C:\ProgramData\avg8
2009-01-30 12:51:27 ----D---- C:\Program Files\YouTube Downloader
2009-01-29 23:21:15 ----D---- C:\Windows\winsxs
2009-01-29 23:20:51 ----D---- C:\Program Files\Common Files\microsoft shared
2009-01-29 23:18:10 ----D---- C:\Program Files\Microsoft SQL Server
2009-01-29 23:13:14 ----D---- C:\Program Files\Microsoft Office
2009-01-29 23:09:06 ----D---- C:\Users\SK\AppData\Roaming\Orbit
2009-01-29 23:07:14 ----D---- C:\Program Files\Real
2009-01-29 23:07:14 ----D---- C:\Program Files\Common Files\Real
2009-01-25 11:25:01 ----D---- C:\Windows\system32\catroot

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
R1 eabfiltr;eabfiltr; C:\Windows\system32\DRIVERS\eabfiltr.sys [2006-11-30 8192]
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2008-03-13 29704]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2008-03-13 40456]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-01-23 37376]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HBtnKey;HBtnKey; C:\Windows\system32\DRIVERS\cpqbttn.sys [2006-06-28 9472]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-12 1747936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-04 7606688]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-12-23 138240]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-10-10 981504]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-03-28 199472]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-19 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
S3 dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 E100B;Intel(R) PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 fsbl;F-Secure BlackLight Engine Driver; \??\C:\Users\SK\Downloads\fsmrt\fsbldrv.sys []
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; \??\C:\Users\SK\AppData\Local\Temp\{E4A61882-FB77-4F02-A0FC-7737A3C74AC0}\fsgk.sys [2009-02-19 55808]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R3 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [2007-04-24 262243]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 gupdate1c98ea175fcf676;Google Update Service (gupdate1c98ea175fcf676); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 182768]
S2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-04-29 72704]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S3 BthServ;Bluetooth Support Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [2007-04-24 106593]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-01-10 110592]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-03-13 19200]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor; C:\Users\SK\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe [2009-02-19 147456]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
S3 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-09-19 65536]
S3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-03 135168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-15 61440]
S3 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-04 203296]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-12-09 24576]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2008-11-18 61440]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-02-12 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-02-17 74656]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S4 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]

-----------------EOF-----------------

Here is the info.txt file:

info.txt logfile of random's system information tool 1.05 2009-02-23 10:14:43

======Uninstall list======

-->"C:\Program Files\HP Games\Bejeweled 2 Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Blackhawk Striker 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Blasterball 3\Uninstall.exe"
-->"C:\Program Files\HP Games\Bookworm Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Bounce Symphony\Uninstall.exe"
-->"C:\Program Files\HP Games\Cake Mania\Uninstall.exe"
-->"C:\Program Files\HP Games\Chuzzle Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Crystal Maze\Uninstall.exe"
-->"C:\Program Files\HP Games\Diner Dash\Uninstall.exe"
-->"C:\Program Files\HP Games\Family Feud\Uninstall.exe"
-->"C:\Program Files\HP Games\FATE\Uninstall.exe"
-->"C:\Program Files\HP Games\Final Drive Fury\Uninstall.exe"
-->"C:\Program Files\HP Games\Flip Words\Uninstall.exe"
-->"C:\Program Files\HP Games\Insaniquarium Deluxe\Uninstall.exe"
-->"C:\Program Files\HP Games\Jewel Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Lemonade Tycoon 2\Uninstall.exe"
-->"C:\Program Files\HP Games\Mah Jong Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\My HP Game Console\Uninstall.exe"
-->"C:\Program Files\HP Games\Otto\Uninstall.exe"
-->"C:\Program Files\HP Games\Penguins!\Uninstall.exe"
-->"C:\Program Files\HP Games\Phoenix Assault\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Bowler\Uninstall.exe"
-->"C:\Program Files\HP Games\Polar Golfer\Uninstall.exe"
-->"C:\Program Files\HP Games\Puzzle Express\Uninstall.exe"
-->"C:\Program Files\HP Games\SCRABBLE\Uninstall.exe"
-->"C:\Program Files\HP Games\Snowboard SuperJam\Uninstall.exe"
-->"C:\Program Files\HP Games\SpongeBob SquarePants Krabby Quest\Uninstall.exe"
-->"C:\Program Files\HP Games\Super Granny\Uninstall.exe"
-->"C:\Program Files\HP Games\Tradewinds\Uninstall.exe"
-->"C:\Program Files\HP Games\Wheel of Fortune\Uninstall.exe"
-->"C:\Program Files\HP Games\Zuma Deluxe\Uninstall.exe"
1&1 EasyLogin-->C:\Program Files\1&1\1&1 EasyLogin\Uninstall.exe
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
Activation Assistant for the 2007 Microsoft Office suites-->"C:\ProgramData\{623D32E9-0C62-4453-AD44-98B31F52A5E1}\Microsoft Office Activation Assistant.exe" REMOVE=TRUE MODIFY=FALSE
Adobe Bridge 1.0-->MsiExec.exe /I{B74D4E10-6884-0000-0000-000000000103}
Adobe Common File Installer-->MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Flash Player 10 Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Flash Player ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0-->MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2-->msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.3-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe Stock Photos 1.0-->MsiExec.exe /I{786C5747-1033-0000-B58E-000000000001}
AnswerWorks 4.0 Runtime - English-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}\setup.exe" -l0x9 -removeonly
AnswerWorks 5.0 English Runtime-->MsiExec.exe /I{9E5A03E3-6246-4920-9630-0527D5DA9B07}
Apple Mobile Device Support-->MsiExec.exe /I{EC4455AB-F155-4CC1-A4C5-88F3777F9886}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Bonjour-->MsiExec.exe /I{07287123-B8AC-41CE-8346-3D777245C35B}
EasyCleaner-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F5346614-B7C4-4E94-826A-E2363155233D}\setup.exe" -l0x9 -removeonly
eFax Messenger 4.3-->C:\Program Files\eFax Messenger 4.3\Uninstall.exe
ESET NOD32 Antivirus-->MsiExec.exe /I{86A6E235-C08F-4A14-B14C-793C7D8844A0}
ESU for Microsoft Vista-->MsiExec.exe /X{1517A7CB-5F00-4A88-8F06-E89B6DB63784}
ExtractNow-->"C:\Program Files\ExtractNow\unins000.exe"
Fax1.com-->"C:\Program Files\Fax1.com V7\unins000.exe"
File Renamer - Basic-->C:\Windows\File Renamer - Basic Uninstaller.exe
FileZilla Client 3.1.1.1-->C:\Program Files\FileZilla FTP Client\uninstall.exe
Google Desktop-->C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Earth-->MsiExec.exe /X{548EAC70-EE00-11DD-908C-005056806466}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Google Updater-->"C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
Hewlett-Packard Active Check-->MsiExec.exe /X{254C37AA-6B72-4300-84F6-98A82419187E}
Hewlett-Packard Asset Agent for Health Check-->MsiExec.exe /X{669D4A35-146B-4314-89F1-1AC3D7B88367}
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HP Active Support Library 32 bit components-->MsiExec.exe /I{FAB0C302-CB18-4A7A-BA03-C3DC23101A68}
HP Active Support Library-->C:\Program Files\InstallShield Installation Information\{11BB336F-0E58-4977-B866-F24FA334616B}\setup.exe -runfromtemp -l0x0409
HP Customer Experience Enhancements-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AB5E289E-76BF-4251-9F3F-9B763F681AE0}\setup.exe" -l0x9 -removeonly
HP Doc Viewer-->MsiExec.exe /I{082702D5-5DD8-4600-BCE5-48B15174687F}
HP Easy Setup - Frontend-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40F7AED3-0C7D-4582-99F6-484A515C73F2}\setup.exe" -l0x9 -removeonly
HP Help and Support-->MsiExec.exe /I{9061CEF2-51F5-42C9-8A70-9ED351C6597A}
HP Photosmart Essential 2.0-->C:\Program Files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe -datfile hpqbud13.dat
HP Quick Launch Buttons 6.20 B1-->C:\Program Files\InstallShield Installation Information\{34D2AB40-150D-475D-AE32-BD23FB5EE355}\setup.exe -runfromtemp -l0x0009 uninst
HP QuickPlay 3.2-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45D707E9-F3C4-11D9-A373-0050BAE317E1}\setup.exe" -uninstall
HP Total Care Advisor-->MsiExec.exe /X{F6B29003-A078-4491-AFBE-62EFB6CFFE19}
HP Update-->MsiExec.exe /X{8C6027FD-53DC-446D-BB75-CACD7028A134}
HP User Guides 0056-->MsiExec.exe /I{5AB56552-6938-4686-9F87-DB0ED8D1E06B}
HP Wireless Assistant-->MsiExec.exe /I{D32067CD-7409-4792-BFA0-1469BCD8F0C8}
HPNetworkAssistant-->MsiExec.exe /I{228C6B46-64E2-404E-898A-EF0830603EF4}
IIF Transaction Creator-->"C:\Windows\IIF Transaction Creator Uninstaller.exe"
iTunes-->MsiExec.exe /I{318AB667-3230-41B5-A617-CB3BF748D371}
Java(TM) 6 Update 11-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216011FF}
Java(TM) 6 Update 7-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160070}
Java(TM) SE Runtime Environment 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160000}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office 2007 Primary Interop Assemblies-->MsiExec.exe /X{50120000-1105-0000-0000-0000000FF1CE}
Microsoft Office Access MUI (English) 2007-->MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office FrontPage 2003-->MsiExec.exe /I{90170409-6000-11D3-8CFE-0150048383C9}
Microsoft Office Outlook MUI (English) 2007-->MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PROR /dll OSETUP.DLL
Microsoft Office Professional 2007-->MsiExec.exe /X{91120000-0014-0000-0000-0000000FF1CE}
Microsoft Office Project 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {C1877F6E-C1C8-486D-A697-86431029690C}
Microsoft Office Project 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-00B4-0409-0000-0000000FF1CE} /uninstall {75EC8FFC-B913-4991-B3A1-22576D2FC45D}
Microsoft Office Project MUI (English) 2007-->MsiExec.exe /X{90120000-00B4-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRJPRO /dll OSETUP.DLL
Microsoft Office Project Professional 2007-->MsiExec.exe /X{90120000-003B-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PUBLISHER /dll OSETUP.DLL
Microsoft Office Publisher 2007-->MsiExec.exe /X{90120000-0019-0000-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007-->MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {37180755-CA2B-40AD-9637-89FB0CE7CB36}
Microsoft Office SharePoint Designer 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-0017-0409-0000-0000000FF1CE} /uninstall {E3FED5B9-29D7-42E7-B10D-88AFEAF470F0}
Microsoft Office SharePoint Designer 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall SHAREPOINTDESIGNER /dll OSETUP.DLL
Microsoft Office SharePoint Designer 2007-->MsiExec.exe /X{90120000-0017-0000-0000-0000000FF1CE}
Microsoft Office SharePoint Designer MUI (English) 2007-->MsiExec.exe /X{90120000-0017-0409-0000-0000000FF1CE}
Microsoft Office Visio 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {AA4F2610-5FF1-4DCD-A6FB-BCA2D09A6443}
Microsoft Office Visio 2007 Service Pack 1 (SP1)-->msiexec /package {90120000-0054-0409-0000-0000000FF1CE} /uninstall {EA35370F-586C-45E1-AC6C-A4E275C6B762}
Microsoft Office Visio MUI (English) 2007-->MsiExec.exe /X{90120000-0054-0409-0000-0000000FF1CE}
Microsoft Office Visio Professional 2007-->"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall VISPRO /dll OSETUP.DLL
Microsoft Office Visio Professional 2007-->MsiExec.exe /X{90120000-0051-0000-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual Studio 2005 Tools for Office Runtime-->MsiExec.exe /X{388E4B09-3E71-4649-8921-F44A3A2954A7}
MobileMe Control Panel-->MsiExec.exe /I{A14C24F6-615B-415E-84B0-610FDAD19B68}
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co6a.dll,SM56UnInstaller
MSCU for Microsoft Vista-->MsiExec.exe /X{3FFB3B34-D639-4384-9AE9-DDE58430D86F}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 Parser and SDK-->MsiExec.exe /I{716E0306-8318-4364-8B8F-0CC4E9376BAC}
muvee autoProducer 6.0-->C:\Program Files\InstallShield Installation Information\{0BFC200F-C45D-4271-AF34-4CA969225DEB}\setup.exe -runfromtemp -l0x0009 -removeonly
My HP Games-->"C:\Program Files\HP Games\Uninstall.exe"
Norton Security Scan (Symantec Corporation)-->"C:\Program Files\Common Files\Symantec Shared\NSSSetup\{795AF20A-51C5-4BAF-9EF5-AA38105C6141}_2_0_0\NSSSetup.exe" /X
Norton Security Scan-->MsiExec.exe /X{795AF20A-51C5-4BAF-9EF5-AA38105C6141}
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OGA Notifier 1.7.0105.35.0-->MsiExec.exe /I{B148AB4B-C8FA-474B-B981-F2943C5B5BCD}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Fixer-->"C:\Program Files\Digital Support\hta\dselevate.exe" "\"C:\Program Files\Digital Support\hta\dsweb.exe\" \"C:\Program Files\Digital Support\hta\uninst.htm\" wxh=5.3x3.8 noWait
PDFCreator-->"C:\Program Files\PDFCreator\unins000.exe"
Picasa 3-->"C:\Program Files\Google\Picasa3\Uninstall.exe"
QuickBooks Premier Edition 2009-->msiexec.exe /I {9A2F0810-369F-4E86-9072-973FBE1679C5} UNIQUE_NAME="superpro" QBFULLNAME="QuickBooks Premier Edition 2009" ADDREMOVE=1
QuickBooks-->MsiExec.exe /I{9A2F0810-369F-4E86-9072-973FBE1679C5}
QuickTime-->MsiExec.exe /I{F958CA02-BB40-4007-894B-258729456EE4}
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Rhapsody Player Engine-->MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Rhapsody-->C:\PROGRA~1\Rhapsody\Unwise32.exe /A C:\PROGRA~1\Rhapsody\install.log
Roxio Activation Module-->MsiExec.exe /I{35E1EC43-D4FC-4E4A-AAB3-20DDA27E8BB0}
Roxio Creator Audio-->MsiExec.exe /I{83FFCFC7-88C6-41c6-8752-958A45325C82}
Roxio Creator Basic v9-->MsiExec.exe /I{C8B0680B-CDAE-4809-9F91-387B6DE00F7C}
Roxio Creator Copy-->MsiExec.exe /I{619CDD8A-14B6-43a1-AB6C-0F4EE48CE048}
Roxio Creator Data-->MsiExec.exe /I{0D397393-9B50-4c52-84D5-77E344289F87}
Roxio Creator EasyArchive-->MsiExec.exe /I{11F93B4B-48F0-4A4E-AE77-DFA96A99664B}
Roxio Creator Tools-->MsiExec.exe /I{0394CDC8-FABD-4ed8-B104-03393876DFDF}
Roxio Express Labeler 3-->MsiExec.exe /I{6675CA7F-E51B-4F6A-99D4-F8F0124C6EAA}
Roxio MyDVD Basic v9-->MsiExec.exe /I{33C65B6A-5D73-4E3E-A1F9-127C27BD3F72}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951550)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {B243E9A5-ED77-4F1B-B338-2486FD82DC85}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB951944)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {797AE457-BA17-4BBC-B501-25FB3A0103C7}
Security Update for 2007 Microsoft Office System (KB958439)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {6491B8AA-D11C-4648-A461-6234B31EB7E2}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft Office Excel 2007 (KB958437)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {648FC016-2D6B-4A16-8D87-404533642F4B}
Security Update for Microsoft Office PowerPoint 2007 (KB951338)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {558B709B-821B-4FC5-90FC-9A8890641E77}
Security Update for Microsoft Office Project 2007 (KB949046)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {B14B8A2C-6EB4-4FB6-B589-F6A5ABEC5B00}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office Publisher 2007 (KB950114)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB954326)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {5F7F6FFF-395D-480E-8450-64F385D82C5F}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office system 2007 (KB956828)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {885E081B-72BD-4E76-8E98-30B4BE468FAC}
Security Update for Microsoft Office Visio 2007 (KB947590)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {199018BD-578E-44BD-A28F-7F944931CABD}
Security Update for Microsoft Office Word 2007 (KB956358)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {4551666D-0FD6-4C69-8A81-1C6F2E64517C}
Skype™ 3.6-->MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SupportSoft Assisted Service-->MsiExec.exe /I{5A3F6A80-7913-475E-8B96-477A952CFA43}
Synaptics Pointing Device Driver-->rundll32.exe "C:\Program Files\Synaptics\SynTP\SynISDLL.dll",standAloneUninstall
TurboTax 2008 WinPerFedFormset-->MsiExec.exe /I{7570F1CA-016D-46AC-B586-CD74645EFB52}
TurboTax 2008 WinPerProgramHelp-->MsiExec.exe /I{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}
TurboTax 2008 WinPerReleaseEngine-->MsiExec.exe /I{88214092-836F-4E22-A5AC-569AC9EE6A0F}
TurboTax 2008 WinPerTaxSupport-->MsiExec.exe /I{B23726CF-68BF-41A6-A4EB-72F12F87FE05}
TurboTax 2008 WinPerUserEducation-->MsiExec.exe /I{29521505-F489-4822-ADFA-32C6DEE4F114}
TurboTax 2008 wrapper-->MsiExec.exe /I{B1DB1AD8-C07E-4052-81A1-D2930232BA70}
TurboTax 2008-->C:\Program Files\TurboTax\Home & Business 2008\Installer\TurboTax 2008 Installer.exe /u /t /a
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office 2007 Help for Common Features (KB957244)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {C8C72583-C907-4D20-8973-C3858D96BD9E}
Update for Microsoft Office Access 2007 Help (KB957241)-->msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {D670F9B9-3E84-47B5-8A4A-618B65DB1593}
Update for Microsoft Office Excel 2007 Help (KB957242)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {51864046-74C8-487B-97CD-6167A4B1DB56}
Update for Microsoft Office Outlook 2007 (KB952142)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {4AD3A076-427C-491F-A5B7-7D1DE788A756}
Update for Microsoft Office Outlook 2007 Help (KB957246)-->msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {6F0E4983-E419-4591-B7DD-EFB0073D3E47}
Update for Microsoft Office PowerPoint 2007 Help (KB957247)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {B20E2C59-EEC5-4102-9E50-5DBB2093C37D}
Update for Microsoft Office Project 2007 Help (KB957248)-->msiexec /package {90120000-00B4-0409-0000-0000000FF1CE} /uninstall {E268D20D-C74A-49C7-A800-050D8E3CEE2B}
Update for Microsoft Office Publisher 2007 Help (KB957249)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4E140A5A-4A90-404A-B955-10C2D98CD3EE}
Update for Microsoft Office Publisher 2007 Help (KB957249)-->msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4E140A5A-4A90-404A-B955-10C2D98CD3EE}
Update for Microsoft Office SharePoint Designer 2007 Help (KB957250)-->msiexec /package {90120000-0017-0409-0000-0000000FF1CE} /uninstall {B34252EB-314B-4E35-837A-DBAE952A1959}
Update for Microsoft Office Visio 2007 Help (KB957251)-->msiexec /package {90120000-0054-0409-0000-0000000FF1CE} /uninstall {24F43C74-6200-432B-98C7-85AC1CF1A7AF}
Update for Microsoft Office Word 2007 Help (KB957252)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {54DF3345-0720-4224-9740-C7E00303F565}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Microsoft Script Editor Help (KB957253)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {F21BF703-548C-47B2-B92A-6876E9566C42}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0017-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0019-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-003B-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691)-->msiexec /package {90120000-0051-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb959141)-->msiexec /package {91120000-0014-0000-0000-0000000FF1CE} /uninstall {CC6191C2-B0CE-473C-AD77-61EA3497D796}
Visual Studio 2005 Tools for Office Second Edition Runtime-->c:\Program Files\Common Files\Microsoft Shared\VSTO\8.0\Microsoft Visual Studio 2005 Tools for Office Runtime\install.exe
Windows Live OneCare safety scanner-->"C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}

======Hosts File======

127.0.0.1 localhost
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 a9rhiwa.cn #[Google.Warning]
127.0.0.1 http://www.a9rhiwa.cn
127.0.0.1 acezip.net #[SiteAdvisor.acezip.net]
127.0.0.1 http://www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com
127.0.0.1 a.abnad.net
127.0.0.1 b.abnad.net

======Security center information======

AV: McAfee VirusScan Enterprise
AV: ESET NOD32 Antivirus 3.0
AS: ESET NOD32 Antivirus 3.0
AS: Windows Defender (disabled)

System event log

Computer Name: SK
Event Code: 4201
Message: The system detected that network adapter Local Area Connection was connected to the network, and has initiated normal operation.
Record Number: 226419
Source Name: Tcpip
Time Written: 20090223054049.557600-000
Event Type: Information
User:

Computer Name: SK
Event Code: 7036
Message: The Windows Image Acquisition (WIA) service entered the running state.
Record Number: 226420
Source Name: Service Control Manager
Time Written: 20090223054054.000000-000
Event Type: Information
User:

Computer Name: SK
Event Code: 1
Message: The system has resumed from sleep.

Sleep Time: 2009-02-23T05:31:10.081Z
Wake Time: 2009-02-23T05:40:52.662Z

Wake Source: Power Button
Record Number: 226421
Source Name: Microsoft-Windows-Power-Troubleshooter
Time Written: 20090223054055.329600-000
Event Type: Information
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: SK
Event Code: 1003
Message: Your computer was not able to renew its address from the network (from the DHCP Server) for the Network Card with network address 001B24A025E7. The following error occurred:
The semaphore timeout period has expired.. Your computer will continue to try and obtain an address on its own from the network address (DHCP) server.
Record Number: 226422
Source Name: Microsoft-Windows-Dhcp-Client
Time Written: 20090223054116.000000-000
Event Type: Warning
User:

Computer Name: SK
Event Code: 7036
Message: The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.
Record Number: 226423
Source Name: Service Control Manager
Time Written: 20090223054133.000000-000
Event Type: Information
User:

Application event log

Computer Name: SK
Event Code: 4
Message: An unexpected error has occured in "QuickBooks Premier Edition 2009":
StateMachineWorker Execution failure :Exeption: Could not find transition for request id=1
Record Number: 28801
Source Name: QuickBooks
Time Written: 20090222155300.000000-000
Event Type: Error
User:

Computer Name: SK
Event Code: 4
Message: An unexpected error has occured in "QuickBooks Premier Edition 2009":
StateMachineWorker Execution failure :Exeption: Could not find transition for request id=1
Record Number: 28802
Source Name: QuickBooks
Time Written: 20090222155300.000000-000
Event Type: Error
User:

Computer Name: SK
Event Code: 4
Message: An unexpected error has occured in "QuickBooks Premier Edition 2009":
StateMachineWorker Execution failure :Exeption: Could not find transition for request id=1
Record Number: 28803
Source Name: QuickBooks
Time Written: 20090222155300.000000-000
Event Type: Error
User:

Computer Name: SK
Event Code: 4
Message: An unexpected error has occured in "QuickBooks Premier Edition 2009":
StateMachineWorker Execution failure :Exeption: Could not find transition for request id=1
Record Number: 28804
Source Name: QuickBooks
Time Written: 20090222155300.000000-000
Event Type: Error
User:

Computer Name: SK
Event Code: 4
Message: An unexpected error has occured in "QuickBooks Premier Edition 2009":
StateMachineWorker Execution failure :Exeption: Could not find transition for request id=1
Record Number: 28805
Source Name: QuickBooks
Time Written: 20090222155300.000000-000
Event Type: Error
User:

Security event log

Computer Name: SK
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-2516499264-4240842885-3651820049-1004
Account Name: SK
Account Domain: SK
Logon ID: 0x5067f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SK
Account Domain: corp
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: email.corp.paegsi.com
Additional Information: email.corp.paegsi.com

Process Information:
Process ID: 0x1764
Process Name: C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258489
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095608.230800-000
Event Type: Audit Success
User:

Computer Name: SK
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-2516499264-4240842885-3651820049-1004
Account Name: SK
Account Domain: SK
Logon ID: 0x5067f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SK
Account Domain: corp
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: email.corp.paegsi.com
Additional Information: email.corp.paegsi.com

Process Information:
Process ID: 0x1764
Process Name: C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258490
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095608.262000-000
Event Type: Audit Success
User:

Computer Name: SK
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-2516499264-4240842885-3651820049-1004
Account Name: SK
Account Domain: SK
Logon ID: 0x5067f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SK
Account Domain: corp
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: vWEB02.corp.paegsi.com
Additional Information: vWEB02.corp.paegsi.com

Process Information:
Process ID: 0x16c8
Process Name: C:\Windows\System32\SearchProtocolHost.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258491
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095620.164800-000
Event Type: Audit Success
User:

Computer Name: SK
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-2516499264-4240842885-3651820049-1004
Account Name: SK
Account Domain: SK
Logon ID: 0x5067f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SK
Account Domain: corp
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: vWEB02.corp.paegsi.com
Additional Information: vWEB02.corp.paegsi.com

Process Information:
Process ID: 0x16c8
Process Name: C:\Windows\System32\SearchProtocolHost.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258492
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095621.132000-000
Event Type: Audit Success
User:

Computer Name: SK
Event Code: 4648
Message: A logon was attempted using explicit credentials.

Subject:
Security ID: S-1-5-21-2516499264-4240842885-3651820049-1004
Account Name: SK
Account Domain: SK
Logon ID: 0x5067f
Logon GUID: {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
Account Name: SK
Account Domain: corp
Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:
Target Server Name: email.corp.paegsi.com
Additional Information: email.corp.paegsi.com

Process Information:
Process ID: 0x16c8
Process Name: C:\Windows\System32\SearchProtocolHost.exe

Network Information:
Network Address: -
Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Record Number: 258493
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090218095624.064800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\DLLShared\;C:\Program Files\Common Files\Roxio Shared\9.0\DLLShared\;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Common Files\Intuit\QBPOSSDKRuntime
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 15 Stepping 11, GenuineIntel
"PROCESSOR_REVISION"=0f0b
"NUMBER_OF_PROCESSORS"=2
"PLATFORM"=MCD
"PCBRAND"=Pavilion
"OnlineServices"=Online Services
"RoxioCentral"=C:\Program Files\Common Files\Roxio Shared\9.0\Roxio Central33\
"USERPART"=E:
"CLASSPATH"=.;C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre1.6.0_07\lib\ext\QTJava.zip

-----------------EOF-----------------
Last edited by sanzar on February 25th, 2009, 2:20 am, edited 1 time in total.
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 23rd, 2009, 6:53 pm

Backup the Registry

  • Download ERUNT
  • Save it to your desktop. Right click on the downloaded file(erunt.zip) and click Extract.Follow the prompts to extract the file.
  • Now click on the folder "erunt" and find and double click on the file called Erunt.exe
  • Click OK. Then Click OK again.
  • Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.

Download and Run OTMoveIt3
Download OTMoveIt3 by OldTimer and save it to your desktop.
  • Double-click on OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below.
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code: Select all
    :files
C:\Program Files\AVG
M:\regsvr.exe
F:\cm.com
F:\regsvr.exe
C:\ProgramData\avg8
:reg
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.40.14.175#aicfdocs]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.0.160#aicfdocs]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c4f4-700a-11dd-b20f-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c54f-700a-11dd-b20f-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3eb9cbba-6b53-11dd-915c-001b24a025e7}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a001c3a-894a-11dd-aef5-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89081-8cc2-11dd-9cdd-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6efb33a2-4fc9-11dd-96b8-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fac1f4d-c5a5-11dd-9f38-806e6f6e6963}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a054957f-9438-11dd-ad93-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2a17841-7e62-11dd-92f1-001a6bf2781d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f612f781-9b36-11dd-ac86-001a6bf2781d}]
  • Return to OTMoveIt3, right click in the Paste Instructions for Items to be Moved window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • If you are not asked to reboot close OTMoveIt3.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).

Flash Disinfector

  • Please download Flash_Disinfector and save it to your desktop.
  • Double click to run it.
  • You will be prompted to plug in your flash drive. Plug it in.
  • Flash_Disinfector will start disinfecting your flash and hard drives. This takes a few seconds. Your desktop will disappear in the meantime.
  • When done, a message box will appear. Click OK. Your desktop should now appear. If it doesn't, press Ctrl + Shift + Esc to open Task Manager.
  • Click on File > New Task (Run...). Type in explorer.exe and press Enter. Your desktop should now appear.

Please now re-run RSIT by double clicking RSIT.exe. Only log.txt will be produced.

Please post the OTMoveIt3 log and the log.txt
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 24th, 2009, 3:27 am

Thank you for your help. This morning, before reading your post, my ESET NOD32 automatically updated for the first time to the 20090224 virus definitions. I still cannot access anti-virus websites like Eset.com, WindowsUpdate.com, WindowsDefender updates, etc.

Here is the OTMoveIt3 log:

========== FILES ==========
C:\Program Files\AVG\AVG8 moved successfully.
C:\Program Files\AVG moved successfully.
File/Folder M:\regsvr.exe not found.
File/Folder F:\cm.com not found.
File/Folder F:\regsvr.exe not found.
C:\ProgramData\avg8\dumps moved successfully.
C:\ProgramData\avg8 moved successfully.
========== REGISTRY ==========
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##172.40.14.175#aicfdocs\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##192.168.0.160#aicfdocs\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c4f4-700a-11dd-b20f-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{39a0c54f-700a-11dd-b20f-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3eb9cbba-6b53-11dd-915c-001b24a025e7}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a001c3a-894a-11dd-aef5-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89081-8cc2-11dd-9cdd-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6efb33a2-4fc9-11dd-96b8-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9fac1f4d-c5a5-11dd-9f38-806e6f6e6963}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a054957f-9438-11dd-ad93-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b2a17841-7e62-11dd-92f1-001a6bf2781d}\\ deleted successfully.
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f612f781-9b36-11dd-ac86-001a6bf2781d}\\ deleted successfully.

OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 02242009_112422


--------------------------------------------
And here is the log.txt from RSIT.exe:


Logfile of random's system information tool 1.05 (written by random/random)
Run by SK at 2009-02-24 11:28:55
Microsoft® Windows Vista™ Business Service Pack 1
System drive C: has 31 GB (22%) free of 144 GB
Total RAM: 3069 MB (52% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:09 AM, on 2/24/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\SK\Downloads\OTMoveIt3.exe
C:\Windows\Explorer.exe
C:\Users\SK\Downloads\RSIT.exe
C:\Program Files\Trend Micro\HijackThis\SK.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.21:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.afghanistanjustice.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resour ... cctrl2.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\Users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c98ea175fcf676) (gupdate1c98ea175fcf676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 9752 bytes

======Scheduled tasks folder======

C:\Windows\tasks\Google Software Updater.job
C:\Windows\tasks\GoogleUpdateTaskMachine.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-2516499264-4240842885-3651820049-1004.job
C:\Windows\tasks\Norton Security Scan for SK.job
C:\Windows\tasks\User_Feed_Synchronization-{1869ED3F-334E-48D9-8547-172DC521BF51}.job
C:\Windows\tasks\User_Feed_Synchronization-{E0763640-E72B-4C4E-9306-925D1FFD47FA}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-23 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22BF413B-C6D2-4d91-82A9-A0F997BA588C}]
Skype add-on (mastermind) - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll [2007-11-12 1377576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG8\avgssie.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
Java(tm) Plug-In SSV Helper - C:\Program Files\Java\jre6\bin\ssv.dll [2009-01-11 320920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll [2009-01-29 657904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-01-11 34816]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1008184]
"WAWifiMessage"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe [2007-01-11 317128]
"SynTPStart"=C:\Program Files\Synaptics\SynTP\SynTPStart.exe [2007-09-15 102400]
"SynTPEnh"=C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-03-28 1045800]
"SMSERIAL"=C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe [2006-10-10 729088]
"QPService"=C:\Program Files\HP\QuickPlay\QPService.exe [2007-04-24 176128]
"QlbCtrl"=C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [2007-02-13 159744]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-11-20 290088]
"Intuit SyncManager"=C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe [2008-11-18 623880]
"hpWirelessAssistant"=C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [2007-03-02 472776]
"HP Software Update"=C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe [2005-02-17 49152]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe []
"Google Desktop Search"=C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
"eFax 4.3"=C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe [2007-03-06 116224]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-02-06 177472]
"egui"=C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe [2008-03-13 1443072]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Google Update"=C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-20 133104]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0
"EnableLinkedConnections"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveAutoRun"=FFFFFFFF
"NoDriveTypeAutoRun"=36

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"REG_DWAORD"=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc35d-a7cc-11dd-9972-001a6bf2781d}]
shell\AutoRun\command - C:\Windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe comboClt.ocx.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc360-a7cc-11dd-9972-001a6bf2781d}]
shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89084-8cc2-11dd-9cdd-001a6bf2781d}]
shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d920bb28-39ca-11dd-b87e-001b24a025e7}]
shell\AutoRun\command - G:\LaunchU3.exe -a


======List of files/folders created in the last 1 months======

2009-02-24 11:26:54 ----RASHD---- C:\autorun.inf
2009-02-24 11:24:22 ----D---- C:\_OTMoveIt
2009-02-24 11:21:43 ----D---- C:\Windows\ERDNT
2009-02-23 10:14:19 ----D---- C:\rsit
2009-02-20 21:37:26 ----A---- C:\Windows\_MSRSTRT.EXE
2009-02-19 11:43:34 ----A---- C:\Windows\system32\MRT.exe
2009-02-17 20:01:46 ----D---- C:\Program Files\Panda Security
2009-02-16 12:32:21 ----D---- C:\Program Files\Exterminate It!
2009-02-15 20:01:25 ----D---- C:\Users\SK\AppData\Roaming\Digital Support
2009-02-15 19:51:35 ----D---- C:\Program Files\Digital Support
2009-02-15 17:37:35 ----D---- C:\nod_upd
2009-02-15 11:50:20 ----SHD---- C:\Config.Msi
2009-02-15 10:05:03 ----D---- C:\ProgramData\SUPERAntiSpyware.com
2009-02-15 10:04:13 ----D---- C:\Program Files\SUPERAntiSpyware
2009-02-14 17:02:05 ----D---- C:\Program Files\Trend Micro
2009-02-14 16:58:54 ----D---- C:\Program Files\Norton Security Scan
2009-02-14 14:36:22 ----D---- C:\ProgramData\ESET
2009-02-14 14:36:22 ----D---- C:\Program Files\ESET
2009-02-12 20:09:06 ----D---- C:\ProgramData\AntiVir PersonalEdition Classic
2009-02-12 19:36:49 ----D---- C:\Program Files\ToniArts
2009-02-12 19:36:38 ----D---- C:\Program Files\Common Files\Wise Installation Wizard
2009-02-11 13:38:45 ----D---- C:\Program Files\Windows Live Safety Center
2009-02-11 13:37:55 ----D---- C:\Users\SK\AppData\Roaming\Malwarebytes
2009-02-11 13:37:43 ----D---- C:\ProgramData\Malwarebytes
2009-02-11 13:37:43 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-07 17:34:05 ----A---- C:\Windows\system32\pdfcmnnt.dll
2009-02-07 16:54:23 ----A---- C:\Windows\system32\MSMPIDE.DLL
2009-01-30 14:16:12 ----D---- C:\ProgramData\McAfee
2009-01-29 23:52:13 ----A---- C:\Windows\system32\avgrep.txt
2009-01-29 23:47:43 ----D---- C:\Windows\pss
2009-01-29 22:50:17 ----D---- C:\RECYCLER
2009-01-26 09:17:50 ----D---- C:\ProgramData\NVIDIA

======List of files/folders modified in the last 1 months======

2009-02-24 11:29:59 ----D---- C:\Windows\Temp
2009-02-24 11:28:29 ----D---- C:\Windows\System32
2009-02-24 11:28:29 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-02-24 11:28:28 ----D---- C:\Windows\inf
2009-02-24 11:24:24 ----HD---- C:\ProgramData
2009-02-24 11:24:23 ----RD---- C:\Program Files
2009-02-24 11:21:43 ----D---- C:\Windows
2009-02-24 09:49:32 ----D---- C:\Windows\Tasks
2009-02-24 09:49:22 ----D---- C:\ProgramData\Google Updater
2009-02-21 22:11:41 ----D---- C:\Windows\system32\catroot2
2009-02-20 21:35:32 ----AD---- C:\ProgramData\TEMP
2009-02-19 11:39:40 ----D---- C:\Windows\Prefetch
2009-02-19 10:12:49 ----D---- C:\Windows\system32\Tasks
2009-02-17 20:39:01 ----D---- C:\Windows\system32\drivers
2009-02-17 19:45:17 ----SD---- C:\Windows\Downloaded Program Files
2009-02-17 07:16:23 ----SHD---- C:\System Volume Information
2009-02-15 20:37:24 ----D---- C:\Windows\system32\LogFiles
2009-02-15 17:59:43 ----A---- C:\Windows\ntbtlog.txt
2009-02-15 15:13:18 ----D---- C:\Windows\system32\wbem
2009-02-15 15:10:42 ----D---- C:\Windows\system32\CodeIntegrity
2009-02-15 15:10:32 ----SHD---- C:\Windows\Installer
2009-02-15 15:10:30 ----RSD---- C:\Windows\Fonts
2009-02-15 15:10:29 ----RSD---- C:\Windows\assembly
2009-02-15 15:10:28 ----D---- C:\Program Files\PDFCreator
2009-02-15 15:10:28 ----D---- C:\Program Files\Microsoft Works
2009-02-15 15:10:28 ----D---- C:\Program Files\Google
2009-02-15 15:10:28 ----D---- C:\Program Files\eFax Messenger 4.3
2009-02-15 15:10:28 ----D---- C:\Program Files\Common Files\SureThing Shared
2009-02-15 15:10:27 ----D---- C:\Windows\registration
2009-02-15 11:45:40 ----D---- C:\Windows\SoftwareDistribution
2009-02-14 16:59:06 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-02-12 19:36:49 ----HD---- C:\Program Files\InstallShield Installation Information
2009-02-12 19:36:38 ----D---- C:\Program Files\Common Files
2009-02-12 15:47:04 ----D---- C:\Program Files\McAfee
2009-02-07 16:24:10 ----D---- C:\PerfLogs
2009-02-06 21:34:38 ----D---- C:\Windows\Minidump
2009-01-30 20:37:21 ----D---- C:\Windows\SMINST
2009-01-30 12:51:27 ----D---- C:\Program Files\YouTube Downloader
2009-01-29 23:21:15 ----D---- C:\Windows\winsxs
2009-01-29 23:20:51 ----D---- C:\Program Files\Common Files\microsoft shared
2009-01-29 23:18:10 ----D---- C:\Program Files\Microsoft SQL Server
2009-01-29 23:13:14 ----D---- C:\Program Files\Microsoft Office
2009-01-29 23:09:06 ----D---- C:\Users\SK\AppData\Roaming\Orbit
2009-01-29 23:07:14 ----D---- C:\Program Files\Real
2009-01-29 23:07:14 ----D---- C:\Program Files\Common Files\Real
2009-01-25 11:25:01 ----D---- C:\Windows\system32\catroot

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 CSC;Offline Files Driver; C:\Windows\system32\drivers\csc.sys [2008-01-19 350720]
R1 eabfiltr;eabfiltr; C:\Windows\system32\DRIVERS\eabfiltr.sys [2006-11-30 8192]
R1 easdrv;easdrv; C:\Windows\system32\DRIVERS\easdrv.sys [2008-03-13 29704]
R1 epfwtdir;epfwtdir; C:\Windows\system32\DRIVERS\epfwtdir.sys [2008-03-13 33800]
R2 eamon;EAMON; C:\Windows\system32\DRIVERS\eamon.sys [2008-03-13 40456]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmptsk.sys [2007-02-24 39936]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimsptsk.sys [2007-01-23 42496]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdptsk.sys [2007-01-23 37376]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-01-19 14208]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\Windows\System32\Drivers\GEARAspiWDM.sys [2008-04-17 15464]
R3 HBtnKey;HBtnKey; C:\Windows\system32\DRIVERS\cpqbttn.sys [2006-06-28 9472]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-03-12 1747936]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2008-12-04 7606688]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2008-12-23 138240]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2008-01-19 88576]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-10-10 981504]
R3 SynTP;Synaptics TouchPad Driver; C:\Windows\system32\DRIVERS\SynTP.sys [2008-03-28 199472]
R3 usbvideo;USB Video Device (WDM); C:\Windows\System32\Drivers\usbvideo.sys [2008-01-19 134016]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-01-19 11264]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver; C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 464384]
S3 BthEnum;Bluetooth Enumerator Service; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-01-19 19456]
S3 BthPan;Bluetooth Device (Personal Area Network); C:\Windows\system32\DRIVERS\bthpan.sys [2008-01-19 92160]
S3 BTHPORT;Bluetooth Port Driver; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 BTHUSB;Bluetooth Radio USB Driver; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
S3 dot4;MS IEEE-1284.4 Driver; C:\Windows\system32\DRIVERS\Dot4.sys [2008-01-19 131584]
S3 Dot4Print;Print Class Driver for IEEE-1284.4; C:\Windows\system32\DRIVERS\Dot4Prt.sys [2008-01-19 16384]
S3 dot4usb;Dot4USB Filter Dot4USB Filter; C:\Windows\system32\DRIVERS\dot4usb.sys [2008-01-19 36864]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2008-01-19 5632]
S3 E100B;Intel(R) PRO Adapter Driver; C:\Windows\system32\DRIVERS\e100b325.sys [2006-11-02 163328]
S3 fsbl;F-Secure BlackLight Engine Driver; \??\C:\Users\SK\Downloads\fsmrt\fsbldrv.sys []
S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter; \??\C:\Users\SK\AppData\Local\Temp\{E4A61882-FB77-4F02-A0FC-7737A3C74AC0}\fsgk.sys [2009-02-19 55808]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
S3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\VSTDPV3.SYS [2006-11-02 987648]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL3.SYS [2006-11-02 200704]
S3 ialm;ialm; C:\Windows\system32\DRIVERS\igdkmd32.sys [2006-10-19 1380864]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 8192]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2008-01-19 5888]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2008-01-19 5504]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 6016]
S3 NETw4v32;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 32 Bit; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-09-26 2251776]
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2008-01-19 49664]
S3 USBAAPL;Apple Mobile USB Driver; C:\Windows\System32\Drivers\usbaapl.sys [2008-10-01 32000]
S3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 35328]
S3 winachsf;winachsf; C:\Windows\system32\DRIVERS\VSTCNXT3.SYS [2006-11-02 654336]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2008-01-19 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 83328]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-11-07 132424]
R2 ekrn;Eset Service; C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R2 IntuitUpdateService;Intuit Update Service; C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
R3 CLCapSvc;CyberLink Background Capture Service (CBCS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe [2007-04-24 262243]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-11-20 536872]
S2 gupdate1c98ea175fcf676;Google Update Service (gupdate1c98ea175fcf676); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
S2 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 182768]
S2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 Adobe LM Service;Adobe LM Service; C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe [2008-04-29 72704]
S3 AppMgmt;@appmgmts.dll,-3250; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2008-12-12 238888]
S3 BthServ;Bluetooth Support Service; C:\Windows\system32\svchost.exe [2008-01-19 21504]
S3 CLSched;CyberLink Task Scheduler (CTS); C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe [2007-04-24 106593]
S3 Com4Qlb;Com4Qlb; C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe [2007-01-10 110592]
S3 EhttpSrv;Eset HTTP Server; C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe [2008-03-13 19200]
S3 Fax;@%systemroot%\system32\fxsresm.dll,-118; C:\Windows\system32\fxssvc.exe [2008-01-19 523776]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor; C:\Users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe [2009-02-19 147456]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345; C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe [2009-02-14 30192]
S3 HP Health Check Service;HP Health Check Service; c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe [2007-09-19 65536]
S3 hpqwmiex;hpqwmiex; C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe [2006-05-03 135168]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe [2004-10-22 73728]
S3 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files\Common Files\LightScribe\LSSrvc.exe [2006-12-15 61440]
S3 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2008-12-04 203296]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2007-08-24 443776]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-27 145184]
S3 QBCFMonitorService;QBCFMonitorService; C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe [2008-12-09 24576]
S3 QBFCService;Intuit QuickBooks FCS; C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe [2008-11-18 61440]
S3 RoxMediaDB9;RoxMediaDB9; C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe [2007-02-12 880640]
S3 stllssvr;stllssvr; C:\Program Files\Common Files\SureThing Shared\stllssvr.exe [2007-02-17 74656]
S3 UmRdpService;@%SystemRoot%\system32\umrdp.dll,-1000; C:\Windows\System32\svchost.exe [2008-01-19 21504]
S3 wbengine;@%systemroot%\system32\wbengine.exe,-104; C:\Windows\system32\wbengine.exe [2008-01-19 917504]
S4 CscService;@%systemroot%\system32\cscsvc.dll,-200; C:\Windows\System32\svchost.exe [2008-01-19 21504]

-----------------EOF-----------------
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 24th, 2009, 4:28 pm

Download and Run Gmer

Download Gmer to your Desktop and unzip it to your Desktop.
http://majorgeeks.com/GMER_d5198.html

Disconnect from internet and close running programs.
There is a small chance this application may crash your computer so save any work you have open.
Double click gmer.exe.
Let the gmer.sys driver load if asked.
If it gives you a warning at program start about rootkit activity and asks if you want to run scan...say Ok.
If no warning....
Click the Rootkit/Malware tab
To the right of the program you will see a bunch of boxes that have been checked... leave everything checked. Then click the Scan button. Wait for the scan to finish.
Once done click the Copy button.
Open Notepad and hit ctrl+v to paste the log. Save the log to your desktop please.

Click the >>> tab. This will open up all available tabs for you.
Click the Autostart tab then the scan button. Once its done click the Copy button and paste it into a new notepad document. Save that document to your desktop please.

Please post this log on your next reply.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 25th, 2009, 2:12 am

gmer.exe started and found ROOTKIT activity to which I would click ok scan. It crashed right away each time. I tried running it in SafeMode as Administrator and managed to get it to complete its scan, and I copied the requested results below. I causally noticed the random name service "gaopdxkoyxayvb" which might be the Conficker infection. I have not taken any further action; waiting for your instruction.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-25 10:31:03
Windows 6.0.6001 Service Pack 1


---- System - GMER 1.0.14 ----

Code 8593F368 ZwEnumerateKey
Code 8593F330 ZwFlushInstructionCache
Code 8593F2F8 ZwQueryValueKey
Code 8593F39D IofCallDriver
Code 8593E346 IofCompleteRequest

---- Kernel code sections - GMER 1.0.14 ----

.text ntkrnlpa.exe!IofCompleteRequest 82277FE2 5 Bytes JMP 8593E34B
.text ntkrnlpa.exe!IofCallDriver 822F9F6F 5 Bytes JMP 8593F3A2
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 823F030B 5 Bytes JMP 8593F334
PAGE ntkrnlpa.exe!ZwQueryValueKey 82443B57 5 Bytes JMP 8593F2FC
PAGE ntkrnlpa.exe!ZwEnumerateKey 82445BB4 5 Bytes JMP 8593F36C

---- User code sections - GMER 1.0.14 ----

.text C:\Users\SK\Downloads\gmer\gmer.exe[432] kernel32.dll!CopyFileW + 3 76786FB0 2 Bytes [ 8C, FB ]

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Modules - GMER 1.0.14 ----

Module \systemroot\system32\drivers\gaopdxkoyxayvb.sys (*** hidden *** ) 8EA93000-8EABD000 (172032 bytes)

---- Services - GMER 1.0.14 ----

Service C:\Windows\system32\drivers\gaopdxkoyxayvb.sys (*** hidden *** ) [SYSTEM] gaopdxserv.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bf2781d
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkoyxayvb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkoyxayvb.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmrfqirmt.dll
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bf2781d
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@imagepath \systemroot\system32\drivers\gaopdxkoyxayvb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys@userdata -1
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxserv \\?\globalroot\systemroot\system32\drivers\gaopdxkoyxayvb.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys\modules@gaopdxl \\?\globalroot\systemroot\system32\gaopdxmrfqirmt.dll

---- EOF - GMER 1.0.14 ----





GMER 1.0.14.14536 - http://www.gmer.net
Autostart scan 2009-02-25 10:31:16
Windows 6.0.6001 Service Pack 1


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,12288,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\ >>>
Winlogon@Userinit = userinit.exe,
Windows@AppInit_DLLs = C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Apple Mobile Device@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
ekrn@ = "C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe"
gupdate1c98ea175fcf676@ = "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
gusvc@ = "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
IntuitUpdateService@ = "C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe"
slsvc@ = %SystemRoot%\system32\SLsvc.exe
WSearch@ = %systemroot%\system32\SearchIndexer.exe /Embedding

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Windows DefenderC:\Program Files\Windows Defender\MSASCui.exe -hide /*file not found*/ = C:\Program Files\Windows Defender\MSASCui.exe -hide /*file not found*/
@WAWifiMessage%ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe /*file not found*/ = %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe /*file not found*/
@SynTPStartC:\Program Files\Synaptics\SynTP\SynTPStart.exe = C:\Program Files\Synaptics\SynTP\SynTPStart.exe
@SynTPEnhC:\Program Files\Synaptics\SynTP\SynTPEnh.exe = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
@SMSERIALC:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe = C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
@QPService"C:\Program Files\HP\QuickPlay\QPService.exe" = "C:\Program Files\HP\QuickPlay\QPService.exe"
@QlbCtrl%ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/ = %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start /*file not found*/
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@Intuit SyncManagerC:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup /*file not found*/ = C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup /*file not found*/
@hpWirelessAssistant%ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe /*file not found*/ = %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe /*file not found*/
@HP Software UpdateC:\Program Files\Hp\HP Software Update\HPWuSchd2.exe = C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
@HP Health Check Scheduler[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe /*file not found*/ = [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe /*file not found*/
@Google Desktop Search"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup = "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
@eFax 4.3"C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R = "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
@AppleSyncNotifierC:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe = C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
@egui"C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice = "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

HKCU\Software\Microsoft\Windows\CurrentVersion\Run@Google Update = "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{F02C1A0D-BE21-4350-88B0-7367FC96EF3C} /*Computers and Devices*/%systemroot%\system32\NetworkExplorer.dll = %systemroot%\system32\NetworkExplorer.dll
@{4A1E5ACD-A108-4100-9E26-D2FAFA1BA486} /*IGD Property Sheet Handler*/%SystemRoot%\System32\icsigd.dll = %SystemRoot%\System32\icsigd.dll
@{92dbad9f-5025-49b0-9078-2d78f935e341} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{b9815375-5d7f-4ce2-9245-c9d4da436930} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{f8b8412b-dea3-4130-b36c-5e8be73106ac} /*Microsoft Windows Mail Html Preview Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{5FA29220-36A1-40f9-89C6-F4B384B7642E} /*Shell Message Handler*/%SystemRoot%\system32\inetcomm.dll = %SystemRoot%\system32\inetcomm.dll
@{E7E4BC40-E76A-11CE-A9BB-00AA004AE837} /*Shell DocObject Viewer*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FBF23B40-E3F0-101B-8488-00AA003E56F8} /*InternetShortcut*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3C374A40-BAE4-11CF-BF7D-00AA006946EE} /*Microsoft Url History Service*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FF393560-C2A7-11CF-BFF4-444553540000} /*History*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E00-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{7BD29E01-76C1-11CF-9DD0-00A0C9034933} /*Temporary Internet Files*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{CFBFAE00-17A6-11D0-99CB-00C04FD64497} /*Microsoft Url Search Hook*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} /*The Internet*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{30D02401-6A81-11d0-8274-00C04FD5AE38} /*IE Search Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{871C5380-42A0-1069-A2EA-08002B30309D} /*Internet Name Space*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{8856f961-340a-11d0-a96b-00c04fd705a2} /*Microsoft Web Browser*/C:\Windows\system32\ieframe.dll = C:\Windows\system32\ieframe.dll
@{00020d75-0000-0000-c000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL
@{CC6EEFFB-43F6-46c5-9619-51D571967F7D} /*Web Publishing Wizard*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{add36aa8-751a-4579-a266-d66f5202ccbb} /*Print Ordering via the Web*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{6b33163c-76a5-4b6c-bf21-45de9cd503a1} /*Shell Publishing Wizard Object*/%SystemRoot%\System32\shwebsvc.dll = %SystemRoot%\System32\shwebsvc.dll
@{176d6597-26d3-11d1-b350-080036a75b03} /*ICM Scanner Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{5DB2625A-54DF-11D0-B6C4-0800091AA605} /*ICM Monitor Management*/%SystemRoot%\System32\colorui.dll = %SystemRoot%\System32\colorui.dll
@{675F097E-4C4D-11D0-B6C1-0800091AA605} /*ICM Printer Management*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{DBCE2480-C732-101B-BE72-BA78E9AD5B27} /*ICC Profile*/%SystemRoot%\system32\colorui.dll = %SystemRoot%\system32\colorui.dll
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{74246bfc-4c96-11d0-abef-0020af6b0b7a} /*Device Manager*/%SystemRoot%\System32\devmgr.dll = %SystemRoot%\System32\devmgr.dll
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{97e467b4-98c6-4f19-9588-161b7773d6f6} /*Office Document Property Handler*/%SystemRoot%\system32\propsys.dll = %SystemRoot%\system32\propsys.dll
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{DC1C5A9C-E88A-4dde-A5A1-60F82A20AEF7} /*File Open Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{C0B4E2F3-BA21-4773-8DBA-335EC946EB8B} /*File Save Dialog*/%SystemRoot%\System32\comdlg32.dll = %SystemRoot%\System32\comdlg32.dll
@{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75} /*Shell Icon Handler for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{e82a2d71-5b2f-43a0-97b8-81be15854de8} /*ShellLink for Application References*/C:\Windows\system32\dfshim.dll = C:\Windows\system32\dfshim.dll
@{92337A8C-E11D-11D0-BE48-00C04FC30DF6} /*OlePrn.PrinterURL*/%SystemRoot%\system32\oleprn.dll = %SystemRoot%\system32\oleprn.dll
@{45670FA8-ED97-4F44-BC93-305082590BFB} /*Microsoft XPS Properties*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{44121072-A222-48f2-A58A-6D9AD51EBBE9} /*Microsoft XPS Thumbnail*/%SystemRoot%\system32\XPSSHHDR.DLL = %SystemRoot%\system32\XPSSHHDR.DLL
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{13D3C4B8-B179-4ebb-BF62-F704173E7448} /*Windows Contact Preview Handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{4F58F63F-244B-4c07-B29F-210BE59BE9B4} /*.group shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{8082C5E6-4C27-48ec-A809-B8E1122E8F97} /*.contact shell extension handler*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{16C2C29D-0E5F-45f3-A445-03E03F587B7D} /*group_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{CF67796C-F57F-45F8-92FB-AD698826C602} /*contact_wab_auto_file*/%CommonProgramFiles%\System\wab32.dll = %CommonProgramFiles%\System\wab32.dll
@{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8} /*Compatibility Property Page*/%windir%\system32\acppage.dll = %windir%\system32\acppage.dll
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/C:\Windows\system32\extmgr.dll = C:\Windows\system32\extmgr.dll
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{11dbb47c-a525-400b-9e80-a54615a090c0} /*Execute Folder*/ExplorerFrame.dll = ExplorerFrame.dll
@{90b9bce2-b6db-4fd3-8451-35917ea1081b} /*Search Execute Command*/ExplorerFrame.dll = ExplorerFrame.dll
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{da67b8ad-e81b-4c70-9b91b417b5e33527} /*Windows Search Shell Service*/(null) =
@{a38b883c-1682-497e-97b0-0a3a9e801682} /*IPropertyStore Handler for Images*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{C7657C4A-9F68-40fa-A4DF-96BC08EB3551} /*Photo Thumbnail Provider*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{3F30C968-480A-4C6C-862D-EFC0897BB84B} /*Photo Thumbnail Extractor*/C:\Windows\system32\PhotoMetadataHandler.dll = C:\Windows\system32\PhotoMetadataHandler.dll
@{BC65FB43-1958-4349-971A-210290480130} /*Network Explorer Property Sheet Handler*/%SystemRoot%\System32\NcdProp.dll = %SystemRoot%\System32\NcdProp.dll
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{40C3D757-D6E4-4b49-BB41-0E5BBEA28817} /*Video Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{E598560B-28D5-46aa-A14A-8A3BEA34B576} /*Windows Photo Gallery Viewer Video Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{0a4286ea-e355-44fb-8086-af3df7645bd9} /*Windows Media Player*/C:\PROGRA~1\WI4EB4~1\wmpband.dll = C:\PROGRA~1\WI4EB4~1\wmpband.dll
@{BB6B2374-3D79-41DB-87F4-896C91846510} /*EMDFileProperties*/emdmgmt.dll = emdmgmt.dll
@{875CB1A1-0F29-45de-A1AE-CFB4950D0B78} /*Audio Media Properties Handler*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{89D83576-6BD1-4c86-9454-BEB04E94C819} /*MAPI Search Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{7A0F6AB7-ED84-46B6-B47E-02AA159A152B} /*Sync Center Simple Conflict Presenter*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{00f20eb5-8fd6-4d9d-b75e-36801766c8f1} /*PhotoAcqDropTarget*/%ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoAcq.dll /*file not found*/
@{BC48B32F-5910-47F5-8570-5074A8A5636A} /*Sync Results Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{ED228FDF-9EA8-4870-83B1-96B02CFE0D52} /*Games Folder*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{E413D040-6788-4C22-957E-175D1C513A34} /*Sync Center Conflict Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{91ADC906-6722-4B05-A12B-471ADDCCE132} /*Touch Band*/%SystemRoot%\System32\TouchX.dll = %SystemRoot%\System32\TouchX.dll
@{2781761E-28E0-4109-99FE-B9D127C57AFE} /*Windows Defender IOfficeAntiVirus implementation*/%ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/ = %ProgramFiles%\Windows Defender\MpOav.dll /*file not found*/
@{FFE2A43C-56B9-4bf5-9A79-CC6D4285608A} /*Windows Photo Gallery Viewer Image Verbs*/%ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/ = %ProgramFiles%\Windows Photo Gallery\PhotoViewer.dll /*file not found*/
@{4B534112-3AF6-4697-A77C-D62CE9B9E7CF} /*Sync Center Event Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{F1390A9A-A3F4-4E5D-9C5F-98F3BD8D935C} /*Sync Setup Delegate Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{4E5BFBF8-F59A-4e87-9805-1F9B42CC254A} /*GameUX.RichGameMediaThumbnail*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{576C9E85-1300-4EF5-BF6B-D00509F4EDCD} /*Sync Center Handler Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{289978AC-A101-4341-A817-21EBA7FD046D} /*Sync Center Conflict Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{877ca5ac-cb41-4842-9c69-9136e42d47e2} /*File Backup Index*/%systemroot%\system32\sdshext.dll = %systemroot%\system32\sdshext.dll
@{71D99464-3B6B-475C-B241-E15883207529} /*Sync Results Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{B32D3949-ED98-4DBB-B347-17A144969BBA} /*Sync Center Item Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{D6791A63-E7E2-4fee-BF52-5DED8E86E9B8} /*Portable Devices Menu*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{2E9E59C0-B437-4981-A647-9C34B9B90891} /*Sync Setup Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF} /*Sync Center Folder*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{CB1B7F8C-C50A-4176-B604-9E24DEE8D4D1} /*Welcome Center*/oobefldr.dll = oobefldr.dll
@{15D633E2-AD00-465b-9EC7-F56B7CDF8E27} /*Tablet PC Input Panel*/%CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/ = %CommonProgramFiles%\microsoft shared\ink\TipBand.dll /*file not found*/
@{F04CC277-03A2-4277-96A9-77967471BDFF} /*Sync Center Conflict Properties Extension*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{53BEDF0B-4E5B-4183-8DC9-B844344FA104} /*Microsoft Windows MAPI Preview Handler*/%SystemRoot%\system32\mssvp.dll = %SystemRoot%\system32\mssvp.dll
@{6b9228da-9c15-419e-856c-19e768a13bdc} /*Windows gadget DropTarget*/%ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/ = %ProgramFiles%\Windows Sidebar\sbdrop.dll /*file not found*/
@{8E25992B-373E-486E-80E5-BD23AE417E66} /*Sync Center Device Notification Sink*/%SystemRoot%\System32\SyncCenter.dll = %SystemRoot%\System32\SyncCenter.dll
@{35786D3C-B075-49b9-88DD-029876E11C01} /*Portable Devices*/%SystemRoot%\system32\wpdshext.dll = %SystemRoot%\system32\wpdshext.dll
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{1FA9085F-25A2-489B-85D4-86326EEDCD87} /*Manage Wireless Networks*/%SystemRoot%\system32\wlanpref.dll = %SystemRoot%\system32\wlanpref.dll
@{7dda204b-2097-47c9-8323-c40bb840ae44} /*XPS document*/(null) =
@{ECDD6472-2B9B-4b4b-AE36-F316DF3C8D60} /*RichGameMediaPropertyStore Class*/C:\Windows\System32\gameux.dll = C:\Windows\System32\gameux.dll
@{BD7A2E7B-21CB-41b2-A086-B309680C6B7E} /*Client Side Cache Namespace Extension*/%systemroot%\system32\mssvp.dll = %systemroot%\system32\mssvp.dll
@{c5a40261-cd64-4ccf-84cb-c394da41d590} /*Video Thumbnail Extractor*/%SystemRoot%\System32\mediametadatahandler.dll = %SystemRoot%\System32\mediametadatahandler.dll
@{A70C977A-BF00-412C-90B7-034C51DA2439} /*NvCpl DesktopContext Class*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll
@{2F603045-309F-11CF-9774-0020AFD0CFF6} /*Synaptics Control Panel*/C:\Program Files\Synaptics\SynTP\SynTPCpl.dll = C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\Office12\msohevi.dll = C:\Program Files\Microsoft Office\Office12\msohevi.dll
@{993BE281-6695-4BA5-8A2A-7AACBFAAB69E} /*Microsoft Office Metadata Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97} /*Microsoft Office Thumbnail Handler*/C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll
@{7F67036B-66F1-411A-AD85-759FB9C5B0DB} /*ShellViewRTF*/C:\Windows\System32\ShellvRTF.dll = C:\Windows\System32\ShellvRTF.dll
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL
@{AB4F43CA-ADCD-4384-B9AF-3CECEA7D6544} /*Web Sites*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\12\BIN\FPNSE.DLL
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Office12\VISSHE.DLL = C:\Program Files\Microsoft Office\Office12\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Office12\VISSHE.DLL = C:\Program Files\Microsoft Office\Office12\VISSHE.DLL
@{E81FFB23-40E2-431C-A041-76AEA0E4B04C} /*Nameext*/C:\PROGRA~1\MICROS~2\Office12\NAMEEXT.DLL = C:\PROGRA~1\MICROS~2\Office12\NAMEEXT.DLL
@{6872d785-fe43-44cb-9b2a-2df4c5eb13b2} /*eFax Messenger - Shell Extension*/C:\Program Files\eFax Messenger 4.3\J2GShell.dll = C:\Program Files\eFax Messenger 4.3\J2GShell.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{7D5C4BDD-B015-4401-8731-1507B87DE297} /*QBVersionTool*/C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll = C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll
@{FFB699E0-306A-11d3-8BD1-00104B6F7516} /*Play on my TV helper*/C:\Windows\system32\nvcpl.dll = C:\Windows\system32\nvcpl.dll
@{45AC2688-0253-4ED8-97DE-B5370FA7D48A} /*Shell Extension for Malware scanning*/(null) =
@{B089FE88-FB52-11D3-BDF1-0050DA34150D} /*Eset Smart Security - Context Menu Shell Extension*/C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll
HotShellExt_40@{6872D785-FE43-44cb-9B2A-2DF4C5EB13B2} = C:\Program Files\eFax Messenger 4.3\J2GShell.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\DAP_ShredMenu@{BED4C38B-F765-45AC-8C56-613F76BBF43E} =

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers@{596AB062-B4D2-4215-9F74-E9109B0A8153} = %SystemRoot%\system32\twext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\Eset Smart Security - Context Menu Shell Extension@{B089FE88-FB52-11D3-BDF1-0050DA34150D} = C:\Program Files\ESET\ESET NOD32 Antivirus\shellExt.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
@{22BF413B-C6D2-4d91-82A9-A0F997BA588C}C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll = C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
@{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}C:\Program Files\AVG\AVG8\avgssie.dll /*file not found*/ = C:\Program Files\AVG\AVG8\avgssie.dll /*file not found*/
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre6\bin\ssv.dll = C:\Program Files\Java\jre6\bin\ssv.dll
@{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll = C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre6\bin\jp2ssv.dll = C:\Program Files\Java\jre6\bin\jp2ssv.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\Windows\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
@Start Pagehttp://ie.redirect.hp.com/svs/rdr?T ... &pf=laptop = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main@Start Page = http://www.google.com/

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\Windows\System32\msvidctl.dll
intu-help-qb2@CLSID = C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
its@CLSID = %SystemRoot%\System32\itss.dll
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-help@CLSID = C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
ms-its@CLSID = %SystemRoot%\System32\itss.dll
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
skype4com@CLSID = C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
tv@CLSID = C:\Windows\System32\msvidctl.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ >>>
000000000001@LibraryPath = %SystemRoot%\system32\NLAapi.dll
000000000002@LibraryPath = %SystemRoot%\system32\napinsp.dll
000000000003@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll
000000000004@LibraryPath = %SystemRoot%\system32\pnrpnsp.dll
000000000005@LibraryPath = %SystemRoot%\system32\wshbth.dll

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\NameSpace_Catalog5\Catalog_Entries\000000000008@LibraryPath = C:\Program Files\Bonjour\mdnsNSP.dll

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup = QuickBooks Update Agent.lnk

---- EOF - GMER 1.0.14 ----
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 25th, 2009, 6:39 pm

Download and Run Avenger

Download Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run it.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code: Select all
    Files to delete:
C:\Windows\system32\drivers\gaopdxkoyxayvb.sys
C:\Windows\system32\gaopdxmrfqirmt.dll

Drivers to delete:
gaopdxserv.sys

Registry keys to delete:
HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bf2781d
HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys
HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bf2781d
HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys
  • In the avenger window, click the Paste Script from Clipboard, Image button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then Avenger will require two reboots to complete its operation. If that is the case, it will force a BSOD on the first reboot. This is normal & expected behavior.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Close the log for now.

Please now re-run GMER with the same settings as my previous post.

Please post the Avenger log and the GMER log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 26th, 2009, 2:31 am

I believe you did it! I can now access all anti-virus websites as well as automatic updates. Here is the Avenger logfile:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "gaopdxserv.sys" found!
ImagePath: \systemroot\system32\drivers\gaopdxkoyxayvb.sys
Start Type: 4 (Disabled)

Rootkit scan completed.

File "C:\Windows\system32\drivers\gaopdxkoyxayvb.sys" deleted successfully.
File "C:\Windows\system32\gaopdxmrfqirmt.dll" deleted successfully.
Driver "gaopdxserv.sys" deleted successfully.
Registry key "HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bf2781d" deleted successfully.

Error: registry key "HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" not found!
Deletion of registry key "HKLM\SYSTEM\CurrentControlSet\Services\gaopdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Registry key "HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bf2781d" deleted successfully.
Registry key "HKLM\SYSTEM\ControlSet002\Services\gaopdxserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.




And here is the gmer.exe logfile:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-26 12:48:47
Windows 6.0.6001 Service Pack 1


---- Kernel code sections - GMER 1.0.14 ----

? system32\drivers\sbssdp.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 75956E2D 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtCreateFile + 6 76FD800E 4 Bytes [ 25, 00, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtCreateFile + B 76FD8013 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtMapViewOfSection + 6 76FD875E 1 Byte [ 25 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtMapViewOfSection + 8 76FD8760 2 Bytes [ 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtMapViewOfSection + B 76FD8763 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenFile + 6 76FD87EE 4 Bytes [ 65, 00, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenFile + B 76FD87F3 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcess + 6 76FD886E 4 Bytes [ A5, 01, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcess + B 76FD8873 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcessToken + 6 76FD887E 4 Bytes [ E5, 01, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcessToken + B 76FD8883 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcessTokenEx + 6 76FD888E 4 Bytes [ A5, 02, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenProcessTokenEx + B 76FD8893 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThread + 6 76FD88DE 4 Bytes [ 65, 01, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThread + B 76FD88E3 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThreadToken + 6 76FD88EE 4 Bytes [ 65, 02, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThreadToken + B 76FD88F3 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThreadTokenEx + 6 76FD88FE 4 Bytes [ E5, 02, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtOpenThreadTokenEx + B 76FD8903 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtQueryAttributesFile + 6 76FD898E 4 Bytes [ A5, 00, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtQueryAttributesFile + B 76FD8993 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtQueryFullAttributesFile + 6 76FD8A3E 4 Bytes [ E5, 00, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtQueryFullAttributesFile + B 76FD8A43 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtSetInformationFile + 6 76FD8F1E 4 Bytes [ 25, 01, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtSetInformationFile + B 76FD8F23 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtSetInformationThread + 6 76FD8F6E 4 Bytes [ 25, 02, 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtSetInformationThread + B 76FD8F73 1 Byte [ E2 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtUnmapViewOfSection + 6 76FD920E 1 Byte [ 65 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtUnmapViewOfSection + 8 76FD9210 2 Bytes [ 06, 00 ]
.text C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe[2196] ntdll.dll!NtUnmapViewOfSection + B 76FD9213 1 Byte [ E2 ]
.text C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE[2320] kernel32.dll!SetUnhandledExceptionFilter 75956E2D 5 Bytes JMP 66F3531D C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

---- Threads - GMER 1.0.14 ----

Thread 4:1460 A0BBE8C8
Thread 4:1548 A0BBE8C8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6bf2781d
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6bf2781d
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10090400000000000F01FEC\Usage@OutlookMAPI2Intl_1033 978993978
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002119410000000000000000F01FEC\Usage@ProductFiles 978985232
Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gathering Manager\Applications\Windows@CrawlScopeVersion 870

---- EOF - GMER 1.0.14 ----
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 26th, 2009, 4:44 pm

Download and Run ComboFix

Please visit this webpage for instructions for downloading ComboFix at your DESKTOP :
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found here.
    The ones that need to be closed/disabled are:
    Windows Defender
    ESET Nod32 Anti-Virus

  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » February 27th, 2009, 3:07 pm

I disabled Eset and had uninstalled McAfee before installing Eset, but ComboFix showed both as running when I started the scan. I copied both requested logfiles below. Does everything look good?




ComboFix 09-02-26.02 - SK 2009-02-27 23:15:35.1 - NTFSx86
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3069.2180 [GMT 4.5:30]
Running from: c:\users\SK\Downloads\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)
AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated)
* Created a new restore point
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\gaopdxcounter

.
((((((((((((((((((((((((( Files Created from 2009-01-27 to 2009-02-27 )))))))))))))))))))))))))))))))
.

2009-02-26 10:53 . 2008-06-20 05:44 781,344 --a------ c:\windows\System32\PresentationNative_v0300.dll
2009-02-26 10:53 . 2008-06-20 05:44 622,080 --a------ c:\windows\System32\icardagt.exe
2009-02-26 10:53 . 2008-06-20 05:44 326,160 --a------ c:\windows\System32\PresentationHost.exe
2009-02-26 10:53 . 2008-06-20 05:44 105,016 --a------ c:\windows\System32\PresentationCFFRasterizerNative_v0300.dll
2009-02-26 10:53 . 2008-06-20 05:44 97,800 --a------ c:\windows\System32\infocardapi.dll
2009-02-26 10:53 . 2008-06-20 05:44 43,544 --a------ c:\windows\System32\PresentationHostProxy.dll
2009-02-26 10:53 . 2008-06-20 05:44 37,384 --a------ c:\windows\System32\infocardcpl.cpl
2009-02-26 10:53 . 2008-06-20 05:44 11,264 --a------ c:\windows\System32\icardres.dll
2009-02-26 10:37 . 2008-07-27 22:33 282,112 --a------ c:\windows\System32\mscoree.dll
2009-02-26 10:37 . 2008-07-27 22:33 96,760 --a------ c:\windows\System32\dfshim.dll
2009-02-26 10:37 . 2008-07-27 22:33 41,984 --a------ c:\windows\System32\netfxperf.dll
2009-02-26 10:36 . 2008-07-27 22:33 158,720 --a------ c:\windows\System32\mscorier.dll
2009-02-26 10:35 . 2008-07-27 22:33 83,968 --a------ c:\windows\System32\mscories.dll
2009-02-26 10:33 . 2009-01-15 08:06 1,383,424 --a------ c:\windows\System32\mshtml.tlb
2009-02-26 10:33 . 2009-01-15 10:41 827,392 --a------ c:\windows\System32\wininet.dll
2009-02-25 10:05 . 2009-02-26 10:18 250 --a------ c:\windows\gmer.ini
2009-02-24 11:24 . 2009-02-24 11:24 <DIR> d-------- C:\_OTMoveIt
2009-02-23 10:14 . 2009-02-23 10:14 <DIR> d-------- C:\rsit
2009-02-20 21:37 . 2009-02-20 21:37 2,560 --a------ c:\windows\_MSRSTRT.EXE
2009-02-20 00:40 . 2009-02-20 00:40 <DIR> d-------- c:\users\Public\Recorded TV
2009-02-17 20:01 . 2009-02-17 20:01 <DIR> d-------- c:\program files\Panda Security
2009-02-17 20:01 . 2008-06-19 16:24 28,544 --a------ c:\windows\System32\drivers\pavboot.sys
2009-02-16 12:32 . 2009-02-17 20:59 <DIR> d-------- c:\program files\Exterminate It!
2009-02-15 20:01 . 2009-02-15 20:11 <DIR> d-------- c:\users\SK\AppData\Roaming\Digital Support
2009-02-15 19:51 . 2009-02-15 20:01 <DIR> d-------- c:\program files\Digital Support
2009-02-15 17:37 . 2009-02-15 17:37 <DIR> d-------- C:\nod_upd
2009-02-15 14:55 . 2009-02-15 14:55 <DIR> dr------- c:\users\Public\Videos
2009-02-15 14:55 . 2009-02-15 14:55 <DIR> dr------- c:\users\Public\Pictures
2009-02-15 14:55 . 2009-02-15 14:55 <DIR> dr------- c:\users\Public\Music
2009-02-15 14:55 . 2009-02-15 14:55 <DIR> dr------- c:\users\Public\Documents
2009-02-15 13:57 . 2009-02-15 13:57 26,624 --a------ c:\windows\System32\drivers\fsbts.sys
2009-02-15 10:05 . 2009-02-15 10:05 <DIR> d-------- c:\users\All Users\SUPERAntiSpyware.com
2009-02-15 10:05 . 2009-02-15 10:05 <DIR> d-------- c:\programdata\SUPERAntiSpyware.com
2009-02-15 10:04 . 2009-02-15 11:50 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-14 17:02 . 2009-02-14 17:02 <DIR> d-------- c:\program files\Trend Micro
2009-02-14 16:58 . 2009-02-26 14:09 <DIR> d-------- c:\program files\Norton Security Scan
2009-02-14 14:36 . 2009-02-14 14:36 <DIR> d-------- c:\users\All Users\ESET
2009-02-14 14:36 . 2009-02-14 14:36 <DIR> d-------- c:\programdata\ESET
2009-02-14 14:36 . 2009-02-14 14:36 <DIR> d-------- c:\program files\ESET
2009-02-12 20:09 . 2009-02-12 20:09 <DIR> d-------- c:\users\All Users\AntiVir PersonalEdition Classic
2009-02-12 20:09 . 2009-02-12 20:09 <DIR> d-------- c:\programdata\AntiVir PersonalEdition Classic
2009-02-12 19:36 . 2009-02-12 19:36 <DIR> d-------- c:\program files\ToniArts
2009-02-12 19:36 . 2009-02-15 11:50 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2009-02-11 13:38 . 2009-02-15 15:28 <DIR> d-------- c:\program files\Windows Live Safety Center
2009-02-11 13:37 . 2009-02-11 13:37 <DIR> d-------- c:\users\SK\AppData\Roaming\Malwarebytes
2009-02-11 13:37 . 2009-02-11 13:37 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-02-11 13:37 . 2009-02-11 13:37 <DIR> d-------- c:\programdata\Malwarebytes
2009-02-11 13:37 . 2009-02-26 14:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-02-11 13:37 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-02-11 13:37 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-02-07 17:34 . 1998-06-24 01:00 137,000 --a------ c:\windows\System32\MSMAPI32.OCX
2009-02-07 17:34 . 2001-10-28 17:42 116,224 --a------ c:\windows\System32\pdfcmnnt.dll
2009-02-07 16:54 . 1998-07-06 01:00 23,552 --a------ c:\windows\System32\MSMPIDE.DLL
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Videos
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Searches
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Saved Games
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Pictures
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Links
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Downloads
2009-02-07 16:47 . 2009-02-07 16:47 <DIR> dr------- c:\windows\System32\config\systemprofile\Documents
2009-02-06 21:33 . 2009-02-06 21:34 221,714,877 --a------ c:\windows\MEMORY.DMP
2009-01-30 14:16 . 2009-02-12 15:46 <DIR> d-------- c:\users\All Users\McAfee
2009-01-30 14:16 . 2009-02-12 15:46 <DIR> d-------- c:\programdata\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-26 10:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-26 10:05 --------- d-----w c:\programdata\Microsoft Help
2009-02-26 09:29 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-26 09:27 --------- d-----w c:\program files\Windows Mail
2009-02-26 04:32 --------- d-----w c:\programdata\Google Updater
2009-02-20 17:05 --------- d---a-w c:\programdata\TEMP
2009-02-15 10:40 --------- d-----w c:\program files\PDFCreator
2009-02-15 10:40 --------- d-----w c:\program files\Microsoft Works
2009-02-15 10:40 --------- d-----w c:\program files\Google
2009-02-15 10:40 --------- d-----w c:\program files\eFax Messenger 4.3
2009-02-15 10:40 --------- d-----w c:\program files\Common Files\SureThing Shared
2009-02-12 15:06 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-12 11:17 --------- d-----w c:\program files\McAfee
2009-01-30 08:21 --------- d-----w c:\program files\YouTube Downloader
2009-01-29 19:13 68,504 ----a-w c:\users\All Users\nvModes.dat
2009-01-29 19:13 68,504 ----a-w c:\programdata\nvModes.dat
2009-01-29 18:48 --------- d-----w c:\program files\Microsoft SQL Server
2009-01-29 18:39 --------- d-----w c:\users\SK\AppData\Roaming\Orbit
2009-01-29 18:37 --------- d-----w c:\program files\Real
2009-01-29 18:37 --------- d-----w c:\program files\Common Files\Real
2009-01-26 04:47 --------- d-----w c:\programdata\NVIDIA
2009-01-24 17:21 68,248 ----a-w c:\windows\IIF Transaction Creator Uninstaller.exe
2009-01-22 21:50 --------- d-----w c:\programdata\Intuit
2009-01-22 21:06 --------- d-----w c:\users\SK\AppData\Roaming\FileZilla
2009-01-21 08:26 --------- d-----w c:\program files\Common Files\Intuit
2009-01-21 08:19 --------- d-----w c:\users\SK\AppData\Roaming\Download Manager
2009-01-20 23:20 --------- d-----w c:\programdata\SQL Anywhere 10
2009-01-17 12:12 --------- d-----w c:\program files\Common Files\supportsoft
2009-01-17 12:04 --------- d-----w c:\program files\Intuit
2009-01-17 12:00 --------- d-----w c:\programdata\COMMON FILES
2009-01-15 22:20 --------- d-----w c:\program files\Akamai
2009-01-11 09:45 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-01-11 09:45 --------- d-----w c:\program files\Java
2009-01-04 10:46 --------- d-----w c:\program files\BitTorrent
2009-01-04 10:45 --------- d-----w c:\program files\DNA
2008-12-31 12:34 691,560 ----a-w c:\windows\System32\OGACheckControl.dll
2008-12-31 12:34 528,744 ----a-w c:\windows\System32\OGAVerify.exe
2008-12-31 12:34 502,120 ----a-w c:\windows\System32\OGAAddin.dll
2008-12-22 23:17 10,240 ----a-w c:\windows\System32\RtNicProp32.dll
2008-12-12 06:48 87,336 ----a-w c:\windows\System32\dns-sd.exe
2008-12-12 06:41 61,440 ----a-w c:\windows\System32\dnssd.dll
2008-06-23 23:18 174 --sha-w c:\program files\desktop.ini
2008-05-31 08:33 32 ----a-w c:\users\All Users\ezsid.dat
2008-05-31 08:33 32 ----a-w c:\programdata\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Update"="c:\users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-09-20 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-11 317128]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 102400]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-03-28 1045800]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2006-10-10 729088]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-04-24 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"Intuit SyncManager"="c:\program files\Common Files\Intuit\Sync\IntuitSyncManager.exe" [2008-11-18 623880]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-02 472776]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2009-02-14 30192]
"eFax 4.3"="c:\program files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 116224]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-03-13 1443072]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-12-09 984352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"REG_DWAORD"= 0xff

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~4\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C8792133-1C3C-47B8-8456-848DE667C071}"= Profile=Private|c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{194D912B-ACF8-460A-A1E2-C25F03CEE118}"= Profile=Private|c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{EAE5B236-039A-49B1-B591-A1ED71ADA293}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{BA345E33-3992-4D17-B391-E908B989F7C8}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{9ADACA5E-158F-45F6-B457-3523D2215809}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{B6B55F98-69D7-4C97-B456-9EDA823C2E75}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{4015679F-7B60-4F60-9E5A-10F67FE4E720}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{9FD30FFD-A9CC-4450-B08B-231E75AA61EE}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{8DB70D54-23A9-45EB-9476-8BEAB363C9E1}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{5BCCC0E1-F744-4199-8DB0-0B70C5D55302}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{3BE01D2C-CBA9-4CBC-B89D-A025807489DA}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{A91F1FF0-D393-464C-AB7B-DAD00FE6AF4A}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{3D19D6A1-19FC-4C2C-A494-98D2FB5BD184}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{23CABFD2-5472-4FB5-A442-2C54D20C4827}c:\\users\\SK\\appdata\\local\\google\\chrome\\application\\chrome.exe"= UDP:c:\users\SK\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"UDP Query User{051E9D6C-7E86-48DB-8552-D7362CEFF1CA}c:\\users\\SK\\appdata\\local\\google\\chrome\\application\\chrome.exe"= TCP:c:\users\SK\appdata\local\google\chrome\application\chrome.exe:chrome.exe
"{44F79501-0C9F-47C1-ACAE-C7525051C894}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{F749D29C-A525-4E39-97CA-E46A541FD8DF}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\ttax.exe:TurboTax
"{4D4D5617-C3FE-4543-A07F-C2CB3138E1CD}"= UDP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{554DD1A2-194E-4058-9A78-48678D358A91}"= TCP:c:\program files\TurboTax\Deluxe 2007\32bit\updatemgr.exe:TurboTax Update Manager
"{2C31DDE4-0D27-4698-8E35-A7E9B84C8B74}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3C648891-8947-4B60-B3EC-EA3F45E11C58}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{E3EB6EC3-B770-4E55-B90A-871387EAA0DC}c:\\program files\\filezilla ftp client\\filezilla.exe"= UDP:c:\program files\filezilla ftp client\filezilla.exe:FileZilla FTP Client
"UDP Query User{D972F3DF-519B-4D1F-B2F4-51E6200B1575}c:\\program files\\filezilla ftp client\\filezilla.exe"= TCP:c:\program files\filezilla ftp client\filezilla.exe:FileZilla FTP Client
"{E878F2CC-7782-45B0-877C-3EA265523764}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{230905E3-2133-47A5-BAA0-6B2CF3DBA019}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"{6E5A6E61-D175-4D91-AE28-CA903566A1E7}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{A4CF97C8-754E-4631-895E-CCB7623AA0E0}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{211DD8E3-FD88-48BA-ABDE-78DBC4524A97}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{3741EAB8-7208-4234-AC5A-390EF1B0E6DD}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{3121FFB4-0087-40C5-9762-F561873E4B1F}"= UDP:c:\program files\DAP\DAP.exe:Download Accelerator Plus (DAP)
"{35EFA903-408C-40B9-BFC6-81914325149A}"= TCP:c:\program files\DAP\DAP.exe:Download Accelerator Plus (DAP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"DoNotAllowExceptions"= 1 (0x1)

R0 fsbts;fsbts;c:\windows\System32\drivers\fsbts.sys [2009-02-15 26624]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [2009-02-17 28544]
R1 epfwtdir;epfwtdir;c:\windows\System32\drivers\epfwtdir.sys [2008-03-13 33800]
R2 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-03-13 472320]
R3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\System32\drivers\NETw5v32.sys [2008-11-17 3668480]
S2 gupdate1c98ea175fcf676;Google Update Service (gupdate1c98ea175fcf676);c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 133104]
S2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [2008-10-10 13088]
S3 F-Secure BlackLight Sensor;F-Secure BlackLight Sensor;c:\users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe --> c:\users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe [?]
S3 GoogleDesktopManager-110408-113106;Google Desktop Manager 5.8.811.4345;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [2009-01-17 30192]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - f:\wd_windows_tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc35d-a7cc-11dd-9972-001a6bf2781d}]
\shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe comboClt.ocx.vbs

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{60cbc360-a7cc-11dd-9972-001a6bf2781d}]
\shell\AutoRun\command - G:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6eb89084-8cc2-11dd-9cdd-001a6bf2781d}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d920bb28-39ca-11dd-b87e-001b24a025e7}]
\shell\AutoRun\command - G:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-02-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-01-29 09:46]

2009-02-19 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-14 17:10]

2009-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2516499264-4240842885-3651820049-1004.job
- c:\users\SK\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-20 20:26]

2009-02-14 c:\windows\Tasks\Norton Security Scan for SK.job
- c:\program files\Norton Security Scan\Nss.exe [2008-12-11 17:49]

2009-02-18 c:\windows\Tasks\User_Feed_Synchronization-{1869ED3F-334E-48D9-8547-172DC521BF51}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 12:03]

2009-02-19 c:\windows\Tasks\User_Feed_Synchronization-{E0763640-E72B-4C4E-9306-925D1FFD47FA}.job
- c:\windows\system32\msfeedssync.exe [2008-01-19 12:03]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-HP Health Check Scheduler - [ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyServer = 192.168.1.21:8080
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: afghanistanjustice.com\www
Trusted Zone: download.com
Trusted Zone: intuit.com
Trusted Zone: turbotax.com
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-27 23:21:01
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-02-27 23:24:43
ComboFix-quarantined-files.txt 2009-02-27 18:53:57

Pre-Run: 31,244,976,128 bytes free
Post-Run: 31,585,181,696 bytes free

271 --- E O F --- 2009-02-27 07:50:14














Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:54 PM, on 2/27/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\Taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.21:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: http://www.afghanistanjustice.com
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: *.intuit.com
O15 - Trusted Zone: http://*.turbotax.com
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\Users\SK~1\AppData\Local\Temp\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c98ea175fcf676) (gupdate1c98ea175fcf676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8848 bytes
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top

Re: Advanced Conficker Problems

Unread postby MikeSwim07 » February 28th, 2009, 9:45 am

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O15 - Trusted Zone: http://www.afghanistanjustice.com
    O15 - Trusted Zone: *.download.com
    O15 - Trusted Zone: *.intuit.com
    O15 - Trusted Zone: http://*.turbotax.com

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.

Delete bad files and/or folders

Use Explorer to navigate to and delete the following files and/or folders (if they are present):

Folders:
c:\program files\BitTorrent
c:\program files\DNA

Now just exit Explorer.

*****Make sure that you empty your recycle bin and restart your computer*****

Registry File

Open Notepad and copy the contents of the following box to a new file.

Code: Select all
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E878F2CC-7782-45B0-877C-3EA265523764}"=-
"{230905E3-2133-47A5-BAA0-6B2CF3DBA019}"=-


Save it as fix.reg (save type: "All files" (*.*)) to your desktop.

It should look like this -> Image

Go to Desktop, double-click fix.reg and merge the information with the registry.

Do you have BlackLight installed? If so, please ignore the instructions about downloading it.

BlackLight
  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start > Run
  • Copy and paste the contents of the below codebox into the run box
    Code: Select all
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic together with a new HijackThis log.

Please post a new Hijackthis log and the Blacklight log.
MikeSwim07
Regular Member
 
Posts: 4215
Joined: August 27th, 2007, 9:44 am
Location: Gone
Top

Re: Advanced Conficker Problems

Unread postby sanzar » March 1st, 2009, 5:28 am

Did as you instructed and included the two logs below. BlackLight reported nothing found. All done?

03/01/09 13:18:25 [Info]: BlackLight Engine 2.2.1092 initialized
03/01/09 13:18:25 [Info]: OS: 6.0 build 6001 (Service Pack 1)
03/01/09 13:18:25 [Note]: 7019 4
03/01/09 13:18:25 [Note]: 7005 0
03/01/09 13:18:32 [Note]: 7006 0
03/01/09 13:18:32 [Note]: 7027 0
03/01/09 13:18:32 [Error]: 6034 1072
03/01/09 13:18:42 [Note]: 7006 0
03/01/09 13:18:42 [Note]: 7027 0
03/01/09 13:18:43 [Note]: 7035 0
03/01/09 13:18:43 [Note]: 7026 0
03/01/09 13:18:43 [Note]: 7026 0
03/01/09 13:18:48 [Note]: FSRAW library version 1.7.1024
03/01/09 13:24:37 [Note]: 4015 236418
03/01/09 13:24:37 [Note]: 4027 236418 3670016
03/01/09 13:24:37 [Note]: 4020 236350 13041664
03/01/09 13:24:37 [Note]: 4022 236350
03/01/09 13:55:13 [Note]: 7007 0

---------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:55:40 PM, on 3/1/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\SK\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Windows\System32\notepad.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Intuit\QuickBooks 2009\qbw32.exe
C:\PROGRA~1\Intuit\QUICKB~1\QBDBMgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Intuit\QuickBooks\axlbridge.exe
C:\Program Files\Intuit\QuickBooks 2009\QBGDSPlugin.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=73&bd=Pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.21:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [WAWifiMessage] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Intuit SyncManager] C:\Program Files\Common Files\Intuit\Sync\IntuitSyncManager.exe startup
O4 - HKLM\..\Run: [hpWirelessAssistant] %ProgramFiles%\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKCU\..\Run: [Google Update] "C:\Users\SK\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {3860DD98-0549-4D50-AA72-5D17D200EE10} (Windows Live OneCare safety scanner control) - http://cdn.scan.onecare.live.com/resource/download/scanner/en-us/wlscctrl2.cab
O18 - Protocol: intu-help-qb2 - {84D77A00-41B5-4B8B-8ADF-86486D72E749} - C:\Program Files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~4\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Google Desktop Manager 5.8.811.4345 (GoogleDesktopManager-110408-113106) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c98ea175fcf676) (gupdate1c98ea175fcf676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 8937 bytes
sanzar
Active Member
 
Posts: 10
Joined: February 19th, 2009, 4:44 am
Top
Advertisement
Register to Remove
Next
Topic locked
  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 125 guests

The teamDelete all board cookiesAll times are UTC - 5 hours [ DST ]

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware

Board index