Free Malware Removal Forum

[surgyelan]

Hi!

I have encountered a rather weird behaviour: occasionally my mouse pointer gets self concoius, moves from here to there on my desktop, clicks on links on websites, switches between applications. It looks like exactly as I had a Remote Desktop or VNC server on my computer, and someone took control of my computer remotely. Of course I have no VNC nor RD installed / enabled (intentionally at least). In addition, my IE keeps shutting down on a random basis.

Could someone help me to gather back the control of my computer?

Here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:18:10, on 2009.09.21.
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Program Files\Eset\nod32krn.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\Windows\system32\svchost.exe
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\C&E\OSD\osd.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Users\Leon\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\taskmgr.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6w.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\explorer.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Windows\system32\groupmanager.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Adobe\Adobe Photoshop CS3\Photoshop.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Notepad++\notepad++.exe
C:\Users\Leon\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader hivatkozássúgó - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live bejelentkezési segítség - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [OSD] C:\Program Files\C&E\OSD\osd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [GroupManager] C:\Windows\system32\groupmanager.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Leon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HÁLÓZATI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70C7EB5-4178-4A2E-818D-6E8CC9892E2C}: NameServer = 193.110.57.4 193.110.56.8
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Distributed Transaction Servic (DstRser) - Unknown owner - C:\Windows\msagent\agentdpv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9942cbcaf5990) (gupdate1c9942cbcaf5990) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logicle Disk Managers - Unknown owner - C:\Windows\msagent\agentpsh.exe
O23 - Service: Logicle Mianags - Unknown owner - C:\Windows\system32\Restore\sframie.exe
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe (file missing)
O23 - Service: Microsoft Exchange Miange (MSExchangeMEM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEINFS32.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Network DSDM SRV - Unknown owner - C:\Program Files\Windows Media Player\wmpband.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\Windows\system32\noytcyr.exe (file missing)
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: RenProcis(DPE) (RenPro(DPE)) - Unknown owner - C:\Program Files\Windows Media Player\wmpbands.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\Windows\system32\roytctm.exe (file missing)
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\Windows\system32\soxpeca.exe (file missing)
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe (file missing)

--
End of file - 13160 bytes

[deltalima]

Hi surgyelan,

Welcome to the Malware Removal forums.
My nickname is deltalima and I will be helping you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me.

Please note the following:

• I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
• The fixes are specific to your problem and should only be used for this issue on this machine.
• Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
• If after 3 days you have not responded to this topic, it will be closed, and you will need to start a new one.
• It's often worth reading through these instructions and printing them for ease of reference.
• If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
• Please reply to this thread. Do not start a new topic.
• All of my posts need to be checked by a teacher, so please be patient while I attempt to remove your malware.

LIST OF PROGRAMS USING HIJACKTHIS

• Open HijackThis.
• Look under System tools.
• Click on the Open Uninstall Manager... button.
• Click on the Save list... button.
• It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
• Notepad will open. Please copy and paste the contents of this log in your next reply.

See in this link details.
http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

[surgyelan]

Hi Deltalima,

I am so glad you are babysitting me, I desperately need some help to resolve my problem.
I did as you instructed, here is the result of the uninstall_list.txt.

Best regards,

Leon

uninstall_list.txt:
32 Bit HP CIO Components Installer
3DMark06
Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Anchor Service CS3
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps
Adobe Color - Photoshop Specific
Adobe Color Common Settings
Adobe Color EU Extra Settings
Adobe Color JA Extra Settings
Adobe Color NA Recommended Settings
Adobe Default Language CS3
Adobe Device Central CS3
Adobe ExtendScript Toolkit 2
Adobe Flash Player 10 ActiveX
Adobe Flash Player Plugin
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Linguistics CS3
Adobe PDF Library Files
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Reader 8 - Hungarian
Adobe Setup
Adobe Setup
Adobe Shockwave Player 11
Adobe Stock Photos CS3
Adobe Type Support
Adobe Update Manager CS3
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Any Video Converter 2.7.2
Apache Tomcat 6.0 (remove only)
Avanquest update
AVIConverter 5.1.6
CharmDesktop
Choice Guard
Click to Convert 6.0
CyberLink PowerDVD 8
E.M. Total Video Player 1.31
Electronic Piano 2.5
ExamDiff Pro 3.1
Exterminate It!
FirstSteps Diagnostics
Fwink
Google Föld
Google Gears
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Update Helper
Heroes of Might and Magic V Collector Edition
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Intel® Turbo Memory és Intel® Matrix Storage Manager
Java Platform, Enterprise Edition 5 SDK
Java(TM) 6 Update 15
Java(TM) 6 Update 6
JMB36X Raid Configurer
K&H e-bank2 1.41
Malwarebytes' Anti-Malware
Marketing Plan Pro 9.0
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft SQL Server 2000
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual SourceSafe NetSetup
Microsoft Visual Studio .NET Enterprise Architect - English
Monopoly by Parker Brothers
Motorola SM56 Data Fax Modem
MSVCRT
MSXML 4.0 SP2 (KB941833)
MSXML 4.0 SP2 (KB954430)
MySQL Server 5.1
Nero 7 Essentials
Network Recording Player
NOD32 antivirus system
Notepad++
Oblivion
Open Video Capture version 1.1
openCRX Server
openMDX Tomcat+EJB
OpenVPN 2.0.9-gui-1.0.3
OSDInstall
Palo Alto Software's Application Manager 8.2
Panda ActiveScan 2.0
PCMark05
PDF Settings
PHP 5.2.11
PieceCopy
Pocket RAR documentation
PowerDV
Prevx CSI
PrimoPDF -- brought to you by Nitro PDF Software
Professional Equitas Terminal Interface
Quake 4(TM) Demo
Realtek High Definition Audio Driver
Recovery Toolbox for Excel 1.1
RemoveIT Pro v7 (Trial)
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio 3
Screenshot Pilot version 1.46.01
Sony Ericsson PC Suite 4.010.00
Spelling Dictionaries Support For Adobe Reader 8
Spybot - Search & Destroy
SpyHunter
SQLyog Enterprise Trial 8.14
SubViewer 3.063
System Spyware Interrogator
The Quest
Total Commander (Remove or Repair)
TradeManager 2008
Trader Workstation 4.0
Trojan Remover 6.7.5
TrojanHunter 5.0
Uninstall AdeptSQL Diff
Uninstall Startup Inspector
VideoLAN VLC media player 0.8.6i
Vista PDF Creator 1.02
VNC Free Edition 4.1.2
Vodafone Mobile Connect Lite
WebCam
Windows Live bejelentkezési segéd
Windows Live Communications Platform
Windows Live Essentials
Windows Live Essentials
Windows Live feltöltőeszköz
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live OneCare safety scanner
Windows Mobile Device Center Driver Update
Windows Mobile Resources
Windows Mobile-eszközközpont
WinRAR archiver
WinSCP 4.0.7
Xvid 1.1.3 final uninstall
Yawcam v0.3.0
zzEPG 1.0.0.0

[deltalima]

Hi surgyelan,

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Make sure you are connected to the Internet.
• Double-click on mbam-setup.exe to install the application.
• When the installation begins, follow the prompts and do not make any changes to default settings.
• When installation has finished, make sure you leave both of these checked:
  • Update Malwarebytes' Anti-Malware
  • Launch Malwarebytes' Anti-Malware
• Then click Finish.
• MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
• On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
• If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
• The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
• When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
• Click OK to close the message box and continue with the removal process.
• Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
• Make sure that everything is checked, and click Remove Selected.
• When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
• The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
• Copy and paste the contents of that report in your next reply and exit MBAM.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.

• Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
• Double click on RSIT.exe to run RSIT.
• Click Continue at the disclaimer screen.
• Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

Now please post the log from Malwarebytes Anti-Malware and the contents of log.txt and info.txt from the RSIT scan along with an update on how the computer is now running.

[surgyelan]

Hi Deltalima,

I followed your instructions: I let MBAM to perform a full scan. It found a dozen of malware infections, the results are as follows (mbam-log-2009-09-30 (10-53-58).txt). It prompted to reboot. After reboot I run MBAM to make sure, all found infections colud be removed. This time MBAM found my computer clean (mbam-log-2009-09-30 (13-36-59).txt). Next, I run RSIT, I pasted the logs (log.txt, info.txt). I did not notice any changes since MBAM disinfection on my system.

Best regards,

Leon

Log files:

mbam-log-2009-09-30 (10-53-58).txt

Malwarebytes' Anti-Malware 1.41
Database version: 2870
Windows 6.0.6000

2009.09.30. 10:53:58
mbam-log-2009-09-30 (10-53-58).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 445224
Time elapsed: 2 hour(s), 1 minute(s), 13 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 11
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\Windows\System32\groupmanager.exe (Trojan.Clicker) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe (Security.Hijack) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mabidwe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\roytctm (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wingms (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wsldoekd (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\groupmanager (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\BuildW (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\FirstInstallFlag (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\guid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\mso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\udso (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\uid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Ulrn (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Update (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\UpdateNew (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\krnlsrvc (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\txtfile\shell\open\command\(default) (Hijack.Notepad) -> Bad: ("C:\Windows\system32\nxtepad.exe" "%1") Good: (notepad.exe %1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\Temp\863791232_360.temp (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Windows\System32\c.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Windows\System32\comsa32.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\groupmanager.exe (Trojan.Clicker) -> Delete on reboot.
C:\Windows\Temp\OPRYBIHT (Trojan.Agent) -> Quarantined and deleted successfully.

mbam-log-2009-09-30 (13-36-59).txt

Malwarebytes' Anti-Malware 1.41
Database version: 2875
Windows 6.0.6000

2009.09.30. 13:36:59
mbam-log-2009-09-30 (13-36-59).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 444973
Time elapsed: 1 hour(s), 59 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

log.txt

Logfile of random's system information tool 1.06 (written by random/random)
Run by Leon at 2009-09-30 14:37:53
Microsoft® Windows Vista™ Home Premium
System drive C: has 22 GB (15%) free of 150 GB
Total RAM: 3070 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:38:00, on 2009.09.30.
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16764)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\inetsrv\inetinfo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe
C:\Windows\system32\svchost.exe
C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Eset\nod32krn.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\C&E\OSD\osd.exe
C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\Leon\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\ClickToConvert\C2CMonitor.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Sun\SDK\jdk\bin\javaw.exe
C:\Windows\System32\mobsync.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\totalcmd\TOTALCMD.EXE
C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system32\inetsrv\w3wp.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Users\Leon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\C3P1IQAU\RSIT[1].exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\Leon.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader hivatkozássúgó - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live bejelentkezési segítség - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IaNvSrv] C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe
O4 - HKLM\..\Run: [OSD] C:\Program Files\C&E\OSD\osd.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [MSConfig] "C:\Windows\System32\msconfig.exe" /auto
O4 - HKLM\..\Run: [MobileConnect] %programfiles%\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe /silent
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Leon\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'HELYI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'HÁLÓZATI SZOLGÁLTATÁS')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\Windows\system32\Macromed\Flash\FlashUtil10b.exe (User 'Default user')
O4 - Startup: Check for TWS Updates.lnk = C:\Program Files\Jts\WiseUpdt.exe
O4 - Startup: SDK Tray Menu.lnk = ?
O4 - Global Startup: C2CMonitor.lnk = C:\Program Files\ClickToConvert\C2CMonitor.exe
O4 - Global Startup: Palo Alto Software Update Manager 8.0.lnk = C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xportálás Microsoft Excel formátumba - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Kutatás - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O13 - Gopher Prefix:
O17 - HKLM\System\CCS\Services\Tcpip\..\{E70C7EB5-4178-4A2E-818D-6E8CC9892E2C}: NameServer = 193.110.57.4 193.110.56.8
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Distributed Transaction Servic (DstRser) - Unknown owner - C:\Windows\msagent\agentdpv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c9942cbcaf5990) (gupdate1c9942cbcaf5990) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Help Supportr - Unknown owner - C:\Program Files\Windows Media Player\npdsplay.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Logicle Disk Managers - Unknown owner - C:\Windows\msagent\agentpsh.exe
O23 - Service: Logicle Mianags - Unknown owner - C:\Windows\system32\Restore\sframie.exe
O23 - Service: Microsoft Exchange Miange (MSExchangeMEM) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEINFS32.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Network DSDM SRV - Unknown owner - C:\Program Files\Windows Media Player\wmpband.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe
O23 - Service: RenProcis(DPE) (RenPro(DPE)) - Unknown owner - C:\Program Files\Windows Media Player\wmpbands.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SysEnforce - Unknown owner - C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE
O23 - Service: Fujitsu Siemens Computers Diagnostic Testhandler (TestHandler) - Fujitsu Siemens Computers - C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Apache Software Foundation - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe
O23 - Service: Vodafone Mobile Connect Service (VMCService) - Vodafone - C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe

--
End of file - 11939 bytes

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-581560883-1044469292-4072932869-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-581560883-1044469292-4072932869-1000UA.job
C:\Windows\tasks\User_Feed_Synchronization-{5ADDF6CF-0CC0-44B5-AB8F-4DC1CEBF2C02}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader hivatkozássúgó - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live bejelentkezési segítség - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-08-27 256112]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.3.4501.1418\swg.dll [2009-09-30 762864]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C84D72FE-E17D-4195-BB24-76C02E2E7C4E}]
Google Dictionary Compression sdch - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll [2009-08-27 458736]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2009-07-25 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll [2009-08-27 256112]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-04-16 1006264]
"JMB36X IDE Setup"=C:\Windows\RaidTool\xInsIDE.exe [2007-03-20 36864]
"IAAnotif"=C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe [2007-07-24 174616]
"IaNvSrv"=C:\Program Files\Intel\Intel Matrix Storage Manager\OROM\IaNvSrv\IaNvSrv.exe [2007-07-24 33304]
"OSD"=C:\Program Files\C&E\OSD\osd.exe [2007-09-20 561152]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"nod32kui"=C:\Program Files\Eset\nod32kui.exe [2008-05-29 951624]
"Windows Mobile Device Center"=C:\Windows\WindowsMobile\wmdc.exe [2007-05-31 648072]
"MSConfig"=C:\Windows\System32\msconfig.exe [2006-11-02 222208]
"MobileConnect"=C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\MobileConnect.exe [2008-07-04 2072576]
"SunJavaUpdateSched"=C:\Program Files\Java\jre6\bin\jusched.exe [2009-07-25 149280]
"Malwarebytes Anti-Malware (reboot)"=C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2009-09-10 1312080]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2008-04-16 1232896]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2006-11-02 125440]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-01-23 39408]
"Google Update"=C:\Users\Leon\AppData\Local\Google\Update\GoogleUpdate.exe [2008-09-06 133104]
"msnmsgr"=C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-02-06 3885408]
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe [2006-11-02 201728]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe [2007-02-26 153136]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe [2006-11-10 90112]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe []

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
C2CMonitor.lnk - C:\Program Files\ClickToConvert\C2CMonitor.exe
Palo Alto Software Update Manager 8.0.lnk - C:\Program Files\Common Files\Palo Alto Software\8.0\PAS8_Update.exe
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe

C:\Users\Leon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
Check for TWS Updates.lnk - C:\Program Files\Jts\WiseUpdt.exe
SDK Tray Menu.lnk - C:\Sun\SDK\jdk\bin\javaw.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\aawservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bb6c456-7b94-11de-ae62-99d4d065e8ca}]
shell\AutoRun\command - H:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bb6c45b-7b94-11de-ae62-99d4d065e8ca}]
shell\AutoRun\command - I:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bb6c488-7b94-11de-ae62-001060d021c1}]
shell\AutoRun\command - H:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6bb6c48a-7b94-11de-ae62-001060d021c1}]
shell\AutoRun\command - H:\setup_vmc_lite.exe /checkApplicationPresence

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4291ce6-2f0f-11dd-95eb-001060d021c1}]
shell\AutoRun\command - G:\MonopolyPBInstall.exe


======File associations======

.txt - open - notepad.exe %1

======List of files/folders created in the last 1 months======

2009-09-30 14:37:53 ----D---- C:\rsit
2009-09-20 01:16:36 ----D---- C:\Users\Leon\AppData\Roaming\Notepad++
2009-09-20 01:16:36 ----D---- C:\Program Files\Notepad++
2009-09-19 14:40:42 ----D---- C:\ProgramData\FLEXnet
2009-09-19 14:36:31 ----D---- C:\Program Files\Bonjour
2009-09-19 14:29:45 ----D---- C:\Program Files\Common Files\Macrovision Shared
2009-09-18 11:26:56 ----D---- C:\Program Files\Apache Software Foundation
2009-09-18 01:24:58 ----A---- C:\Windows\php.ini
2009-09-17 23:58:17 ----SHD---- C:\Config.Msi
2009-09-17 23:20:42 ----D---- C:\Program Files\PHP
2009-09-17 20:32:33 ----A---- C:\Windows\libmySQL.dll
2009-09-17 19:58:03 ----D---- C:\Users\Leon\AppData\Roaming\SQLyog
2009-09-17 19:57:56 ----D---- C:\Program Files\SQLyog Enterprise Trial
2009-09-17 19:39:19 ----A---- C:\Windows\system32\libmcrypt.dll
2009-09-17 18:52:50 ----D---- C:\ProgramData\MySQL
2009-09-17 18:52:50 ----D---- C:\Program Files\MySQL
2009-09-14 16:35:18 ----A---- C:\Windows\system32\javaws.exe
2009-09-14 16:35:18 ----A---- C:\Windows\system32\javaw.exe
2009-09-14 16:35:18 ----A---- C:\Windows\system32\java.exe

======List of files/folders modified in the last 1 months======

2009-09-30 14:38:00 ----D---- C:\Windows\Prefetch
2009-09-30 14:37:56 ----D---- C:\Windows\Temp
2009-09-30 14:11:00 ----SHD---- C:\System Volume Information
2009-09-30 11:08:05 ----D---- C:\Windows\System32
2009-09-30 11:08:05 ----D---- C:\Windows\inf
2009-09-30 11:08:05 ----A---- C:\Windows\system32\PerfStringBackup.INI
2009-09-30 11:06:59 ----D---- C:\Windows\system32\drivers
2009-09-30 11:03:10 ----D---- C:\Windows\system32\inetsrv
2009-09-29 12:10:52 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-09-29 11:36:10 ----D---- C:\Program Files\Jts
2009-09-28 23:36:22 ----D---- C:\Users\Leon\AppData\Roaming\Adobe
2009-09-27 20:53:38 ----D---- C:\Users\Leon\AppData\Roaming\uTorrent
2009-09-25 11:55:30 ----D---- C:\Program Files\Common Files
2009-09-23 16:00:41 ----SD---- C:\Users\Leon\AppData\Roaming\Microsoft
2009-09-22 09:24:26 ----D---- C:\Program Files\Windows Media Player
2009-09-20 01:16:36 ----RD---- C:\Program Files
2009-09-19 23:46:05 ----D---- C:\Windows
2009-09-19 15:58:20 ----RSD---- C:\Windows\Fonts
2009-09-19 14:40:42 ----HD---- C:\ProgramData
2009-09-19 14:38:04 ----SHD---- C:\Windows\Installer
2009-09-19 14:37:26 ----D---- C:\Program Files\Adobe
2009-09-19 14:37:06 ----D---- C:\ProgramData\Adobe
2009-09-19 14:36:29 ----D---- C:\Program Files\Common Files\Adobe
2009-09-19 14:25:29 ----D---- C:\tmp
2009-09-17 23:57:22 ----D---- C:\Windows\SoftwareDistribution
2009-09-17 23:56:51 ----SD---- C:\Windows\Downloaded Program Files
2009-09-17 21:29:29 ----D---- C:\Windows\system32\Tasks
2009-09-17 20:59:35 ----A---- C:\Windows\php.iniold
2009-09-14 16:35:17 ----D---- C:\Program Files\Java
2009-09-03 11:40:40 ----D---- C:\Program Files\Windows Live Safety Center
2009-09-02 01:42:34 ----D---- C:\Windows\Minidump

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 nod32drv;nod32drv; C:\Windows\system32\drivers\nod32drv.sys [2008-05-29 15160]
R1 StarOpen;StarOpen; C:\Windows\system32\drivers\StarOpen.sys [2008-11-22 5632]
R2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}; \??\C:\Program Files\CyberLink\PowerDVD8\000.fcl [2008-02-01 41456]
R2 AMON;AMON; C:\Windows\system32\drivers\amon.sys [2008-05-29 511832]
R3 atikmdag;atikmdag; C:\Windows\system32\DRIVERS\atikmdag.sys [2007-12-04 3351040]
R3 BthEnum;Bluetooth enumerálási szolgáltatás; C:\Windows\system32\DRIVERS\BthEnum.sys [2008-04-29 19456]
R3 BthPan;Bluetooth-eszköz (személyes hálózat); C:\Windows\system32\DRIVERS\bthpan.sys [2006-11-02 92160]
R3 BTHUSB;Bluetooth-rádió USB illesztőprogramja; C:\Windows\System32\Drivers\BTHUSB.sys [2008-04-29 29184]
R3 CmBatt;Microsoft ACPI vezérlési módú telep illesztőprogramja; C:\Windows\system32\DRIVERS\CmBatt.sys [2008-04-16 14208]
R3 HdAudAddService;Microsoft 1.1 UAA funkció-illesztőprogram High Definition Audio hangszolgáltatáshoz; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 235520]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHDA.sys [2007-05-10 1775712]
R3 itecir;ITECIR Infrared Receiver; C:\Windows\system32\DRIVERS\itecir.sys [2007-04-04 46592]
R3 NETw4v32;Intel(R) Wireless WiFi Link adapter illesztőprogram 32 bites Windows Vistához; C:\Windows\system32\DRIVERS\NETw4v32.sys [2007-02-25 2216448]
R3 RFCOMM;Bluetooth-eszköz (RFCOMM protokoll TDI); C:\Windows\system32\DRIVERS\rfcomm.sys [2006-11-02 49664]
R3 RTL8169;Realtek 8169 NT Driver; C:\Windows\system32\DRIVERS\Rtlh86.sys [2007-04-30 81408]
R3 smserial;smserial; C:\Windows\system32\DRIVERS\smserial.sys [2006-11-22 982272]
R3 tap0801;TAP-Win32 Adapter V8; C:\Windows\system32\DRIVERS\tap0801.sys [2006-10-01 26624]
R3 WmiAcpi;Microsoft Windows Management Interface for ACPI; C:\Windows\system32\DRIVERS\wmiacpi.sys [2008-04-16 11264]
S3 a437mcei;a437mcei; C:\Windows\system32\drivers\a437mcei.sys []
S3 BTHPORT;Bluetooth-portillesztőprogram; C:\Windows\System32\Drivers\BTHport.sys [2008-04-29 220160]
S3 Cam5603D;WebCam; C:\Windows\System32\Drivers\BisonCam.sys [2007-06-01 753456]
S3 CEBFilter;CEBFilter; \??\C:\Program Files\C&E\OSD\OsdService\cebuffer.sys [2007-09-04 5120]
S3 CEIO;CEIO; \??\C:\Program Files\C&E\OSD\OsdService\ceio.sys [2007-08-31 4608]
S3 cKBFilter;cKBFilter; \??\C:\Program Files\C&E\OSD\OsdService\kbfiltr.sys [2007-08-31 7168]
S3 drmkaud;Microsoft Kernel DRM-hangdekódoló; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 5632]
S3 ENTECH;ENTECH; \??\C:\Windows\system32\DRIVERS\ENTECH.sys [2007-09-07 27672]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\Windows\system32\DRIVERS\ewusbmdm.sys [2008-03-17 101632]
S3 MSKSSRV;Microsoft Streaming szolgáltatásproxy; C:\Windows\system32\drivers\MSKSSRV.sys [2006-11-02 8192]
S3 MSPCLOCK;Microsoft Streaming óraproxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 5888]
S3 MSPQM;Microsoft Streaming minőségkezelő proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 5504]
S3 MSTEE;Microsoft Streaming cél/fogadók közötti konverter; C:\Windows\system32\drivers\MSTEE.sys [2006-11-02 6016]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM); C:\Windows\system32\DRIVERS\s0016bus.sys [2008-05-16 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter; C:\Windows\system32\DRIVERS\s0016mdfl.sys [2008-05-16 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver; C:\Windows\system32\DRIVERS\s0016mdm.sys [2008-05-16 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM); C:\Windows\system32\DRIVERS\s0016mgmt.sys [2008-05-16 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS); C:\Windows\system32\DRIVERS\s0016nd5.sys [2008-05-16 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface; C:\Windows\system32\DRIVERS\s0016obex.sys [2008-05-16 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM); C:\Windows\system32\DRIVERS\s0016unic.sys [2008-05-16 115752]
S3 usb_rndisx;USB RNDIS adapter; C:\Windows\system32\DRIVERS\usb8023x.sys [2006-11-02 14848]
S3 USBCCID;USB intelligenskártya-olvasó; C:\Windows\system32\DRIVERS\usbccid.sys [2006-11-02 30208]
S3 usbmouseb;usbmouseb; \??\C:\Windows\SYSTEM32\drivers\svhose.sys []
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2006-11-02 39936]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2006-11-02 82560]
S4 nvrd32;NVIDIA nForce RAID Driver; C:\Windows\system32\drivers\nvrd32.sys [2007-07-02 131616]
S4 nvstor32;nvstor32; C:\Windows\system32\drivers\nvstor32.sys [2007-07-02 110112]
S4 viamraid;viamraid; C:\Windows\system32\drivers\viamraid.sys [2006-11-08 102912]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 aawservice;Lavasoft Ad-Aware Service; C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2008-09-10 611664]
R2 Bonjour Service;##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##; C:\Program Files\Bonjour\mDNSResponder.exe [2006-02-28 229376]
R2 BthServ;@%SystemRoot%\System32\bthserv.dll,-101; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe [2007-07-24 354840]
R2 IISADMIN;@%windir%\system32\inetsrv\iisres.dll,-30007; C:\Windows\system32\inetsrv\inetinfo.exe [2007-10-11 13824]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe [2004-10-18 335872]
R2 MSSQLSERVER;MSSQLSERVER; C:\PROGRA~1\MI6841~1\MSSQL\binn\sqlservr.exe [2005-05-04 9150464]
R2 MySQL;MySQL; C:\Program Files\MySQL\MySQL Server 5.1\bin\mysqld --defaults-file=C:\Program Files\MySQL\MySQL Server 5.1\my.ini MySQL []
R2 Net Driver HPZ12;Net Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 NOD32krn;NOD32 Kernel Service; C:\Program Files\Eset\nod32krn.exe [2008-05-29 554312]
R2 Pml Driver HPZ12;Pml Driver HPZ12; C:\Windows\System32\svchost.exe [2006-11-02 22016]
R2 RapiMgr;@%windir%\WindowsMobile\rapimgr.dll,-104; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2007-10-16 243056]
R2 SysEnforce;SysEnforce; C:\PROGRA~1\TRISNA~1\SSI\SYSENF~1.EXE [2006-01-13 57344]
R2 TestHandler;Fujitsu Siemens Computers Diagnostic Testhandler; C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe [2006-12-08 204800]
R2 VMCService;Vodafone Mobile Connect Service; C:\Program Files\Vodafone\Vodafone Mobile Connect\Bin\VMCService.exe [2008-07-04 14336]
R2 W3SVC;@%windir%\system32\inetsrv\iisres.dll,-30003; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R2 WcesComm;@%windir%\WindowsMobile\wcescomm.dll,-40079; C:\Windows\system32\svchost.exe [2006-11-02 22016]
R3 WAS;@%windir%\system32\inetsrv\iisres.dll,-30001; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S2 11111112323322323444;12313212132132321123123123123; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S2 DstRser;Distributed Transaction Servic; C:\Windows\msagent\agentdpv.exe [2009-02-16 676864]
S2 FastUserSwitchingCompatibility;Microsolf Devicer Manager; C:\Windows\sYSTEM32\SVCHOST.EXE [2006-11-02 22016]
S2 gupdate1c9942cbcaf5990;Google Update Service (gupdate1c9942cbcaf5990); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-02-21 133104]
S2 Help Supportr;Help Supportr; C:\Program Files\Windows Media Player\npdsplay.exe [2009-09-22 479744]
S2 Logicle Disk Managers;Logicle Disk Managers; C:\Windows\msagent\agentpsh.exe [2009-05-15 669696]
S2 Logicle Mianags;Logicle Mianags; C:\Windows\system32\Restore\sframie.exe [2009-06-03 305785]
S2 MSExchangeMEM;Microsoft Exchange Miange; C:\Program Files\Common Files\Microsoft Shared\MSInfo\IEINFS32.exe [2009-05-04 669696]
S2 MS-SP3;Microsoft Support Online Update; C:\Windows\system32\svchost.exe [2006-11-02 22016]
S2 Network DSDM SRV;Network DSDM SRV; C:\Program Files\Windows Media Player\wmpband.exe [2009-05-05 656384]
S2 RenPro(DPE);RenProcis(DPE); C:\Program Files\Windows Media Player\wmpbands.exe [2009-04-29 645120]
S3 aspnet_state;@%windir%\system32\inetsrv\iisres.dll,-30009; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-27 34312]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-09-19 654848]
S3 gusvc;Google Software Updater; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-03 182768]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 MSSQLServerADHelper;MSSQLServerADHelper; C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe [2005-05-03 73728]
S3 OpenVPNService;OpenVPN Service; C:\Program Files\OpenVPN\bin\openvpnserv.exe [2006-10-01 16384]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SQLSERVERAGENT;SQLSERVERAGENT; C:\Program Files\Microsoft SQL Server\MSSQL\binn\sqlagent.exe [2005-05-03 323584]
S3 Tomcat6;Apache Tomcat 6; C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [2009-05-14 57344]
S3 WMSvc;@%windir%\system32\inetsrv\iisres.dll,-20001; C:\Windows\system32\inetsrv\wmsvc.exe [2006-11-02 10752]
S4 Ati External Event Utility;Ati External Event Utility; C:\Windows\system32\Ati2evxx.exe [2007-12-04 626688]
S4 CSIScanner;CSIScanner; C:\Program Files\PrevxCSI\prevxcsi.exe [2009-02-01 4107832]
S4 Network Connections Manager;Network Connections Manager; C:\Windows\Ati2vexx.exe []
S4 NMIndexingService;NMIndexingService; C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2007-02-26 267824]
S4 OsdService;OsdService; C:\Program Files\C&E\OSD\OsdService\OsdService.exe [2007-09-03 53248]
S4 ZYYGD;ZYYGD; C:\Users\Leon\AppData\Local\Temp\ZYYGD.exe []

-----------------EOF-----------------


info.txt

info.txt logfile of random's system information tool 1.06 2009-09-30 14:38:02

======Uninstall list======

-->C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Windows\UNNeroMediaHome.exe /UNINSTALL
-->C:\Windows\UNNeroShowTime.exe /UNINSTALL
-->C:\Windows\UNNeroVision.exe /UNINSTALL
-->C:\Windows\UNRecode.exe /UNINSTALL
32 Bit HP CIO Components Installer-->MsiExec.exe /I{F7B0E599-C114-4493-BC4D-D8FC7CBBABBB}
3DMark06-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7F3AD00A-1819-4B15-BB7D-08B3586336D7}\setup.exe" -l0x9 -removeonly
Ad-Aware-->MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)-->MsiExec.exe /X{6846389C-BAC0-4374-808E-B120F86AF5D7}
Adobe Anchor Service CS3-->MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3-->MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3-->MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting-->MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0-->MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps-->MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific-->MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings-->MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings-->MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings-->MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings-->MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3-->MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3-->MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2-->MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 10 ActiveX-->C:\Windows\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin-->C:\Windows\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Fonts All-->MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3-->MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3-->MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files-->MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3-->C:\Program Files\Common Files\Adobe\Installers\2ac78060bc5856b0c1cf873bb919b58\Setup.exe
Adobe Photoshop CS3-->MsiExec.exe /I{0046FA01-C5B9-4985-BACB-398DC480FC05}
Adobe Photoshop CS4-->C:\Program Files\Common Files\Adobe\Installers\faf656ef605427ee2f42989c3ad31b8\Setup.exe --uninstall=1
Adobe Reader 8 - Hungarian-->MsiExec.exe /I{AC76BA86-7AD7-1038-7B44-A81200000003}
Adobe Setup-->MsiExec.exe /I{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}
Adobe Setup-->MsiExec.exe /I{D1BB4446-AE9C-4256-9A7F-4D46604D2462}
Adobe Shockwave Player 11-->C:\Windows\system32\adobe\SHOCKW~1\UNWISE.EXE C:\Windows\system32\Adobe\SHOCKW~1\Install.log
Adobe Stock Photos CS3-->MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe Type Support-->MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3-->MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client-->MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin-->MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3-->MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Any Video Converter 2.7.2-->"C:\Program Files\Any Video Converter\unins000.exe"
Apache Tomcat 6.0 (remove only)-->"C:\Program Files\Apache Software Foundation\Tomcat 6.0\Uninstall.exe"
Avanquest update-->C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe -runfromtemp -l0x0009 -removeonly
AVIConverter 5.1.6-->C:\Program Files\TrekStor\i.Beat move\AVI-Converter\uninst.exe
CharmDesktop-->"C:\Program Files\CharmDesktop\unins000.exe"
Choice Guard-->MsiExec.exe /I{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}
Click to Convert 6.0-->C:\PROGRA~1\CLICKT~1\UNWISE.EXE C:\PROGRA~1\CLICKT~1\INSTALL.LOG
CyberLink PowerDVD 8-->"C:\Program Files\InstallShield Installation Information\{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}\setup.exe" /z-uninstall
E.M. Total Video Player 1.31-->"C:\Program Files\Total Video Player\unins000.exe"
Electronic Piano 2.5-->"C:\Program Files\Electronic Piano 2.5\unins000.exe"
ExamDiff Pro 3.1-->"C:\Program Files\ExamDiff Pro\unins000.exe"
Exterminate It!-->C:\Program Files\Exterminate It!\ExterminateIt_Uninst.exe
FirstSteps Diagnostics-->MsiExec.exe /X{94D66D71-12F0-48A5-B46A-D4B835A0F1B7}
Fwink-->MsiExec.exe /I{F432F2AE-F463-4491-A5FE-844849992F6E}
Google Föld-->MsiExec.exe /X{CC016F21-3970-11DE-B878-005056806466}
Google Gears-->MsiExec.exe /I{95774351-6087-3A3B-8CA8-70BEE49D2BD5}
Google Toolbar for Internet Explorer-->"C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarManager_E582EA556D8DE101.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Heroes of Might and Magic V Collector Edition-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DDB68A90-340C-42B9-B42B-D2CBED1B91DC}\setup.exe" -l0x9
HijackThis 2.0.2-->"C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Intel® Turbo Memory és Intel® Matrix Storage Manager-->C:\Windows\system32\imsmudlg.exe -uninstall
Java Platform, Enterprise Edition 5 SDK-->"C:\Sun\SDK\uninstall.exe" -javahome "C:\Sun\SDK\jdk"
Java(TM) 6 Update 15-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216013FF}
Java(TM) 6 Update 6-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160060}
JMB36X Raid Configurer-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}\SETUP.exe" -l0x9 -removeonly
K&H e-bank2 1.41-->"C:\Program Files\e-bank2\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Marketing Plan Pro 9.0-->MsiExec.exe /X{3F7C20E7-37DA-4DBF-B1C1-0F207633C178}
Microsoft .NET Framework (English) v1.0.3705-->C:\Windows\Microsoft.NET\Framework\Install.exe /u /p Microsoft .NET Framework Full v1.0.3705 (1033)
Microsoft .NET Framework (English)-->MsiExec.exe /X{B43357AA-3A6D-4D94-B56E-43C44D09E548}
Microsoft .NET Framework 1.0 Hotfix (KB928367)-->"C:\Windows\Microsoft.NET\Framework\v1.0.3705\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp"
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{9011040E-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2000-->C:\Windows\IsUninst.exe -f"C:\Program Files\Microsoft SQL Server\MSSQL\Uninst.isu" -c"C:\Program Files\Microsoft SQL Server\MSSQL\sqlsun.dll" -msql.mif i=MSSQLSERVER
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual SourceSafe NetSetup-->"C:\program files\vss\setup\win32\1033\Setup.exe"
Microsoft Visual Studio .NET Enterprise Architect - English-->"C:\Program Files\Microsoft Visual Studio .NET\Setup\Visual Studio .NET Enterprise Architect - English\setup.exe" /MaintMode
Monopoly by Parker Brothers-->C:\PROGRA~1\Hasbro\MONOPO~1\UNWISE.EXE /U C:\PROGRA~1\Hasbro\MONOPO~1\INSTALL.LOG
Motorola SM56 Data Fax Modem-->rundll32.exe sm56co6a.dll,SM56UnInstaller
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MySQL Server 5.1-->MsiExec.exe /I{FC874712-FA25-4DDA-9BFD-084CC0AE7327}
Nero 7 Essentials-->MsiExec.exe /X{81CD6232-10F5-4832-B3DA-1B88B1571038}
Network Recording Player-->MsiExec.exe /I{08333C2F-8219-48E8-8569-E53D4C761882}
NOD32 antivirus system-->C:\Program Files\Eset\Setup\setup.exe /UNINSTALL
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
Oblivion-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{35CB6715-41F8-4F99-8881-6FC75BF054B0}\setup.exe" -l0x9 -removeonly
Open Video Capture version 1.1-->"C:\Program Files\OpenVideoCapture\unins000.exe"
openCRX Server-->C:\Program Files\openmdxTomcatEjb-2.4.1\installer\opencrx-server\uninstall.exe
openMDX Tomcat+EJB-->C:\Program Files\openmdxTomcatEjb-2.4.1\installer\openmdx-tomcat-ejb\uninstall.exe
OpenVPN 2.0.9-gui-1.0.3-->C:\Program Files\OpenVPN\Uninstall.exe
OSDInstall-->MsiExec.exe /I{EB863CFD-6889-47B0-9D79-492DE0D07EE7}
Palo Alto Software's Application Manager 8.2-->MsiExec.exe /X{BAD00139-E284-4F6C-AA94-FB637462DEEB}
Panda ActiveScan 2.0-->C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PCMark05-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C104E56-A441-429D-A609-D8A46EB92EA1}\setup.exe" -l0x9 -removeonly
PDF Settings-->MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PHP 5.2.11-->MsiExec.exe /I{89C096A7-9A21-4402-9CD5-A09DA89551F0}
PieceCopy-->RunDll32 setupapi.dll,InstallHinfSection DefaultUninstall.ntx86 132 C:\Windows\INF\PEACCOPY.INF
Pocket RAR documentation-->C:\Program Files\PocketRAR\uninstall.exe
PowerDV-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe" -uninstall
Prevx CSI-->"C:\Program Files\PrevxCSI\prevxcsi.exe" /prop UNINSTALL=Y
PrimoPDF -- brought to you by Nitro PDF Software-->"C:\Program Files\Nitro PDF\PrimoPDF\uninstaller.exe"
Professional Equitas Terminal Interface-->"C:\Program Files\PETI\uninstall.exe"
Quake 4(TM) Demo-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{BAB004F0-F04C-49DD-8118-AE4A7697C469} /l2057
Realtek High Definition Audio Driver-->RtlUpd.exe -r -m
Recovery Toolbox for Excel 1.1-->"C:\Program Files\Recovery Toolbox for Excel\unins000.exe"
RemoveIT Pro v7 (Trial)-->C:\PROGRA~1\INCODE~1\REMOVE~1\UNWISE.EXE C:\PROGRA~1\INCODE~1\REMOVE~1\INSTALL.LOG
SAMSUNG Mobile Modem Driver Set-->C:\Windows\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung Mobile phone USB driver Software-->C:\Windows\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\Windows\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\Windows\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Screenshot Pilot version 1.46.01-->"C:\Program Files\Screenshot Pilot\unins000.exe"
Sony Ericsson PC Suite 4.010.00-->C:\Program Files\InstallShield Installation Information\{2FFE93F0-BB72-4E52-8761-354D1AAA9387}\ISAdmin.exe -runfromtemp -l0x000e -removeonly
Spelling Dictionaries Support For Adobe Reader 8-->MsiExec.exe /I{AC76BA86-7AD7-5464-3428-800000000003}
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpyHunter-->"C:\Program Files\Enigma Software Group\SpyHunter\Uninstall.exe" "C:\Program Files\Enigma Software Group\SpyHunter\install.log" -u
SQLyog Enterprise Trial 8.14 -->C:\Program Files\SQLyog Enterprise Trial\uninst.exe
SubViewer 3.063-->C:\Program Files\SubViewer3\Uninstal.exe
System Spyware Interrogator-->C:\PROGRA~1\TRISNA~1\SSI\UNWISE.EXE C:\PROGRA~1\TRISNA~1\SSI\INSTALL.LOG
The Quest-->C:\Windows\WindowsMobile\The Quest\Uninstall.exe The Quest
Total Commander (Remove or Repair)-->c:\Program Files\totalcmd\tcuninst.exe
TradeManager 2008-->C:\Program Files\trademanager\Uninstall.exe
Trader Workstation 4.0-->C:\PROGRA~1\Jts\UNWISE.EXE C:\PROGRA~1\Jts\INSTALL.LOG
Trojan Remover 6.7.5-->"C:\Program Files\Trojan Remover\unins000.exe"
TrojanHunter 5.0-->"C:\Program Files\TrojanHunter 5.0\unins000.exe"
Uninstall AdeptSQL Diff-->"C:\Program Files\AdeptSQL Diff\unins000.exe"
Uninstall Startup Inspector-->"C:\Program Files\Startup Inspector for Windows\unins000.exe"
VideoLAN VLC media player 0.8.6i-->C:\Program Files\VideoLAN\VLC\uninstall.exe
Vista PDF Creator 1.02-->"C:\Program Files\Vista PDF Creator\unins000.exe"
VNC Free Edition 4.1.2-->"C:\Program Files\RealVNC\VNC4\unins000.exe"
Vodafone Mobile Connect Lite-->MsiExec.exe /X{C656142F-EFE1-44CD-BFAD-6CBC6DCB9860}
WebCam-->Rundll32.exe BisonRem.dll,WinMainRmv
Windows Live bejelentkezési segéd-->MsiExec.exe /I{733EB793-0840-4D69-97AA-6934FC79DB16}
Windows Live Communications Platform-->MsiExec.exe /I{3B4E636E-9D65-4D67-BA61-189800823F52}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{6E07FF7A-878C-486C-BB85-516F61A8E2C7}
Windows Live feltöltőeszköz-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Messenger-->MsiExec.exe /X{D2C2B2A0-F37E-43CC-9E94-FC52F6D20C43}
Windows Live OneCare safety scanner-->"C:\Program Files\Windows Live Safety Center\UnInstall.exe"
Windows Live OneCare safety scanner-->MsiExec.exe /X{FE0646A7-19D0-41B4-A2BB-2C35D644270D}
Windows Mobile Device Center Driver Update-->MsiExec.exe /X{E7044E25-3038-4A76-9064-344AC038043E}
Windows Mobile Resources-->C:\Program Files\Windows Mobile Resources\Windows Mobile Device Handbook\Bin\DHUninstall.exe
Windows Mobile-eszközközpont-->MsiExec.exe /X{904CCF62-818D-4675-BC76-D37EB399F917}
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
WinSCP 4.0.7-->"C:\Program Files\WinSCP\unins000.exe"
Xvid 1.1.3 final uninstall-->"C:\Program Files\Xvid\unins000.exe"
Yawcam v0.3.0-->"C:\Program Files\Yawcam\unins000.exe"
zzEPG 1.0.0.0-->c:\tmp\zzEPG\uninst.exe

=====HijackThis Backups=====

O23 - Service: Wingms - Unknown owner - C:\Windows\SYSTEM32\svhose.exe (file missing) [2009-01-31]
O23 - Service: Network Connections Manager - Unknown owner - C:\Windows\Ati2vexx.exe (file missing) [2009-01-31]
O23 - Service: mstsc - Unknown owner - C:\Windows\RemoteAbc.exe (file missing) [2009-01-31]
O23 - Service: ZYYGD - Unknown owner - C:\Users\Leon\AppData\Local\Temp\ZYYGD.exe (file missing) [2009-01-31]
O23 - Service: mstsc - Unknown owner - C:\Windows\RemoteAbc.exe (file missing) [2009-01-31]
O23 - Service: RenProcis(DPE) (RenPro(DPE)) - Unknown owner - C:\Program Files\Windows Media Player\wmpbands.exe [2009-05-03]
O23 - Service: wsldoekd Service (wsldoekd) - Unknown owner - C:\Windows\system32\wsldoekd.exe (file missing) [2009-05-03]
O4 - HKLM\..\Run: [openvpn-gui] C:\Program Files\OpenVPN\bin\openvpn-gui.exe [2009-05-03]
O4 - HKCU\..\Run: [RemoveIT Pro v7Ent] C:\Program Files\InCode Solutions\RemoveIT Pro v7 Enterprise\removeit.exe [2009-05-03]
O23 - Service: awsedktv Driver (awsedktv) - Beijing Rising Information Technology Co., Ltd. - C:\Windows\system32\awsedktv.exe [2009-05-03]
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe [2009-05-03]
O4 - HKCU\..\Run: [aliim] C:\Program Files\trademanager\aliim.exe [2009-05-03]
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe [2009-05-03]
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot [2009-05-03]
O15 - Trusted Zone: http://*.alipay.com [2009-05-03]
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe [2009-05-03]
O23 - Service: OpenVPN Service (OpenVPNService) - Unknown owner - C:\Program Files\OpenVPN\bin\openvpnserv.exe [2009-05-03]
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon [2009-05-03]
O23 - Service: CSIScanner - Prevx - C:\Program Files\PrevxCSI\prevxcsi.exe [2009-05-03]
O23 - Service: OsdService - Unknown owner - C:\Program Files\C&E\OSD\OsdService\OsdService.exe [2009-05-03]
O15 - Trusted Zone: http://*.alisoft.com [2009-05-03]
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab [2009-05-03]
O23 - Service: soxpeca Service (soxpeca) - Unknown owner - C:\Windows\system32\soxpeca.exe (file missing) [2009-05-03]
O15 - Trusted Zone: http://*.taobao.com [2009-05-03]
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe [2009-05-03]
O23 - Service: noytcyr Service (noytcyr) - Unknown owner - C:\Windows\system32\noytcyr.exe (file missing) [2009-05-03]
O23 - Service: mabidwe Service (mabidwe) - Unknown owner - C:\Windows\system32\mabidwe.exe (file missing) [2009-05-03]
O23 - Service: afisicx Service (afisicx) - Unknown owner - C:\Windows\system32\afisicx.exe (file missing) [2009-05-03]
O23 - Service: roytctm Service (roytctm) - Unknown owner - C:\Windows\system32\roytctm.exe (file missing) [2009-05-03]
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab [2009-05-03]

======Hosts File======

127.0.0.1 localhost
::1 localhost

======Security center information======

AV: ESET NOD32 Antivirus System 2.70 (outdated)
AS: Windows Defender

======System event log======

Computer Name: Leon-Laptop
Event Code: 7036
Message: A(z) Microsoft Kötet árnyékmásolata szolgáltató szolgáltatás állapota: "fut".
Record Number: 3906701
Source Name: Service Control Manager
Time Written: 20090930120934.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 33
Message: A(z) C: kötet legrégebbi árnyékmásolatát törölte a program, hogy a(z) C: kötet árnyékmásolatainak tárolására használt lemezterület a felhasználó által megadott korlát alatt maradjon.
Record Number: 3906702
Source Name: volsnap
Time Written: 20090930121100.440342-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 7036
Message: A(z) Kötet árnyékmásolata szolgáltatás állapota: "leállítva".
Record Number: 3906703
Source Name: Service Control Manager
Time Written: 20090930121235.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 7036
Message: A(z) Microsoft Kötet árnyékmásolata szolgáltató szolgáltatás állapota: "leállítva".
Record Number: 3906704
Source Name: Service Control Manager
Time Written: 20090930121535.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 7036
Message: A(z) Védett tároló szolgáltatás állapota: "fut".
Record Number: 3906705
Source Name: Service Control Manager
Time Written: 20090930123628.000000-000
Event Type: Információ
User:

=====Application event log=====

Computer Name: Leon-Laptop
Event Code: 8194
Message: A visszaállítási pont sikeresen létrehozva (Folyamat = C:\Windows\system32\svchost.exe -k netsvcs; Leírás = Windows Update).
Record Number: 39714
Source Name: System Restore
Time Written: 20090930092059.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 8194
Message: A visszaállítási pont sikeresen létrehozva (Folyamat = C:\Windows\system32\svchost.exe -k netsvcs; Leírás = Windows Update).
Record Number: 39715
Source Name: System Restore
Time Written: 20090930092125.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 8224
Message: A VSS-szolgáltatás az üresjárat időtúllépése miatt leáll.
Record Number: 39716
Source Name: VSS
Time Written: 20090930092448.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 0
Message:
Record Number: 39717
Source Name: gusvc
Time Written: 20090930111909.000000-000
Event Type: Információ
User:

Computer Name: Leon-Laptop
Event Code: 8224
Message: A VSS-szolgáltatás az üresjárat időtúllépése miatt leáll.
Record Number: 39718
Source Name: VSS
Time Written: 20090930121234.000000-000
Event Type: Információ
User:

=====Security event log=====

Computer Name: Leon-Laptop
Event Code: 4672
Message: Speciális jogosultságok hozzárendelve az új bejelentkezéshez.

Tárgy:
Biztonsági azonosító: S-1-5-18
Fióknév: SYSTEM
Fiók tartománya: NT AUTHORITY
Bejelentkezési azonosító: 0x3e7

Jogosultságok: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 26484
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090930090614.636509-000
Event Type: Sikeres naplózás
User:

Computer Name: Leon-Laptop
Event Code: 5038
Message: A kódsértetlenségi összetevő megállapította, hogy egy fájlnak nem érvényes a képkivonata. Lehet, hogy a fájl sérült, mert illetéktelenül módosították. Az érvénytelen kivonat esetleges lemezeszközhibára is utalhat.

Fájlnév: \Device\HarddiskVolume3\Windows\System32\drivers\mchInjDrv.sys
Record Number: 26485
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090930090659.346109-000
Event Type: Sikertelen naplózás
User:

Computer Name: Leon-Laptop
Event Code: 5038
Message: A kódsértetlenségi összetevő megállapította, hogy egy fájlnak nem érvényes a képkivonata. Lehet, hogy a fájl sérült, mert illetéktelenül módosították. Az érvénytelen kivonat esetleges lemezeszközhibára is utalhat.

Fájlnév: \Device\HarddiskVolume3\Windows\System32\drivers\mbamswissarmy.sys
Record Number: 26486
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090930090846.275509-000
Event Type: Sikertelen naplózás
User:

Computer Name: Leon-Laptop
Event Code: 4904
Message: Egy biztonságiesemény-forrás regisztrálására történt kísérlet.

Tárgy:
Biztonsági azonosító: S-1-5-18
Fióknév: LEON-LAPTOP$
Fiók tartománya: IRD
Bejelentkezési azonosító: 0x3e7

Folyamat:
Folyamatazonosító: 0x1740
Folyamat neve: C:\Windows\System32\VSSVC.exe

Esemény forrása:
Forrásnév: VSSAudit
Eseményforrás azonosítója: 0x495955
Record Number: 26487
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090930092144.055417-000
Event Type: Sikeres naplózás
User:

Computer Name: Leon-Laptop
Event Code: 4905
Message: Egy biztonságiesemény-forrrás regisztrációjának megszüntetésére történt kísérlet.

Tárgy
Biztonsági azonosító: S-1-5-18
Fióknév: LEON-LAPTOP$
Fiók tartománya: IRD
Bejelentkezési azonosító: 0x3e7

Folyamat:
Folyamatazonosító: 0x1740
Folyamat neve: C:\Windows\System32\VSSVC.exe

Esemény forrása:
Forrásnév: VSSAudit
Eseményforrás azonosítója: 0x495955
Record Number: 26488
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20090930092144.055417-000
Event Type: Sikeres naplózás
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"INCLUDE"=C:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\include\
"LIB"=C:\Program Files\Microsoft Visual Studio .NET\FrameworkSDK\Lib\
"NUMBER_OF_PROCESSORS"=2
"OS"=Windows_NT
"Path"=C:\Program Files\PHP\;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;c:\Program Files\ATI Technologies\ATI.ACE\Core-Static;C:\Program Files\Microsoft SQL Server\80\Tools\BINN;c:\jdk1.5\jre\bin\client;C:\Program Files\Samsung\Samsung PC Studio 3\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_LEVEL"=6
"PROCESSOR_REVISION"=1706
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"VSCOMNTOOLS"="C:\Program Files\Microsoft Visual Studio .NET\Common7\Tools\"
"windir"=%SystemRoot%
"PHPRC"=C:\Program Files\PHP\

-----------------EOF-----------------

[deltalima]

Hi surgyelan,

I'm afraid I have some bad news for you. Your computer has been infected with BACKDOOR TROJAN. Backdoor Trojans are the most dangerous and most widespread type of Trojan. Backdoor Trojans provide the author or "master" of the Trojan with remote "administration" of victims machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, Backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer, change settings on the computer and more. Please read this article by Roger A. Grimes on Remote Access Trojans it will give you an Idea of the severity of the type of infection you have.

What are Remote Access Trojans and why are they dangerous

You are strongly advised to do the following:

• Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.
• Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all youraccount numbers.
• From a clean computer, change all your passwords (ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, online groups and forums and any other online activities you carry out which require a username and password).

Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.


How do I respond to a possible identity theft and how do I prevent it


Because of the severity and the capabilities of this type of virus, (it cannot be known what changes to your system it has made or if it opened up other ways into your system) The only responsible course of action I can advise is to reformat your computer and reinstall windows.

Further reading:

When should do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

I strongly advise you to follow the above instructions and reformat the computer, if however you decide not to do so then let me know and we can continue to try to ensure that your computer is clean.

[surgyelan]

Hi Deltalima,

What are the symptoms that made you think I have a backdoor trojan? How did you get to this conclusion? This remote administration hijacking is accomplished by just plain programs/processes/services. I am sure there is a way to identify those programs/processes/services, stop them, and prevent my OS from running them again.

Best regards,

Surgyelan

[deltalima]

Hi surgyelan,

The evidence of the backdoor Trojan in the Malwarebytes log were

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\afisicx (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\mabidwe (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\noytcyr (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\roytctm (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\soxpeca (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Wingms (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wsldoekd (Backdoor.Bot) -> Quarantined and deleted successfully.

Along with some other signs, this fits with your original description of the problem.

It looks like exactly as I had a Remote Desktop or VNC server on my computer, and someone took control of my computer remotely

The programs / processes / services associated with the trojan have now been removed, the issue is that we cannot tell for sure what other changes have been made to the system while it was accessed by an unknown third party and so the only way to guarantee that the system is clean is to reformat.

[surgyelan]

Hi Deltalima,

I read the article you suggested in one of your previous posts. The author mentioned a rather basic but efficient method to filter out those RAT-s. The principle is very simple: if your computer is infected with a RAT server, whatever it is, it has to communicate with the RAT oparator's client program via TCP/UDP. So I listed all connections with Process IDs (with netstat -o command) and found 2 suspicious processes (and one legitimate: jusched.exe). The suspicious processes were both svchost.exe, but executed with a strange "42314" command line parameter. In fact there were 8 of these running processes according to task manager, but actually just two of them were communicating through the internet. (This I concluded from the observation of the PID column of the connection list, and matching thoose with the task manager's process list.) I killed all instances of the svchost.exe with the odd parameter (I left the rest svchost processes alone). They did NOT respawn themselves. Since then, I did not encounter with the hijack phenomenon. Yet. It's early to relieve, but so far so good. The only thing that concerns me, is upon restarting my computer, these svchost instances are running again, but if I shut them down, they won't reappear. No matter how much time spent online, there won't be any of these processes communicating via TCP/UDP nor any other process (except jusched.exe, that is some Java component).

I hope this helped to get closer to the solution, by I need further help. Reformatting my computer would be a pain in the a*s, I hope there is a way to get rid of this RAT with less fuss.

Best regards,

surgyelan

[deltalima]

Hi surgyelan,

Since then, I did not encounter with the hijack phenomenon.

Could you please confirm that you are still seeing the signs of remote access to your computer as described in your original post.

occasionally my mouse pointer gets self concoius, moves from here to there on my desktop, clicks on links on websites, switches between applications. It looks like exactly as I had a Remote Desktop or VNC server on my computer, and someone took control of my computer remotely

If so then please download GMER Rootkit Scanner from here.

• Double click the .exe file. If asked to allow gmer.sys driver to load, please consent
• If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
• Run Gmer again and click on the Rootkit tab.
• Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
• Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
• Click on the "Scan" and wait for the scan to finish.
  Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
• When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
• Note: If you have any problems, try running GMER in SAFE MODE"

Important! Please do not select the "Show all" checkbox during the scan..

Please post the GMER log into your next reply.

[Shaba]

Due to lack of response this topic is now closed.

If you still require help, please open a new thread in the Infected? Virus, malware, adware, ransomware, oh my! forum, include a fresh FRST log, and wait for a new helper.