Author Topic: persistent TR/Crypt.Xpack.gen  (Read 34627 times)

an8el

persistent TR/Crypt.Xpack.gen
« on: June 19, 2010, 05:26:08 AM »
Got this nasty trojan that records key-strokes, etc. Am running Win7 - did not experience a slow-down, but became aware of the virus through Avira - and noticed it was preventing me from copy/pasting to notepad!

Tried to deal with it. Did all of the recommended things to get ready to ask you guys questions. (Except I left the Win7 firewall in place because it wasn't mentioned. But I'm completely open to installing another firewall if you guys think it's necessary now!)
To deal with it, I scanned with multiple other programs in addition to that, on the advice of a friend who was available to coach me. Now I have done multiple scans and most of the scanners come up with nothing.

What makes me wonder if I've actually gotten rid of the little monster are these points:

my b/g router password is gone.
the default that reveals extensions such as .exe, .jpg, etc. on the ends of file names has been changed to hide them again.
Avira Scanner seems to take forever (6 hours) and then repeats scans saying a different thing about files being scanned... (but I am not familiar with it because I downloaded a new version good for another year)

Super Anti-spyware won't write to a .txt report at all

...and... drumroll....
HiJackThis has told me in an error message:
My system has denied access to notepad
C:\windows\system32\drives\etc\hosts
and suggests I find the line(s) HiJackThis reports and delete them. Save the new file as "hosts" with quotes and reboot. Alternately, it suggests to right-click on the HijackThis icon and choose "run as admin".

I haven't done this yet because I'm not sure what I'm being asked to do, because I'm already logged on as admin. That's what made me decide to ask for help. It looks as if I'm not "done yet" with getting rid of this thing.

Help! 


OK, now I'll go back to my sneakily crippled thing and post the logs I have so far...

¤ø„¸¸„ø¤º°Aloha,
¸„ø¤º°¨¨°º¤ø„¸from
¸„ø¤º° Frani ``°º¤ø„¸

an8el

Re: persistent TR/Crypt.Xpack.gen
« Reply #1 on: June 19, 2010, 05:47:28 AM »

Thanks for your consideration!

In addition to the three logs listed below, the programs that I've scanned with are:
Abexo, Advanced System Care, CCleaner, Activescan, Glary Utilities
Have been pretty much exclusively using Mozilla Firefox, current version, and not Explorer as a browser... unless a website required Explorer. Fortunately, before I discovered the trojan I did not go onto any important places where my security would have been compromised.

OK, as I said before, there were no results from SuperAntiSpyware so it's not included, because the trojan wouldn't let me write to a file. So I used MalwareBytes and Avira, which both did allow me to save to a file if I renamed it.



Here is the log from HijackThis - (the .exe I renamed on your advice before I ran the program.)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:28:05 AM, on 6/9/2010
Platform: Windows 7  (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16385)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\sniper.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe
O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe
O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: SAS Core Service (SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Updater Service - Acer - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 11079 bytes


*****************************
Now here are the scan results from Avira


Avira AntiVir Personal
Report file date: Friday, June 18, 2010  14:22

Scanning for 2227595 virus strains and unwanted programs.

The program is running as an unrestricted full version.
Online services are available:

Licensee        : Avira AntiVir Personal - FREE Antivirus
Serial number   : 0000149996-ADJIE-0000001
Platform        : Windows 7 x64
Windows version : (plain)  [6.1.7600]
Boot mode       : Normally booted
Username        : SYSTEM
Computer name   : ACERTAIN

Version information:
BUILD.DAT       : 10.0.0.567     32097 Bytes   4/19/2010 15:07:00
AVSCAN.EXE      : 10.0.3.0      433832 Bytes    4/1/2010 23:37:38
AVSCAN.DLL      : 10.0.3.0       46440 Bytes    4/1/2010 23:57:04
LUKE.DLL        : 10.0.2.3      104296 Bytes    3/8/2010 05:33:04
LUKERES.DLL     : 10.0.0.1       12648 Bytes   2/11/2010 10:40:49
VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 20:05:36
VBASE001.VDF    : 7.10.1.0     1372672 Bytes  11/19/2009 06:27:49
VBASE002.VDF    : 7.10.3.1     3143680 Bytes   1/20/2010 04:37:42
VBASE003.VDF    : 7.10.3.75     996864 Bytes   1/26/2010 03:37:42
VBASE004.VDF    : 7.10.4.203   1579008 Bytes    3/5/2010 22:29:03
VBASE005.VDF    : 7.10.6.82    2494464 Bytes   4/15/2010 22:44:29
VBASE006.VDF    : 7.10.7.218   2294784 Bytes    6/2/2010 22:44:41
VBASE007.VDF    : 7.10.7.219      2048 Bytes    6/2/2010 22:44:42
VBASE008.VDF    : 7.10.7.220      2048 Bytes    6/2/2010 22:44:42
VBASE009.VDF    : 7.10.7.221      2048 Bytes    6/2/2010 22:44:42
VBASE010.VDF    : 7.10.7.222      2048 Bytes    6/2/2010 22:44:43
VBASE011.VDF    : 7.10.7.223      2048 Bytes    6/2/2010 22:44:43
VBASE012.VDF    : 7.10.7.224      2048 Bytes    6/2/2010 22:44:43
VBASE013.VDF    : 7.10.8.37     270336 Bytes   6/10/2010 08:59:46
VBASE014.VDF    : 7.10.8.69     138752 Bytes   6/14/2010 08:59:47
VBASE015.VDF    : 7.10.8.102    130560 Bytes   6/16/2010 08:59:49
VBASE016.VDF    : 7.10.8.103      2048 Bytes   6/16/2010 08:59:49
VBASE017.VDF    : 7.10.8.104      2048 Bytes   6/16/2010 08:59:49
VBASE018.VDF    : 7.10.8.105      2048 Bytes   6/16/2010 08:59:49
VBASE019.VDF    : 7.10.8.106      2048 Bytes   6/16/2010 08:59:50
VBASE020.VDF    : 7.10.8.107      2048 Bytes   6/16/2010 08:59:50
VBASE021.VDF    : 7.10.8.108      2048 Bytes   6/16/2010 08:59:50
VBASE022.VDF    : 7.10.8.109      2048 Bytes   6/16/2010 08:59:51
VBASE023.VDF    : 7.10.8.110      2048 Bytes   6/16/2010 08:59:51
VBASE024.VDF    : 7.10.8.111      2048 Bytes   6/16/2010 08:59:51
VBASE025.VDF    : 7.10.8.112      2048 Bytes   6/16/2010 08:59:51
VBASE026.VDF    : 7.10.8.113      2048 Bytes   6/16/2010 08:59:52
VBASE027.VDF    : 7.10.8.114      2048 Bytes   6/16/2010 08:59:52
VBASE028.VDF    : 7.10.8.115      2048 Bytes   6/16/2010 08:59:52
VBASE029.VDF    : 7.10.8.116      2048 Bytes   6/16/2010 08:59:53
VBASE030.VDF    : 7.10.8.117      2048 Bytes   6/16/2010 08:59:53
VBASE031.VDF    : 7.10.8.127    102912 Bytes   6/18/2010 20:16:39
Engineversion   : 8.2.2.6   
AEVDF.DLL       : 8.1.2.0       106868 Bytes    6/7/2010 22:45:13
AESCRIPT.DLL    : 8.1.3.31     1352058 Bytes    6/7/2010 22:45:12
AESCN.DLL       : 8.1.6.1       127347 Bytes    6/7/2010 22:45:08
AESBX.DLL       : 8.1.3.1       254324 Bytes    6/7/2010 22:45:14
AERDL.DLL       : 8.1.4.6       541043 Bytes    6/7/2010 22:45:07
AEPACK.DLL      : 8.2.1.1       426358 Bytes   3/19/2010 23:34:51
AEOFFICE.DLL    : 8.1.1.0       201081 Bytes    6/7/2010 22:45:04
AEHEUR.DLL      : 8.1.1.33     2724214 Bytes    6/7/2010 22:45:03
AEHELP.DLL      : 8.1.11.5      242038 Bytes    6/7/2010 22:44:58
AEGEN.DLL       : 8.1.3.10      377205 Bytes    6/7/2010 22:44:57
AEEMU.DLL       : 8.1.2.0       393588 Bytes    6/7/2010 22:44:55
AECORE.DLL      : 8.1.15.3      192886 Bytes    6/7/2010 22:44:53
AEBB.DLL        : 8.1.1.0        53618 Bytes    6/7/2010 22:44:52
AVWINLL.DLL     : 10.0.0.0       19304 Bytes   1/14/2010 23:03:38
AVPREF.DLL      : 10.0.0.0       44904 Bytes   1/14/2010 23:03:35
AVREP.DLL       : 10.0.0.8       62209 Bytes   2/19/2010 03:47:40
AVREG.DLL       : 10.0.3.0       53096 Bytes    4/1/2010 23:35:46
AVSCPLR.DLL     : 10.0.3.0       83816 Bytes    4/1/2010 23:39:51
AVARKT.DLL      : 10.0.0.14     227176 Bytes    4/1/2010 23:22:13
AVEVTLOG.DLL    : 10.0.0.8      203112 Bytes   1/26/2010 20:53:30
SQLITE3.DLL     : 3.6.19.0      355688 Bytes   1/28/2010 23:57:58
AVSMTP.DLL      : 10.0.0.17      63848 Bytes   3/17/2010 02:38:56
NETNT.DLL       : 10.0.0.0       11624 Bytes   2/20/2010 01:41:00
RCIMAGE.DLL     : 10.0.0.26    2550120 Bytes   1/29/2010 00:10:20
RCTEXT.DLL      : 10.0.53.0      97128 Bytes   4/10/2010 01:14:29

Configuration settings for the scan:
Jobname.............................: Complete system scan
Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
Logging.............................: low
Primary action......................: interactive
Secondary action....................: ignore
Scan master boot sector.............: on
Scan boot sector....................: on
Boot sectors........................: C:,
Process scan........................: on
Extended process scan...............: on
Scan registry.......................: on
Search for rootkits.................: on
Integrity checking of system files..: off
Scan all files......................: All files
Scan archives.......................: on
Recursion depth.....................: 20
Smart extensions....................: on
Macro heuristic.....................: on
File heuristic......................: medium

Start of the scan: Friday, June 18, 2010  14:22

Starting search for hidden objects.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
    [NOTE]      The registry entry is invisible.

The scan of running processes will be started
Scan process 'avscan.exe' - '87' Module(s) have been scanned
Scan process 'firefox.exe' - '169' Module(s) have been scanned
Scan process 'BrMfcmon.exe' - '35' Module(s) have been scanned
Scan process 'brccMCtl.exe' - '72' Module(s) have been scanned
Scan process 'avgnt.exe' - '70' Module(s) have been scanned
Scan process 'jusched.exe' - '59' Module(s) have been scanned
Scan process 'PMVService.exe' - '51' Module(s) have been scanned
Scan process 'BrMfcWnd.exe' - '45' Module(s) have been scanned
Scan process 'pptd40nt.exe' - '28' Module(s) have been scanned
Scan process 'ArcadeDeluxeAgent.exe' - '53' Module(s) have been scanned
Scan process 'LManager.exe' - '55' Module(s) have been scanned
Scan process 'EgisUpdate.exe' - '40' Module(s) have been scanned
Scan process 'AWC.exe' - '74' Module(s) have been scanned
Scan process 'UpdaterService.exe' - '23' Module(s) have been scanned
Scan process 'SchedulerSvc.exe' - '39' Module(s) have been scanned
Scan process 'MWLService.exe' - '42' Module(s) have been scanned
Scan process 'GregHSRW.exe' - '24' Module(s) have been scanned
Scan process 'avguard.exe' - '68' Module(s) have been scanned
Scan process 'sched.exe' - '50' Module(s) have been scanned

Starting master boot sector scan:
Master boot sector HD0
    [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
    [INFO]      No virus was found!

Starting to scan executable files (registry).
The registry was scanned ( '116' files ).


Starting the file scan:

Begin scan in 'C:\' <Acer>


End of the scan: Friday, June 18, 2010  21:04
Used time:  6:41:54 Hour(s)

The scan has been done completely.

  24289 Scanned directories
 745366 Files were scanned
      0 Viruses and/or unwanted programs were found
      0 Files were classified as suspicious
      0 files were deleted
      0 Viruses and unwanted programs were repaired
      0 Files were moved to quarantine
      0 Files were renamed
      0 Files cannot be scanned
 745366 Files not concerned
   6188 Archives were scanned
      0 Warnings
      0 Notes
 652638 Objects were scanned with rootkit scan
      1 Hidden objects were found

**********************************************




...and here's the scan from Malware Bytes:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4215

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

6/18/2010 11:54:20 PM
mbam-log-2010-06-18 (23-54-20).txt

Scan type: Full scan (C:\|)
Objects scanned: 259010
Time elapsed: 48 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





¤ø„¸¸„ø¤º°Aloha,
¸„ø¤º°¨¨°º¤ø„¸from
¸„ø¤º° Frani ``°º¤ø„¸
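As an added example (not code from the thread, from HijackThis or from OTL), the Python script below parses a HijackThis log like the one posted above and flags the entry types a helper reads first: O1 hosts redirects, BHOs whose DLL is gone, autoruns without an absolute path, and services whose binary is missing, while recognising the "(file missing)" false positives that the 32-bit HijackThis produces on 64-bit Windows. The sample input is excerpted from the posted log plus three constructed lines; the rules are this example's own, not HijackThis's.

```python
"""Triage a HijackThis (HJT) log the way a malware-removal helper reads it.

Added example for this thread; not part of HijackThis, OTL or the forum's
own tooling. The parser follows the 'Xnn - body' line format of the log
above; the rules are a small starting set chosen for this example.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity reason entry")

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# An absolute command: optional opening quote, then a drive letter or %ENV%\ prefix.
ABS_PATH_RE = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z]+%\\)')
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hjt(text):
    """Return (section, body) pairs for every HJT entry line; header lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return a list of Findings for the entry types a helper looks at first.

    severity 'review'        : worth a human look
    severity 'likely-benign' : a known artefact of the tool, not of malware
    """
    entries = parse_hjt(text)
    # HJT 2.0.4 is a 32-bit program. On 64-bit Windows, file-system redirection
    # sends its look-ups under C:\Windows\system32 to SysWOW64, so genuine 64-bit
    # system services come out as '(file missing)'. 'Program Files (x86)' in the
    # log is a cheap tell that the log was taken on such a system.
    wow64 = "Program Files (x86)" in text
    findings = []
    for sec, body in entries:
        entry = f"{sec} - {body}"
        if sec == "O1":
            # O1 - Hosts: <address> <hostname>. A hijack maps real sites to an
            # address the attacker controls; loopback entries are ordinary blocking.
            parts = body.split()
            if len(parts) >= 3 and parts[1] not in LOOPBACK:
                findings.append(Finding("review", "hosts entry points to a non-loopback address", entry))
        elif sec == "O2" and body.endswith("(no file)"):
            findings.append(Finding("review", "orphaned BHO: CLSID registered but its DLL is gone", entry))
        elif sec == "O4":
            _, _, cmd = body.partition(": ")
            cmd = re.sub(r"^\[[^\]]*\]\s*", "", cmd)  # drop the [value name]
            if not ABS_PATH_RE.match(cmd):
                findings.append(Finding("review", "autorun command without an absolute path", entry))
        elif sec == "O23" and body.endswith("(file missing)"):
            in_system32 = re.search(r"\\Windows\\system32\\", body, re.IGNORECASE) is not None
            if wow64 and in_system32:
                findings.append(Finding("likely-benign",
                                        "system32 service 'missing': WOW64 redirection as seen by 32-bit HJT", entry))
            else:
                findings.append(Finding("review", "service points at a binary that is not there", entry))
    return findings


def review_count(text):
    """Number of findings that need a human look."""
    return sum(1 for f in triage(text) if f.severity == "review")


# Excerpt of the HijackThis log posted above, plus three constructed lines so
# that every rule fires once: the O1 line (203.0.113.10 is a documentation
# address), the [Updater] autorun and the ExampleSvc service.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Platform: Windows 7  (WinNT 6.00.3504)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
O1 - Hosts: 203.0.113.10 www.example.com
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKCU\..\Run: [Updater] updater.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Example Service (ExampleSvc) - Unknown owner - C:\Users\Public\example.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.entry}")
```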

Crush (Malware Removal Specialist)

Re: persistent TR/Crypt.Xpack.gen
« Reply #2 on: June 22, 2010, 12:00:16 AM »
Hello, and welcome to Computer Hope Forums!

I'm Crush, but you can call me Chris too :) and I will be helping you with your malware issues.

Please note the following information about the malware forum:

• Only members of the Malware Removal Specialist user group are allowed to give advice on removing malware from your computer. Do not follow the advice of anyone without that user title.
• From this point on, please do not make any more changes to your computer, such as installing/uninstalling programs, using special fix tools, deleting files, editing the registry, etc. - unless advised by the staff I noted above.
• Please do not ask for help elsewhere (on this site or other sites). Doing so can result in system changes which may not show up in the logs you post.
• If you have already asked for help somewhere, please post the link to the topic where you were helped.
• We try our best to reply quickly, but if for any reason we do not reply in two days, do this:

Reply to this topic with the word BUMP.

• Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.

Now that we have that out of the way:

Download OTL to your Desktop

• Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
• Under the Custom Scan box paste this in
Code:
netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%SYSTEMDRIVE%\*.exe
%systemroot%\*. /mp /s
c:\$recycle.bin\*.* /s
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
nvstor32.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
explorer.exe
svchost.exe
userinit.exe
qmgr.dll
ws2_32.dll
proquota.exe
imm32.dll
kernel32.dll
ndis.sys
autochk.exe
spoolsv.exe
xmlprov.dll
ntmssvc.dll
mswsock.dll
Beep.SYS
ntfs.sys
termsrv.dll
sfcfiles.dll
st3shark.sys
ahcix86.sys
srsvc.dll
nvrd32.sys
/md5stop
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles

• Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit>Select All, Edit>Copy) the contents of these files, one at a time.
==========

Next, we need to disable CD Emulation programs using DeFogger. Please perform these steps:
• Please download DeFogger to your desktop.
• Once downloaded, double-click on the DeFogger icon to start the tool.
• The application window will now appear. You should now click on the Disable button to disable your CD Emulation drivers.
• When it prompts you whether or not you want to continue, please click on the Yes button to continue.
• When the program has completed you will see a Finished! message. Click on the OK button to exit the program.
• If CD Emulation programs are present and have been disabled, DeFogger will now ask you to reboot the machine. Please allow it to do so by clicking on the OK button.
==========

Finally, download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
• Click NO
• In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
• Now click the Scan button.
Once the scan is complete, you may receive another notice about rootkit activity.
• Click OK.
• GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
• Save it where you can easily find it, such as your desktop.

Post the contents of GMER.txt in your next reply.

Things I need in your reply:
OTL Logs
GMER Log
"I am in fact, quite cool. My graphing calculator confirms this"

an8el
Re: persistent TR/Crypt.Xpack.gen
« Reply #3 on: June 22, 2010, 04:52:25 AM »
Hi Crush - was beginning to wonder if I got myself into too big of a mess to be saved... Thanks SOOOO much for helping me!
Going to copy these two files here after the OTL scans, and then do the DeFogger & GMER steps...

It appears that your evil twin Chris provided me with the wrong link to download next - the DeFogger link doesn't work, so I'm not going to go on with the next step yet if I can't disable the CD Emulation = correct? Wait a minute - the next link to GMER doesn't work either... (I'm not being blocked from downloading by the virus, because the links don't work on my Linux box either.)

Just noticed the post truncated the info... gotta split it up... so I'll wait to post the rest until I hear back from you about the links that don't work.

Here's the 2 OTL files so far though:
OTL logfile created on: 6/22/2010 12:26:43 AM - Run 1
OTL by OldTimer - Version 3.2.6.1     Folder = C:\Users\Franis\Desktop
64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
5.00 Gb Paging File | 4.00 Gb Available in Paging File | 76.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
Drive C: | 136.95 Gb Total Space | 90.89 Gb Free Space | 66.37% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: ACERTAIN
Current User Name: Franis
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Include 64bit Scans
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/06/22 00:20:04 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Franis\Desktop\OTL.exe
PRC - [2010/05/26 11:03:40 | 002,346,192 | ---- | M] (IObit) -- C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/18 15:05:36 | 000,181,480 | ---- | M] (Acer Corp.) -- C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
PRC - [2009/10/29 03:47:34 | 000,419,112 | ---- | M] (CyberLink Corp.) -- C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
PRC - [2009/08/06 07:18:54 | 000,311,592 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\MWLService.exe
PRC - [2009/08/03 19:09:34 | 000,199,464 | ---- | M] (Egis Technology Inc.) -- C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
PRC - [2009/07/27 14:50:32 | 001,157,128 | ---- | M] (Dritek System Inc.) -- C:\Program Files (x86)\Launch Manager\LManager.exe
PRC - [2009/07/03 15:47:12 | 000,240,160 | ---- | M] (Acer) -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe
PRC - [2009/06/17 14:31:58 | 000,144,640 | ---- | M] (NewTech Infosystems, Inc.) -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
PRC - [2009/06/04 03:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
PRC - [2008/01/31 14:01:38 | 000,159,744 | R--- | M] (Brother Industries, Ltd.) -- C:\Program Files (x86)\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2007/11/05 21:34:58 | 000,741,376 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2004/04/14 14:46:50 | 000,057,393 | ---- | M] (ScanSoft, Inc.) -- C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe


========== Modules (SafeList) ==========

MOD - [2010/06/22 00:20:04 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Franis\Desktop\OTL.exe
MOD - [2009/07/13 15:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\SysWOW64\msscript.ocx
MOD - [2009/07/13 15:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========
       
      SRV:64bit: - [2010/04/28 05:23:07 | 000,120,832 | ---- | M] (SUPERAntiSpyware.com) [Auto | Running] -- C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE -- (SASCORE)
      SRV:64bit: - [2009/08/05 18:30:58 | 000,844,320 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe -- (ePowerSvc)
      SRV:64bit: - [2009/07/29 02:03:42 | 000,203,264 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\SysNative\atiesrxx.exe -- (AMD External Events Utility)
      SRV:64bit: - [2009/07/13 15:41:27 | 001,011,712 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
      SRV:64bit: - [2009/07/03 15:47:12 | 000,240,160 | ---- | M] (Acer) [Auto | Running] -- C:\Program Files\Acer\Acer Updater\UpdaterService.exe -- (Updater Service)
      SRV:64bit: - [2009/03/30 15:19:56 | 002,297,216 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE -- (wlidsvc)
      SRV - [2010/04/16 13:09:06 | 000,246,520 | ---- | M] (WildTangent, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe -- (GameConsoleService)
      SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
      SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
      SRV - [2009/08/06 07:18:54 | 000,311,592 | ---- | M] () [Auto | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe -- (MWLService)
      SRV - [2009/07/13 17:20:14 | 000,000,000 | ---D | M] [On_Demand | Stopped] -- C:\Windows\Vss -- (VSS)
      SRV - [2009/07/13 17:20:14 | 000,000,000 | ---D | M] [Unknown | Stopped] -- C:\Windows\SysWOW64\Msdtc -- (MSDTC)
      SRV - [2009/07/13 10:30:11 | 000,061,056 | ---- | M] () [On_Demand | Stopped] -- C:\Windows\SysWOW64\wbem\vds.mof -- (vds)
      SRV - [2009/06/17 14:31:58 | 000,144,640 | ---- | M] (NewTech Infosystems, Inc.) [Auto | Running] -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe -- (NTISchedulerSvc)
      SRV - [2009/06/17 14:31:46 | 000,050,432 | ---- | M] (NewTech InfoSystems, Inc.) [On_Demand | Stopped] -- C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe -- (NTIBackupSvc)
      SRV - [2009/06/04 03:04:50 | 001,150,496 | ---- | M] (Acer Incorporated) [Auto | Running] -- C:\Program Files (x86)\Acer\Registration\GregHSRW.exe -- (Greg_Service)
       
       
      ========== Driver Services (SafeList) ==========
       
      DRV:64bit: - [2010/03/02 13:35:01 | 000,116,568 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\avipbb.sys -- (avipbb)
      DRV:64bit: - [2010/02/17 08:23:05 | 000,014,920 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv64.sys -- (SASDIFSV)
      DRV:64bit: - [2010/02/17 08:23:05 | 000,012,360 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\saskutil64.sys -- (SASKUTIL)
      DRV:64bit: - [2010/02/16 14:24:00 | 000,081,072 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\SysNative\drivers\avgntflt.sys -- (avgntflt)
      DRV:64bit: - [2009/11/13 09:47:38 | 000,067,072 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\L1C62x64.sys -- (L1C)
      DRV:64bit: - [2009/11/04 02:58:42 | 000,022,528 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\dc3d.sys -- (dc3d) MS Hardware Device Detection Driver (HID)
      DRV:64bit: - [2009/10/05 14:34:00 | 001,542,656 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\athrx.sys -- (athr)
      DRV:64bit: - [2009/07/29 12:11:24 | 006,038,016 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\atikmdag.sys -- (atikmdag)
      DRV:64bit: - [2009/07/13 15:52:21 | 000,106,576 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsata.sys -- (amdsata)
      DRV:64bit: - [2009/07/13 15:52:21 | 000,028,752 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\amdxata.sys -- (amdxata)
      DRV:64bit: - [2009/07/13 15:52:20 | 000,194,128 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\amdsbs.sys -- (amdsbs)
      DRV:64bit: - [2009/07/13 15:48:04 | 000,065,600 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\lsi_sas2.sys -- (LSI_SAS2)
      DRV:64bit: - [2009/07/13 15:47:48 | 000,077,888 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\HpSAMD.sys -- (HpSAMD)
      DRV:64bit: - [2009/07/13 15:45:55 | 000,024,656 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\stexstor.sys -- (stexstor)
      DRV:64bit: - [2009/07/13 15:18:06 | 000,281,088 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BrSerIb.sys -- (BrSerIb) Brother MFC Serial Interface Driver(WDM)
      DRV:64bit: - [2009/06/18 02:12:32 | 000,272,432 | ---- | M] (Synaptics Incorporated) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\SynTP.sys -- (SynTP)
      DRV:64bit: - [2009/06/10 10:41:10 | 000,015,360 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\BrUsbSIb.sys -- (BrUsbSIb) Brother MFC Serial USB Driver(WDM)
      DRV:64bit: - [2009/06/10 10:34:33 | 003,286,016 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\evbda.sys -- (ebdrv)
      DRV:64bit: - [2009/06/10 10:34:28 | 000,468,480 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\bxvbda.sys -- (b06bdrv)
      DRV:64bit: - [2009/06/10 10:34:23 | 000,270,848 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\b57nd60a.sys -- (b57nd60a)
      DRV:64bit: - [2009/06/10 10:31:59 | 000,031,232 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\hcw85cir.sys -- (hcw85cir)
      DRV:64bit: - [2009/06/02 01:15:30 | 000,060,464 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDVDisk.sys -- (mwlPSDVDisk)
      DRV:64bit: - [2009/06/02 01:15:30 | 000,022,576 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDFilter.sys -- (mwlPSDFilter)
      DRV:64bit: - [2009/06/02 01:15:30 | 000,020,016 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Windows\SysNative\drivers\mwlPSDNserv.sys -- (mwlPSDNServ)
      DRV:64bit: - [2009/05/08 23:14:20 | 000,015,752 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\SysNative\drivers\nuidfltr.sys -- (NuidFltr)
      DRV:64bit: - [2009/05/04 22:46:08 | 000,018,432 | ---- | M] (NewTech Infosystems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\NTIDrvr.sys -- (NTIDrvr)
      DRV:64bit: - [2009/05/04 22:46:08 | 000,016,896 | ---- | M] (NewTech Infosystems Corporation) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\UBHelper.sys -- (UBHelper)
      DRV:64bit: - [2009/05/04 03:30:28 | 000,016,440 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\SysNative\drivers\AtiPcie.sys -- (AtiPcie) AMD PCI Express (3GIO)
      DRV:64bit: - [2009/04/03 03:39:58 | 000,034,872 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Running] -- C:\Windows\SysNative\drivers\usbfilter.sys -- (usbfilter)
      DRV - [2009/06/10 11:28:14 | 000,001,088 | ---- | M] () [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\wbem\mpsdrv.mof -- (mpsdrv)
      DRV - [2009/06/10 11:15:18 | 000,003,066 | ---- | M] () [Kernel | System | Running] -- C:\Windows\SysWOW64\wbem\tcpip.mof -- (Tcpip)
      DRV - [2009/06/02 01:15:40 | 000,060,976 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlPSDVdisk.sys -- (mwlPSDVDisk)
      DRV - [2009/06/02 01:15:38 | 000,016,432 | ---- | M] (Egis Technology Inc.) [Kernel | System | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlPSDNServ.sys -- (mwlPSDNServ)
      DRV - [2009/06/02 01:15:34 | 000,018,992 | ---- | M] (Egis Technology Inc.) [File_System | System | Running] -- C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlPSDFilter.sys -- (mwlPSDFilter)
      DRV - [2009/03/25 17:16:08 | 000,025,608 | ---- | M] (Dritek System Inc.) [Kernel | On_Demand | Running] -- C:\Windows\SysWOW64\drivers\DKbFltr.sys -- (DKbFltr) Dritek Keyboard Filter Driver (64-bit)
       
       
      ========== Standard Registry (SafeList) ==========
       
       
      ========== Internet Explorer ==========
       
      IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
      IE:64bit: - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
      IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
       
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
      IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
      IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
       
      ========== FireFox ==========
       
      FF - prefs.js..extensions.enabledItems: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}:1.2
      FF - prefs.js..extensions.enabledItems: [email protected]:0.8.51
      FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}:6.0.20
       
       
      FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files (x86)\Mozilla Firefox\components [2010/05/05 01:44:41 | 000,000,000 | ---D | M]
      FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files (x86)\Mozilla Firefox\plugins [2010/06/07 02:18:04 | 000,000,000 | ---D | M]
       
      [2009/11/18 13:10:02 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\mozilla\Extensions
      [2010/06/18 10:20:34 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\mozilla\Firefox\Profiles\2c9a767w.default\extensions
      [2010/05/06 18:57:41 | 000,000,000 | ---D | M] (Adblock Plus) -- C:\Users\Franis\AppData\Roaming\mozilla\Firefox\Profiles\2c9a767w.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
      [2010/05/03 10:57:36 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\mozilla\Firefox\Profiles\2c9a767w.default\extensions\[email protected]
      [2010/06/07 02:18:06 | 000,000,000 | ---D | M] -- C:\Program Files (x86)\Mozilla Firefox\extensions
      [2010/06/07 02:18:06 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files (x86)\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
      [2010/06/07 02:17:51 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files (x86)\Mozilla Firefox\plugins\npdeployJava1.dll
       
      O1 HOSTS File: ([2009/06/10 11:00:26 | 000,000,824 | ---- | M]) - C:\Windows\SysNative\drivers\etc\hosts
      O2:64bit: - BHO: (Windows Live ID Sign-in Helper) - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corporation)
      O2:64bit: - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
      O2:64bit: - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg64.dll (Google Inc.)
      O2 - BHO: (Skype add-on (mastermind)) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
      O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
      O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
      O3:64bit: - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
      O3:64bit: - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3 - HKLM\..\Toolbar: (no name) -  - No CLSID value found.
      O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
      O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
      O3:64bit: - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
      O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
      O4:64bit: - HKLM..\Run: [Acer ePower Management] C:\Program Files\Acer\Acer ePower Management\ePowerTray.exe (Acer Incorporated)
      O4:64bit: - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe (Realtek Semiconductor)
      O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe ()
      O4 - HKLM..\Run: [ArcadeDeluxeAgent] C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe (CyberLink Corp.)
      O4 - HKLM..\Run: [avgnt] C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
      O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
      O4 - HKLM..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
      O4 - HKLM..\Run: [EgisTecLiveUpdate] C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe (Egis Technology Inc.)
      O4 - HKLM..\Run: [IndexSearch] C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe (ScanSoft, Inc.)
      O4 - HKLM..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe (Dritek System Inc.)
      O4 - HKLM..\Run: [PaperPort PTD] C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe (ScanSoft, Inc.)
      O4 - HKLM..\Run: [PlayMovie] C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.)
      O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
      O4 - HKCU..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktop = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoActiveDesktopChanges = 1
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
      O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
      O8:64bit: - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
      O8 - Extra context menu item: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
      O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
      O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
      O9 - Extra Button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
      O9 - Extra 'Tools' menuitem : S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
      O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
      O9 - Extra Button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Skype Technologies S.A.)
      O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
      O10:64bit: - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
      O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
      O10 - NameSpace_Catalog5\Catalog_Entries\000000000008 [] - C:\Program Files (x86)\Common Files\microsoft shared\Windows Live\WLIDNSP.DLL (Microsoft Corporation)
      O13 - gopher Prefix: missing
      O13 - gopher Prefix: missing
      O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
      O16 - DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
      O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab (Java Plug-in 1.6.0_20)
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.2.1 24.25.227.55 209.18.47.61 24.25.227.53
      O18:64bit: - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - Reg Error: Key error. File not found
      O18:64bit: - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - Reg Error: Key error. File not found
      O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
      O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files (x86)\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
      O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
      O20:64bit: - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
      O20:64bit: - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysNative\SystemPropertiesPerformance.exe (Microsoft Corporation)
      O20:64bit: - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\SysWow64\explorer.exe (Microsoft Corporation)
      O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\SysWow64\SystemPropertiesPerformance.exe (Microsoft Corporation)
      O20 - HKLM Winlogon: VMApplet - (/pagefile) -  File not found
      O21:64bit: - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
      O30:64bit: - LSA: Security Packages - (livessp) - C:\Windows\SysNative\livessp.dll (Microsoft Corporation)
      O30 - LSA: Security Packages - (livessp) - C:\Windows\SysWow64\livessp.dll (Microsoft Corporation)
      O32 - HKLM CDRom: AutoRun - 1
      O34 - HKLM BootExecute: (autocheck autochk *) -  File not found
      O35:64bit: - HKLM\..comfile [open] -- "%1" %*
      O35:64bit: - HKLM\..exefile [open] -- "%1" %*
      O35 - HKLM\..comfile [open] -- "%1" %*
      O35 - HKLM\..exefile [open] -- "%1" %*
      O37:64bit: - HKLM\...com [@ = comfile] -- "%1" %*
      O37:64bit: - HKLM\...exe [@ = exefile] -- "%1" %*
      O37 - HKLM\...com [@ = comfile] -- "%1" %*
      O37 - HKLM\...exe [@ = exefile] -- "%1" %*
       
       
      MsConfig:64bit - StartUpReg: mwlDaemon - hkey= - key= - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\mwlDaemon.exe (Egis Technology Inc.)
      MsConfig:64bit - StartUpReg: NortonOnlineBackupReminder - hkey= - key= - C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe (Symantec Corporation)
      MsConfig:64bit - StartUpReg: PlayMovie - hkey= - key= - C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe (Acer Corp.)
      MsConfig:64bit - StartUpReg: swg - hkey= - key= - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
      MsConfig:64bit - State: "startup" - Reg Error: Key error.
       
      SafeBootMin:64bit: Base - Driver Group
      SafeBootMin:64bit: Boot Bus Extender - Driver Group
      SafeBootMin:64bit: Boot file system - Driver Group
      SafeBootMin:64bit: File system - Driver Group
      SafeBootMin:64bit: Filter - Driver Group
      SafeBootMin:64bit: HelpSvc - Service
      SafeBootMin:64bit: mcmscsvc - Service
      SafeBootMin:64bit: MCODS - Service
      SafeBootMin:64bit: PCI Configuration - Driver Group
      SafeBootMin:64bit: PNP Filter - Driver Group
      SafeBootMin:64bit: Primary disk - Driver Group
      SafeBootMin:64bit: sacsvr - Service
      SafeBootMin:64bit: SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
      SafeBootMin:64bit: SCSI Class - Driver Group
      SafeBootMin:64bit: System Bus Extender - Driver Group
      SafeBootMin:64bit: vmms - Service
      SafeBootMin:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
      SafeBootMin:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
      SafeBootMin:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
      SafeBootMin:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
      SafeBootMin:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
      SafeBootMin:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
      SafeBootMin:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
      SafeBootMin:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
      SafeBootMin:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
      SafeBootMin:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
      SafeBootMin:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
      SafeBootMin:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
      SafeBootMin:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
      SafeBootMin:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
      SafeBootMin:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
      SafeBootMin:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
      SafeBootMin:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
      SafeBootMin:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
      SafeBootMin: Base - Driver Group
      SafeBootMin: Boot Bus Extender - Driver Group
      SafeBootMin: Boot file system - Driver Group
      SafeBootMin: File system - Driver Group
      SafeBootMin: Filter - Driver Group
      SafeBootMin: HelpSvc - Service
      SafeBootMin: mcmscsvc - Service
      SafeBootMin: MCODS - Service
      SafeBootMin: PCI Configuration - Driver Group
      SafeBootMin: PNP Filter - Driver Group
      SafeBootMin: Primary disk - Driver Group
      SafeBootMin: sacsvr - Service
      SafeBootMin: SCSI Class - Driver Group
      SafeBootMin: System Bus Extender - Driver Group
      SafeBootMin: VDS - C:\Windows\SysWOW64\wbem\vds.mof ()
      SafeBootMin: vmms - Service
      SafeBootMin: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
      SafeBootMin: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
      SafeBootMin: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
      SafeBootMin: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
      SafeBootMin: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
      SafeBootMin: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
      SafeBootMin: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
      SafeBootMin: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
      SafeBootMin: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
      SafeBootMin: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
      SafeBootMin: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
      SafeBootMin: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
      SafeBootMin: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
      SafeBootMin: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
      SafeBootMin: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
      SafeBootMin: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
      SafeBootMin: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
       
      SafeBootNet:64bit: Base - Driver Group
      SafeBootNet:64bit: Boot Bus Extender - Driver Group
      SafeBootNet:64bit: Boot file system - Driver Group
      SafeBootNet:64bit: File system - Driver Group
      SafeBootNet:64bit: Filter - Driver Group
      SafeBootNet:64bit: HelpSvc - Service
      SafeBootNet:64bit: mcmscsvc - Service
      SafeBootNet:64bit: MCODS - Service
      SafeBootNet:64bit: Messenger - Service
      SafeBootNet:64bit: MpfService - Service
      SafeBootNet:64bit: NDIS Wrapper - Driver Group
      SafeBootNet:64bit: NetBIOSGroup - Driver Group
      SafeBootNet:64bit: NetDDEGroup - Driver Group
      SafeBootNet:64bit: Network - Driver Group
      SafeBootNet:64bit: NetworkProvider - Driver Group
      SafeBootNet:64bit: PCI Configuration - Driver Group
      SafeBootNet:64bit: PNP Filter - Driver Group
      SafeBootNet:64bit: PNP_TDI - Driver Group
      SafeBootNet:64bit: Primary disk - Driver Group
      SafeBootNet:64bit: rdsessmgr - Service
      SafeBootNet:64bit: sacsvr - Service
      SafeBootNet:64bit: SASCORE - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE (SUPERAntiSpyware.com)
      SafeBootNet:64bit: SCSI Class - Driver Group
      SafeBootNet:64bit: Streams Drivers - Driver Group
      SafeBootNet:64bit: System Bus Extender - Driver Group
      SafeBootNet:64bit: TDI - Driver Group
      SafeBootNet:64bit: vmms - Service
      SafeBootNet:64bit: WinDefend - C:\Program Files\Windows Defender\MpSvc.dll (Microsoft Corporation)
      SafeBootNet:64bit: WudfUsbccidDriver - Driver
      SafeBootNet:64bit: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
      SafeBootNet:64bit: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
      SafeBootNet:64bit: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
      SafeBootNet:64bit: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
      SafeBootNet:64bit: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
      SafeBootNet:64bit: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
      SafeBootNet:64bit: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
      SafeBootNet:64bit: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
      SafeBootNet:64bit: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
      SafeBootNet:64bit: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
      SafeBootNet:64bit: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
      SafeBootNet:64bit: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
      SafeBootNet:64bit: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
      SafeBootNet:64bit: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
      SafeBootNet:64bit: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
      SafeBootNet:64bit: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
      SafeBootNet:64bit: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
      SafeBootNet:64bit: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
      SafeBootNet:64bit: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
      SafeBootNet:64bit: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
      SafeBootNet:64bit: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
      SafeBootNet:64bit: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
      SafeBootNet: Base - Driver Group
      SafeBootNet: Boot Bus Extender - Driver Group
      SafeBootNet: Boot file system - Driver Group
      SafeBootNet: File system - Driver Group
      SafeBootNet: Filter - Driver Group
      SafeBootNet: HelpSvc - Service
      SafeBootNet: mcmscsvc - Service
      SafeBootNet: MCODS - Service
      SafeBootNet: Messenger - Service
      SafeBootNet: MpfService - Service
      SafeBootNet: MPSDrv - C:\Windows\SysWOW64\wbem\mpsdrv.mof ()
      SafeBootNet: NDIS Wrapper - Driver Group
      SafeBootNet: NetBIOSGroup - Driver Group
      SafeBootNet: NetDDEGroup - Driver Group
      SafeBootNet: Network - Driver Group
      SafeBootNet: NetworkProvider - Driver Group
      SafeBootNet: PCI Configuration - Driver Group
      SafeBootNet: PNP Filter - Driver Group
      SafeBootNet: PNP_TDI - Driver Group
      SafeBootNet: Primary disk - Driver Group
      SafeBootNet: rdsessmgr - Service
      SafeBootNet: sacsvr - Service
      SafeBootNet: SCSI Class - Driver Group
      SafeBootNet: Streams Drivers - Driver Group
      SafeBootNet: System Bus Extender - Driver Group
      SafeBootNet: Tcpip - C:\Windows\SysWOW64\wbem\tcpip.mof ()
      SafeBootNet: TDI - Driver Group
      SafeBootNet: VDS - C:\Windows\SysWOW64\wbem\vds.mof ()
      SafeBootNet: vmms - Service
      SafeBootNet: WudfUsbccidDriver - Driver
      SafeBootNet: {36FC9E60-C465-11CF-8056-444553540000} - Universal Serial Bus controllers
      SafeBootNet: {4D36E965-E325-11CE-BFC1-08002BE10318} - CD-ROM Drive
      SafeBootNet: {4D36E967-E325-11CE-BFC1-08002BE10318} - DiskDrive
      SafeBootNet: {4D36E969-E325-11CE-BFC1-08002BE10318} - Standard floppy disk controller
      SafeBootNet: {4D36E96A-E325-11CE-BFC1-08002BE10318} - Hdc
      SafeBootNet: {4D36E96B-E325-11CE-BFC1-08002BE10318} - Keyboard
      SafeBootNet: {4D36E96F-E325-11CE-BFC1-08002BE10318} - Mouse
      SafeBootNet: {4D36E972-E325-11CE-BFC1-08002BE10318} - Net
      SafeBootNet: {4D36E973-E325-11CE-BFC1-08002BE10318} - NetClient
      SafeBootNet: {4D36E974-E325-11CE-BFC1-08002BE10318} - NetService
      SafeBootNet: {4D36E975-E325-11CE-BFC1-08002BE10318} - NetTrans
      SafeBootNet: {4D36E977-E325-11CE-BFC1-08002BE10318} - PCMCIA Adapters
      SafeBootNet: {4D36E97B-E325-11CE-BFC1-08002BE10318} - SCSIAdapter
      SafeBootNet: {4D36E97D-E325-11CE-BFC1-08002BE10318} - System
      SafeBootNet: {4D36E980-E325-11CE-BFC1-08002BE10318} - Floppy disk drive
      SafeBootNet: {50DD5230-BA8A-11D1-BF5D-0000F805F530} - Smart card readers
      SafeBootNet: {533C5B84-EC70-11D2-9505-00C04F79DEAF} - Volume shadow copy
      SafeBootNet: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F} - IEEE 1394 Bus host controllers
      SafeBootNet: {71A27CDD-812A-11D0-BEC7-08002BE2092F} - Volume
      SafeBootNet: {745A17A0-74D3-11D0-B6FE-00A0C90F57DA} - Human Interface Devices
      SafeBootNet: {D48179BE-EC20-11D1-B6B8-00C04FA372A7} - SBP2 IEEE 1394 Devices
      SafeBootNet: {D94EE5D8-D189-4994-83D2-F68D7D41B0E6} - SecurityDevices
       
      ActiveX:64bit: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
      ActiveX:64bit: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
      ActiveX:64bit: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
      ActiveX:64bit: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      ActiveX:64bit: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
      ActiveX:64bit: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
      ActiveX:64bit: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
      ActiveX:64bit: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
      ActiveX:64bit: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
      ActiveX:64bit: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
      ActiveX:64bit: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
      ActiveX:64bit: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
      ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
      ActiveX:64bit: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\System32\ie4uinit.exe -BaseSettings
      ActiveX:64bit: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\system32\Rundll32.exe C:\Windows\system32\mscories.dll,Install
      ActiveX:64bit: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
      ActiveX:64bit: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
      ActiveX:64bit: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
      ActiveX:64bit: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
      ActiveX:64bit: {FEBEF00C-046D-438D-8A88-BF94A6C9E703} - .NET Framework
      ActiveX:64bit: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
      ActiveX:64bit: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\System32\ie4uinit.exe -UserIconConfig
      ActiveX:64bit: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
      ActiveX: {08B0E5C0-4FCB-11CF-AAA5-00401C608500} - Java (Sun)
      ActiveX: {22d6f312-b0f6-11d0-94ab-0080c74c7e95} - Microsoft Windows Media Player 12.0
      ActiveX: {2C7339CF-2B09-4501-B3F3-F3508C9228ED} - %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
      ActiveX: {3af36230-a269-11d1-b5bf-0000f8051515} - Offline Browsing Pack
      ActiveX: {44BBA840-CC51-11CF-AAFA-00AA00B6015C} - "%ProgramFiles(x86)%\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      ActiveX: {44BBA855-CC51-11CF-AAFA-00AA00B6015F} - DirectDrawEx
      ActiveX: {45ea75a0-a269-11d1-b5bf-0000f8051515} - Internet Explorer Help
      ActiveX: {4f645220-306d-11d2-995d-00c04f98bbc9} - Microsoft Windows Script 5.6
      ActiveX: {5fd399c0-a70a-11d1-9948-00c04f98bbc9} - Internet Explorer Setup Tools
      ActiveX: {630b1da0-b465-11d1-9948-00c04f98bbc9} - Browsing Enhancements
      ActiveX: {6BF52A52-394A-11d3-B153-00C04F79FAA6} - Microsoft Windows Media Player
      ActiveX: {6fab99d0-bab8-11d1-994a-00c04f98bbc9} - MSN Site Access
      ActiveX: {7790769C-0471-11d2-AF11-00C04FA35D02} - Address Book 7
      ActiveX: {7C028AF8-F614-47B3-82DA-BA94E41B1089} - .NET Framework
      ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4340} - regsvr32.exe /s /n /i:U shell32.dll
      ActiveX: {89820200-ECBD-11cf-8B85-00AA005B4383} - C:\Windows\SysWOW64\ie4uinit.exe -BaseSettings
      ActiveX: {89B4C1CD-B018-4511-B0A1-5476DBF70820} - C:\Windows\SysWOW64\Rundll32.exe C:\Windows\SysWOW64\mscories.dll,Install
      ActiveX: {9381D8F2-0288-11D0-9501-00AA00B911A5} - Dynamic HTML Data Binding
      ActiveX: {C9E9A340-D1F1-11D0-821E-444553540600} - Internet Explorer Core Fonts
      ActiveX: {D27CDB6E-AE6D-11CF-96B8-444553540000} - Adobe Flash Player
      ActiveX: {de5aed00-a4bf-11d1-9948-00c04f98bbc9} - HTML Help
      ActiveX: {E92B03AB-B707-11d2-9CBD-0000F87A369E} - Active Directory Service Interface
      ActiveX: >{22d6f312-b0f6-11d0-94ab-0080c74c7e95} - %SystemRoot%\system32\unregmp2.exe /ShowWMP
      ActiveX: >{26923b43-4d38-484f-9b9e-de460746276c} - C:\Windows\SysWOW64\ie4uinit.exe -UserIconConfig
      ActiveX: >{60B49E34-C7CC-11D0-8953-00A0C90347FF} - "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\iedkcs32.dll",BrandIEActiveSetup SIGNUP
       
      Drivers32:64bit: msacm.l3acm - C:\Windows\System32\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
      Drivers32: msacm.l3acm - C:\Windows\SysWOW64\l3codeca.acm (Fraunhofer Institut Integrierte Schaltungen IIS)
      Drivers32: vidc.cvid - C:\Windows\SysWow64\iccvid.dll (Radius Inc.)
       
      ========== Files/Folders - Created Within 90 Days ==========
       
      [2010/06/22 00:20:03 | 000,574,464 | ---- | C] (OldTimer Tools) -- C:\Users\Franis\Desktop\OTL.exe
      [2010/06/09 10:23:41 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Trend Micro
      [2010/06/07 12:47:36 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\Avira
      [2010/06/07 12:43:19 | 000,116,568 | ---- | C] (Avira GmbH) -- C:\Windows\SysNative\drivers\avipbb.sys
      [2010/06/07 12:43:19 | 000,081,072 | ---- | C] (Avira GmbH) -- C:\Windows\SysNative\drivers\avgntflt.sys
      [2010/06/07 12:43:19 | 000,051,992 | ---- | C] (AVIRA GmbH) -- C:\Windows\SysWow64\drivers\avgntdd.sys
      [2010/06/07 12:43:19 | 000,017,016 | ---- | C] (AVIRA GmbH) -- C:\Windows\SysWow64\drivers\avgntmgr.sys
      [2010/06/07 12:43:18 | 000,000,000 | ---D | C] -- C:\ProgramData\Avira
      [2010/06/07 12:43:18 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Avira
      [2010/06/07 11:19:31 | 000,000,000 | ---D | C] -- C:\Users\Franis\Desktop\spyware src scanners
      [2010/06/07 04:17:16 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\Malwarebytes
      [2010/06/07 04:16:56 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
      [2010/06/07 04:16:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
      [2010/06/07 04:16:54 | 000,024,664 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
      [2010/06/07 04:16:54 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Malwarebytes' Anti-Malware
      [2010/06/07 02:40:02 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\SUPERAntiSpyware.com
      [2010/06/07 02:40:02 | 000,000,000 | ---D | C] -- C:\ProgramData\SUPERAntiSpyware.com
      [2010/06/07 02:39:57 | 000,000,000 | ---D | C] -- C:\ProgramData\SASCORE
      [2010/06/07 02:39:55 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
      [2010/06/07 02:18:32 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Common Files\Java
      [2010/06/07 01:36:02 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Abexo
      [2010/06/07 01:28:08 | 000,000,000 | ---D | C] -- C:\Users\Franis\Documents\c cleaner 6-7
      [2010/06/07 01:23:16 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\CCleaner
      [2010/06/07 01:00:05 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\IObit
      [2010/06/07 01:00:04 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\IObit
      [2010/06/07 00:55:42 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\GlarySoft
      [2010/06/07 00:52:44 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\Glary Utilities
      [2010/06/04 09:14:38 | 000,000,000 | ---D | C] -- C:\Users\Franis\Desktop\moving meditation
      [2010/04/24 16:31:49 | 000,000,000 | ---D | C] -- C:\Program Files (x86)\QuickTime
      [2010/04/24 16:31:49 | 000,000,000 | ---D | C] -- C:\ProgramData\Apple Computer
      [2010/04/20 08:49:26 | 000,000,000 | ---D | C] -- C:\Windows\SysWow64\Wat
      [2010/04/20 08:49:24 | 000,000,000 | ---D | C] -- C:\Windows\SysNative\Wat
      [2010/03/25 12:04:47 | 000,000,000 | ---D | C] -- C:\Users\Franis\AppData\Roaming\PC-FAX TX
       
      ========== Files - Modified Within 90 Days ==========
       
      [2010/06/22 00:28:20 | 002,621,440 | -HS- | M] () -- C:\Users\Franis\NTUSER.DAT
      [2010/06/22 00:27:15 | 000,000,860 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1109757479-377625319-1456128612-1000Core.job
      [2010/06/22 00:24:29 | 000,000,894 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
      [2010/06/22 00:20:04 | 000,574,464 | ---- | M] (OldTimer Tools) -- C:\Users\Franis\Desktop\OTL.exe
      [2010/06/22 00:13:26 | 000,000,912 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-1109757479-377625319-1456128612-1000UA.job
      [2010/06/22 00:13:26 | 000,000,898 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
      [2010/06/22 00:13:08 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
      [2010/06/18 20:09:26 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
      [2010/06/18 20:09:26 | 000,009,920 | -H-- | M] () -- C:\Windows\SysNative\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
      [2010/06/17 23:41:23 | 000,000,396 | ---- | M] () -- C:\Windows\tasks\AWC Startup.job
      [2010/06/17 23:41:23 | 000,000,326 | ---- | M] () -- C:\Windows\tasks\GlaryInitialize.job
      [2010/06/17 23:40:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
      [2010/06/17 23:40:25 | 000,366,104 | ---- | M] () -- C:\Windows\SysNative\FNTCACHE.DAT
      [2010/06/17 23:39:43 | 2211,483,648 | -HS- | M] () -- C:\hiberfil.sys
      [2010/06/17 23:38:46 | 002,524,292 | -H-- | M] () -- C:\Users\Franis\AppData\Local\IconCache.db
      [2010/06/17 23:01:06 | 000,002,368 | ---- | M] () -- C:\Users\Franis\Desktop\Google Chrome.lnk
      [2010/06/09 10:25:39 | 000,001,640 | ---- | M] () -- C:\Users\Franis\Desktop\Sneaky Sniper.lnk
      [2010/06/09 10:23:41 | 000,002,981 | ---- | M] () -- C:\Users\Franis\Desktop\HiJackThis.lnk
      [2010/06/07 19:26:23 | 000,177,032 | ---- | M] () -- C:\Users\Franis\Desktop\activescan2_en.exe
      [2010/06/07 12:43:32 | 000,002,070 | ---- | M] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
      [2010/06/07 05:08:17 | 000,000,036 | ---- | M] () -- C:\Users\Franis\AppData\Local\housecall.guid.cache
      [2010/06/07 04:16:58 | 000,001,013 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
      [2010/06/07 04:00:29 | 000,001,085 | ---- | M] () -- C:\Users\Franis\Application Data\Microsoft\Internet Explorer\Quick Launch\Abexo Free Registry Cleaner.lnk
      [2010/06/07 04:00:29 | 000,001,061 | ---- | M] () -- C:\Users\Franis\Desktop\Abexo Free Registry Cleaner.lnk
      [2010/06/07 02:39:57 | 000,001,772 | ---- | M] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
      [2010/06/07 01:23:17 | 000,001,889 | ---- | M] () -- C:\Users\Franis\Desktop\CCleaner.lnk
      [2010/06/07 01:00:12 | 000,001,225 | ---- | M] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
      [2010/06/07 00:52:47 | 000,000,992 | ---- | M] () -- C:\Users\Franis\Desktop\Glary Utilities.lnk
      [2010/06/07 00:49:22 | 000,000,284 | ---- | M] () -- C:\Windows\reimage.ini
      [2010/06/07 00:32:33 | 000,713,888 | ---- | M] () -- C:\Windows\SysNative\PerfStringBackup.INI
      [2010/06/07 00:32:33 | 000,615,360 | ---- | M] () -- C:\Windows\SysNative\perfh009.dat
      [2010/06/07 00:32:33 | 000,103,702 | ---- | M] () -- C:\Windows\SysNative\perfc009.dat
      [2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysWow64\drivers\mbamswissarmy.sys
      [2010/04/29 15:39:28 | 000,024,664 | ---- | M] (Malwarebytes Corporation) -- C:\Windows\SysNative\drivers\mbam.sys
      [2010/04/26 20:15:26 | 000,000,426 | ---- | M] () -- C:\Windows\BRWMARK.INI
      [2010/04/24 16:31:58 | 000,001,849 | ---- | M] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
      [2010/04/15 23:22:47 | 000,002,018 | ---- | M] () -- C:\Users\Public\Desktop\Adobe Reader 9.lnk
      [2010/03/25 12:43:39 | 000,001,111 | ---- | M] () -- C:\Windows\Brpfx04a.ini
      [2010/03/25 12:40:40 | 000,000,000 | ---- | M] () -- C:\Windows\brdfxspd.dat
       
      ========== Files Created - No Company Name ==========
       
      [2010/06/09 10:25:39 | 000,001,640 | ---- | C] () -- C:\Users\Franis\Desktop\Sneaky Sniper.lnk
      [2010/06/09 10:22:09 | 000,002,981 | ---- | C] () -- C:\Users\Franis\Desktop\HiJackThis.lnk
      [2010/06/07 19:26:22 | 000,177,032 | ---- | C] () -- C:\Users\Franis\Desktop\activescan2_en.exe
      [2010/06/07 12:43:32 | 000,002,070 | ---- | C] () -- C:\Users\Public\Desktop\Avira AntiVir Control Center.lnk
      [2010/06/07 05:08:17 | 000,000,036 | ---- | C] () -- C:\Users\Franis\AppData\Local\housecall.guid.cache
      [2010/06/07 04:16:58 | 000,001,013 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk
      [2010/06/07 04:00:29 | 000,001,085 | ---- | C] () -- C:\Users\Franis\Application Data\Microsoft\Internet Explorer\Quick Launch\Abexo Free Registry Cleaner.lnk
      [2010/06/07 04:00:29 | 000,001,061 | ---- | C] () -- C:\Users\Franis\Desktop\Abexo Free Registry Cleaner.lnk
      [2010/06/07 02:39:57 | 000,001,772 | ---- | C] () -- C:\Users\Public\Desktop\SUPERAntiSpyware Free Edition.lnk
      [2010/06/07 01:23:17 | 000,001,889 | ---- | C] () -- C:\Users\Franis\Desktop\CCleaner.lnk
      [2010/06/07 01:00:51 | 000,000,396 | ---- | C] () -- C:\Windows\tasks\AWC Startup.job
      [2010/06/07 01:00:12 | 000,001,225 | ---- | C] () -- C:\Users\Public\Desktop\Advanced SystemCare.lnk
      [2010/06/07 00:52:50 | 000,000,326 | ---- | C] () -- C:\Windows\tasks\GlaryInitialize.job
      [2010/06/07 00:52:47 | 000,000,992 | ---- | C] () -- C:\Users\Franis\Desktop\Glary Utilities.lnk
      [2010/06/07 00:48:57 | 000,000,284 | ---- | C] () -- C:\Windows\reimage.ini
      [2010/04/24 16:31:58 | 000,001,849 | ---- | C] () -- C:\Users\Public\Desktop\QuickTime Player.lnk
      [2009/12/31 21:11:00 | 000,003,120 | ---- | C] () -- C:\Windows\wlidr.ini
      [2009/12/31 20:59:02 | 000,000,091 | ---- | C] () -- C:\Windows\HSASTROL.INI
      [2009/12/31 20:57:41 | 000,000,173 | ---- | C] () -- C:\Windows\ACSATLAS.INI
      [2009/12/31 20:57:30 | 000,147,456 | ---- | C] () -- C:\Windows\SysWow64\TwistedPNG.dll
      [2009/12/31 20:57:30 | 000,129,024 | ---- | C] () -- C:\Windows\SysWow64\TwistedTiff.DLL
      [2009/12/18 18:04:20 | 000,027,019 | ---- | C] () -- C:\Windows\maxlink.ini
      [2009/11/20 19:25:21 | 000,000,426 | ---- | C] () -- C:\Windows\BRWMARK.INI
      [2009/11/20 19:20:52 | 000,001,111 | ---- | C] () -- C:\Windows\Brpfx04a.ini
      [2009/11/20 19:20:52 | 000,000,164 | ---- | C] () -- C:\Windows\brpcfx.ini
      [2009/11/20 19:18:49 | 000,000,066 | ---- | C] () -- C:\Windows\Brfaxrx.ini
      [2009/11/20 19:18:46 | 000,106,496 | ---- | C] () -- C:\Windows\SysWow64\BrMuSNMP.dll
      [2009/11/15 12:34:56 | 000,000,029 | ---- | C] () -- C:\Windows\CDMKR32.INI
      [2009/11/15 10:28:46 | 000,000,116 | ---- | C] () -- C:\Windows\alletter.ini
      [2009/07/13 13:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\SysWow64\BWContextHandler.dll
      [2009/07/13 11:03:59 | 000,364,544 | ---- | C] () -- C:\Windows\SysWow64\msjetoledb40.dll
      [2005/01/17 05:10:16 | 000,045,056 | ---- | C] () -- C:\Windows\SysWow64\BRTCPCON.DLL
      [2004/08/09 05:00:42 | 000,000,114 | ---- | C] () -- C:\Windows\SysWow64\BRLMW03A.INI
      [2002/03/04 10:16:34 | 000,110,592 | R--- | C] () -- C:\Windows\SysWow64\Jpeg32.dll
       
      ========== LOP Check ==========
       
      [2009/11/11 12:37:43 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\Acer
      [2010/06/07 00:55:42 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\GlarySoft
      [2010/06/07 01:09:30 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\IObit
      [2009/11/11 12:37:40 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\Leadertech
      [2009/11/18 12:51:50 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\OpenOffice.org
      [2010/03/25 12:04:47 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\PC-FAX TX
      [2009/11/16 21:34:16 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\PowerCinema
      [2010/02/16 22:14:24 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\SoftDMA
      [2009/11/11 13:25:36 | 000,000,000 | ---D | M] -- C:\Users\Franis\AppData\Roaming\WildTangent
      [2010/06/17 23:41:23 | 000,000,396 | ---- | M] () -- C:\Windows\Tasks\AWC Startup.job
      [2010/06/17 23:41:23 | 000,000,326 | ---- | M] () -- C:\Windows\Tasks\GlaryInitialize.job
      [2010/05/17 14:23:34 | 000,032,628 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT
       
      ========== Purity Check ==========
       
       
       
      ========== Custom Scans ==========
       
       
      < %SYSTEMDRIVE%\*.exe >
      [2007/11/07 08:44:20 | 000,855,040 | ---- | M] (Microsoft Corporation) -- C:\install.exe
       
      < %systemroot%\*. /mp /s >
       
      < c:\$recycle.bin\*.* /s >
      [2010/06/07 12:18:16 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$I0DCLAG.exe
      [2010/06/07 11:35:48 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$I0MFD8L.exe
      [2010/06/15 13:27:25 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$ICGD9OW
      [2010/06/07 19:28:51 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$IIYFLH2.exe
      [2010/06/07 11:32:54 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$IKL0PLK.exe
      [2010/06/07 12:15:40 | 044,089,904 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$R0DCLAG.exe
      [2010/06/07 00:46:53 | 000,248,976 | ---- | M] (Reimage®) -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$R0MFD8L.exe
      [2010/06/10 21:41:04 | 000,003,196 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$RCGD9OW
      [2010/06/07 19:27:31 | 000,177,032 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$RIYFLH2.exe
      [2010/06/07 00:56:28 | 008,292,104 | ---- | M] (Glarysoft Ltd                                               ) -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\$RKL0PLK.exe
      [2009/11/11 12:36:43 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1000\desktop.ini
      [2009/11/11 13:35:22 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1001\desktop.ini
      [2009/11/12 22:34:48 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1002\desktop.ini
      [2010/02/07 12:51:30 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$I06HX4H.xps
      [2010/02/06 10:57:34 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$I4MOYG3.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$I4WQ4XQ.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$I7377SB.AVI
      [2010/02/06 10:57:48 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$I925KSH.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IA4SEF2.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IF3637V.AVI
      [2010/02/06 10:57:34 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IFFKHQE.AVI
      [2009/12/12 06:16:03 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IIU6WLT.odt
      [2010/02/06 10:57:41 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$INBU2PW.AVI
      [2010/02/06 10:57:34 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IO6A0LY.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$ISRAK7C.AVI
      [2010/02/06 10:57:10 | 000,000,544 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$IWUBEVZ.AVI
      [2010/02/07 12:36:55 | 000,037,077 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$R06HX4H.xps
      [2008/05/04 14:39:42 | 011,849,200 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$R4MOYG3.AVI
      [2008/01/20 14:00:22 | 064,827,040 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$R4WQ4XQ.AVI
      [2008/01/20 13:22:52 | 000,137,640 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$R7377SB.AVI
      [2008/08/28 21:09:22 | 069,773,728 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$R925KSH.AVI
      [2008/01/20 13:24:32 | 033,921,592 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RA4SEF2.AVI
      [2008/01/20 13:48:30 | 067,866,656 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RF3637V.AVI
      [2008/05/04 14:41:00 | 000,132,408 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RFFKHQE.AVI
      [2009/12/12 06:00:45 | 000,020,057 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RIU6WLT.odt
      [2008/05/04 14:46:02 | 044,412,232 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RNBU2PW.AVI
      [2008/05/04 14:42:56 | 002,704,976 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RO6A0LY.AVI
      [2008/01/20 13:56:30 | 064,905,248 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RSRAK7C.AVI
      [2008/01/20 14:07:08 | 051,975,920 | ---- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\$RWUBEVZ.AVI
      [2009/11/18 21:06:13 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-1003\desktop.ini
      [2009/10/10 05:55:25 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-500\desktop.ini
      [2009/11/18 09:28:51 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-1109757479-377625319-1456128612-501\desktop.ini
      [2009/08/21 15:50:36 | 000,000,129 | -HS- | M] () -- c:\$recycle.bin\S-1-5-21-2153193998-18765845-4235578911-500\desktop.ini
       
      < HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs >
       
       
      < MD5 for: AGP440.SYS  >
      [2009/07/13 15:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\SysWow64\DriverStore\FileRepository\machine.inf_amd64_neutral_9e6bb86c3b39a3e9\AGP440.sys
      [2009/07/13 15:52:21 | 000,061,008 | ---- | M] (Microsoft Corporation) MD5=608C14DBA7299D8CB6ED035A68A15799 -- C:\Windows\winsxs\amd64_machine.inf_31bf3856ad364e35_6.1.7600.16385_none_1607dee2d861e021\AGP440.sys
       
      < MD5 for: ATAPI.SYS  >
      [2009/07/13 15:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\SysWow64\DriverStore\FileRepository\mshdc.inf_amd64_neutral_a69a58a4286f0b22\atapi.sys
      [2009/07/13 15:52:21 | 000,024,128 | ---- | M] (Microsoft Corporation) MD5=02062C0B390B7729EDC9E69C680A6F3C -- C:\Windows\winsxs\amd64_mshdc.inf_31bf3856ad364e35_6.1.7600.16385_none_392d19c13b3ad543\atapi.sys
       
      < MD5 for: AUTOCHK.EXE  >
      [2009/07/13 15:14:12 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=41E4C8EBA464E7D6A5BA5E8827732AEB -- C:\Windows\SysWOW64\autochk.exe
      [2009/07/13 15:14:12 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=41E4C8EBA464E7D6A5BA5E8827732AEB -- C:\Windows\SysWOW64\autochk.exe
      [2009/07/13 15:14:12 | 000,668,160 | ---- | M] (Microsoft Corporation) MD5=41E4C8EBA464E7D6A5BA5E8827732AEB -- C:\Windows\winsxs\x86_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_e1ca436d2314b860\autochk.exe
      [2009/07/13 15:38:56 | 000,777,728 | ---- | M] (Microsoft Corporation) MD5=8B7F8E882A649D81CEA1EDE9BBB68FFF -- C:\Windows\winsxs\amd64_microsoft-windows-autochk_31bf3856ad364e35_6.1.7600.16385_none_3de8def0db722996\autochk.exe
       
      < MD5 for: BEEP.SYS  >
      [2009/07/13 14:00:13 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=16A47CE2DECC9B099349A5F840654746 -- C:\Windows\winsxs\amd64_mic
      « Last Edit: June 22, 2010, 05:23:28 AM by an8el »
      ¤ø„¸¸„ø¤º°Aloha,
      ¸„ø¤º°¨¨°º¤ø„¸from
      ¸„ø¤º° Frani ``°º¤ø„¸

      an8el

      Re: persistent TR/Crypt.Xpack.gen
      « Reply #4 on: June 22, 2010, 05:46:44 AM »
Here's the rest of the first scan, starting from where we left off on the specified files to be scanned...

      < MD5 for: CNGAUDIT.DLL  >
      [2009/07/13 15:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
      [2009/07/13 15:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\SysWOW64\cngaudit.dll
      [2009/07/13 15:15:06 | 000,012,288 | ---- | M] (Microsoft Corporation) MD5=50BA656134F78AF64E4DD3C8B6FEFD7E -- C:\Windows\winsxs\x86_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_e83a414890e8132b\cngaudit.dll
      [2009/07/13 15:40:20 | 000,018,944 | ---- | M] (Microsoft Corporation) MD5=86FE1B1F8FD42CD0DB641AB1CDB13093 -- C:\Windows\winsxs\amd64_microsoft-windows-cngaudit-dll_31bf3856ad364e35_6.1.7600.16385_none_4458dccc49458461\cngaudit.dll
       
      < MD5 for: EXPLORER.EXE  >
      < %systemroot%\system32\*.dll /lockedfiles >
       
      < %systemroot%\Tasks\*.job /lockedfiles >
      < End of report >


      Closed the second report by accident. Repeating...
      ¤ø„¸¸„ø¤º°Aloha,
      ¸„ø¤º°¨¨°º¤ø„¸from
      ¸„ø¤º° Frani ``°º¤ø„¸

      an8el

      Re: persistent TR/Crypt.Xpack.gen
      « Reply #5 on: June 22, 2010, 06:30:16 AM »
      OK, forgot a part of the above file, due to more truncation:
       
      < MD5 for: BEEP.SYS  >
      [2009/07/13 14:00:13 | 000,006,656 | ---- | M] (Microsoft Corporation) MD5=16A47CE2DECC9B099349A5F840654746 -- C:\Windows\winsxs\amd64_microsoft-windows-beepsys_31bf3856ad364e35_6.1.7600.16385_none_201592fa214e4f02\beep.sys
       
      < MD5 for: CNGAUDIT.DLL  >
      [2009/07/13



      Here's the extras file:

      OTL Extras logfile created on: 6/22/2010 12:26:43 AM - Run 1
      OTL by OldTimer - Version 3.2.6.1     Folder = C:\Users\Franis\Desktop
      64bit- Home Premium Edition  (Version = 6.1.7600) - Type = NTWorkstation
      Internet Explorer (Version = 8.0.7600.16385)
      Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
       
      3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 59.00% Memory free
      5.00 Gb Paging File | 4.00 Gb Available in Paging File | 76.00% Paging File free
      Paging file location(s): ?:\pagefile.sys [binary data]
       
      %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files (x86)
      Drive C: | 136.95 Gb Total Space | 90.89 Gb Free Space | 66.37% Space Free | Partition Type: NTFS
      D: Drive not present or media not loaded
      E: Drive not present or media not loaded
      F: Drive not present or media not loaded
      G: Drive not present or media not loaded
      H: Drive not present or media not loaded
      I: Drive not present or media not loaded
       
      Computer Name: ACERTAIN
      Current User Name: Franis
      Logged in as Administrator.
       
      Current Boot Mode: Normal
      Scan Mode: Current user
      Include 64bit Scans
      Company Name Whitelist: On
      Skip Microsoft Files: On
      File Age = 90 Days
      Output = Standard
      Quick Scan
       
      ========== Extra Registry (SafeList) ==========
       
       
      ========== File Associations ==========
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
      .cpl [@ = cplfile] -- C:\Windows\SysWow64\control.exe (Microsoft Corporation)
       
      [HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
      .html [@ = FirefoxHTML] -- C:\Program Files (x86)\Mozilla Firefox\firefox.exe (Mozilla Corporation)
       
      ========== Shell Spawning ==========
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
      batfile [open] -- "%1" %* File not found
      cmdfile [open] -- "%1" %* File not found
      comfile [open] -- "%1" %* File not found
      exefile [open] -- "%1" %* File not found
      helpfile [open] -- Reg Error: Key error.
      htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
      htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
      inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
      InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
      piffile [open] -- "%1" %* File not found
      regfile [merge] -- Reg Error: Key error.
      scrfile [config] -- "%1" File not found
      scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
      scrfile [open] -- "%1" /S File not found
      txtfile [edit] -- Reg Error: Key error.
      Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
      Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
      Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
      Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
      Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
      Folder [explore] -- Reg Error: Value error.
      Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
      batfile [open] -- "%1" %*
      cmdfile [open] -- "%1" %*
      comfile [open] -- "%1" %*
      cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
      exefile [open] -- "%1" %*
      helpfile [open] -- Reg Error: Key error.
      htmlfile [edit] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
      htmlfile [print] -- "C:\Program Files (x86)\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
      inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
      InternetShortcut [print] -- "C:\Windows\System32\rundll32.exe" "C:\Windows\System32\mshtml.dll",PrintHTML "%1" (Microsoft Corporation)
      piffile [open] -- "%1" %*
      regfile [merge] -- Reg Error: Key error.
      scrfile [config] -- "%1"
      scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
      scrfile [open] -- "%1" /S
      txtfile [edit] -- Reg Error: Key error.
      Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
      Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
      Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
      Directory [OneNote.Open] -- C:\PROGRA~2\MICROS~1\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
      Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
      Folder [explore] -- Reg Error: Value error.
      Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
       
      ========== Security Center Settings ==========
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
      "cval" = 1
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
      "VistaSp1" = 28 4D B2 76 41 04 CA 01  [binary data]
      "AntiVirusOverride" = 0
      "AntiSpywareOverride" = 0
      "FirewallOverride" = 0
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
       
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
      "DisableNotifications" = 0
      "EnableFirewall" = 1
       
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
      "DisableNotifications" = 0
      "EnableFirewall" = 1
       
      [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile]
      "DisableNotifications" = 0
      "EnableFirewall" = 1
       
      ========== Authorized Applications List ==========
       
       
      ========== HKEY_LOCAL_MACHINE Uninstall List ==========
       
      64bit: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "{350AA351-21FA-3270-8B7A-835434E766AD}" = Microsoft Visual C++ 2008 Redistributable - x64 9.0.21022
      "{90120000-002A-0000-1000-0000000FF1CE}" = Microsoft Office Office 64-bit Components 2007
      "{90120000-002A-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit MUI (English) 2007
      "{90120000-0116-0409-1000-0000000FF1CE}" = Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007
      "{95120000-00B9-0409-1000-0000000FF1CE}" = Microsoft Application Error Reporting
      "{ACCA82EB-7088-919E-5E1C-100A24F11CCF}" = ATI Catalyst Install Manager
      "{B0EFB716-085B-4564-8060-212E41F5CE50}" = Windows Live ID Sign-in Assistant
      "{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware
      "{E2FCA441-6D7B-CD78-3ADF-42EA9FA06065}" = ccc-utility64
      "{EE936C7A-EA40-31D5-9B65-8E3E089C3828}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x64 9.0.30729.4148
      "SynTPDeinstKey" = Synaptics Pointing Device Driver
       
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
      "{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
      "{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now Standard
      "{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
      "{183F0908-AD5E-8B3B-5F06-28B1A8C65C62}" = CCC Help Japanese
      "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
      "{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
      "{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
      "{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
      "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
      "{23E9588B-05ED-BC2F-EB69-101A96511EF1}" = ccc-core-static
      "{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
      "{2484D1EA-CBA4-60BB-82B9-F8477D25C47A}" = CCC Help Dutch
      "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
      "{26A24AE4-039D-4CA4-87B4-2F83216020FF}" = Java(TM) 6 Update 20
      "{287ECFA4-719A-2143-A09B-D6A12DE54E40}" = Acrobat.com
      "{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
      "{29802D65-9514-DB20-36CD-E47A94C8AEB9}" = Catalyst Control Center Graphics Full Existing
      "{2F61E9D7-CD05-643E-A04E-CC1A8B6610BA}" = CCC Help Finnish
      "{2FA3CDD8-1436-497D-6339-789936561E99}" = CCC Help German
      "{3108C217-BE83-42E4-AE9E-A56A2A92E549}" = Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
      "{34123E80-BE96-6282-1167-6696730AF6D2}" = CCC Help Korean
      "{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
      "{3C52E7DA-C431-4239-B66B-1BF703D5B194}" = Windows Live Photo Gallery
      "{3D20EF26-2E9A-D388-851D-E7675BBACFF5}" = Catalyst Control Center Core Implementation
      "{3DB0448D-AD82-4923-B305-D001E521A964}" = Acer ePower Management
      "{4024F49B-65D4-D6B2-2A1D-6DBF6F09F181}" = CCC Help Greek
      "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis
      "{46E1B1F2-A279-4356-9B17-029F9CC72EAE}" = Brother MFL-Pro Suite
      "{49A63237-FD38-AE77-6DF6-FFB41499A4E6}" = CCC Help Hungarian
      "{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
      "{4DE3E3D9-AE81-45DE-9195-3015F7B1DBF3}" = Junk Mail filter update
      "{4F0FC827-B693-F166-612E-EA89D798540C}" = CCC Help Chinese Traditional
      "{52FBF90E-D2EF-A2A3-1CCA-6984596B1B02}" = CCC Help English
      "{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
      "{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
      "{628CBFE4-3823-67FB-26D2-566899C3BB5C}" = CCC Help Italian
      "{63C1109E-D977-49ED-BCE3-D00D0BF187D6}" = Windows Live Mail
      "{63F26DAE-CB0D-98B6-3019-D4FC3D0DD203}" = Catalyst Control Center InstallProxy
      "{652EB559-6865-DEF4-2409-D506963C15FD}" = CCC Help Polish
      "{67E03279-F703-408F-B4BF-46B5FC8D70CD}" = Microsoft Works
      "{68301905-2DEA-41CE-A4D4-E8B443B099BA}" = MyWinLocker
      "{68987945-A387-4C25-0C59-21F2AF657E65}" = CCC Help Thai
      "{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
      "{6A92E5C5-0578-443D-91F3-92ECE5F2CAE2}" = Windows Live Writer
      "{6ADD0603-16EF-400D-9F9E-486432835002}" = OpenOffice.org 3.2
      "{6B45E33B-6BB4-234B-2F5F-65B1A103801D}" = CCC Help Russian
      "{6B99737C-9FDC-50F9-C9A4-AB7DA5C9A336}" = Catalyst Control Center Graphics Full New
      "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
      "{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
      "{7BE74C0E-F300-D0A6-780B-C93BB78DE58C}" = CCC Help Norwegian
      "{7E75ACC5-B0EC-7006-183A-374974019911}" = Catalyst Control Center Graphics Light
      "{7F811A54-5A09-4579-90E1-C93498E230D9}" = Acer eRecovery Management
      "{82809116-D1EE-443C-AE31-F19E709DDF7A}" = AMD USB Filter Driver
      "{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
      "{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
      "{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
      "{90120000-0016-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
      "{90120000-0018-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
      "{90120000-001B-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
      "{90120000-001F-0409-0000-0000000FF1CE}_HOMESTUDENTR_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
      "{90120000-001F-040C-0000-0000000FF1CE}_HOMESTUDENTR_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
      "{90120000-001F-0C0A-0000-0000000FF1CE}_HOMESTUDENTR_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
      "{90120000-002A-0000-1000-0000000FF1CE}_HOMESTUDENTR_{E64BA721-2310-4B55-BE5A-2925F9706192}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-002A-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
      "{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
      "{90120000-006E-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
      "{90120000-00A1-0409-0000-0000000FF1CE}_HOMESTUDENTR_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
      "{90120000-0115-0409-0000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{90120000-0116-0409-1000-0000000FF1CE}_HOMESTUDENTR_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{91120000-002F-0000-0000-0000000FF1CE}" = Microsoft Office Home and Student 2007
      "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = 2007 Microsoft Office Suite Service Pack 2 (SP2)
      "{91120000-002F-0000-0000-0000000FF1CE}_HOMESTUDENTR_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
      "{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
      "{96AE7E41-E34E-47D0-AC07-1091A8127911}" = Realtek USB 2.0 Card Reader
      "{97124B44-C17B-C352-44B1-403D0D706173}" = CCC Help Czech
      "{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
      "{9ACA8261-11D1-F8A1-C154-7F8B23515C79}" = CCC Help Swedish
      "{A17EABB6-D0C6-44E5-820C-72DC7F495064}" = PaperPort
      "{A1BF9950-8CDB-468E-83FA-EACFB00EA7D5}" = Windows Live Sync
      "{A2BCA9F1-566C-4805-97D1-7FDC93386723}" = Adobe AIR
      "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
      "{A9574A7E-C024-EED1-7A81-CC4786A1915A}" = CCC Help Portuguese
      "{AA32D2A6-1299-0F05-BF8D-04075A9F69EB}" = CCC Help Turkish
      "{AAF89271-2594-468D-B578-96B2E30C41C4}" = eBay Worldwide
      "{AC76BA86-7AD7-FFFF-7B44-A91000000001}" = Adobe Reader 9.3.2 MUI
      "{AE3CF174-872C-46C6-B9F6-C0593F3BC7B8}" = Microsoft Office Live Add-in 1.4
      "{BCC05B1F-7397-799A-9EDB-AC10123BB17A}" = CCC Help Chinese Standard
      "{BEF4FD8A-29FF-C250-468A-5FC55F0E3451}" = Catalyst Control Center Localization All
      "{C57BCDE1-7CB9-467D-B3BA-7E119916CDC1}" = Norton Online Backup
      "{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
      "{CF7A62B6-F712-412E-9914-D80033A7F8B8}" = Catalyst Control Center - Branding
      "{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
      "{D41301F8-90FD-9CE8-CD2C-ED2B9D5F07E3}" = CCC Help Spanish
      "{D43AD08C-BE76-8C5B-FD90-4B665EF60E2E}" = CCC Help Danish
      "{DA4CA661-5ABF-9218-6E42-84BF89F43655}" = CCC Help French
      "{E503B4BF-F7BB-3D5F-8BC8-F694B1CFF942}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022.218
      "{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}" = Microsoft Office Suite Activation Assistant
      "{EE171732-BEB4-4576-887D-CB62727F01CA}" = Acer Updater
      "{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
      "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
      "{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
      "Abexo Free Registry Cleaner" = Abexo Free Registry Cleaner
      "Acer Assist" = Acer Assist
      "Acer Registration" = Acer Registration
      "Acer Welcome Center" = Welcome Center
      "Adobe AIR" = Adobe AIR
      "Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
      "Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
      "Advanced SystemCare 3_is1" = Advanced SystemCare 3
      "Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
      "CCleaner" = CCleaner
      "Glary Utilities_is1" = Glary Utilities 2.23.0.923
      "GridVista" = Acer GridVista
      "HOMESTUDENTR" = Microsoft Office Home and Student 2007
      "Identity Card" = Identity Card
      "InstallShield_{12EFA1A4-AC3B-443C-8143-237EDE760403}" = NTI Backup Now 5
      "InstallShield_{15D967B5-A4BE-42AE-9E84-64CD062B25AA}" = eSobi v2
      "InstallShield_{2413930C-8309-47A6-BC61-5EF27A4222BC}" = NTI Media Maker 8
      "InstallShield_{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade Deluxe
      "IrfanView" = IrfanView (remove only)
      "LManager" = Launch Manager
      "Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
      "Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
      "ST4UNST #1" = AstrolDeluxe ReportWriter
      "ST4UNST #2" = Journey Returns interpretations
      "ST6UNST #1" = Edit Interpretations
      "WildTangent acer Master Uninstall" = Acer Games
      "WinLiveSuite_Wave3" = Windows Live Essentials
       
      ========== HKEY_CURRENT_USER Uninstall List ==========
       
      [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
      "Google Chrome" = Google Chrome
       
      ========== Last 10 Event Log Errors ==========
       
      [ Application Events ]
      Error - 5/9/2010 3:12:55 AM | Computer Name = acertain | Source = Google Update | ID = 20
      Description =
       
      Error - 5/9/2010 2:43:04 PM | Computer Name = acertain | Source = Google Update | ID = 20
      Description =
       
      Error - 5/10/2010 1:00:02 AM | Computer Name = acertain | Source = Windows Backup | ID = 4103
      Description =
       
      Error - 5/10/2010 5:55:06 AM | Computer Name = acertain | Source = Google Update | ID = 20
      Description =
       
      Error - 5/11/2010 2:42:39 AM | Computer Name = acertain | Source = SideBySide | ID = 16842815
      Description = Activation context generation failed for "c:\Program Files (x86)\Common
       Files\Adobe AIR\Versions\1.0\Adobe AIR.dll".Error in manifest or policy file "c:\Program
       Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR.dll" on line 3.  The value
       "MAJOR_VERSION.MINOR_VERSION.BUILD_NUMBER_MAJOR.BUILD_NUMBER_MINOR" of attribute
       "version" in element "assemblyIdentity" is invalid.
       
      Error - 5/11/2010 2:45:15 AM | Computer Name = acertain | Source = SideBySide | ID = 16842785
      Description = Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksCal.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
       
      Error - 5/11/2010 2:45:15 AM | Computer Name = acertain | Source = SideBySide | ID = 16842785
      Description = Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksdb.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
       
      Error - 5/11/2010 2:45:15 AM | Computer Name = acertain | Source = SideBySide | ID = 16842785
      Description = Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\wksss.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
       
      Error - 5/11/2010 2:45:15 AM | Computer Name = acertain | Source = SideBySide | ID = 16842785
      Description = Activation context generation failed for "c:\Windows\Installer\{67E03279-F703-408F-B4BF-46B5FC8D70CD}\WksWP.exe". Dependent Assembly msadctls,processorArchitecture="x86",type="win32",version="1.0.1801.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
       
      Error - 5/11/2010 5:10:20 AM | Computer Name = acertain | Source = Application Error | ID = 1000
      Description = Faulting application name: iexplore.exe, version: 8.0.7600.16385, time stamp: 0x4a5bc69e  Faulting module name: SkypeIEPlugin.dll_unloaded, version: 0.0.0.0, time stamp: 0x4a77e4da  Exception code: 0xc0000005  Fault offset: 0x100a3f2b  Faulting process id: 0xbd8  Faulting application start time: 0x01caf0e21b3ea7f9  Faulting application path: C:\Program Files (x86)\Internet Explorer\iexplore.exe  Faulting module path: SkypeIEPlugin.dll  Report Id: 05486181-5cdd-11df-bb67-00262263e44d
       
      [ System Events ]
      Error - 6/7/2010 11:01:50 AM | Computer Name = acertain | Source = atikmdag | ID = 52236
      Description = CPLIB :: General - Invalid Parameter
       
      Error - 6/7/2010 11:01:50 AM | Computer Name = acertain | Source = atikmdag | ID = 43029
      Description = Display is not active
       
      Error - 6/7/2010 5:17:36 PM | Computer Name = acertain | Source = volmgr | ID = 262190
      Description = Crash dump initialization failed!
       
      Error - 6/7/2010 5:17:44 PM | Computer Name = acertain | Source = volmgr | ID = 262190
      Description = Crash dump initialization failed!
       
      Error - 6/7/2010 5:17:48 PM | Computer Name = acertain | Source = atikmdag | ID = 52236
      Description = CPLIB :: General - Invalid Parameter
       
      Error - 6/7/2010 5:17:48 PM | Computer Name = acertain | Source = atikmdag | ID = 43029
      Description = Display is not active
       
      Error - 6/7/2010 6:35:45 PM | Computer Name = acertain | Source = volmgr | ID = 262190
      Description = Crash dump initialization failed!
       
      Error - 6/7/2010 6:35:52 PM | Computer Name = acertain | Source = volmgr | ID = 262190
      Description = Crash dump initialization failed!
       
      Error - 6/7/2010 6:35:55 PM | Computer Name = acertain | Source = atikmdag | ID = 52236
      Description = CPLIB :: General - Invalid Parameter
       
      Error - 6/7/2010 6:35:55 PM | Computer Name = acertain | Source = atikmdag | ID = 43029
      Description = Display is not active
       
       
      < End of report >
      ¤ø„¸¸„ø¤º°Aloha,
      ¸„ø¤º°¨¨°º¤ø„¸from
      ¸„ø¤º° Frani ``°º¤ø„¸

      Crush

      • Malware Removal Specialist


      • Beginner

        Thanked: 8
        Re: persistent TR/Crypt.Xpack.gen
        « Reply #6 on: June 22, 2010, 01:43:51 PM »
        Quote
        was beginning to wonder if I got myself into too big of a mess to be saved

        Nothing is too much of a mess for us  ;D

        I look forward to seeing your GMER log
        "I am in fact, quite cool. My graphing calculator confirms this"

        an8el
        Re: persistent TR/Crypt.Xpack.gen
        « Reply #7 on: June 22, 2010, 04:32:47 PM »
        Figured out how to download DeFogger and GMER by finding another post on this site.

        It appears that GMER generates a random name, so I wrote that down so we can find it again to de-install later. So will post the results of GMER in a bit after they get done doing their thing.

        Crush
          Re: persistent TR/Crypt.Xpack.gen
          « Reply #8 on: June 22, 2010, 05:55:28 PM »
          There were download links to both programs in my post above but, ok. I look forward to it :)

          an8el
          Re: persistent TR/Crypt.Xpack.gen
          « Reply #9 on: June 22, 2010, 06:04:48 PM »
          For some strange reason, the links you supplied above didn't work. (These links also didn't work on my Linux box either; I had the idea of transferring the files that way by USB "sneaker net".)

          Got the first on the part of the site that talked about why disable the CD emulation...and got the second, which pointed to the same place from another post here. Whatever I found to download, didn't come as a zip file. (Since the above link didn't work for some reason, maybe what I found wasn't the right version of GMER? Maybe a version that auto-runs by renaming itself as a random file?)

          GMER says: GMER hasn't found any system modification. Then when I click "OK" it exits, but the prog window stays on the desktop. So I restarted, did the scan again with the wireless internet access turned on, Avira protection active and my extra keyboard unplugged. Same result.

          Checked when I ran the scan were Servs, Regs, Files, ADS. "Show all" was unchecked, as were Sys, Sections, IAT/EAT, Devices, Modules, Processes, Threads & Libraries.

          Well, the rootkit may have had no system modifications, but just noticed that my delete key adds dots rather than deleting, so this is another suspicious symptom.

          Crush
            Re: persistent TR/Crypt.Xpack.gen
            « Reply #10 on: June 22, 2010, 06:11:09 PM »
            Quote
            Got the first on the part of the site that talked about why disable the CD emulation...and got the second, which pointed to the same place from another post here. Whatever I found to download, didn't come as a zip file. (Since the above link didn't work for some reason, maybe what I found wasn't the right version of GMER? Maybe a version that auto-runs by renaming itself as a random file?)

            Yes. There's another version of GMER that downloads as a randomly named exe file. I've never seen GMER just run through very quickly like that either.

            Let's try another similar program but first,

            • Copy the entire contents of the Quote Box below to Notepad.
            • Name the file gmer_uninstall.bat
            • Change the Save as Type to All Files
            • and Save it in the folder GMER was saved in
            • Once saved, double-click on the gmer_uninstall.bat file. An MS-DOS window will be displayed. That is normal.
            Quote
            @echo off
            rem Stop and remove the GMER kernel driver service, then delete the files GMER drops in %SystemRoot%.
            rem sc stop / sc delete and deleting from %SystemRoot% need an elevated prompt on Windows 7:
            rem right-click the .bat and choose "Run as administrator", otherwise the commands fail silently.
            sc stop gmer
            sc delete gmer
            if exist %SystemRoot%\System32\drivers\gmer.sys del /f /q %SystemRoot%\System32\drivers\gmer.sys
            if exist %SystemRoot%\gmer.dll del /f /q %SystemRoot%\gmer.dll
            if exist %SystemRoot%\gmer.exe del /f /q %SystemRoot%\gmer.exe
            if exist %SystemRoot%\gmer.ini del /f /q %SystemRoot%\gmer.ini
            if exist %SystemRoot%\gmer_uninstall.cmd del /f /q %SystemRoot%\gmer_uninstall.cmd
            if exist %SystemRoot%\gmer.bat del /f /q %SystemRoot%\gmer.bat
            if exist %SystemRoot%\gmer.reg del /f /q %SystemRoot%\gmer.reg
            if exist %SystemRoot%\gmer.log del /f /q %SystemRoot%\gmer.log
            rem %~dp0 is the folder this batch file lives in (where GMER was saved); %~f0 is the batch file itself.
            rd /s /q "%~dp0gmer"
            del /f /q "%~f0"
            exit
            =======

            After that, download RootkitUnhooker and save the setup to your Desktop.


            • Right-click on the RootkitUnhooker setup and mouse-over 7-Zip then click Extract to "RKU***"
            • Once that is done, enter the folder, and double-click on the setup file. Navigate through setup and finish.
            • Once that is done, you will see another folder that was created inside the RKU folder. Enter that folder, and double-click on the randomly named file. (It will be alphanumeric and have an EXE extension on it.)
            • It will initialize itself and load the scanner. It will also install its driver. Please wait for the interface to begin.
            • Once inside the interface, do not fix anything. Click on the Report tab.
            • Next, click on the Scan button and a popup will show. Make sure all are checked, then click on OK. It will begin scanning. When it gets to the Files tab, it will ask you what drives to scan. Just select C:\ and hit OK.
            • It will finish in about 5 minutes or a little longer depending on how badly infected the system is, or if your security software is enabled.
            • When finished, it will show the report in the Report tab. Please copy all of it, and post it in your next reply. Depending on how large the log is, you may have to use two or three posts to get all the information in.

            an8el
            Re: persistent TR/Crypt.Xpack.gen
            « Reply #11 on: June 22, 2010, 06:27:00 PM »
            The GMER uninstall: when I click on the .bat file, the MSdos window flashes a moment, then disappears. It doesn't uninstall GMER.

            The "random" name that got generated for GMER is 4s0otkov, if that makes any difference.

            Crush
              Re: persistent TR/Crypt.Xpack.gen
              « Reply #12 on: June 22, 2010, 06:55:58 PM »
              Ok. Can you just manually delete those files? I look forward to seeing your Rootrepeal log :)

              an8el
              Re: persistent TR/Crypt.Xpack.gen
              « Reply #13 on: June 22, 2010, 07:29:11 PM »
              Am having trouble finding the files.
              I changed the file views to "reveal all system files" and to show me file extensions, (file extension hiding for known file types had been reverted by the virus.)
              Looked under Windows\system32\drivers and I found the .dll list, but nothing that said gmer ???
              also attempted to use the "search" feature to find the files, but the DOS window flashed and nothing happened.

              However, the gmer file that was renamed something else still runs on the desktop, so it's not uninstalled and merely left the icon behind.

              While looking under "properties" of the randomly renamed GMER, I noticed that under "security" on the "General" screen, this was checked: "this file came from another computer and might be blocked to help protect this computer."
              Should I uncheck it?
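The checkbox an8el describes in the file's Properties dialog is Windows' "mark of the web": an NTFS alternate data stream named Zone.Identifier that the browser attaches to every download, which Explorer reads to decide whether to warn before running the file. It is the normal result of downloading the file rather than a sign of tampering, and "Unblock" simply deletes that stream. The following script is an added example for this page, not code from the thread or from any of the tools it mentions: it parses the stream's contents (the sample stream text is constructed for the example) and, on Windows, can read the stream straight off a file through the `file:Zone.Identifier` path syntax.

```python
"""Read and interpret the Zone.Identifier alternate data stream ("mark of the web").

The stream is a small INI fragment written by the browser at download time.
ZoneId=3 is the Internet zone, which is what any browser download carries.
"""
import configparser

# URL security zone numbers as Windows defines them.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what the stream holds for an ordinary browser download.
SAMPLE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"


def parse_zone_identifier(text):
    """Parse stream text; return a dict with zone_id, zone_name and optional URL fields.

    Returns None when the text is not a [ZoneTransfer] block with a numeric ZoneId.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written (ZoneId, ReferrerUrl, HostUrl)
    try:
        cp.read_string(text)
    except configparser.Error:
        return None
    if not cp.has_section("ZoneTransfer") or not cp.has_option("ZoneTransfer", "ZoneId"):
        return None
    section = cp["ZoneTransfer"]
    try:
        zone_id = int(section["ZoneId"])
    except ValueError:
        return None
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        # Newer browsers also record where the file came from; absent on older downloads.
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def read_zone_identifier(path):
    """Read the stream from a file on an NTFS volume (Windows only); None if there is none."""
    try:
        with open(path + ":Zone.Identifier", "r", encoding="utf-8", errors="replace") as f:
            return parse_zone_identifier(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
```

`read_zone_identifier(r"C:\Users\you\Desktop\4s0otkov.exe")` on the machine in question would return the parsed stream if the download still carries it, and None once the file has been unblocked.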

              Crush
                Re: persistent TR/Crypt.Xpack.gen
                « Reply #14 on: June 22, 2010, 07:54:08 PM »
                hi an8el,

                When we're through here we'll run a tool that will remove it, no worries. Can you move on to Root Repeal please?

                an8el
                Re: persistent TR/Crypt.Xpack.gen
                « Reply #15 on: June 22, 2010, 08:20:06 PM »
                Didn't want to go further in case the Rootkit Unhooker was going to be affected by not uninstalling the previous scanning prog. Thanks for the reassurance that it's just house-cleaning to be uninstalled later.

                OK, had to download 7-zip. extracted to a folder as directed, randomly renamed it letusbeunhooked in the sysWOW64 progs...

                After installing, Rootkit Unhooker did not start automatically.
                Found the folder in the start-programs list, clicked on it...got an error message: 

                Error loading driver, NTSTATUS code: 0xC000036B

                Crush
                  Re: persistent TR/Crypt.Xpack.gen
                  « Reply #16 on: June 22, 2010, 11:04:13 PM »
                  Hi,

                  Have you disabled CD Emulation with defogger?

                  an8el
                  Re: persistent TR/Crypt.Xpack.gen
                  « Reply #17 on: June 22, 2010, 11:19:34 PM »
                  I ran DeFogger but it did not urge me to restart because it said there was no CD emulation to suspend. I restarted anyway.

                  I have a couple of ideas (that I won't try unless prompted to do so, because that's what I agreed.)

                  1. I have not yet re-tried the download and install of either rootkit scanner from safe mode.

                  2. What if I download a current version of linux to find out if the build includes AVClam? (It is a virus scanner for windows files that runs on Linux systems.)  Without installing Linux right now, most Linux install CDs are also a bootable "live CD"  ISO disc. If the AVClam program was part of the live CD, it could be an effective scanner for the C:\drive because it wouldn't activate the trojan's defenses. The thugs who built this scanner probably didn't provide a defense against another OS.

                  Not sure if the program AVClam is part of the newest build of Linux Ubuntu (LucidLynx, LongTermSupport) , but I believe an update was or is in beta to be released, which may be good enough for our purposes right now even though it probably has a few bugs on the final install. Not sure either if AVClam would be thorough enough to clean up the trojan entirely. But probably the people who designed the virus didn't imagine another OS could have access to the machine.

                  Vastly am appreciating the help and attention I'm getting - this is a teaser problem that I could never solve on my own!

                  Crush
                    Re: persistent TR/Crypt.Xpack.gen
                    « Reply #18 on: June 23, 2010, 11:27:09 AM »
                    Hi an8el,

                    Before we try anything drastic like using a bootable CD, let's see if we can troubleshoot your RKUnhooker issue. Are you using a 64 bit OS?

                    an8el
                    Re: persistent TR/Crypt.Xpack.gen
                    « Reply #19 on: June 24, 2010, 02:44:07 AM »
                    Sorry I couldn't reply sooner - for some reason this site was unavailable for me until now.

                    Yes I am - 64-bit with Win7, Home edition - without the emulation for XP.
                    It was pre-installed when I bought the machine new. Don't have the install CDs because I was financially challenged when I bought the thing.

                    Crush
                      Re: persistent TR/Crypt.Xpack.gen
                      « Reply #20 on: June 24, 2010, 01:04:58 PM »
                      Ah. That's the issue then, rootrepeal doesn't work on 64 bit machines. Not many tools do.

                      Please download SpiderKill and save it to your Desktop.
                      • Right-click on SpiderKill.zip and click Extract All. Follow the prompts and read carefully, to save it to your Desktop.
                      • Double-click on the SpiderKill folder, and then double-click on SpiderKill.bat and follow all the prompts in the program.
                      • Within a minute, it will save its log titled SpiderKill.txt. Please post that in your next reply. You may have to use two or three posts to be able to fit the information in.

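The bulk of the SpiderKill log that follows is a plain `dir` listing of C:\Windows\System32\Drivers, and the first triage pass over such a listing is mechanical: the in-box drivers on a Windows 7 RTM image share one build timestamp, so anything with a different date is a vendor, security-product or updated driver (or a dropped file), and those are the entries a helper actually looks up. The script below is an added example for this page, not part of SpiderKill or of the thread. It parses `dir`-style lines (the sample lines are constructed for the example in the same format SpiderKill prints, from entries that also appear in the log), takes the most common file date as the baseline, and flags everything with another date plus anything in the drivers directory that is not a .sys file.

```python
"""Triage a `dir C:\\Windows\\System32\\Drivers` listing of the kind SpiderKill prints.

Baseline-and-outlier heuristic: the date most files share is treated as the OS build
stamp; files with other dates, and non-.sys files living among drivers, are listed for
a closer look. This narrows the search; it does not declare anything malicious.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same format as SpiderKill's "Drivers list" section.
SAMPLE_LISTING = """\
 Volume in drive C is Acer
 Volume Serial Number is 1429-B159

 Directory of C:\\Windows\\System32\\Drivers

06/07/2010  12:43 PM    <DIR>          .
06/07/2010  12:43 PM    <DIR>          ..
07/13/2009  03:52 PM           334,416 acpi.sys
07/13/2009  01:21 PM           500,224 afd.sys
10/05/2009  02:34 PM         1,542,656 athrx.sys
07/29/2009  01:06 AM            53,248 ati2erec.dll
02/16/2010  02:24 PM            81,072 avgntflt.sys
07/13/2009  01:19 PM            92,160 cdfs.sys
07/13/2009  07:37 PM    <DIR>          en-US
06/10/2009  10:30 AM               646 gmreadme.txt
04/29/2010  03:39 PM            24,664 mbam.sys
07/13/2009  03:48 PM         1,659,984 ntfs.sys
"""

# One `dir` entry: date, time, then either <DIR> or a comma-grouped size, then the name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2} [AP]M)\s+"
    r"(?:(?P<dir><DIR>)|(?P<size>[\d,]+))\s+(?P<name>.+?)\s*$"
)


def parse_dir_listing(text):
    """Return a list of {name, size, mtime} dicts for file entries; directories are skipped."""
    entries = []
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if not m or m.group("dir"):
            continue
        stamp = "%s %s" % (m.group("date"), m.group("time"))
        entries.append({
            "name": m.group("name"),
            "size": int(m.group("size").replace(",", "")),
            "mtime": datetime.strptime(stamp, "%m/%d/%Y %I:%M %p"),
        })
    return entries


def baseline_date(entries):
    """Most common modification date; on an OEM Win7 image this is the OS build stamp."""
    if not entries:
        return None
    return Counter(e["mtime"].date() for e in entries).most_common(1)[0][0]


def flag_outliers(entries, baseline=None):
    """Return (baseline_date, [(name, reason), ...]) sorted by name.

    A file is flagged when its date differs from the baseline or it is not a .sys file.
    """
    baseline = baseline or baseline_date(entries)
    flagged = []
    for e in entries:
        reasons = []
        if e["mtime"].date() != baseline:
            reasons.append("date %s != baseline %s" % (e["mtime"].date(), baseline))
        if not e["name"].lower().endswith(".sys"):
            reasons.append("non-.sys file in drivers directory")
        if reasons:
            flagged.append((e["name"], "; ".join(reasons)))
    return baseline, sorted(flagged)


if __name__ == "__main__":
    base, flagged = flag_outliers(parse_dir_listing(SAMPLE_LISTING))
    print("baseline build date:", base)
    for name, why in flagged:
        print("  %-20s %s" % (name, why))
```

Run against the full listing from the log, the pass shrinks a few hundred lines to the entries with non-baseline dates; on this machine those include known third-party drivers (the Atheros wireless driver, Avira's and Malwarebytes' filter drivers) and OEM-supplied files, which is why the flagged set is a to-do list for checking names and hashes against the vendor's copy, not a verdict.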
                      an8el
                      Re: persistent TR/Crypt.Xpack.gen
                      « Reply #21 on: June 24, 2010, 04:17:45 PM »
                      OK it worked - was worrying that the trojan wouldn't let a DOS window come up, but it happened fine, allowing me to pause at each stage and continue. All of the results fit into one post.

                      SpiderKill by DragonMaster Jay
                       Microsoft Windows [Version 6.1.7600]
                       
                      ********************Drivers list********************
                       
                       
                       Volume in drive C is Acer
                       Volume Serial Number is 1429-B159

                       Directory of C:\Windows\System32\Drivers

                      06/07/2010  12:43 PM    <DIR>          .
                      06/07/2010  12:43 PM    <DIR>          ..
                      07/13/2009  02:06 PM            68,096 1394bus.sys
                      07/13/2009  02:07 PM           227,840 1394ohci.sys
                      07/13/2009  03:52 PM           334,416 acpi.sys
                      07/13/2009  01:27 PM            12,288 acpipmi.sys
                      07/13/2009  03:52 PM           491,088 adp94xx.sys
                      07/13/2009  03:52 PM           339,536 adpahci.sys
                      07/13/2009  03:52 PM           182,864 adpu320.sys
                      07/13/2009  01:21 PM           500,224 afd.sys
                      07/13/2009  02:10 PM            60,416 agilevpn.sys
                      07/13/2009  03:52 PM            61,008 AGP440.sys
                      07/13/2009  03:52 PM            15,440 aliide.sys
                      07/13/2009  03:52 PM            15,440 amdide.sys
                      07/13/2009  01:19 PM            64,512 amdk8.sys
                      07/13/2009  01:19 PM            60,928 amdppm.sys
                      07/13/2009  03:52 PM           106,576 amdsata.sys
                      07/13/2009  03:52 PM           194,128 amdsbs.sys
                      07/13/2009  03:52 PM            28,752 amdxata.sys
                      07/13/2009  01:52 PM            61,440 appid.sys
                      07/13/2009  03:52 PM            87,632 arc.sys
                      07/13/2009  03:52 PM            97,856 arcsas.sys
                      07/13/2009  02:10 PM            23,040 asyncmac.sys
                      07/13/2009  03:52 PM            24,128 atapi.sys
                      07/13/2009  03:52 PM           155,728 ataport.sys
                      10/05/2009  02:34 PM         1,542,656 athrx.sys
                      07/29/2009  01:06 AM            53,248 ati2erec.dll
                      07/29/2009  12:11 PM         6,038,016 atikmdag.sys
                      05/04/2009  03:30 AM            16,440 AtiPcie.sys
                      06/10/2009  10:36 AM           655,825 ativcaxx.cpa
                      06/10/2009  10:36 AM               929 ativcaxx.vp
                      06/10/2009  10:36 AM             2,096 ativdkxx.vp
                      06/10/2009  10:36 AM             2,096 ativokxx.vp
                      06/10/2009  10:36 AM             2,096 ativpkxx.vp
                      06/10/2009  10:36 AM            19,392 ativvpxx.vp
                      02/16/2010  02:24 PM            81,072 avgntflt.sys
                      03/02/2010  01:35 PM           116,568 avipbb.sys
                      06/10/2009  10:34 AM           270,848 b57nd60a.sys
                      07/13/2009  03:52 PM            28,240 battc.sys
                      07/13/2009  02:00 PM             6,656 beep.sys
                      07/13/2009  01:35 PM            45,056 blbdrive.sys
                      07/13/2009  01:23 PM            90,624 bowser.sys
                      06/10/2009  10:41 AM            18,432 BrFiltLo.sys
                      06/10/2009  10:41 AM             8,704 BrFiltUp.sys
                      07/13/2009  03:01 PM            95,232 bridge.sys
                      07/13/2009  03:18 PM           281,088 BrSerIb.sys
                      07/13/2009  03:19 PM           286,720 BrSerId.sys
                      06/10/2009  10:41 AM            47,104 BrSerWdm.sys
                      06/10/2009  10:41 AM            14,976 BrUsbMdm.sys
                      06/10/2009  10:41 AM            14,720 BrUsbSer.sys
                      06/10/2009  10:41 AM            15,360 BrUsbSIb.sys
                      07/13/2009  02:06 PM            72,192 bthmodem.sys
                      06/10/2009  10:34 AM           468,480 bxvbda.sys
                      07/13/2009  01:19 PM            92,160 cdfs.sys
                      07/13/2009  01:19 PM           147,456 cdrom.sys
                      07/13/2009  02:06 PM            45,568 circlass.sys
                      07/13/2009  03:52 PM           178,752 Classpnp.sys
                      07/13/2009  01:31 PM            17,664 CmBatt.sys
                      07/13/2009  03:52 PM            17,488 cmdide.sys
                      07/13/2009  03:43 PM           460,504 cng.sys
                      07/13/2009  03:52 PM            21,584 compbatt.sys
                      07/13/2009  02:00 PM            38,912 CompositeBus.sys
                      07/13/2009  03:47 PM            39,504 crashdmp.sys
                      07/13/2009  03:47 PM            24,144 crcdisk.sys
                      11/04/2009  02:58 AM            22,528 dc3d.sys
                      07/13/2009  01:23 PM           102,400 dfsc.sys
                      07/13/2009  01:37 PM            40,448 discache.sys
                      07/13/2009  03:47 PM            73,280 disk.sys
                      07/13/2009  03:47 PM            27,216 Diskdump.sys
                      07/13/2009  03:01 PM           116,224 drmk.sys
                      07/13/2009  02:06 PM             5,632 drmkaud.sys
                      07/13/2009  03:47 PM            28,736 Dumpata.sys
                      07/13/2009  03:43 PM            55,128 dumpfve.sys
                      07/13/2009  01:38 PM            16,896 dxapi.sys
                      07/13/2009  01:38 PM            98,816 dxg.sys
                      10/01/2009  06:32 PM           982,600 dxgkrnl.sys
                      07/13/2009  01:38 PM           258,048 dxgmms1.sys
                      07/13/2009  03:47 PM           530,496 elxstor.sys
                      07/13/2009  07:37 PM    <DIR>          en-US
                      07/13/2009  01:31 PM             9,728 errdev.sys
                      07/13/2009  05:20 PM    <DIR>          etc
                      06/10/2009  10:34 AM         3,286,016 evbda.sys
                      07/13/2009  01:23 PM           195,072 exfat.sys
                      07/13/2009  01:23 PM           204,800 fastfat.sys
                      07/13/2009  02:00 PM            29,696 fdc.sys
                      07/13/2009  03:47 PM            70,224 fileinfo.sys
                      07/13/2009  01:25 PM            34,304 filetrace.sys
                      07/13/2009  02:00 PM            24,576 flpydisk.sys
                      07/13/2009  03:47 PM           290,368 fltMgr.sys
                      07/13/2009  03:47 PM            55,376 fsdepends.sys
                      07/13/2009  03:47 PM            23,104 fs_rec.sys
                      07/13/2009  03:43 PM           223,448 fvevol.sys
                      07/13/2009  03:47 PM           288,336 FWPKCLNT.SYS
                      07/13/2009  03:47 PM            65,088 GAGP30KX.SYS
                      06/10/2009  10:30 AM         3,440,660 gm.dls
                      06/10/2009  10:30 AM               646 gmreadme.txt
                      06/10/2009  10:31 AM            31,232 hcw85cir.sys
                      07/13/2009  02:06 PM           122,368 hdaudbus.sys
                      07/13/2009  02:07 PM           350,208 HdAudio.sys
                      07/13/2009  01:31 PM            26,624 hidbatt.sys
                      07/13/2009  02:06 PM           100,864 hidbth.sys
                      07/13/2009  02:06 PM            76,288 hidclass.sys
                      07/13/2009  02:06 PM            46,592 hidir.sys
                      07/13/2009  02:06 PM            32,896 hidparse.sys
                      07/13/2009  02:06 PM            30,208 hidusb.sys
                      07/13/2009  03:47 PM            77,888 HpSAMD.sys
                      07/13/2009  01:22 PM           751,616 http.sys
                      07/13/2009  03:48 PM            14,416 hwpolicy.sys
                      07/13/2009  01:19 PM           105,472 i8042prt.sys
                      07/13/2009  03:48 PM           410,688 iaStorV.sys
                      07/13/2009  03:48 PM            44,112 iirsp.sys
                      07/13/2009  03:48 PM            16,960 intelide.sys
                      07/13/2009  01:19 PM            62,464 intelppm.sys
                      07/13/2009  02:10 PM            82,944 ipfltdrv.sys
                      07/13/2009  01:47 PM            78,848 IPMIDrv.sys
                      07/13/2009  02:10 PM           116,224 ipnat.sys
                      07/13/2009  02:09 PM           120,320 irda.sys
                      07/13/2009  02:08 PM            17,920 irenum.sys
                      07/13/2009  03:48 PM            20,544 isapnp.sys
                      07/13/2009  03:48 PM            50,768 kbdclass.sys
                      07/13/2009  02:00 PM            33,280 kbdhid.sys
                      07/13/2009  02:00 PM           243,200 ks.sys
                      07/13/2009  03:48 PM            95,312 ksecdd.sys
                      12/11/2009  12:29 AM           153,160 ksecpkg.sys
                      07/13/2009  02:00 PM            20,992 ksthunk.sys
                      11/13/2009  09:47 AM            67,072 L1C62x64.sys
                      ***********************Hidden Drivers********************
                       Volume in drive C is Acer
                       Volume Serial Number is 1429-B159

                       Directory of C:\Windows\System32\Drivers

                      12/11/2009  05:13 PM                 0 Msft_Kernel_NuidFltr_01005.Wdf
                      10/10/2009  05:56 AM                 0 Msft_Kernel_SynTP_01009.Wdf
                      11/12/2009  06:06 PM                 0 Msft_User_WpdFs_01_09_00.Wdf
                                     3 File(s)              0 bytes
                                     0 Dir(s)  97,384,939,520 bytes free
                       
                       
                      *********************Processes*******************
                       
                       
                        PROCESS            PID  PRIO     PATH
                      GoogleUpdate.exe     2384 Normal   C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe
                      EgisUpdate.exe      2848 Normal   C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
                      ArcadeDeluxeAgent.exe     3324 Normal   C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
                      pptd40nt.exe        3348 Normal   C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
                      BrMfcWnd.exe        3368 Normal   C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
                      PMVService.exe      3388 Normal   C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
                      jusched.exe         3444 Normal   C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                      avgnt.exe           3468 Normal   C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
                      brccMCtl.exe        3516 Normal   C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
                      BrMfcmon.exe        3744 Normal   C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
                      firefox.exe         3752 Normal   C:\Program Files (x86)\Mozilla Firefox\firefox.exe
                      processes.exe       2460 Normal   C:\Users\Franis\Desktop\SpiderKill\SpiderKill\processes.exe
                       
                       
                      *********************Modules of explorer.exe and svchost.exe*******************
                       
                       
                       
                       
                      ******************************************
                      EOF
                      ¤ø„¸¸„ø¤º°Aloha,
                      ¸„ø¤º°¨¨°º¤ø„¸from
                      ¸„ø¤º° Frani ``°º¤ø„¸

                      Crush

                      • Malware Removal Specialist


                      • Beginner

                        Thanked: 8
                        Re: persistent TR/Crypt.Xpack.gen
                        « Reply #22 on: June 24, 2010, 11:22:03 PM »
                        hi an8el,

                        Sorry for the delay

                        Save these instructions so you can have access to them while in Safe Mode.

                        Please click here to download AVP Tool by Kaspersky.
                        • Save it to your desktop.
                        • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
                        • Double click the setup file to run it.
                        • Click Next to continue.
                        • Accept the License agreement and click on next.
                        • It will, by default, install it to your desktop folder. Click Next.
                        • It will then open a box. There will be a tab that says Automatic scan.
                        • Under Automatic scan make sure these are checked.
                          • Hidden Startup Objects
                          • System Memory
                          • Disk Boot Sectors.
                          • My Computer.
                          • Also any other drives (removable) that you may have.
                          Leave the rest of the settings as they appear as default.
                          • Then click on Scan at the top right-hand corner.
                          • It will automatically Neutralize any objects found.
                          • If some objects are left un-neutralized then click the button that says Neutralize all
                          • If it says it cannot be neutralized then choose the delete option when prompted.
                          • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
                          • Save it somewhere convenient like your desktop and post only the detected virus/malware from the report; it will be at the very top under Detected. Post those results in your next reply.

                            Note: This tool will self uninstall when you close it so please save the log before closing it.
                          "I am in fact, quite cool. My graphing calculator confirms this"

                          an8el

                          Re: persistent TR/Crypt.Xpack.gen
                          « Reply #23 on: June 25, 2010, 04:13:53 AM »
                          (I'm writing you from my Linux OS on another computer.)
                          Crush, please do not ever feel you need to apologize for making me wait until you have the time to help me. I'm grateful for this help any time you have it to spare.

                          The scan is running now. Many files are coming up "password protected". These pop up and disappear really fast. Should I be concerned with these?

                          Started running the scan when I had inserted my USB drives before I understood how to include them in the full scan, which I canceled and restarted to do the full scan. This did allow me to see the results interface of the first cancelled scan and it was a little confusing.

                          Kaspersky did not offer me a .txt file of results, but perhaps that did not happen because I cancelled the first hiccup scan before I got both my USB drives inserted.

                          Guess I will copy and paste the results you requested to another .txt file when the scan finally gets done. (It's been 2 hours so far and it's 2/3rds done.)

                          The computer got turned off by a power outage, (had been hibernating each time.) When I started the computer this time, a "windows update" downloaded. This was the first time I did not use the wireless internet, and so it was plugged hardwire internet in at startup. Had never seen a "windows update" downloading at startup before, so made me very suspicious. Somehow, the windows updating feature got turned on again by itself because I'd turned all updates off before we started our work here. Wonder if re-initiating this setting in spite of it being turned off is another "charming feature" of this trojan? It also eliminated Avira entirely, so I figured this was a feature of the trojan re-installing itself.

                          (I'm using purely "safe mode" without networking while scanning.)

                          This particular trojan is really sneaky and nasty. Am really glad you are helping me with it!!


                          ...OK scan is done now. I'm a little confused. My screen is a little short, so I may not be seeing all the options because I'm in safe mode with limited resolution. I do not see a button that says: Neutralize all.
                          My options are: Security level: recommended On threat detection: prompt for action... then I can see a button just peeking over the bottom that says "Report" and then "exit." I'm not going to exit yet.

                          My confusion is that if I click on the "on threat detection: prompt for action" link, it will not return to this screen to allow for a report. So I'm going to click that first, I guess.


                          « Last Edit: June 25, 2010, 04:54:57 AM by an8el »

                          an8el

                          Re: persistent TR/Crypt.Xpack.gen
                          « Reply #24 on: June 25, 2010, 05:46:37 AM »
                          ...OK scan is done now. I'm a little confused. My screen is a little short, so I may not be seeing all the options because I'm in safe mode with limited resolution.

                          My options are: Security level: recommended On threat detection: prompt for action... then I can see two buttons just peeking over the bottom that say "Report" and then "exit."

                           A little box popped up that prompted me to close the program - twice - I spotted it twice during the three hour scan and once after the scan was done before I had looked at the results. I did not take the invitation. I'm not going to exit yet because I hadn't saved anything - as you warned.

                          My confusion is that if I click on the "on threat detection: prompt for action" link, it will not return to this screen to allow for a report. So I'm going to click that "report" option first.

                          That was good, it opened another window in front of the original scan window, which is still there.

                          I changed the screen resolution so I can see that there are no further options on the Kaspersky program below where I couldn't see before.

                          On the "report" option, I chose "Important events" and scrolled through them, plugging in my external mouse because the touchpad was difficult to use on a list that was so long. I noticed that there is a little radio button at the head of each report.  I used that radio button to look at the three hour scan that just completed, (the other two were the scans I interrupted while I was inserting my USB drives.)  I didn't see any way to select a "neutralize" button or a "delete" option for any of these files that said "nothing was changed" under the Reason heading.

                          Then I chose "critical events" and there were only the two other scans listed that I interrupted.

                          Then when I went back to "Important events" and suddenly, there was nothing listed. The same in "critical events" - nothing listed now when before there were many files.

                          So I selected "all events." Did not see a way to save the report and was not offered a means to do this.  So I used Shift key to highlight everything, and Control "C" to copy it...opened a .txt file in notepad and tried to paste - nothing happened. Tried "edit-paste" and nothing happened. Tried to close notepad to try something else to save the file but notepad window froze on the screen, behind the window of the results of the scan.

                          At this point the computer froze - all options do not work...except my mouse works fine! But it doesn't allow me to click on anything, just races around the screen looking like it is willing to do something, if it only could.

                          ;o)

                           I'm just going to leave the computer on in the state it's in for right now, with it frozen until I get your advice. (and hope the electricity doesn't go off, but that's usually an unusual thing.)  The computer's clock is not even updating, it is so frozen. Rebooting again in safe mode and doing the scan again seems to be the only option.

                          (I'm writing you about these results from my Linux OS on another computer.)

                          Before this freeze happened, I did get to scroll through the list and found there were quite a few files under the "reason" heading that said something similar to, " file not changed"

                          Hope I'm not putting you off with the blow-by-blow detail here, but I'm hoping somewhere in here is the information you might need next - since I can't give you the report.

                          ¤ø„¸¸„ø¤º°Aloha,
                          ¸„ø¤º°¨¨°º¤ø„¸from
                          ¸„ø¤º° Frani ``°º¤ø„¸

                          an8el

                          Re: persistent TR/Crypt.Xpack.gen
                          « Reply #25 on: June 25, 2010, 05:56:44 AM »
                          After waiting, the clock started working again, got the taskbar back, and am able to select icons on the desktop with the mouse that are not covered up by Kaspersky and notepad (but they are still frozen.)  Took out the USB drives and noticed that one of them had stopped working and was hot. I'd had trouble with that particular USB drive before and had backed up most of what was on it on the linux box before I did this, so am not concerned.

                          Perhaps if I wait long enough, Kaspersky will recover?

                          Am going to check to see if I just let the computer stay on, if it will not turn itself off after going into sleep mode for a certain period of time. OK, was able to change the power display to "always on"

                          .... OK, that's how it is until I hear what you say next, Crush
                          ¤ø„¸¸„ø¤º°Aloha,
                          ¸„ø¤º°¨¨°º¤ø„¸from
                          ¸„ø¤º° Frani ``°º¤ø„¸

                          Crush

                            Re: persistent TR/Crypt.Xpack.gen
                            « Reply #26 on: June 25, 2010, 11:17:45 AM »
                            Hi again :)

                            Quote
                            The scan is running now. Many files are coming up "password protected". These pop up and disappear really fast. Should I be concerned with these?

                            Nah.

                            wow. sounds like you've had some fun! can  you please run the scan again? It's important we get a workable log.

                            "I am in fact, quite cool. My graphing calculator confirms this"

                            an8el

                            Re: persistent TR/Crypt.Xpack.gen
                            « Reply #27 on: June 25, 2010, 04:26:00 PM »
                            Yeah, I've been having some fun. Could be writing an ebook on the fun I've been having!
                            Maybe you guys should think about doing that from the info on this site?

                            OK, I restarted under safemode. Made sure this list was selected: "Disk boot sectors, Computer, Acer c:\ and rootkit" (This time I skipped including the USB flash drives.)
                            Learned that the way to get the report after the scan is done is under the tab: "Manual disinfection." I do not have to open up Notepad to get that to happen; that is very good because Notepad sets off the virus reactions!

                            Since you indicated it was appropriate, I also selected the feature, "disinfect, delete file if it can't be disinfected." It was not a default on my particular installation of Kaspersky. I left everything else the way it was by default. Now we'll see what happens in about three hours...
                            ¤ø„¸¸„ø¤º°Aloha,
                            ¸„ø¤º°¨¨°º¤ø„¸from
                            ¸„ø¤º° Frani ``°º¤ø„¸

                            Crush

                              Re: persistent TR/Crypt.Xpack.gen
                              « Reply #28 on: June 25, 2010, 04:32:51 PM »
                              Quote
                              Yeah, I've been having some fun. Could be writing an ebook on the fun I've been having!
                              Maybe you guys should think about doing that from the info on this site?

                              We could call it the ComputerHope Computer Fixes Encyclopedia.  A compendium of all computer related knowledge  ;D

                              Quote
                              Since you indicated it was appropriate, I also selected the feature, "disinfect, delete file if it can't be disinfected." It was not a default on my particular installation of Kaspersky. I left everything else the way it was by default. Now we'll see what happens in about three hours...

                              Sounds great :).  I look forward to it. My fingers are crossed for you.
                              "I am in fact, quite cool. My graphing calculator confirms this"

                              an8el

                              Re: persistent TR/Crypt.Xpack.gen
                              « Reply #29 on: June 25, 2010, 08:27:25 PM »
                              It appears that we should have started safe mode with networking, instead of just purely "safe mode" without networking. Because in Kaspersky, hitting the button under the tab of "manual disinfection" and then doing "step one" which says "gathering system information" - the program needed to go online to get ...something.

                              So I'm going to skip that. (because I do not have networking, I'm in purely "Safe Mode" ) and I'm going to just hit "open folder", where it says my report is saved to file.
                              OK, it's a zip file. Then it says "send report" and I can't do that because I'm not online. Supposedly I can't get the disinfection script to paste the text in its little box and click "Execute."

                              So, I'm just going to copy the zip file to my USB drive - do the "sneaker net" thing and try to open the report on the Linux box here... We'll see if it works. [crossying fingeys]
                              OK, I was able to open the report that it did spit out - in spite of the fact that internet access was not available.
                              Appears that 20 files were scanned here and twelve of them are unrecognized processes...but not all 12 are listed here:

                              Perhaps it's useful anyway.
                              Here's the first section, as requested:

                              csrss.exe
                              Script: Quarantine, Delete, BC delete, Terminate   320           ??   error getting file info
                              Command line:
                              csrss.exe
                              Script: Quarantine, Delete, BC delete, Terminate   364           ??   error getting file info
                              Command line:
                              c:\program files (x86)\mozilla firefox\firefox.exe
                              Script: Quarantine, Delete, BC delete, Terminate   1768   Firefox   ©Firefox and Mozilla Developers, according to the MPL 1.1/GPL 2.0/LGPL 2.1 licenses, as applicable.   ??   888.96 kb, rsAh,
                              created: 11/18/2009 1:09:34 PM,
                              modified: 5/5/2010 1:44:39 AM
                              Command line:
                              "C:\Program Files (x86)\Mozilla Firefox\firefox.exe" -requestPending -osint -url "http://avptool.virusinfo.info/en/AVPTool_helpdesk.htm"
                              lsass.exe
                              Script: Quarantine, Delete, BC delete, Terminate   432           ??   error getting file info
                              Command line:
                              lsm.exe
                              Script: Quarantine, Delete, BC delete, Terminate   440           ??   error getting file info
                              Command line:
                              SASCore64.exe
                              Script: Quarantine, Delete, BC delete, Terminate   924           ??   error getting file info
                              Command line:
                              services.exe
                              Script: Quarantine, Delete, BC delete, Terminate   424           ??   error getting file info
                              Command line:
                              smss.exe
                              Script: Quarantine, Delete, BC delete, Terminate   236           ??   error getting file info
                              Command line:
                              winlogon.exe
                              Script: Quarantine, Delete, BC delete, Terminate   472           ??   error getting file info

                              Command line:
                              Detected:20, recognized as trusted 12


                              Finally, here are the selections where I can Quarantine, Delete, BC delete, Terminate each specific file! But do we know what to do without Kaspersky being able to go online to get info about each file? Seems doubtful.

                              So, because the scan was not started in safe mode WITH NETWORKING, I'm going to do it yet again and I'll post the results here when it's done...now that I know how to work the program.

                              Good thing I'm a patient person. See you in about three hours again...

                              ¤ø„¸¸„ø¤º°Aloha,
                              ¸„ø¤º°¨¨°º¤ø„¸from
                              ¸„ø¤º° Frani ``°º¤ø„¸

                              Crush

                                Re: persistent TR/Crypt.Xpack.gen
                                « Reply #30 on: June 25, 2010, 08:37:25 PM »
                                Hi an8el,

                                I can rule them out as legitimate vs malicious by researching :). But, if you want to scan again I certainly won't stop you  :P
                                "I am in fact, quite cool. My graphing calculator confirms this"

                                an8el

                                Re: persistent TR/Crypt.Xpack.gen
                                « Reply #31 on: June 26, 2010, 12:01:32 AM »
                                3rd scan is done now. Similar results. Sort of disappointing after going through the third three hour routine. Thought there would not be "?? error getting file info" if I had internet access after doing the scan. Evidently internet access is only needed if you would like to ask the Kaspersky website for help.

                                Results of system analysis

                                Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 24/06/2010; 22:34)
                                List of processes
                                File name   PID   Description   Copyright   MD5   Information
                                csrss.exe
                                Script: Quarantine, Delete, BC delete, Terminate   328           ??   error getting file info
                                Command line:
                                csrss.exe
                                Script: Quarantine, Delete, BC delete, Terminate   372           ??   error getting file info
                                Command line:
                                lsass.exe
                                Script: Quarantine, Delete, BC delete, Terminate   440           ??   error getting file info
                                Command line:
                                lsm.exe
                                Script: Quarantine, Delete, BC delete, Terminate   448           ??   error getting file info
                                Command line:
                                SASCore64.exe
                                Script: Quarantine, Delete, BC delete, Terminate   928           ??   error getting file info
                                Command line:
                                services.exe
                                Script: Quarantine, Delete, BC delete, Terminate   432           ??   error getting file info
                                Command line:
                                smss.exe
                                Script: Quarantine, Delete, BC delete, Terminate   240           ??   error getting file info
                                Command line:
                                winlogon.exe
                                Script: Quarantine, Delete, BC delete, Terminate   480           ??   error getting file info
                                Command line:
                                Detected:21, recognized as trusted 13
                                Module name   Handle   Description   Copyright   MD5   Used by processes
                                Modules detected:143, recognized as trusted 143
                                ¤ø„¸¸„ø¤º°Aloha,
                                ¸„ø¤º°¨¨°º¤ø„¸from
                                ¸„ø¤º° Frani ``°º¤ø„¸
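The "List of processes" section pasted in the reply above has a fixed layout (file name line, a "Script: … Terminate" line carrying PID, description, copyright, MD5 and information, then a "Command line:" line, closed by a "Detected:N, recognized as trusted M" summary). The parser below is an added example, not code from this thread or from Kaspersky; it reads that layout from the pasted text, records which entries have no file info or no hash, and checks whether the number of listed entries equals detected minus trusted. The column separator (two or more spaces, or a tab) and the handling of a command line that spills onto the next line are assumptions inferred from the paste.

```python
import re

# Constructed sample in the layout of the Kaspersky Virus Removal Tool report
# pasted in the reply above (same eight entries and totals, trimmed header).
SAMPLE_REPORT = """Results of system analysis

Kaspersky Virus Removal Tool 2010 9.0.0.722 (database released 24/06/2010; 22:34)
List of processes
File name   PID   Description   Copyright   MD5   Information
csrss.exe
Script: Quarantine, Delete, BC delete, Terminate   328           ??   error getting file info
Command line:
csrss.exe
Script: Quarantine, Delete, BC delete, Terminate   372           ??   error getting file info
Command line:
lsass.exe
Script: Quarantine, Delete, BC delete, Terminate   440           ??   error getting file info
Command line:
lsm.exe
Script: Quarantine, Delete, BC delete, Terminate   448           ??   error getting file info
Command line:
SASCore64.exe
Script: Quarantine, Delete, BC delete, Terminate   928           ??   error getting file info
Command line:
services.exe
Script: Quarantine, Delete, BC delete, Terminate   432           ??   error getting file info
Command line:
smss.exe
Script: Quarantine, Delete, BC delete, Terminate   240           ??   error getting file info
Command line:
winlogon.exe
Script: Quarantine, Delete, BC delete, Terminate   480           ??   error getting file info
Command line:
Detected:21, recognized as trusted 13
Module name   Handle   Description   Copyright   MD5   Used by processes
Modules detected:143, recognized as trusted 143
"""

# PID follows the "Terminate" action list; everything after it is the remaining columns.
SCRIPT_RE = re.compile(r"^Script:.*?Terminate\s+(\d+)(.*)$")
SUMMARY_RE = re.compile(r"Detected:\s*(\d+),\s*recognized as trusted\s*(\d+)")
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
MARKER = "Command line:"


def parse_process_list(report: str) -> dict:
    """Return the listed processes plus the detected/trusted totals."""
    lines = report.splitlines()
    entries, detected, trusted = [], None, None
    prev, i = "", 0
    while i < len(lines):
        line = lines[i].strip()
        m = SCRIPT_RE.match(line)
        if m:
            # Assumed separator: runs of two or more spaces, or a tab (from the paste).
            rest = [f for f in re.split(r"\s{2,}|\t", m.group(2).strip()) if f]
            entry = {
                "file": prev,                      # the line before "Script:" names the file
                "pid": int(m.group(1)),
                "description": rest[0] if len(rest) >= 3 and rest[0] != "??" else "",
                "md5": next((f for f in rest if f == "??" or MD5_RE.fullmatch(f)), None),
                "file_info": "error getting file info" not in line,
                "command_line": "",
            }
            # Skip created/modified lines until the "Command line:" marker of this entry.
            j = i + 1
            while j < len(lines) and not lines[j].strip().startswith(MARKER):
                j += 1
            if j < len(lines):
                cmd = lines[j].strip()[len(MARKER):].strip()
                if SUMMARY_RE.search(cmd):
                    # Summary fused onto the marker line (as in the paste): re-read it below.
                    cmd, j = "", j - 1
                elif not cmd and j + 1 < len(lines) and lines[j + 1].strip().startswith('"'):
                    j += 1                          # command line on the following line
                    cmd = lines[j].strip()
                entry["command_line"] = cmd
                i = j
            entries.append(entry)
        else:
            sm = SUMMARY_RE.search(line)
            if sm:
                detected, trusted = int(sm.group(1)), int(sm.group(2))
                break                               # module section follows; not parsed here
        if line:
            prev = line
        i += 1
    not_trusted = None if detected is None else detected - trusted
    return {"processes": entries, "detected": detected,
            "trusted": trusted, "not_trusted": not_trusted}


def summarize(report: str) -> dict:
    """Triage view: which listed entries lack file info or a hash, and whether the
    number of listed entries accounts for every process not recognized as trusted."""
    r = parse_process_list(report)
    listed = len(r["processes"])
    return {
        "listed": listed,
        "not_trusted": r["not_trusted"],
        "listed_matches_untrusted": r["not_trusted"] is not None and listed == r["not_trusted"],
        "no_file_info": [e["file"] for e in r["processes"] if not e["file_info"]],
        "with_hash": [e["file"] for e in r["processes"] if e["md5"] and e["md5"] != "??"],
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```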

                                Crush

                                  Re: persistent TR/Crypt.Xpack.gen
                                  « Reply #32 on: June 26, 2010, 10:23:52 AM »
                                  Those are all legitimate files. Are things running any better now?
                                  "I am in fact, quite cool. My graphing calculator confirms this"

                                  an8el

                                  Re: persistent TR/Crypt.Xpack.gen
                                  « Reply #33 on: June 26, 2010, 05:15:09 PM »
                                  thanks for doing that research, Crush.
                                  I've still got my delete key adding a dot instead of deleting everything to the right. It's as though my keyboard works like a Mac that doesn't use a delete key, but only uses a backspace. So this is the main reason that makes me think I could still have problems. If this was a keylogger, they wouldn't want anything deleted.

                                  duh - no light for indicating the Numlock was on. Now the delete key works just fine! Lemme check out the other stuff I listed to see if things are back to normal...
                                  « Last Edit: June 26, 2010, 05:46:46 PM by an8el »
                                  ¤ø„¸¸„ø¤º°Aloha,
                                  ¸„ø¤º°¨¨°º¤ø„¸from
                                  ¸„ø¤º° Frani ``°º¤ø„¸

                                  Crush

                                    Re: persistent TR/Crypt.Xpack.gen
                                    « Reply #34 on: June 26, 2010, 11:25:05 PM »
                                    hi an8el,

                                    Let's do one more scan and see if anything is hiding

                                    Please run a free online scan with the ESET Online Scanner
                                    Note: You will need to use Internet Explorer for this scan
                                    • Tick the box next to YES, I accept the Terms of Use
                                    • Click Start
                                    • When asked, allow the ActiveX control to install
                                    • Click Start
                                    • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
                                    • Click Scan (This scan can take several hours, so please be patient)
                                    • Once the scan is completed, you may close the window
                                    • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
                                    • Copy and paste that log as a reply to this topic
                                    "I am in fact, quite cool. My graphing calculator confirms this"

                                    an8el

                                    Re: persistent TR/Crypt.Xpack.gen
                                    « Reply #35 on: June 27, 2010, 04:26:43 AM »

                                    OK, I followed your destructions. It didn't find anything! 

                                    Here's the report from the log:

                                    ESETSmartInstaller@High as CAB hook log:
                                    OnlineScanner64.ocx - registred OK
                                    OnlineScanner.ocx - registred OK

                                    I guess since the first evidence that I hadn't cleaned the trojan completely out was from Hijackthis not being able to write to notepad and Avira Scanner taking forever - shall I do those scans too to verify that they're working as designed?

                                    Thanks!
                                    ¤ø„¸¸„ø¤º°Aloha,
                                    ¸„ø¤º°¨¨°º¤ø„¸from
                                    ¸„ø¤º° Frani ``°º¤ø„¸

                                    Crush

                                      Re: persistent TR/Crypt.Xpack.gen
                                      « Reply #36 on: June 27, 2010, 01:01:07 PM »
                                      Yes. Please do :)
                                      "I am in fact, quite cool. My graphing calculator confirms this"

                                      an8el

                                      Re: persistent TR/Crypt.Xpack.gen
                                      « Reply #37 on: June 28, 2010, 06:15:06 AM »
                                      Here's my Avira file. It took about an hour, which is what it used to take before I got the virus.  It told me there were no problems.

                                      Avira AntiVir Personal
                                      Report file date: Monday, June 28, 2010  00:40

                                      Scanning for 2271330 virus strains and unwanted programs.

                                      The program is running as an unrestricted full version.
                                      Online services are available:

                                      Licensee        : Avira AntiVir Personal - FREE Antivirus
                                      Serial number   : 0000149996-ADJIE-0000001
                                      Platform        : Windows 7 x64
                                      Windows version : (plain)  [6.1.7600]
                                      Boot mode       : Normally booted
                                      Username        : SYSTEM
                                      Computer name   : ACERTAIN

                                      Version information:
                                      BUILD.DAT       : 10.0.0.567     32097 Bytes   4/19/2010 15:07:00
                                      AVSCAN.EXE      : 10.0.3.0      433832 Bytes    4/1/2010 23:37:38
                                      AVSCAN.DLL      : 10.0.3.0       46440 Bytes    4/1/2010 23:57:04
                                      LUKE.DLL        : 10.0.2.3      104296 Bytes    3/8/2010 05:33:04
                                      LUKERES.DLL     : 10.0.0.1       12648 Bytes   2/11/2010 10:40:49
                                      VBASE000.VDF    : 7.10.0.0    19875328 Bytes   11/6/2009 20:05:36
                                      VBASE001.VDF    : 7.10.1.0     1372672 Bytes  11/19/2009 06:27:49
                                      VBASE002.VDF    : 7.10.3.1     3143680 Bytes   1/20/2010 04:37:42
                                      VBASE003.VDF    : 7.10.3.75     996864 Bytes   1/26/2010 03:37:42
                                      VBASE004.VDF    : 7.10.4.203   1579008 Bytes    3/5/2010 22:29:03
                                      VBASE005.VDF    : 7.10.6.82    2494464 Bytes   4/15/2010 22:44:29
                                      VBASE006.VDF    : 7.10.7.218   2294784 Bytes    6/2/2010 22:44:41
                                      VBASE007.VDF    : 7.10.7.219      2048 Bytes    6/2/2010 22:44:42
                                      VBASE008.VDF    : 7.10.7.220      2048 Bytes    6/2/2010 22:44:42
                                      VBASE009.VDF    : 7.10.7.221      2048 Bytes    6/2/2010 22:44:42
                                      VBASE010.VDF    : 7.10.7.222      2048 Bytes    6/2/2010 22:44:43
                                      VBASE011.VDF    : 7.10.7.223      2048 Bytes    6/2/2010 22:44:43
                                      VBASE012.VDF    : 7.10.7.224      2048 Bytes    6/2/2010 22:44:43
                                      VBASE013.VDF    : 7.10.8.37     270336 Bytes   6/10/2010 08:59:46
                                      VBASE014.VDF    : 7.10.8.69     138752 Bytes   6/14/2010 08:59:47
                                      VBASE015.VDF    : 7.10.8.102    130560 Bytes   6/16/2010 08:59:49
                                      VBASE016.VDF    : 7.10.8.135    152064 Bytes   6/21/2010 10:14:38
                                      VBASE017.VDF    : 7.10.8.163    432128 Bytes   6/23/2010 23:45:17
                                      VBASE018.VDF    : 7.10.8.164      2048 Bytes   6/23/2010 23:45:18
                                      VBASE019.VDF    : 7.10.8.165      2048 Bytes   6/23/2010 23:45:18
                                      VBASE020.VDF    : 7.10.8.166      2048 Bytes   6/23/2010 23:45:18
                                      VBASE021.VDF    : 7.10.8.167      2048 Bytes   6/23/2010 23:45:18
                                      VBASE022.VDF    : 7.10.8.168      2048 Bytes   6/23/2010 23:45:19
                                      VBASE023.VDF    : 7.10.8.169      2048 Bytes   6/23/2010 23:45:19
                                      VBASE024.VDF    : 7.10.8.170      2048 Bytes   6/23/2010 23:45:19
                                      VBASE025.VDF    : 7.10.8.171      2048 Bytes   6/23/2010 23:45:19
                                      VBASE026.VDF    : 7.10.8.172      2048 Bytes   6/23/2010 23:45:20
                                      VBASE027.VDF    : 7.10.8.173      2048 Bytes   6/23/2010 23:45:20
                                      VBASE028.VDF    : 7.10.8.174      2048 Bytes   6/23/2010 23:45:20
                                      VBASE029.VDF    : 7.10.8.175      2048 Bytes   6/23/2010 23:45:20
                                      VBASE030.VDF    : 7.10.8.176      2048 Bytes   6/23/2010 23:45:21
                                      VBASE031.VDF    : 7.10.8.192    134656 Bytes   6/28/2010 10:38:47
                                      Engineversion   : 8.2.4.2   
                                      AEVDF.DLL       : 8.1.2.0       106868 Bytes    6/7/2010 22:45:13
                                      AESCRIPT.DLL    : 8.1.3.33     1356155 Bytes   6/26/2010 23:45:39
                                      AESCN.DLL       : 8.1.6.1       127347 Bytes    6/7/2010 22:45:08
                                      AESBX.DLL       : 8.1.3.1       254324 Bytes    6/7/2010 22:45:14
                                      AERDL.DLL       : 8.1.4.6       541043 Bytes    6/7/2010 22:45:07
                                      AEPACK.DLL      : 8.2.2.5       430453 Bytes   6/26/2010 23:45:36
                                      AEOFFICE.DLL    : 8.1.1.0       201081 Bytes    6/7/2010 22:45:04
                                      AEHEUR.DLL      : 8.1.1.38     2724214 Bytes   6/26/2010 23:45:34
                                      AEHELP.DLL      : 8.1.11.6      242038 Bytes   6/26/2010 23:45:26
                                      AEGEN.DLL       : 8.1.3.12      377204 Bytes   6/26/2010 23:45:24
                                      AEEMU.DLL       : 8.1.2.0       393588 Bytes    6/7/2010 22:44:55
                                      AECORE.DLL      : 8.1.15.3      192886 Bytes    6/7/2010 22:44:53
                                      AEBB.DLL        : 8.1.1.0        53618 Bytes    6/7/2010 22:44:52
                                      AVWINLL.DLL     : 10.0.0.0       19304 Bytes   1/14/2010 23:03:38
                                      AVPREF.DLL      : 10.0.0.0       44904 Bytes   1/14/2010 23:03:35
                                      AVREP.DLL       : 10.0.0.8       62209 Bytes   2/19/2010 03:47:40
                                      AVREG.DLL       : 10.0.3.0       53096 Bytes    4/1/2010 23:35:46
                                      AVSCPLR.DLL     : 10.0.3.0       83816 Bytes    4/1/2010 23:39:51
                                      AVARKT.DLL      : 10.0.0.14     227176 Bytes    4/1/2010 23:22:13
                                      AVEVTLOG.DLL    : 10.0.0.8      203112 Bytes   1/26/2010 20:53:30
                                      SQLITE3.DLL     : 3.6.19.0      355688 Bytes   1/28/2010 23:57:58
                                      AVSMTP.DLL      : 10.0.0.17      63848 Bytes   3/17/2010 02:38:56
                                      NETNT.DLL       : 10.0.0.0       11624 Bytes   2/20/2010 01:41:00
                                      RCIMAGE.DLL     : 10.0.0.26    2550120 Bytes   1/29/2010 00:10:20
                                      RCTEXT.DLL      : 10.0.53.0      97128 Bytes   4/10/2010 01:14:29

                                      Configuration settings for the scan:
                                      Jobname.............................: Complete system scan
                                      Configuration file..................: C:\Program Files (x86)\Avira\AntiVir Desktop\sysscan.avp
                                      Logging.............................: low
                                      Primary action......................: interactive
                                      Secondary action....................: ignore
                                      Scan master boot sector.............: on
                                      Scan boot sector....................: on
                                      Boot sectors........................: C:,
                                      Process scan........................: on
                                      Extended process scan...............: on
                                      Scan registry.......................: on
                                      Search for rootkits.................: on
                                      Integrity checking of system files..: off
                                      Scan all files......................: All files
                                      Scan archives.......................: on
                                      Recursion depth.....................: 20
                                      Smart extensions....................: on
                                      Macro heuristic.....................: on
                                      File heuristic......................: medium

                                      Start of the scan: Monday, June 28, 2010  00:40

                                      Starting search for hidden objects.
                                      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\381b4222-f694-41f0-9685-ff5bb260df2e
                                          [NOTE]      The registry entry is invisible.
                                      HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Applets\SysTray\BattMeter\Flyout\8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
                                          [NOTE]      The registry entry is invisible.

                                      The scan of running processes will be started
                                      Scan process 'avscan.exe' - '87' Module(s) have been scanned
                                      Scan process 'GoogleUpdate.exe' - '39' Module(s) have been scanned
                                      Scan process 'BrMfcmon.exe' - '35' Module(s) have been scanned
                                      Scan process 'brccMCtl.exe' - '72' Module(s) have been scanned
                                      Scan process 'avgnt.exe' - '70' Module(s) have been scanned
                                      Scan process 'jusched.exe' - '27' Module(s) have been scanned
                                      Scan process 'PMVService.exe' - '51' Module(s) have been scanned
                                      Scan process 'BrMfcWnd.exe' - '45' Module(s) have been scanned
                                      Scan process 'pptd40nt.exe' - '28' Module(s) have been scanned
                                      Scan process 'ArcadeDeluxeAgent.exe' - '53' Module(s) have been scanned
                                      Scan process 'LManager.exe' - '55' Module(s) have been scanned
                                      Scan process 'EgisUpdate.exe' - '40' Module(s) have been scanned
                                      Scan process 'AWC.exe' - '78' Module(s) have been scanned
                                      Scan process 'GoogleToolbarNotifier.exe' - '70' Module(s) have been scanned
                                      Scan process 'UpdaterService.exe' - '23' Module(s) have been scanned
                                      Scan process 'SchedulerSvc.exe' - '39' Module(s) have been scanned
                                      Scan process 'MWLService.exe' - '42' Module(s) have been scanned
                                      Scan process 'GregHSRW.exe' - '24' Module(s) have been scanned
                                      Scan process 'avguard.exe' - '68' Module(s) have been scanned
                                      Scan process 'sched.exe' - '50' Module(s) have been scanned

                                      Starting master boot sector scan:
                                      Master boot sector HD0
                                          [INFO]      No virus was found!

                                      Start scanning boot sectors:
                                      Boot sector 'C:\'
                                          [INFO]      No virus was found!

                                      Starting to scan executable files (registry).
                                      The registry was scanned ( '116' files ).


                                      Starting the file scan:

                                      Begin scan in 'C:\' <Acer>


                                      End of the scan: Monday, June 28, 2010  01:47
                                      Used time:  1:06:24 Hour(s)

                                      The scan has been done completely.

                                        24330 Scanned directories
                                       754132 Files were scanned
                                            0 Viruses and/or unwanted programs were found
                                            0 Files were classified as suspicious
                                            0 files were deleted
                                            0 Viruses and unwanted programs were repaired
                                            0 Files were moved to quarantine
                                            0 Files were renamed
                                            0 Files cannot be scanned
                                       754132 Files not concerned
                                         6228 Archives were scanned
                                            0 Warnings
                                            0 Notes
                                       657736 Objects were scanned with rootkit scan
                                            2 Hidden objects were found

                                      ¤ø„¸¸„ø¤º°Aloha,
                                      ¸„ø¤º°¨¨°º¤ø„¸from
                                      ¸„ø¤º° Frani ``°º¤ø„¸

                                      an8el

                                        Topic Starter


                                      Re: persistent TR/Crypt.Xpack.gen
                                      « Reply #38 on: June 28, 2010, 06:22:09 AM »
                                      I'm hoping........!

Here's the HijackThis logfile:

                                      Logfile of Trend Micro HijackThis v2.0.4
                                      Scan saved at 2:21:33 AM, on 6/28/2010
                                      Platform: Windows 7  (WinNT 6.00.3504)
                                      MSIE: Internet Explorer v8.00 (8.00.7600.16385)
                                      Boot mode: Normal

                                      Running processes:
                                      C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
                                      C:\Program Files (x86)\IObit\Advanced SystemCare 3\AWC.exe
                                      C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe
                                      C:\Program Files (x86)\Launch Manager\LManager.exe
                                      C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe
                                      C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
                                      C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
                                      C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe
                                      C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
                                      C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe
                                      C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
                                      C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
                                      C:\Program Files (x86)\Trend Micro\HiJackThis\sniper.exe
                                      C:\Program Files (x86)\Mozilla Firefox\firefox.exe

                                      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
                                      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://homepage.acer.com/rdr.aspx?b=ACAW&l=0409&m=aspire_5532&r=27361109d545l0334z1h5t4852x232
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
                                      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
                                      R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
                                      O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
                                      O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
                                      O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
                                      O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
                                      O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
                                      O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.5.5126.1836\swg.dll
                                      O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
                                      O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
                                      O4 - HKLM\..\Run: [EgisTecLiveUpdate] "C:\Program Files (x86)\EgisTec Egis Software Update\EgisUpdate.exe"
                                      O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
                                      O4 - HKLM\..\Run: [LManager] C:\Program Files (x86)\Launch Manager\LManager.exe
                                      O4 - HKLM\..\Run: [ArcadeDeluxeAgent] "C:\Program Files (x86)\Acer Arcade Deluxe\Acer Arcade Deluxe\ArcadeDeluxeAgent.exe"
                                      O4 - HKLM\..\Run: [Acer Assist Launcher] C:\Program Files (x86)\Acer\Acer Assist\launcher.exe
                                      O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
                                      O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
                                      O4 - HKLM\..\Run: [IndexSearch] C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe
                                      O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
                                      O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe /autorun
                                      O4 - HKLM\..\Run: [PlayMovie] "C:\Program Files (x86)\Acer Arcade Deluxe\PlayMovie\PMVService.exe"
                                      O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
                                      O4 - HKLM\..\Run: [avgnt] "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
                                      O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
                                      O4 - HKCU\..\Run: [Google Update] "C:\Users\Franis\AppData\Local\Google\Update\GoogleUpdate.exe" /c
                                      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                      O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
                                      O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
                                      O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
                                      O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
                                      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE/3000
                                      O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
                                      O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
                                      O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
                                      O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
                                      O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
                                      O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
                                      O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
                                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
                                      O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
                                      O10 - Unknown file in Winsock LSP: c:\program files (x86)\common files\microsoft shared\windows live\wlidnsp.dll
                                      O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
                                      O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~2\COMMON~1\Skype\SKYPE4~1.DLL
                                      O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
                                      O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
                                      O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\sched.exe
                                      O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files (x86)\Avira\AntiVir Desktop\avguard.exe
                                      O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
                                      O23 - Service: Acer ePower Service (ePowerSvc) - Acer Incorporated - C:\Program Files\Acer\Acer ePower Management\ePowerSvc.exe
                                      O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
                                      O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\Acer Games\Acer Game Console\GameConsoleService.exe
                                      O23 - Service: GRegService (Greg_Service) - Acer Incorporated - C:\Program Files (x86)\Acer\Registration\GregHSRW.exe
                                      O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
                                      O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
                                      O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
                                      O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
                                      O23 - Service: MyWinLocker Service (MWLService) - Egis Technology Inc. - C:\Program Files (x86)\EgisTec\MyWinLocker 3\x86\\MWLService.exe
                                      O23 - Service: NTI Backup Now 5 Backup Service (NTIBackupSvc) - NewTech InfoSystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\BackupSvc.exe
                                      O23 - Service: NTI Backup Now 5 Scheduler Service (NTISchedulerSvc) - NewTech Infosystems, Inc. - C:\Program Files (x86)\NewTech Infosystems\NTI Backup Now 5\SchedulerSvc.exe
                                      O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
                                      O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
                                      O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
                                      O23 - Service: SAS Core Service (SASCORE) - SUPERAntiSpyware.com - C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
                                      O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
                                      O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
                                      O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
                                      O23 - Service: Updater Service - Acer - C:\Program Files\Acer\Acer Updater\UpdaterService.exe
                                      O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
                                      O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
                                      O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
                                      O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
                                      O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
                                      O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
                                      O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

                                      --
                                      End of file - 11260 bytes

                                      Crush

                                      • Malware Removal Specialist


                                        Re: persistent TR/Crypt.Xpack.gen
                                        « Reply #39 on: June 28, 2010, 06:59:32 AM »
                                        Hi again :).

                                        Windows Vista and 7 wreak havoc on some of the tools we use. One of them is HijackThis. But as far as I can tell you're clean. Any symptoms to suggest otherwise?
                                        "I am in fact, quite cool. My graphing calculator confirms this"

                                        an8el

                                          Topic Starter


                                        Re: persistent TR/Crypt.Xpack.gen
                                        « Reply #40 on: June 28, 2010, 07:24:43 AM »
                                        Just did the last scan by this software, and it gave me a log this time!!

                                        SUPERAntiSpyware Scan Log
                                        http://www.superantispyware.com

                                        Generated 06/28/2010 at 03:12 AM

                                        Application Version : 4.38.1004

                                        Core Rules Database Version : 5126
                                        Trace Rules Database Version: 2938

                                        Scan type       : Quick Scan
                                        Total Scan Time : 00:46:34

                                        Memory items scanned      : 528
                                        Memory threats detected   : 0
                                        Registry items scanned    : 669
                                        Registry threats detected : 0
                                        File items scanned        : 29277
                                        File threats detected     : 0


                                        Hey Crush! I have something for you....!



                                        an8el

                                          Topic Starter


                                        Re: persistent TR/Crypt.Xpack.gen
                                        « Reply #41 on: June 28, 2010, 07:27:55 AM »
                                        Will take you to see your cousins in Hawaii when you come and visit! As you can see, only a couple of feet of water is required...!

                                        I'm very Haaapppppeeey!

                                        Crush

                                        • Malware Removal Specialist


                                          Re: persistent TR/Crypt.Xpack.gen
                                          « Reply #42 on: June 28, 2010, 07:35:39 AM »
                                           :rofl: I love it.

It's been a ton of fun. You've been a pleasure to work with.

                                          Congratulations!! Your PC is all clean!  :D

                                          There are many things you can do to keep this from happening again. You can think of a computer like a car. It requires basic maintenance to keep in tip top shape and ready to go. Would you drive your car 100,000 miles without changing the oil? The same principle applies here.

                                          Cleaning

                                          Now that your PC is free of malware, it is important to clean up your PC. There are several good free cleaners available. You should make sure to clean up your temp files regularly, at least once a week.

                                          ATF Cleaner
                                          CCleaner

                                          Defragmenting Your Hard Disk

Over time your PC can become fragmented. Windows comes with a defragmenting utility; however, it is very slow, and there are other options available.

                                          To use the defragmenter included with Windows either go to Start/Run and type dfrg.msc, hit enter; or
                                          right-click My Computer, choose Manage, Storage, Disk Defragmenter.

In the Defragmenter utility, select your main partition/HD, generally C:\, and select Analyze. The analysis report will tell you whether or not your disk needs to be defragmented; if it does, click Defragment. Be patient, this can take a long time.

                                          Repeat for multiple partitions/hard disks.

                                          System Restore Cleanup Instructions

                                          If you are using Windows ME or XP then it is good to disable and re-enable system restore to make sure there are no infected files left in a restore point. (All restore points will be deleted that way)
                                          You can find instructions on how to disable and re-enable system restore here:

                                          Windows ME System Restore Guide

                                          Windows XP System Restore Guide

                                          Reading Tip:
                                          Computer Health
                                          Keep Your System Updated

Microsoft releases patches for Windows and Office products regularly to close loopholes in Windows and Office products and fix any bugs found. Please ensure that you visit the following websites regularly or update your system regularly.

                                          Install the updates immediately, if they are found. Reboot your computer if necessary, revisit Windows Update and Office update sites until there are no more updates to be installed.

                                          To update Windows and office

                                          Go to Start > All Programs > Microsoft Update

                                          Alternatively, you can visit the link below to update Windows and Office products.

                                          Microsoft Update

                                          If you are forgetful, you can change some settings so that you will be informed of updates. Here's how:

1. Go to Start > Control Panel > Automatic Updates
2. Select the Automatic (recommended) radio button if you want the updates to be downloaded and installed without prompting you.
3. Select the Download updates for me, but let me choose when to install them radio button if you want the updates to be downloaded automatically but to be installed at another time.
4. Select the Notify me but don't automatically download or install them radio button if you want to be notified of the updates.

                                          Please make sure that you update your antivirus, firewall and anti-spyware programs at least once a week.

                                          Be careful when opening attachments and downloading files.

                                          1. Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.
                                          2. Never open emails from unknown senders.
                                          3. Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These are called hoaxes. The email addresses used in the hoaxes can be easily spoofed. Check the antivirus vendor websites to be sure.
                                          4. Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on Sourceforge or Pricelessware.

                                          Surf safely

                                          Many security exploits on websites are directed to users of Internet Explorer and Firefox.

If you use Firefox, try the NoScript add-on, which by default disables all scripts on all websites. If you trust the website, you can manually allow scripts to work.

                                          Backup regularly

                                          You never know when your PC will become unstable or become so infected that you can't recover it. Follow this Microsoft Article to learn how to backup. Follow This Article by Microsoft to restore your backups.

                                          Alternatively, you can use 3rd-party programs to back up your data. Examples of these can be found at
                                          Bleeping Computer

                                          Avoid P2P

                                          I see you have P2P software installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It is certainly contributing to your current situation.

                                          Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

I would strongly recommend that you uninstall them; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

                                          Prevent A Re-infection

                                          1. Winpatrol

                                          Winpatrol is a heuristic protection program, meaning it looks for patterns in code that behave like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features Here

                                          You can get a Free Copy of Winpatrol or use the Plus Version for more features.

                                          You can read Win Patrol FAQ if you run into problems.

                                          2. Hosts File

                                          A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your PC will look up the website's IP address before you can view the website.

                                          A new Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

                                          Here are some Hosts files:
                                          MVPS Hosts File
                                          Blue Tack’s Hosts File
                                          Blue Tack’s Hosts Manager

                                          3. Spybot Search and Destroy

                                          Spybot Search & Destroy is another program for scanning spyware and adware. You are strongly encouraged to run a scan at least once per week.

                                          Spybot Search & Destroy can be downloaded from here.

                                          If you need help in using Spybot Search & Destroy, you can read Spybot Search and Destroy tutorial at Bleeping Computer.

                                          4. SiteHound Toolbar

                                          SiteHound is a toolbar that warns you if you go to a site that is known to scam people, that has potentially lots of viruses or spyware or other questionable content. If you know the site, you can enter it; if you don't, it will bring you back to the previous page. Currently, SiteHound works for Internet Explorer and Firefox only.

                                          ====

                                          Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!

                                          The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
                                          ============================================================
                                          See this page for more info about malware and prevention.

                                          Thank you for choosing ComputerHope
                                           
                                          Before the thread is archived, do you have any more questions?

                                          Happy surfing and stay clean!
                                          "I am in fact, quite cool. My graphing calculator confirms this"
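The Hosts-file mechanism described in item 2 of the post above cuts both ways: a blocklist such as MVPS maps unwanted hostnames to a loopback or unroutable address so the request never leaves the machine, while malware uses the same file to point security vendors' sites at an address it controls (or at loopback) so the victim cannot fetch updates or tools. The script below is an added example, not code from Crush's post or from any of the linked tools. It parses a hosts file in the standard `address hostname [aliases] # comment` layout and sorts each entry into one of four buckets so both patterns show up at a glance. The sample hosts text, the `.test` hostnames and the `PROTECTED_SUFFIXES` list are constructed for the example and are assumptions, not a vendor-supplied indicator list; the only real path used is the stock Windows location `C:\Windows\System32\drivers\etc\hosts`.

```python
"""Audit a hosts file: separate blocklist entries from hijacked entries.

Added example for this thread; not part of the original post. The sample
data and the protected-suffix list below are constructed assumptions.
"""
import sys

# Addresses a legitimate blocklist points hostnames at. Older lists use
# 127.0.0.1; newer MVPS releases use 0.0.0.0, which fails faster because
# nothing listens there.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# The stock entries every hosts file carries.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain"}

# Hostnames a home user practically never blocks on purpose: their own AV,
# Windows Update and the removal tools used in this thread. Constructed for
# the example (assumption), extend it to match the tools you rely on.
PROTECTED_SUFFIXES = (
    "avira.com", "microsoft.com", "windowsupdate.com",
    "superantispyware.com", "safer-networking.org", "bleepingcomputer.com",
)

DEFAULT_WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed sample: two stock lines, two MVPS-style blocklist lines,
# two lines of the kind malware plants, and one routable redirect.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# blocklist-style entries (constructed)
0.0.0.0         ads.example-adserver.test
127.0.0.1       tracker.example-spyware.test   # trailing comment
# entries of the kind malware plants (constructed)
127.0.0.1       www.avira.com
203.0.113.45    update.microsoft.com
198.51.100.7    bank.example.test
"""


def parse_hosts(text):
    """Yield (address, [hostnames], line_number) for each real entry."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                           # address with no hostname
        yield parts[0], parts[1:], lineno


def classify_entry(address, names):
    """Return 'localhost', 'blocklist', 'hijack' or 'redirect'.

    localhost : stock loopback lines
    blocklist : sinkhole address, no protected hostname (MVPS-style)
    hijack    : a protected hostname pointed anywhere at all
    redirect  : any other hostname pointed at a routable address
    """
    lower = [n.lower() for n in names]
    if address in SINKHOLE_ADDRESSES and all(n in LOCALHOST_NAMES for n in lower):
        return "localhost"
    if any(n == s or n.endswith("." + s) for n in lower for s in PROTECTED_SUFFIXES):
        return "hijack"
    if address in SINKHOLE_ADDRESSES:
        return "blocklist"
    return "redirect"


def audit_hosts(text):
    """Group every entry of a hosts file by category."""
    report = {"localhost": [], "blocklist": [], "hijack": [], "redirect": []}
    for address, names, lineno in parse_hosts(text):
        report[classify_entry(address, names)].append((lineno, address, names))
    return report


def suspicious_entries(text):
    """The lines a removal helper would ask about: hijacks and redirects."""
    report = audit_hosts(text)
    return report["hijack"] + report["redirect"]


if __name__ == "__main__":
    # Usage: python hosts_audit.py [path-to-hosts-file]
    # Without an argument the constructed sample is audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    else:
        print("no path given, auditing the constructed sample "
              f"(on Windows the real file is {DEFAULT_WINDOWS_HOSTS})")
        content = SAMPLE_HOSTS
    for category, entries in audit_hosts(content).items():
        print(f"{category}: {len(entries)}")
        for lineno, address, names in entries:
            print(f"  line {lineno}: {address} -> {' '.join(names)}")
```

Reading the file needs no elevation on Windows, but the Notepad "access denied" from the first post is what you hit when saving it: writes to that directory require an elevated editor, which is why the run-as-administrator advice applies. A "hijack" line for your own AV vendor is the entry to remove; a "blocklist" line is exactly what the MVPS file adds on purpose.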

                                          an8el

                                          Re: persistent TR/Crypt.Xpack.gen
                                          « Reply #43 on: June 28, 2010, 08:07:52 AM »
                                          Yeah, all that in the advice of how to not get malware - AND my most important advice is to make sure to turn off the auto-updates on the Acer game site, which is what got me the Trojan in the first place. ;o((  (You'd think that the manufacturer's endorsed website would be free of malware! But nooooooo.)

                                          What I'm going to do is to install Linux and hang out online using that instead of windows most of the time. Only use this OS when I MUST because some software requires Windows for a certain purpose, or that I am traveling with this laptop.

                                          ...and Crush, you were very patient to be working with me. I can't imagine that you were anything but an expert - (probably figuring that you are a famous Humblistic person in disguise.)

                                          Am serious about showing you a good time if you want to come visit Hawaii! I'm on the Big Island where there are lots of turtles...who will come visit you, even if you can't swim with them.
                                          ¤ø„¸¸„ø¤º°Aloha,
                                          ¸„ø¤º°¨¨°º¤ø„¸from
                                          ¸„ø¤º° Frani ``°º¤ø„¸

                                          an8el

                                          Re: persistent TR/Crypt.Xpack.gen
                                          « Reply #44 on: June 28, 2010, 08:08:59 AM »
                                          OK - how do I mark this one [solved] ?

                                          Crush
                                          • Malware Removal Specialist
                                            Re: persistent TR/Crypt.Xpack.gen
                                            « Reply #45 on: June 28, 2010, 08:16:31 AM »
                                            I'll look you up the next time I'm in Hawaii  ;D

                                            Quote
                                            OK - how do I mark this one [solved] ?

                                            I can do that for you