Topic: Windows repair trojan


saugen48
Windows repair trojan
« on: April 25, 2011, 11:30:21 PM »
Good day,

First time posting here... A few days ago, the Windows Repair trojan somehow made it onboard my Toshiba laptop (Toshiba Satellite 7720, Win Vista Ultimate 64). My AV, which is Avast Free and is always up to date along with SpywareBlaster, somehow let it through... I knew it was bogus because the Windows logo looked like puzzle pieces and the obligatory warnings, i.e. your HDD has 34 unusable sectors, 38 infections found, your memory usage is at maximum, etc., along with the scanning bar going across the screen.
Well, I managed to get rid of the popup and, luckily, of the few shortcuts and icons that were left on my desktop, the Start button was also there, which allowed me to get to my Malwarebytes, which I had just updated that morning. I ran a quick scan, which found 6 trojans, which were of course quarantined and deleted... after which I ran a complete scan and found nothing.
I did some online searching as to a possible correlation with my missing desktop icons & files etc. and found that this nasty also hides them... so I was instructed to go to Folder Options and uncheck the box "hide shortcuts and files".
Anyway, that's where I stand... no problems of any sort since... ran a recent MB scan and nothing found. RC over at Computer Help Forums at GardenWeb suggested a quick trip over to check things out... Here I am.

Corrine (Administrator)
Re: Windows repair trojan
« Reply #1 on: April 26, 2011, 12:02:00 AM »
Hi, saugen48.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

I would like to see the MBAM log that showed the trojans which were removed.  You can find it by launching MBAM and clicking the Logs tab.

So we can take a closer look, please do the following (allowing RSIT to download HijackThis if it is not installed on your computer):
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double-click on RSITx64.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<< will be maximized) and info.txt (<< will be minimized).

saugen48
Re: Windows repair trojan
« Reply #2 on: April 26, 2011, 12:08:42 AM »
Logfile of random's system information tool 1.08 (written by random/random)
Run by Gene at 2011-04-25 21:04:00
Microsoft® Windows Vista™ Ultimate  Service Pack 2
System drive C: has 76 GB (51%) free of 147 GB
Total RAM: 4093 MB (54% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 9:04:09 PM, on 25/04/2011
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.19048)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files (x86)\TouchFreeze\TouchFreeze.exe
C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe
C:\Program Files (x86)\VueSoft\VueMinder\VueMinder.exe
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files (x86)\Launch Manager\LManager.exe
C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe
C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSMSNLoader32.exe
C:\Rocket\Flower\flower.exe
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files\trend micro\Gene.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cbc.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://en.ca.acer.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://en.ca.acer.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://ca.rd.yahoo.com/customize/ycomp/defaults/su/*http://ca.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files (x86)\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files (x86)\WOT\WOT.dll
O4 - HKLM\..\Run: [LManager] C:\PROGRA~2\LAUNCH~1\LManager.exe
O4 - HKLM\..\Run: [eAudio] "C:\Acer\Empowering Technology\eAudio\eAudio.exe"
O4 - HKLM\..\Run: [Performance Center] C:\Program Files (x86)\Ascentive\Performance Center\APCMain.exe -m
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] "C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
O4 - HKLM\..\Run: [IndexSearch] "C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe"
O4 - HKLM\..\Run: [PPort11reminder] "C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe" -r "C:\ProgramData\ScanSoft\PaperPort\11\Config\Ereg\Ereg.ini"
O4 - HKLM\..\Run: [BrMfcWnd] "C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] "C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe" /autorun
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [TouchFreeze] C:\Program Files (x86)\TouchFreeze\TouchFreeze.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [VueMinder] "C:\Program Files (x86)\VueSoft\VueMinder\VueMinder.exe" 1
O4 - HKCU\..\Run: [Messenger (Yahoo!)] "C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Google Update] "C:\Users\Gene\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe -update activex
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Empowering Technology Launcher.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\Windows\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files (x86)\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files (x86)\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files (x86)\a-squared Free\a2service.exe
O23 - Service: ALaunch Service (ALaunchService) - Unknown owner - C:\Acer\ALaunch\ALaunchSvc.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: WebEx Service Host for Support Center (atashost) - WebEx Communications, Inc. - C:\Windows\SysWOW64\atashost.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: eDataSecurity Service - HiTRSUT - C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eNet Service - Acer Inc. - C:\Acer\Empowering Technology\eNet\eNet Service.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: eSettings Service (eSettingsService) - Unknown owner - C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: Google Update Service (gupdate1c9f91a469fee10) (gupdate1c9f91a469fee10) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: ePower Service (WMIService) - acer - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
O23 - Service: XAudioService - Unknown owner - C:\Windows\system32\DRIVERS\xaudio64.exe (file missing)

--
End of file - 12845 bytes

======Listing Processes======

\SystemRoot\System32\smss.exe
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
wininit.exe
C:\Windows\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
winlogon.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
"C:\Program Files\Alwil Software\Avast5\AvastSvc.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
taskeng.exe {E7FA65D8-B59F-42EF-9724-A48F586CC1CD}
taskeng.exe {F79CE9A3-09DA-4CB2-83FD-97B953096A5C}
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"C:\Program Files (x86)\a-squared Free\a2service.exe"
C:\Acer\ALaunch\ALaunchSvc.exe
"C:\Windows\SysWOW64\atashost.exe"
"C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe"
"C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe"
"C:\Acer\Empowering Technology\eNet\eNet Service.exe"
"C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe"
"C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe"
"C:\Acer\Mobility Center\MobilityService.exe" -p
"C:\Windows\Microsoft.NET\Framework64\v3.0\Windows Communication Foundation\SMSvcHost.exe"
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
"C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe"
C:\Windows\system32\svchost.exe -k imgsvc
"C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe"
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\DRIVERS\xaudio64.exe
"C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe"
"C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe"
"C:\Acer\Empowering Technology\ePower\ePowerSvc.exe"
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
"C:\Program Files\Windows Defender\MSASCui.exe" -hide
"C:\Windows\RAVCpl64.exe"
"C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe"
"C:\Windows\BR040264.exe"
"C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe"
"C:\Program Files\Apoint2K\Apoint.exe"
"C:\Windows\System32\rundll32.exe" C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
"C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
"C:\Windows\ehome\ehtray.exe"
"C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
"C:\Program Files (x86)\TouchFreeze\TouchFreeze.exe"
"C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
"C:\Program Files (x86)\VueSoft\VueMinder\VueMinder.exe" 1
"C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe" -quiet
"C:\Program Files (x86)\Launch Manager\LManager.exe"
"C:\Acer\Empowering Technology\eAudio\eAudio.exe"
"C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe"
"C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe" /AUTORUN
"C:\Program Files\Alwil Software\Avast5\AvastUI.exe" /nogui
"C:\Program Files (x86)\Launch Manager\MMDx64Fx.exe"
rundll32 NVSVC64.DLL,nvsvcInitialize
"C:\Program Files (x86)\Brother\ControlCenter3\brccMCtl.exe" /autorun
"C:\Program Files (x86)\Brother\Brmfcmon\BrMfcmon.exe"
C:\Windows\ehome\ehmsas.exe -Embedding
C:\Users\Gene\AppData\Local\Temp\RtkBtMnt.exe
"C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE"
"C:\Program Files\Apoint2K\ApMsgFwd.exe" -s{05FA8492-C047-4207-BE65-780D8591C113}
"Apntex.exe"
C:\Windows\system32\conime.exe
"C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE"
"C:\Acer\Empowering Technology\eDataSecurity\eDSMSNLoader32.exe"
"C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE"
"C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE"
"C:\Program Files\Windows Media Player\wmpnscfg.exe"
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
"C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe"
C:\Windows\system32\SearchIndexer.exe /Embedding
splwow64
C:\Windows\System32\mobsync.exe -Embedding
"C:\Rocket\Flower\flower.exe"
"C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe" -restart
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -Embedding
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4908 CREDAT:71937
"C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbarUser_32.exe"
"C:\Windows\system32\SearchFilterHost.exe" 0 656 660 668 65536 664
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:4908 CREDAT:203009
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe194_ Global\UsGthrCtrlFltPipeMssGthrPipe194 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Users\Gene\Desktop\RSITx64.exe"

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4167856230-1268464880-2386899631-1000Core.job
C:\Windows\tasks\GoogleUpdateTaskUserS-1-5-21-4167856230-1268464880-2386899631-1000UA.job
C:\Windows\tasks\User_Feed_Synchronization-{8979867A-BD6B-48B8-B600-D4BEA81384F9}.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2011-03-18 400560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\5.6.6209.1142\swg64.dll [2011-03-18 335928]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
Yahoo! Toolbar Helper - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-09-22 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
AskBar BHO - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll [2008-11-18 333192]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2011-03-18 298160]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.6.6209.1142\swg.dll [2011-03-18 848952]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C920E44A-7F78-4E64-BDD7-A57026E7FEB7}]
WOT Helper - C:\Program Files (x86)\WOT\WOT.dll [2010-12-20 1296544]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll [2010-01-11 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - Acer eDataSecurity Management - C:\Windows\system32\eDStoolbar.dll [2007-10-06 183296]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll [2011-03-18 400560]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Internet Explorer\Toolbar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} - Yahoo! Toolbar - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll [2006-11-29 436288]
{3041d03e-fd4b-44e0-b742-2d9b88305f98} - Foxit Toolbar - C:\Program Files (x86)\AskBarDis\bar\bin\askBar.dll [2008-11-18 333192]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - Google Toolbar - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll [2011-03-18 298160]
{71576546-354D-41c9-AAE8-31F2EC22BF0D} - WOT - C:\Program Files (x86)\WOT\WOT.dll [2010-12-20 1296544]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"=C:\Program Files\Windows Defender\MSASCui.exe [2008-01-19 1584184]
"ALaunch"=C:\Acer\ALaunch\AlaunchClient.exe []
"RtHDVCpl"=C:\Windows\RAVCpl64.exe [2007-08-09 5422592]
"Skytel"=C:\Windows\Skytel.exe [2007-08-03 1826816]
"eDataSecurity Loader"=C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe [2007-10-11 510496]
"BisonInst0402"=C:\Windows\BR040264.exe [2007-05-09 57856]
"IAAnotif"=C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaanotif.exe [2007-07-12 178712]
"Apoint"=C:\Program Files\Apoint2K\Apoint.exe [2007-06-06 217088]
"NvSvc"=C:\Windows\system32\nvsvc64.dll [2007-08-23 88064]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2007-08-23 10700288]
"NvMediaCenter"=C:\Windows\system32\NvMcTray.dll [2007-08-23 74752]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"=C:\Program Files\Windows Sidebar\sidebar.exe [2009-04-11 1555968]
"ehTray.exe"=C:\Windows\ehome\ehTray.exe [2008-01-19 138240]
"swg"=C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2009-11-27 39408]
"TouchFreeze"=C:\Program Files (x86)\TouchFreeze\TouchFreeze.exe [2005-04-29 45056]
"msnmsgr"=C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [2010-04-16 3872080]
"VueMinder"=C:\Program Files (x86)\VueSoft\VueMinder\VueMinder.exe [2010-08-27 3609088]
"Messenger (Yahoo!)"=C:\PROGRA~2\Yahoo!\MESSEN~1\YahooMessenger.exe [2010-06-01 5252408]
"Google Update"=C:\Users\Gene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-16 136176]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"=C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe [2011-03-24 235168]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Assist Launcher]
C:\Program Files (x86)\Acer Assist\launcher.exe [2007-02-02 1261568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Product Registration]
C:\Program Files (x86)\Acer Registration\ACE1.exe [2007-02-02 3383296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer Tour Reminder]
C:\Acer\AcerTour\Reminder.exe [2007-05-22 151552]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
C:\Users\Gene\AppData\Local\Google\Update\GoogleUpdate.exe [2010-10-16 136176]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
C:\PROGRA~2\ICQ6\ICQ.exe silent []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
C:\Program Files (x86)\Yahoo!\Messenger\YahooMessenger.exe [2010-06-01 5252408]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mirabilis ICQ]
C:\PROGRA~2\ICQ\ICQNet.exe [2003-10-14 38984]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PlayMovie]
C:\Program Files (x86)\Acer Arcade Deluxe\Play Movie\PMVService.exe [2007-10-16 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files (x86)\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe [2010-03-20 202256]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Gene^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OpenOffice.org 2.4.lnk]
C:\PROGRA~2\OPENOF~1.4\program\QUICKS~1.EXE [2008-01-21 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Users^Gene^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Stickies.lnk]
C:\PROGRA~2\Stickies\stickies.exe [2008-08-28 765952]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"Acer Tour"= []
"LManager"=C:\PROGRA~2\LAUNCH~1\LManager.exe [2007-08-15 772616]
"eRecoveryService"= []
"eAudio"=C:\Acer\Empowering Technology\eAudio\eAudio.exe [2007-10-12 1501184]
"Performance Center"=C:\Program Files (x86)\Ascentive\Performance Center\APCMain.exe -m []
"SSBkgdUpdate"=C:\Program Files (x86)\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-10-25 210472]
"PaperPort PTD"=C:\Program Files (x86)\ScanSoft\PaperPort\pptd40nt.exe [2007-10-11 29984]
"IndexSearch"=C:\Program Files (x86)\ScanSoft\PaperPort\IndexSearch.exe [2007-10-11 46368]
"PPort11reminder"=C:\Program Files (x86)\ScanSoft\PaperPort\Ereg\Ereg.exe [2007-08-31 328992]
"BrMfcWnd"=C:\Program Files (x86)\Brother\Brmfcmon\BrMfcWnd.exe [2007-11-05 741376]
"ControlCenter3"=C:\Program Files (x86)\Brother\ControlCenter3\brctrcen.exe [2007-10-30 77824]
"avast5"=C:\Program Files\Alwil Software\Avast5\avastUI.exe [2011-01-13 3396624]
"TkBellExe"=C:\Program Files (x86)\Common Files\Real\Update_OB\realsched.exe [2010-03-20 202256]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre6\bin\jusched.exe []
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [2011-01-31 35760]
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Empowering Technology Launcher.lnk - C:\Acer\Empowering Technology\eAPLauncher.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files (x86)\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\atashost]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfPf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfRd]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfSvc]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\WudfUsbccidDriver]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"EnableUIADesktopToggle"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"ForceActiveDesktopOn"=0
"NoActiveDesktopChanges"=0
"BindDirectlyToPropertySetStorage"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 months======

2011-04-25 21:04:00 ----D---- C:\rsit
2011-04-25 21:04:00 ----D---- C:\Program Files\trend micro
2011-04-22 20:47:09 ----D---- C:\Users\Gene\AppData\Roaming\TeamViewer
2011-04-22 11:25:02 ----D---- C:\ProgramData\AIM Toolbar
2011-04-22 11:25:02 ----D---- C:\Program Files (x86)\AIM Toolbar
2011-04-22 11:24:44 ----D---- C:\ProgramData\AIM
2011-04-22 11:24:41 ----D---- C:\Program Files (x86)\AIM
2011-04-21 21:24:07 ----D---- C:\Program Files (x86)\TeamViewer
2011-04-21 16:22:59 ----D---- C:\Program Files\Oracle
2011-04-18 23:11:10 ----SD---- C:\Windows\SYSWOW64\Microsoft
2011-04-17 19:32:44 ----HD---- C:\ProgramData\Trymedia
2011-04-13 16:36:48 ----A---- C:\Windows\dd_vcredistMSI1FE2.txt
2011-04-13 16:36:47 ----A---- C:\Windows\dd_vcredistUI1FE2.txt
2011-04-13 16:36:06 ----A---- C:\Windows\system32\drivers\mrxsmb20.sys
2011-04-13 16:36:06 ----A---- C:\Windows\system32\drivers\mrxsmb10.sys
2011-04-13 16:36:06 ----A---- C:\Windows\system32\drivers\mrxsmb.sys
2011-04-13 16:36:06 ----A---- C:\Windows\system32\drivers\bowser.sys
2011-04-13 16:36:05 ----A---- C:\Windows\system32\win32k.sys
2011-04-13 16:36:04 ----A---- C:\Windows\system32\inetcomm.dll
2011-04-13 16:36:04 ----A---- C:\Windows\system32\drivers\srvnet.sys
2011-04-13 16:36:04 ----A---- C:\Windows\system32\drivers\srv2.sys
2011-04-13 16:36:04 ----A---- C:\Windows\system32\drivers\srv.sys
2011-04-13 16:36:03 ----A---- C:\Windows\SYSWOW64\vbscript.dll
2011-04-13 16:36:03 ----A---- C:\Windows\SYSWOW64\jscript.dll
2011-04-13 16:36:03 ----A---- C:\Windows\SYSWOW64\inetcomm.dll
2011-04-13 16:36:03 ----A---- C:\Windows\system32\vbscript.dll
2011-04-13 16:36:03 ----A---- C:\Windows\system32\jscript.dll
2011-04-13 16:36:01 ----A---- C:\Windows\system32\winresume.exe
2011-04-13 16:36:01 ----A---- C:\Windows\system32\winload.exe
2011-04-13 16:36:01 ----A---- C:\Windows\system32\kdusb.dll
2011-04-13 16:36:01 ----A---- C:\Windows\system32\kdcom.dll
2011-04-13 16:36:01 ----A---- C:\Windows\system32\kd1394.dll
2011-04-13 16:35:33 ----A---- C:\Windows\SYSWOW64\atmlib.dll
2011-04-13 16:35:33 ----A---- C:\Windows\SYSWOW64\atmfd.dll
2011-04-13 16:35:33 ----A---- C:\Windows\system32\atmlib.dll
2011-04-13 16:35:33 ----A---- C:\Windows\system32\atmfd.dll
2011-04-13 16:35:32 ----A---- C:\Windows\system32\mfc42u.dll
2011-04-13 16:35:32 ----A---- C:\Windows\system32\mfc42.dll
2011-04-13 16:35:31 ----A---- C:\Windows\SYSWOW64\mfc42u.dll
2011-04-13 16:35:31 ----A---- C:\Windows\SYSWOW64\mfc42.dll
2011-04-13 16:35:00 ----A---- C:\Windows\system32\dnsapi.dll
2011-04-13 16:34:59 ----A---- C:\Windows\SYSWOW64\dnscacheugc.exe
2011-04-13 16:34:59 ----A---- C:\Windows\SYSWOW64\dnsapi.dll
2011-04-13 16:34:59 ----A---- C:\Windows\system32\dnsrslvr.dll
2011-04-13 16:34:59 ----A---- C:\Windows\system32\dnscacheugc.exe
2011-04-13 16:26:55 ----A---- C:\Windows\system32\mshtml.dll
2011-04-13 16:26:54 ----A---- C:\Windows\system32\ieframe.dll
2011-04-13 16:26:53 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2011-04-13 16:26:52 ----A---- C:\Windows\SYSWOW64\wininet.dll
2011-04-13 16:26:52 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2011-04-13 16:26:52 ----A---- C:\Windows\SYSWOW64\ieframe.dll
2011-04-13 16:26:52 ----A---- C:\Windows\system32\wininet.dll
2011-04-13 16:26:52 ----A---- C:\Windows\system32\urlmon.dll
2011-04-13 16:26:52 ----A---- C:\Windows\system32\msfeeds.dll
2011-04-13 16:26:52 ----A---- C:\Windows\system32\iertutil.dll
2011-04-13 16:26:52 ----A---- C:\Windows\system32\iedkcs32.dll
2011-04-13 16:26:51 ----A---- C:\Windows\system32\occache.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\mstime.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\msfeedsbs.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\jsproxy.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\ieui.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\iernonce.dll
2011-04-13 16:26:49 ----A---- C:\Windows\system32\iepeers.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\occache.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\mstime.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\msfeedsbs.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\licmgr10.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\ieUnatt.exe
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\ieui.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iesysprep.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iesetup.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iernonce.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iepeers.dll
2011-04-13 16:26:48 ----A---- C:\Windows\SYSWOW64\iedkcs32.dll
2011-04-13 16:26:48 ----A---- C:\Windows\system32\mshtmled.dll
2011-04-13 16:26:48 ----A---- C:\Windows\system32\licmgr10.dll
2011-04-13 16:26:48 ----A---- C:\Windows\system32\ieUnatt.exe
2011-04-13 16:26:48 ----A---- C:\Windows\system32\iesysprep.dll
2011-04-13 16:26:48 ----A---- C:\Windows\system32\iesetup.dll
2011-04-13 16:26:48 ----A---- C:\Windows\system32\ie4uinit.exe
2011-04-13 16:26:44 ----A---- C:\Windows\SYSWOW64\msfeedssync.exe
2011-04-13 16:26:44 ----A---- C:\Windows\SYSWOW64\ie4uinit.exe
2011-04-13 16:26:44 ----A---- C:\Windows\system32\msfeedssync.exe
2011-04-13 16:26:35 ----A---- C:\Windows\system32\FXSCOVER.exe
2011-04-06 09:28:29 ----D---- C:\Program Files (x86)\WOT

======List of files/folders modified in the last 1 months======

2011-04-25 21:04:04 ----D---- C:\Windows\Temp
2011-04-25 21:04:00 ----RD---- C:\Program Files
2011-04-24 15:59:55 ----A---- C:\Windows\BRWMARK.INI
2011-04-23 18:52:24 ----D---- C:\Windows\System32
2011-04-23 18:52:24 ----D---- C:\Windows\inf
2011-04-23 18:52:24 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-04-23 07:12:42 ----SHD---- C:\Windows\Installer
2011-04-23 07:11:01 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2011-04-23 07:08:38 ----A---- C:\Windows\system32\mrt.exe
2011-04-23 07:08:30 ----D---- C:\Windows\system32\catroot2
2011-04-23 07:08:29 ----SHD---- C:\System Volume Information
2011-04-22 21:12:02 ----D---- C:\Windows\Microsoft.NET
2011-04-22 21:12:01 ----RSD---- C:\Windows\assembly
2011-04-22 20:23:52 ----D---- C:\Windows\winsxs
2011-04-22 20:23:52 ----D---- C:\Windows\SysWOW64
2011-04-22 20:23:51 ----D---- C:\Windows\system32\Tasks
2011-04-22 20:23:51 ----D---- C:\Windows\system32\Msdtc
2011-04-22 20:23:47 ----D---- C:\Windows\system32\wbem
2011-04-22 20:23:47 ----D---- C:\Windows
2011-04-22 20:22:29 ----D---- C:\Windows\system32\config
2011-04-22 20:20:44 ----D---- C:\Windows\Tasks
2011-04-22 20:20:43 ----SD---- C:\Windows\Downloaded Program Files
2011-04-22 20:20:43 ----RSD---- C:\Windows\Media
2011-04-22 20:20:43 ----RD---- C:\Windows\Offline Web Pages
2011-04-22 20:20:43 ----D---- C:\Windows\SYSWOW64\wbem
2011-04-22 20:20:43 ----D---- C:\Windows\system32\spool
2011-04-22 20:20:43 ----D---- C:\Windows\system32\CodeIntegrity
2011-04-22 20:20:43 ----D---- C:\Windows\rescache
2011-04-22 20:20:38 ----D---- C:\Program Files (x86)\Opera
2011-04-22 20:20:33 ----D---- C:\Program Files (x86)\Common Files
2011-04-22 20:19:54 ----D---- C:\Windows\registration
2011-04-22 20:19:48 ----D---- C:\Windows\PolicyDefinitions
2011-04-22 20:19:48 ----D---- C:\Windows\AppPatch
2011-04-22 20:19:48 ----D---- C:\Program Files\Internet Explorer
2011-04-22 20:19:48 ----D---- C:\Program Files (x86)\Internet Explorer
2011-04-22 11:25:02 ----HD---- C:\ProgramData
2011-04-22 11:25:02 ----D---- C:\Program Files (x86)
2011-04-21 16:24:12 ----D---- C:\Windows\system32\catroot
2011-04-21 16:23:27 ----DC---- C:\Windows\system32\DRVSTORE
2011-04-19 08:06:50 ----AHD---- C:\ProgramData\TEMP
2011-04-19 08:06:46 ----D---- C:\Program Files (x86)\SpywareBlaster
2011-04-18 23:12:39 ----D---- C:\ProgramData\Pure Networks
2011-04-18 23:12:32 ----D---- C:\Windows\system32\drivers
2011-04-18 22:54:50 ----D---- C:\Users\Gene\AppData\Roaming\stickies
2011-04-18 22:54:50 ----D---- C:\Users\Gene\AppData\Roaming\Skype
2011-04-18 22:54:50 ----D---- C:\Users\Gene\AppData\Roaming\mIRC
2011-04-18 22:54:40 ----D---- C:\ProgramData\webex
2011-04-18 22:54:40 ----D---- C:\ProgramData\PMB Files
2011-04-18 22:54:39 ----D---- C:\Program Files (x86)\ICQ
2011-04-18 22:54:36 ----D---- C:\Acer
2011-04-18 22:53:04 ----D---- C:\ProgramData\Skype
2011-04-18 22:53:03 ----D---- C:\ProgramData\AOL Downloads
2011-04-18 22:53:02 ----D---- C:\ProgramData\acccore
2011-04-18 22:52:59 ----D---- C:\ProgramData\CyberLink
2011-04-18 22:52:58 ----D---- C:\ProgramData\Apple
2011-04-18 21:03:14 ----D---- C:\Windows\Prefetch
2011-04-13 16:47:26 ----D---- C:\Windows\system32\Boot
2011-04-13 16:47:25 ----D---- C:\Windows\SYSWOW64\migration
2011-04-13 16:47:25 ----D---- C:\Windows\system32\migration

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 fvevol;BitLocker Drive Encryption Filter Driver; C:\Windows\System32\DRIVERS\fvevol.sys [2009-04-11 160744]
R0 iaStor;Intel AHCI Controller; C:\Windows\system32\DRIVERS\iaStor.sys [2007-07-12 381976]
R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2011-01-13 29264]
R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2011-01-13 273488]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2011-01-13 51792]
R1 DritekPortIO;Dritek General Port I/O; \??\C:\PROGRA~2\LAUNCH~1\DPortIO.sys [2006-11-02 21264]
R2 {49DE1C67-83F8-4102-99E0-C16DCC7EEC796};{49DE1C67-83F8-4102-99E0-C16DCC7EEC796}; \??\C:\Program Files (x86)\Acer Arcade Deluxe\Play Movie\000.fcl [2007-08-31 32240]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [2011-01-13 20560]
R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [2011-01-13 62032]
R2 int15;int15; \??\C:\Acer\Empowering Technology\eRecovery\int15.sys [2006-10-04 15656]
R2 mdmxsdk;mdmxsdk; C:\Windows\system32\DRIVERS\mdmxsdk.sys [2006-06-19 17024]
R2 PSDFilter;PSDFilter; C:\Windows\system32\DRIVERS\psdfilter.sys [2007-09-28 22824]
R2 PSDNServ;PSDNServ; C:\Windows\system32\DRIVERS\PSDNServ.sys [2007-09-28 21288]
R2 psdvdisk;PSDVDisk; C:\Windows\system32\DRIVERS\PSDVdisk.sys [2007-09-28 61224]
R2 rimmptsk;rimmptsk; C:\Windows\system32\DRIVERS\rimmpx64.sys [2007-08-08 60928]
R2 rimsptsk;rimsptsk; C:\Windows\system32\DRIVERS\rimspx64.sys [2007-07-26 55296]
R2 rismxdp;Ricoh xD-Picture Card Driver; C:\Windows\system32\DRIVERS\rixdpx64.sys [2007-07-27 57856]
R2 XAudio;XAudio; C:\Windows\system32\DRIVERS\xaudio64.sys [2007-01-30 9728]
R3 ApfiltrService;Alps Pointing-device Filter Driver; C:\Windows\system32\DRIVERS\Apfiltr.sys [2007-06-14 189752]
R3 Cam5607;Acer Crystal Eye webcam; C:\Windows\System32\Drivers\BisonC07.sys [2007-07-26 762664]
R3 CAXHWAZL;CAXHWAZL; C:\Windows\system32\DRIVERS\CAXHWAZL.sys [2007-04-26 291840]
R3 DKbFltr;Dritek Keyboard Filter Driver (64-bit); C:\Windows\SysWOW64\Drivers\DKbFltr.sys [2006-11-02 25872]
R3 enecir;ENE CIR Receiver; C:\Windows\system32\DRIVERS\enecir.sys [2007-03-07 36864]
R3 HSF_DPV;HSF_DPV; C:\Windows\system32\DRIVERS\CAX_DPV.sys [2007-04-26 1478656]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2007-08-10 1196312]
R3 NETw5v64;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit; C:\Windows\system32\DRIVERS\NETw5v64.sys [2008-11-17 4751360]
R3 nvlddmkm;nvlddmkm; C:\Windows\system32\DRIVERS\nvlddmkm.sys [2007-08-23 9669152]
R3 sdbus;sdbus; C:\Windows\system32\DRIVERS\sdbus.sys [2009-04-11 111104]
R3 usbscan;USB Scanner Driver; C:\Windows\system32\DRIVERS\usbscan.sys [2008-01-19 41984]
R3 winachsf;winachsf; C:\Windows\system32\DRIVERS\CAX_CNXT.sys [2007-04-26 740864]
S1 SASDIFSV;SASDIFSV; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASDIFSV.SYS [2008-02-29 8944]
S1 SASKUTIL;SASKUTIL; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASKUTIL.sys [2008-02-29 51440]
S2 MBAMDrvService;MBAMDrvService; \??\C:\Windows\system32\drivers\mbam.sys [2010-11-29 24152]
S3 ALSysIO;ALSysIO; \??\C:\Users\Gene\AppData\Local\Temp\ALSysIO64.sys []
S3 b57nd60a;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0; C:\Windows\system32\DRIVERS\b57nd60a.sys [2007-07-22 216064]
S3 cpuz130;cpuz130; \??\C:\Users\Gene\AppData\Local\Temp\cpuz130\cpuz_x64.sys []
S3 CrucialSMBusScan;CrucialSMBusScan; \??\C:\Windows\system32\drivers\CrucialSMBusScan.sys [2008-04-22 18984]
S3 drmkaud;Microsoft Kernel DRM Audio Descrambler; C:\Windows\system32\drivers\drmkaud.sys [2006-11-02 6144]
S3 ENTECH64;ENTECH64; \??\C:\Windows\system32\DRIVERS\ENTECH64.sys [2008-09-17 12744]
S3 HdAudAddService;Microsoft 1.1 UAA Function Driver for High Definition Audio Service; C:\Windows\system32\drivers\HdAudio.sys [2006-11-02 273920]
S3 HSFHWAZL;HSFHWAZL; C:\Windows\system32\DRIVERS\VSTAZL6.SYS [2006-09-18 286720]
S3 MSKSSRV;Microsoft Streaming Service Proxy; C:\Windows\system32\drivers\MSKSSRV.sys [2008-01-19 11008]
S3 MSPCLOCK;Microsoft Streaming Clock Proxy; C:\Windows\system32\drivers\MSPCLOCK.sys [2006-11-02 7040]
S3 MSPQM;Microsoft Streaming Quality Manager Proxy; C:\Windows\system32\drivers\MSPQM.sys [2006-11-02 6656]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\Windows\system32\drivers\MSTEE.sys [2008-01-19 7936]
S3 NETw3v64;Intel(R) PRO/Wireless 3945BG Adapter Driver for Windows Vista 64 Bit; C:\Windows\system32\DRIVERS\NETw3v64.sys [2006-10-03 2471424]
S3 NETw4v64;Intel(R) Wireless WiFi Link Adapter Driver for Windows Vista 64 Bit; C:\Windows\system32\DRIVERS\NETw4v64.sys [2007-08-07 3154944]
S3 SASENUM;SASENUM; \??\C:\Program Files (x86)\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
S3 WpdUsb;WpdUsb; C:\Windows\system32\DRIVERS\wpdusb.sys [2009-09-30 46592]
S3 WSVD;WSVD; \??\C:\Windows\system32\drivers\WSVD.sys [2006-09-19 114024]
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 108544]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 a2free;a-squared Free Service; C:\Program Files (x86)\a-squared Free\a2service.exe [2009-10-01 1858144]
R2 ALaunchService;ALaunch Service; C:\Acer\ALaunch\ALaunchSvc.exe [2007-01-26 59904]
R2 atashost;WebEx Service Host for Support Center; C:\Windows\SysWOW64\atashost.exe [2009-03-06 20376]
R2 avast! Antivirus;avast! Antivirus; C:\Program Files\Alwil Software\Avast5\AvastSvc.exe [2011-01-13 40384]
R2 eDataSecurity Service;eDataSecurity Service; C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe [2007-10-11 477728]
R2 eLockService;eLock Service; C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe [2007-03-14 24576]
R2 eNet Service;eNet Service; C:\Acer\Empowering Technology\eNet\eNet Service.exe [2007-08-28 147968]
R2 eRecoveryService;eRecovery Service; C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe [2007-09-10 57344]
R2 eSettingsService;eSettings Service; C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe [2007-12-10 24576]
R2 IAANTMON;Intel(R) Matrix Storage Event Monitor; C:\Program Files (X86)\Intel\Intel Matrix Storage Manager\Iaantmon.exe [2007-07-12 354840]
R2 LightScribeService;LightScribeService Direct Disc Labeling Service; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [2007-01-17 61440]
R2 MobilityService;MobilityService; C:\Acer\Mobility Center\MobilityService.exe [2006-11-24 129536]
R2 RichVideo;Cyberlink RichVideo Service(CRVS); C:\Program Files (x86)\CyberLink\Shared Files\RichVideo.exe [2007-01-23 266343]
R2 TeamViewer6;TeamViewer 6; C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
R2 Viewpoint Manager Service;Viewpoint Manager Service; C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
R2 WMIService;ePower Service; C:\Acer\Empowering Technology\ePower\ePowerSvc.exe [2007-10-30 181760]
R2 XAudioService;XAudioService; C:\Windows\system32\DRIVERS\xaudio64.exe [2007-01-30 410624]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86; C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
S2 gupdate1c9f91a469fee10;Google Update Service (gupdate1c9f91a469fee10); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2009-06-29 133104]
S3 aspnet_state;ASP.NET State Service; C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe []
S3 FontCache;@%systemroot%\system32\FntCache.dll,-100; C:\Windows\system32\svchost.exe [2008-01-19 27648]
S3 gusvc;Google Software Updater; C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-11-27 182768]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 PerfHost;@%systemroot%\sysWow64\perfhost.exe,-2; C:\Windows\SysWow64\perfhost.exe [2008-01-19 19968]
S3 WPFFontCache_v0400;@C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe,-100; C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 1020768]

-----------------EOF-----------------

Handle ID:   0x194

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102222
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193944.907800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Acronis\SnapAPI\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

-----------------EOF-----------------
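
Before walking a log like the one above entry by entry, a helper usually pulls out the handful of lines worth checking first. The Python below is an added example for this thread, not part of RSIT (random's system information tool), of the forum's cleanup procedure, or of the poster's log. It parses the three line formats RSIT writes (section headers, driver/service lines, and `"Name"=path [date size]` registry values) and flags kernel drivers loaded from a user profile, images living in a Temp directory, and entries whose `[]` trailer is empty because RSIT could not read the target file's date and size. The sample input is quoted from the log above; the `[HKEY_...\Run]` header line is an assumption, since the excerpt in this thread starts partway through that list. A hit is a reason to look, not to delete: the cpuz130 driver here lines up with the CPU-Z entry in the uninstall list posted below.

```python
"""Triage pass over the line formats RSIT writes to log.txt.

Added example for this thread; not part of RSIT, of the forum's cleanup
procedure, or of the poster's own log.
"""
import re
from dataclasses import dataclass, field

# "======List of drivers (R=Running, ...)======"  -> title "List of drivers"
SECTION_RE = re.compile(r'^======(?P<title>.+?)(?: \(.*\))?======$')
# "R3 name;description; C:\path\file.sys [2008-01-19 108544]"
SVC_RE = re.compile(
    r'^(?P<state>[RS])(?P<start>[0-4]) (?P<name>[^;]+);(?P<desc>[^;]*); ?'
    r'(?P<path>.*?) ?\[(?P<meta>[^\]]*)\]$'
)
# '"Name"=C:\path\file.exe [2010-09-20 932288]'  (Run keys, shell hooks, ...)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<path>.*?) ?\[(?P<meta>[^\]]*)\]$')

TEMP_RE = re.compile(r'\\Temp\\', re.I)          # ...\AppData\Local\Temp\, C:\Windows\Temp\
PROFILE_RE = re.compile(r'^[A-Za-z]:\\Users\\')  # image sits under a user profile


@dataclass
class Finding:
    section: str   # "List of drivers", "[HKEY_...\Run]", ...
    name: str
    path: str
    reasons: list = field(default_factory=list)


def _strip_nt_prefix(path):
    # RSIT prints some image paths in NT form, \??\C:\... ; drop that prefix.
    return path[4:] if path.startswith('\\??\\') else path


def triage(log_text):
    """Return a Finding for every driver/service/autostart line worth a look."""
    section = ''
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            section = header.group('title')
            continue
        if line.startswith('[HKEY_') and line.endswith(']'):
            section = line      # registry key the following values belong to
            continue
        m = SVC_RE.match(line) or VALUE_RE.match(line)
        if not m:
            continue
        path = _strip_nt_prefix(m.group('path'))
        reasons = []
        if section.startswith('List of drivers') and PROFILE_RE.match(path):
            reasons.append('kernel driver loaded from a user profile')
        if TEMP_RE.search(path):
            reasons.append('image lives in a Temp directory')
        if not m.group('meta').strip():
            reasons.append('RSIT recorded no file date/size; confirm the target exists')
        if reasons:
            findings.append(Finding(section, m.group('name'), path, reasons))
    return findings


def report(findings):
    """One line per finding, in the order the log listed them."""
    return ['%s: %s (%s)' % (f.name, f.path, '; '.join(f.reasons)) for f in findings]


# Sample input quoted from the log.txt posted above. The Run-key header
# is assumed: RSIT prints it above the Run entries, but the excerpt in
# this thread starts partway through that list.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=C:\Program Files (x86)\Java\jre6\bin\jusched.exe []
"Adobe ARM"=C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-09-20 932288]

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2011-01-13 273488]
S3 ALSysIO;ALSysIO; \??\C:\Users\Gene\AppData\Local\Temp\ALSysIO64.sys []
S3 cpuz130;cpuz130; \??\C:\Users\Gene\AppData\Local\Temp\cpuz130\cpuz_x64.sys []
S3 WUDFRd;WUDFRd; C:\Windows\system32\DRIVERS\WUDFRd.sys [2008-01-19 108544]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 TeamViewer6;TeamViewer 6; C:\Program Files (x86)\TeamViewer\Version6\TeamViewer_Service.exe [2011-04-15 2280312]
S2 CLTNetCnService;Symantec Lic NetConnect service; C:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe /h ccCommon []
"""

if __name__ == '__main__':
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run it against a full log.txt by passing the file contents to `triage()`; the section tracking is what lets the user-profile check apply only to the driver list, since a service or Run entry under C:\Users is common and a kernel driver there is not.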

Offline saugen48

  • Newbie
  • *
  • Posts: 12
Re: Windows repair trojan
« Reply #3 on: April 26, 2011, 12:22:18 AM »
Bowing out for the night; will touch base again with you tomorrow...
Thanks

Gene

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Windows repair trojan
« Reply #4 on: April 26, 2011, 01:06:59 AM »
No problem, Gene. 

So far, I'm just seeing a couple little things but would like to see the info.txt log.  Please go to C:\rsit\info.txt and copy\paste the log as a reply.

I noticed that there are several toolbars installed, one of which is the Ask Toolbar.  Was this intentionally installed?

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline saugen48

  • Newbie
  • *
  • Posts: 12
Re: Windows repair trojan
« Reply #5 on: April 26, 2011, 09:25:20 AM »
Corrine; can't recall if the Ask toolbar was intentionally installed or if it came as a hitchhiker...lol
Here is the info file you wanted:

info.txt logfile of random's system information tool 1.08 2011-04-25 21:04:12

======Uninstall list======

-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{31403E22-2FDB-452F-AE9E-20854633226D}\Setup.EXE"  -uninst
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{A450831D-25F6-4F42-9662-D000B25E0D82}\setup.exe"  -uninstall
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{AA4BF92B-2AAF-11DA-9D78-000129760D75}\setup.exe"  -uninstall
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{B145EC69-66F5-11D8-9D75-000129760D75}\setup.exe"  -uninstall
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{B804C424-B66D-447A-84BD-C6B88C392C3A}\setup.exe"  -uninstall
-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F79A208D-D929-11D9-9D77-000129760D75}\setup.exe"  -uninstall
123 Free Solitaire-->C:\PROGRA~2\123FRE~1\UNWISE.EXE C:\PROGRA~2\123FRE~1\INSTALL.LOG
Acer Arcade Deluxe-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{EFBDC2B0-FAA8-4B78-8DE1-AEBE7958FA37}\setup.exe"  -uninstall
Acer Assist-->C:\Program Files (x86)\Acer Assist\uninstall.exe
Acer Crystal Eye webcam-->C:\Program Files (x86)\InstallShield Installation Information\{DD1DED37-2486-4F56-8F89-56AA814003F5}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer Crystal Eye-->C:\Program Files (x86)\InstallShield Installation Information\{4BB1DCED-84D3-47F9-B718-5947E904593E}\setup.exe -runfromtemp -l0x0009 -removeonly
Acer eAudio Management-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{57265292-228A-41FA-9AEC-4620CBCC2739}\SETUP.EXE"  -uninstall
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eDataSecurity Management-->C:\Acer\Empowering Technology\eDataSecurity\eDSnstHelper.exe -Operation UNINSTALL
Acer eLock Management-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}\setup.exe" -l0x9  -removeonly
Acer Empowering Technology-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{AB6097D9-D722-4987-BD9E-A076E2848EE2}\setup.exe" -l0x9  -removeonly
Acer eNet Management-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{C06554A1-2C1E-4D20-B613-EE62C79927CC}\setup.exe" -l0x9  -removeonly
Acer ePower Management-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{58E5844B-7CE2-413D-83D1-99294BF6C74F}\setup.exe" -l0x9  -removeonly
Acer ePresentation Management-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{BF839132-BD43-4056-ACBF-4377F4A88E2A}\setup.exe" -l0x9  -removeonly
Acer eSettings Management-->"C:\Program Files (x86)\InstallShield Installation Information\{CE65A9A0-9686-45C6-9098-3C9543A412F0}\setup.exe" -runfromtemp -l0x0009 -removeonly
Acer GridVista-->C:\Windows\UnInst32.exe GridV.UNI
Acer Mobility Center Plug-In-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{11316260-6666-467B-AC34-183FCB5D4335}\setup.exe" -l0x9  -removeonly
Acer Registration-->C:\Program Files (x86)\Acer Registration\uninstall.exe
Acer ScreenSaver-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}\setup.exe" -l0x9  -removeonly
Acer Tour-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{94389919-B0AA-4882-9BE8-9F0B004ECA35}\setup.exe" -l0x9  -removeonly
Adobe AIR-->C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{46C045BF-2B3F-4BC4-8E4C-00E0CF8BD9DB}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10o_ActiveX.exe -maintain activex
Adobe Flash Player 10 Plugin-->C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10l_Plugin.exe -maintain plugin
Adobe Reader 9.4.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A94000000001}
ALPS Touch Pad Driver-->C:\Program Files\Apoint2K\Uninstap.exe ADDREMOVE
Apple Application Support-->MsiExec.exe /I{EE6097DD-05F4-4178-9719-D3170BF098E8}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
a-squared Free 4.5-->"C:\Program Files (x86)\a-squared Free\unins000.exe"
avast! Free Antivirus-->C:\Program Files\Alwil Software\Avast5\aswRunDll.exe "C:\Program Files\Alwil Software\Avast5\Setup\setiface.dll" RunSetup
Batch Picture Resizer 2.9-->"C:\Program Files (x86)\Batch Picture Resizer\unins000.exe"
Belarc Advisor 8.1-->"C:\PROGRA~2\Belarc\Advisor\Uninstall.exe" "C:\PROGRA~2\Belarc\Advisor\INSTALL.LOG"
Brother MFL-Pro Suite-->"C:\Program Files (x86)\InstallShield Installation Information\{46E1B1F2-A279-4356-9B17-029F9CC72EAE}\Setup.exe"  -runfromtemp -l0x0009 Brunin03.dll -removeonly
Canon MP Toolbox 4.1.1.0.mp10-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{4669544E-20E4-4E56-8B44-2E6E1200051F}\Setup.exe" -l0x9 -Uninstall
CCleaner (remove only)-->"C:\Program Files (x86)\CCleaner\uninst.exe"
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
CPUID CPU-Z 1.51-->"C:\Program Files\CPUID\CPU-Z\unins000.exe"
Download Updater (AOL LLC)-->C:\Program Files (x86)\Common Files\Software Update Utility\uninstall.exe
Dungeons & Dragons Online ®:  Eberron Unlimited ™ v01.12.00.803-->"C:\Program Files (x86)\Turbine\DDO Unlimited\unins000.exe"
EasyBCD 1.7.2-->C:\Program Files (x86)\NeoSmart Technologies\EasyBCD\uninstall.exe
Flower 2009-->"C:\Rocket\Flower\unins000.exe"
Foxit Reader-->C:\Program Files (x86)\Foxit Software\Foxit Reader\Uninstall.exe
Foxit Toolbar-->"C:\Program Files (x86)\AskBarDis\unins000.exe"
FTMVistaUpdater-->MsiExec.exe /I{EE295D30-A10C-44F6-B14C-05E0D99429E4}
Futuremark SystemInfo-->"C:\Program Files (x86)\InstallShield Installation Information\{BEE64C14-BEF1-4610-8A68-A16EAA47B882}\setup.exe" -runfromtemp -l0x0009 -removeonly
Google Earth-->MsiExec.exe /X{4286E640-B5FB-11DF-AC4B-005056C00008}
Google Toolbar for Internet Explorer-->"C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarManager_C8CBFED7F00D3A8C.exe" /uninstall
Google Toolbar for Internet Explorer-->MsiExec.exe /I{18455581-E099-4BA8-BC6B-F34B2F06600C}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HDAUDIO Soft Data Fax Modem with SmartCP-->C:\Program Files\CONEXANT\CNXT_MODEM_HDAUDIO_VEN_14F1&DEV_2BFAOR2C06_118\UIU64m.exe -U -IAcrZUn64y.inf
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall  /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {08155812-0202-4D5F-A7FF-12A2782DC548} /qb+ REBOOTPROMPT=""
ImgBurn-->"C:\Program Files (x86)\ImgBurn\uninstall.exe"
Intel(R) Matrix Storage Manager-->C:\Windows\System32\Imsmudlg.exe
IrfanView (remove only)-->C:\Program Files (x86)\IrfanView\iv_uninstall.exe
Java(TM) 6 Update 18-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216012FF}
Ken Ward's Zipper 1.4000-->"C:\Program Files (x86)\Ken Ward's Zipper\unins000.exe"
K-Lite Codec Pack (64-bit) v2.3.4-->"C:\Program Files\KLCP64\unins000.exe"
Launch Manager-->C:\Windows\UnInst32.exe LManager.UNI
Logitech Harmony Remote Software-->C:\Program Files (x86)\InstallShield Installation Information\{634F79E1-2A41-4C40-9E8D-89EC740AC9D6}\setup.exe -runfromtemp -l0x0009 -removeonly
Malwarebytes' Anti-Malware-->"C:\Program Files (x86)\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 1.1 Security Update (KB2416447)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M2416447\M2416447Uninstall.msp"
Microsoft .NET Framework 1.1 Security Update (KB979906)-->"C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\hotfix.exe" "C:\Windows\Microsoft.NET\Framework\v1.1.4322\Updates\M979906\M979906Uninstall.msp"
Microsoft .NET Framework 1.1-->msiexec.exe /X {CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 1.1-->MsiExec.exe /X{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}
Microsoft .NET Framework 3.5 SP1-->C:\Windows\Microsoft.NET\Framework64\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft .NET Framework 4 Client Profile-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\Setup.exe /repair /x86 /x64 /parameterfolder Client
Microsoft .NET Framework 4 Client Profile-->MsiExec.exe /X{F5B09CFD-F0B2-36AF-8DF4-1DF6B63FC7B4}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Basic Edition 2003-->MsiExec.exe /I{91130409-6000-11D3-8CFE-0150048383C9}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft VC9 runtime libraries-->MsiExec.exe /I{C4124E95-5061-4776-8D5D-E3D931C778E1}
Microsoft Visual C++ 2005 ATL Update kb973923 - x64 8.0.50727.4053-->MsiExec.exe /X{B6E3757B-5E77-3915-866A-CCFC4B8D194C}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable - KB2467175-->MsiExec.exe /X{a0fe116e-9a8a-466f-aee0-625cb7c207e3}
Microsoft Visual C++ 2005 Redistributable (x64) - KB2467175-->MsiExec.exe /X{aac9fcc4-dd9e-4add-901c-b5496a07ab2e}
Microsoft Visual C++ 2005 Redistributable (x64)-->MsiExec.exe /X{071c9b48-7c32-4621-a0ac-3f809523288f}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570-->MsiExec.exe /X{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022-->MsiExec.exe /X{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Works-->MsiExec.exe /I{6D52C408-B09A-4520-9B18-475B81D393F1}
Mozilla Firefox (3.6.9)-->C:\Program Files (x86)\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB941833)-->MsiExec.exe /I{C523D256-313D-4866-B36A-F3DE528246EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NTI Backup NOW! 4.7-->"C:\Program Files (x86)\InstallShield Installation Information\{67ADE9AF-5CD9-4089-8825-55DE4B366799}\setup.exe" -removeonly
NTI CD & DVD-Maker-->C:\PROGRA~2\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2} /l1033 CDM7
NVIDIA Drivers-->C:\Windows\system32\NVUNINST.EXE UninstallGUI
OpenOffice.org 2.4-->MsiExec.exe /I{2CD2C0DB-81C3-416B-9FA6-589B9235359B}
Opera 10.63-->MsiExec.exe /X{87CC8013-56D1-43E1-A0A5-AD406B4EBA95}
Pando Media Booster-->C:\Program Files (x86)\Pando Networks\Media Booster\uninst.exe
PaperPort Image Printer 64-bit-->MsiExec.exe /X{ABA4FAF1-6389-45F9-92CE-3914A4E5C471}
Picasa 3-->"C:\Program Files (x86)\Google\Picasa3\Uninstall.exe"
RarZilla Free Unrar 2.53-->C:\Program Files (x86)\RarZilla Free Unrar\uninstall.exe
RealPlayer-->C:\Program Files (x86)\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|12.0
Realtek High Definition Audio Driver-->RtlUpd64.exe -r -m
RealUpgrade 1.0-->MsiExec.exe /I{F4F4F84E-804F-4E9A-84D7-C34283F0088F}
RICOH R5C83x/84x Flash Media Controller Driver Ver.3.52.02-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{59F6A514-9813-47A3-948C-8A155460CC2A}\setup.exe" -l0x9 anything
ScanSoft PaperPort 11-->MsiExec.exe /I{7A8FF745-BBC5-482B-88E4-18D3178249A9}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {8EAF4926-5B5D-398A-BA46-4603D8095BDE} /qb+ REBOOTPROMPT=""
Security Update for Microsoft .NET Framework 4 Client Profile (KB2160841)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {FD8D7C9A-E56A-3E7B-BA6D-FE68F13296E3} /parameterfolder Client
Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708)-->C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\Client\setup.exe /uninstallpatch {F66C3466-1FDB-347C-B3AE-FB6C50627B10} /parameterfolder Client
Speccy-->"C:\Program Files (x86)\Speccy\uninst.exe"
SpywareBlaster 4.4-->"C:\Program Files (x86)\SpywareBlaster\unins000.exe"
Stickies 6.7a-->"C:\Windows\lsb_un20.exe" /C=UC /N=Stickies 6.7a
SUPERAntiSpyware Free Edition-->MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
TeamViewer 6-->C:\Program Files (x86)\TeamViewer\Version6\uninstall.exe
TetriCrisis 100% 5.9 Remix-->"C:\Program Files (x86)\TetriCrisis 100%\unins000.exe"
Tiny Timer 1.0-->C:\Program Files (x86)\Tiny Timer 1.0\Uninstal.exe
TouchFreeze-->MsiExec.exe /I{D031E017-2434-40A7-A352-4DDD0199170D}
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\Windows\SysWOW64\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Viewpoint Media Player-->C:\Program Files (x86)\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
VueMinder Calendar Lite-->MsiExec.exe /X{EF083137-7C48-4260-B90C-7FC2C8C0E60D}
WebEx Support Manager for Internet Explorer-->MsiExec.exe /I{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}
Windows Live Call-->MsiExec.exe /I{E6158D07-2637-4ECF-B576-37C489669174}
Windows Live Communications Platform-->MsiExec.exe /I{3175E049-F9A9-4A3D-8F19-AC9FB04514D1}
Windows Live Essentials-->C:\Program Files (x86)\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{474F25F5-BDC9-40E5-B1B6-F6BF23FC106F}
Windows Live Messenger-->MsiExec.exe /X{B57EAFF2-D6EE-4C6C-9175-ED9F17BFC1BC}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
WOT for Internet Explorer-->MsiExec.exe /X{1D10C273-3F95-42A2-8371-AB6B1F59821B}
Yahoo! Messenger-->C:\PROGRA~2\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~2\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar-->C:\PROGRA~2\Yahoo!\common\unyt.exe

======Security center information======

AV: avast! antivirus 4.8.1290 [VPS 081125-0]
AS: Windows Defender
AS: SUPERAntiSpyware (disabled)
AS: avast! antivirus 4.8.1290 [VPS 081125-0]

======System event log======

Computer Name: Gene-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 149917
Source Name: Microsoft-Windows-Time-Service
Time Written: 20100912223923.000000-000
Event Type: Warning
User:

Computer Name: Gene-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 149914
Source Name: Microsoft-Windows-Time-Service
Time Written: 20100912223922.000000-000
Event Type: Warning
User:

Computer Name: Gene-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 149911
Source Name: Microsoft-Windows-Time-Service
Time Written: 20100912223916.000000-000
Event Type: Warning
User:

Computer Name: Gene-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 149910
Source Name: Microsoft-Windows-Time-Service
Time Written: 20100912223750.000000-000
Event Type: Warning
User:

Computer Name: Gene-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on 'time.windows.com,0x9'. NtpClient will try again in 15 minutes and double the reattempt interval thereafter. The error was: No such host is known. (0x80072AF9)
Record Number: 149907
Source Name: Microsoft-Windows-Time-Service
Time Written: 20100912223748.000000-000
Event Type: Warning
User:

=====Application event log=====

Computer Name: Gene-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_c46a533c8a667ee7\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 8528
Source Name: SideBySide
Time Written: 20080908214834.000000-000
Event Type: Error
User:

Computer Name: Gene-PC
Event Code: 33
Message: Activation context generation failed for "C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_c46a533c8a667ee7\MFC80U.DLL". Dependent Assembly Microsoft.VC80.MFCLOC,processorArchitecture="amd64",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="8.0.50608.0" could not be found. Please use sxstrace.exe for detailed diagnosis.
Record Number: 8527
Source Name: SideBySide
Time Written: 20080908214834.000000-000
Event Type: Error
User:

Computer Name: Gene-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-4167856230-1268464880-2386899631-1000_Classes:
Process 968 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167856230-1268464880-2386899631-1000_CLASSES

Record Number: 8508
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080908214706.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gene-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards. 

 DETAIL -
 1 user registry handles leaked from \Registry\User\S-1-5-21-4167856230-1268464880-2386899631-1000:
Process 968 (\Device\HarddiskVolume2\Windows\System32\svchost.exe) has opened key \REGISTRY\USER\S-1-5-21-4167856230-1268464880-2386899631-1000

Record Number: 8507
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20080908214706.000000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Gene-PC
Event Code: 3036
Message: The content source <csc://{s-1-5-21-4167856230-1268464880-2386899631-1000}/> cannot be accessed.

Context:  Application, SystemIndex Catalog

Details:
   The object was not found.   (0x80041201)

Record Number: 8501
Source Name: Microsoft-Windows-Search
Time Written: 20080908213435.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: Gene-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
   Security ID:      S-1-5-18
   Account Name:      GENE-PC$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Object:
   Object Server:   Security
   Object Type:   File
   Object Name:   \Device\Wsvd\Z\Windows\winsxs\amd64_microsoft-windows-p..gssystems.resources_31bf3856ad364e35_6.0.6000.16386_en-us_b5e96548946d0af9\esrb.rs.mui
   Handle ID:   0x194

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102226
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193945.095000-000
Event Type: Audit Success
User:

Computer Name: Gene-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
   Security ID:      S-1-5-18
   Account Name:      GENE-PC$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Object:
   Object Server:   Security
   Object Type:   File
   Object Name:   \Device\Wsvd\Z\Windows\winsxs\amd64_microsoft-windows-p..gemanager.resources_31bf3856ad364e35_6.0.6000.16386_en-us_acd79d0020d28754\PkgMgr.exe.mui
   Handle ID:   0x188

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102225
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193945.063800-000
Event Type: Audit Success
User:

Computer Name: Gene-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
   Security ID:      S-1-5-18
   Account Name:      GENE-PC$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Object:
   Object Server:   Security
   Object Type:   File
   Object Name:   \Device\Wsvd\Z\Windows\winsxs\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_6.0.6001.18000_none_7ef73a6e1b63bae7\prnms001.cat
   Handle ID:   0x194

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102224
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193945.032600-000
Event Type: Audit Success
User:

Computer Name: Gene-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
   Security ID:      S-1-5-18
   Account Name:      GENE-PC$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Object:
   Object Server:   Security
   Object Type:   File
   Object Name:   \Device\Wsvd\Z\Windows\winsxs\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_6.0.6001.18000_none_7ef73a6e1b63bae7\mxdwdui.dll
   Handle ID:   0x188

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102223
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193945.001400-000
Event Type: Audit Success
User:

Computer Name: Gene-PC
Event Code: 4907
Message: Auditing settings on object were changed.

Subject:
   Security ID:      S-1-5-18
   Account Name:      GENE-PC$
   Account Domain:      WORKGROUP
   Logon ID:      0x3e7

Object:
   Object Server:   Security
   Object Type:   File
   Object Name:   \Device\Wsvd\Z\Windows\winsxs\amd64_microsoft-windows-p..g-xpsdocumentwriter_31bf3856ad364e35_6.0.6000.16386_none_7cc078721e78aa13\prnms001.cat
   Handle ID:   0x194

Process Information:
   Process ID:   0x148c
   Process Name:   C:\Acer\Empowering Technology\eRecovery\BackupMachine.exe

Auditing Settings:
   Original Security Descriptor:   
   New Security Descriptor:      S:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
Record Number: 102222
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091225193944.907800-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\;C:\Program Files (x86)\Common Files\Acronis\SnapAPI\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=Intel64 Family 6 Model 23 Stepping 6, GenuineIntel
"PROCESSOR_REVISION"=1706
"NUMBER_OF_PROCESSORS"=2
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\

-----------------EOF-----------------

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 11530
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: Windows repair trojan
« Reply #6 on: April 26, 2011, 04:26:18 PM »
Hi, Gene.

Thank you for the extra log. 

Having had my fill of coffee this morning, I see what I missed last night regarding the Ask Toolbar.  It was incorporated in the Foxit PDF reader, disguised as the "Foxit Toolbar".  Based on questions of privacy, tracking, and other issues noted in the references appended to my blog post Beware Foxit Reader Includes AskToolbar!, personally, I would not want the Ask Toolbar on my computer.  If you do not use Foxit, you can uninstall both Foxit Reader and Foxit Toolbar from add/remove programs.

Although you have not updated to the latest Adobe Reader version 10 (X), you do have the version 9.4.4 that had a critical security vulnerability addressed last week.  Thus, do you really need both Foxit and Adobe Reader?  Should you be interested in an alternative PDF reader, I uninstalled Adobe Reader almost two years ago and switched to Sumatra PDF.   There are a number of open source readers available from http://pdfreaders.org/.  Others include Nitro Reader and Sumatra PDF.

The next thing you need to do is to address the outdated Java.  Numerous critical security issues have been addressed since you last updated.  Please start by going to add/remove programs and uninstalling the following:

Java(TM) 6 Update 18

Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users: right-click JavaRa.exe > select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Then download and install Java SE Runtime Environment (JRE) 6 Update 25.   

Download link: Java SE Runtime Environment 6u25

Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.   

Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O4 - HKLM\..\Run: [Performance Center] C:\Program Files (x86)\Ascentive\Performance Center\APCMain.exe -m

Click on Fix Checked when finished and exit HijackThis.

Please go here to run an on-line scan from ESET.
  • Note: It is easiest if you use Internet Explorer for this scan.  (If you use an alternate browser, it will be necessary to download the ESET Smart Installer)
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
  • Copy and paste that log as a reply to this topic and also let me know how things are now.

Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.
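The two HijackThis entries above are an orphaned Browser Helper Object registration (a CLSID with "(no file)" behind it) and an HKLM Run entry pointing at a program under Program Files (x86). As an added example, not from this thread and not HijackThis code, the following PowerShell script performs the same kind of read-only check on a 64-bit Windows host: it lists the Run entries and Browser Helper Objects from both the native and Wow6432Node registry views and reports whether each target file still exists on disk, which is the condition HijackThis prints as "(no file)". The registry paths are the standard Windows locations; the parsing of unquoted command lines with spaces is a heuristic of this example. It assumes an elevated PowerShell session and sticks to PowerShell 2.0 syntax, since that is the version present in the log's PSModulePath.

```powershell
# Added example (not from the forum thread, not HijackThis code).
# Read-only inventory of autostart "Run" entries and IE Browser Helper Objects
# on a 64-bit Windows host, checking whether each entry's target file exists.
# A registration whose file is missing is what HijackThis reports as "(no file)".
# Run from an elevated PowerShell; nothing is modified or removed.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',   # 32-bit view on x64
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# BHO registration key paired with the CLSID hive that records the DLL path
$BhoKeys = @(
    @{ Bho   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';
       Clsid = 'HKLM:\Software\Classes\CLSID' },
    @{ Bho   = 'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects';
       Clsid = 'HKLM:\Software\Classes\Wow6432Node\CLSID' }
)

function Get-TargetPath {
    # Extract the program path from a Run command line, e.g.
    #   "C:\Program Files (x86)\Vendor\app.exe" -m   or   C:\Program Files (x86)\Vendor\app.exe -m
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted path containing spaces (heuristic): grow the token prefix until it ends in .exe/.dll
    $tokens = $cmd -split ' '
    for ($i = 1; $i -le $tokens.Count; $i++) {
        $candidate = $tokens[0..($i - 1)] -join ' '
        if ($candidate -match '\.(exe|dll)$') { return $candidate }
    }
    return $tokens[0]
}

function Test-TargetExists {
    param([string]$Path)
    if ([string]::IsNullOrEmpty($Path)) { return $false }
    if ($Path -notmatch '[\\/]') {
        # Bare file name (e.g. RtlUpd64.exe): resolve through the search PATH
        return [bool](Get-Command $Path -ErrorAction SilentlyContinue)
    }
    return (Test-Path -LiteralPath $Path -PathType Leaf)
}

function Get-AutostartReport {
    $report = @()
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the provider metadata properties PowerShell adds to every item
            if ($p.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
            $target = Get-TargetPath ([string]$p.Value)
            $report += New-Object PSObject -Property @{
                Kind = 'Run'; Key = $key; Name = $p.Name
                Target = $target; FileExists = (Test-TargetExists $target)
            }
        }
    }
    foreach ($pair in $BhoKeys) {
        if (-not (Test-Path $pair.Bho)) { continue }
        foreach ($sub in Get-ChildItem $pair.Bho) {
            $clsid  = $sub.PSChildName
            $server = Join-Path $pair.Clsid "$clsid\InprocServer32"
            $target = $null
            if (Test-Path $server) {
                # The default value of InprocServer32 is the DLL that IE would load
                $target = [Environment]::ExpandEnvironmentVariables(
                    [string](Get-ItemProperty -Path $server).'(default)')
            }
            $report += New-Object PSObject -Property @{
                Kind = 'BHO'; Key = $pair.Bho; Name = $clsid
                Target = $target; FileExists = (Test-TargetExists $target)
            }
        }
    }
    return $report
}

# Entries with FileExists = False are orphaned registrations (HijackThis "(no file)");
# entries that do resolve still deserve a look at who the vendor is.
Get-AutostartReport | Sort-Object FileExists, Kind | Format-Table Kind, Name, FileExists, Target -AutoSize
```

Reading the output: a BHO row with FileExists False and an empty Target is the exact situation behind the O2 line above (CLSID registered, no InprocServer32 path resolving to a file); a Run row with FileExists True simply tells you the program is still present and the decision about it is a judgement on the vendor, not on a broken registration. Because the script only reads the registry and tests paths, it can be run before and after a cleanup to confirm that a removed entry is actually gone from both the 64-bit and the Wow6432Node views.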

saugen48
Re: Windows repair trojan
« Reply #7 on: April 26, 2011, 06:11:34 PM »
Corrine,
Got as far as this...
Then download and install Java SE Runtime Environment (JRE) 6 Update 25.

Download link: Java SE Runtime Environment 6u25.


I installed and received this little window after I was told the installation was complete and clicked on Finish:

Installer: wrapper.CreateFile
Failed with error 5. access is denied


Corrine
Re: Windows repair trojan
« Reply #8 on: April 26, 2011, 07:09:37 PM »
Hi, Gene.

Did you select the correct version for your OS, Windows x64?

saugen48
Re: Windows repair trojan
« Reply #9 on: April 26, 2011, 08:38:48 PM »
Oooooooooooops, correct version downloaded.
Question: for the next step it says:
Note:  UNCHECK any pre-checked toolbar and/or software options presented with the update.  They are not part of the software update and are completely optional.

Close all programs leaving only HijackThis running.  Place a check against each of the following, making sure you get them all and not any others by mistake:

I don't recall having to download and run HijackThis... am I to download, install and run HijackThis here???


Corrine
Re: Windows repair trojan
« Reply #10 on: April 26, 2011, 09:03:28 PM »
The Uncheck toolbar/software options was part of the Java instructions. :)

You'll find HijackThis here:  C:\Program Files\trend micro\Gene.exe (It was part of the RSIT install.)

saugen48
Re: Windows repair trojan
« Reply #11 on: April 27, 2011, 02:05:43 AM »
Corrine, just finished the second scan... after the first I wasn't sure if I was to close out the scan program and then find the log.txt file with Notepad... anyway, I did; there was nothing there... right... so I ran a second scan and now can't find the Eset\Eset online scanner\log.txt....
Never touched the scan, the window is still open. It found 5 threats identified in the first scan as possible variant of Win32/Hupigon.JFAQCEI Trojan

What to do.... it's an hour and 46 min scan of almost 200,000 files

saugen48
Re: Windows repair trojan
« Reply #12 on: April 27, 2011, 01:28:52 PM »
Corrine; Ran a third scan this morning and didn't want to take the chance of not being able to locate the log.txt file... so, you might not like this, I had the scan delete all the nasties it found... It found the same five and disposed of them... by the way, I did locate the log.txt file; it was not in C:\Programs but was in C:\Programs (x86)..
Was there any other scans you wanted me to do????

saugen48
Re: Windows repair trojan
« Reply #13 on: April 27, 2011, 02:41:24 PM »
By the way, the log file above didn't have anything in it

Corrine
Re: Windows repair trojan
« Reply #14 on: April 27, 2011, 05:06:59 PM »
Sorry, Gene, yes -- it would have been in Programs (x86).  So few people post logs with 64-bit systems, that all my instructions point to Program Files.

Since your computer is scanning as clean now, are you having any further problems with it?