Rookit.agent help - Window 7


Post by rudcwt on Mon May 24, 2010 2:21 am

I have both Avast 4.8 & Malwarebytes 1.44 installed. Recently Avast has been detecting viruses (rootkits) on my computer, so I decided to run a full scan. The result says that one of the files cannot be scanned:

C:\Windows\System32\drivers\gpfinbc.sys

It can't be moved to the chest, deleted or anything by Avast.

Then I scanned the file with Malwarebytes, and it says that it is a Rootkit.Agent, and tried to delete it. But after I restarted, the file/virus was still there.

This is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.44
Database version: 3510
Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/24/2010 09:44:55
mbam-log-2010-05-24 (09-44-55).txt

Scan type: Quick Scan
Objects scanned: 136723
Time elapsed: 12 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\gpfinbc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.


Help appreciated a lot.

rudcwt
Novice

Posts : 10
Joined : 2010-05-24
OS : Window 7
Points : 24008
Likes : 0

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 2:23 am

Oh, one more thing.

Avast has been detecting a lot of Win32:Malware-gen in the temp folders as well, for example:

C:\Windows\Temp\uqax.tmp\svchost.exe


Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 8:38 am

Hello.

Download [You must be registered and logged in to see this link.] by OldTimer to your Desktop.

  • Close all windows and double click OTL.exe
  • Click Run Scan and let the program run uninterrupted
  • It will produce two logs for you, one will pop up - OTL.txt, the other will be saved on your Desktop - Extras.txt. Post both logs in this thread.
  • You may need to use two posts to get it all.




Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1
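The OTL logs requested above list every running process, service and driver on one line each. As an added example (not part of this thread and not OldTimer's code), here is a small Python triage script that parses that line format and flags the entries a responder would look at first: executables running from a Temp directory, processes carrying hidden/system attributes, entries with no publisher string, and core Windows binary names loading from outside C:\Windows. The sample lines are copied from the OTL log posted later in this thread plus one constructed PRC line for the C:\Windows\Temp\uqax.tmp\svchost.exe path the poster mentioned; the four rules are this example's own assumptions, not OTL features.

```python
"""Triage helper for OTL-style log lines (PRC/SRV/DRV/MOD sections).

Added example, not part of OldTimer's OTL or of this thread. The line
format is taken from the OTL log posted in the thread; the heuristics
are an assumption of this example (first-pass questions a responder asks).
"""
import re
from dataclasses import dataclass

# One OTL entry:
#   KIND - [date time | size | attrs | M] (Company) [svc info] -- path -- (ServiceName) trailing text
# Company may contain parentheses ("Intel(R) Corporation"), so it is matched
# non-greedily up to the ")" that precedes either " [" or " -- ".
OTL_LINE = re.compile(
    r"^(?P<kind>PRC|SRV|DRV|MOD) - "
    r"\[(?P<stamp>[^|\]]+?) \| (?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| M\] "
    r"\((?P<company>.*?)\)(?= \[| -- )"
    r"(?: \[(?P<svcinfo>[^\]]*)\])?"
    r" -- (?P<path>.+?)"
    r"(?: -- \((?P<name>[^)]*)\).*)?$"
)

# Windows binaries that should only ever run from the Windows directory or System32.
SYSTEM_ONLY_NAMES = {"svchost.exe", "explorer.exe", "taskhost.exe", "lsass.exe", "csrss.exe"}
# %SystemRoot% = C:\Windows in the posted log; assumed here.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}


@dataclass
class Entry:
    kind: str
    stamp: str
    size: int
    attrs: str
    company: str
    path: str
    name: str


def parse_line(line: str):
    """Return an Entry for an OTL PRC/SRV/DRV/MOD line, or None for any other line."""
    m = OTL_LINE.match(line.strip())
    if not m:
        return None
    return Entry(
        kind=m["kind"], stamp=m["stamp"], size=int(m["size"].replace(",", "")),
        attrs=m["attrs"], company=m["company"].strip(), path=m["path"].strip(),
        name=(m["name"] or "").strip(),
    )


def triage(entry: Entry) -> list:
    """Apply the four heuristics to one entry and return the rule names that fired."""
    findings = []
    low = entry.path.lower()
    directory, _, base = low.rpartition("\\")
    # 1. Executables running out of a Temp directory (all of the poster's Avast hits were in Temp).
    if "\\temp\\" in low:
        findings.append("runs-from-temp")
    # 2. Hidden (H) or system (S) attributes on a running process: unusual for legitimate software.
    if entry.kind == "PRC" and ("H" in entry.attrs or "S" in entry.attrs):
        findings.append("hidden-or-system-attrs")
    # 3. No publisher string, or a build placeholder such as "TODO:" left in the version resource.
    if entry.company == "" or entry.company.startswith("TODO"):
        findings.append("no-publisher")
    # 4. A core Windows binary name loaded from somewhere other than C:\Windows or System32.
    if base in SYSTEM_ONLY_NAMES and directory not in SYSTEM_DIRS:
        findings.append("system-name-wrong-dir")
    return findings


def triage_log(text: str) -> dict:
    """Parse every OTL entry in `text`; return {path: [rule names]} for flagged entries only."""
    report = {}
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            hits = triage(entry)
            if hits:
                report[entry.path] = hits
    return report


# Sample input: five lines copied from the OTL log in this thread, plus one constructed
# PRC line for the Temp-folder svchost.exe the poster reported (the thread gives only its path).
SAMPLE_LOG = r"""
PRC - [2010/04/19 02:45:56 | 000,061,480 | -HS- | M] (Doceqe Pekyronuve) -- C:\Users\RuDolF~\AppData\Local\Temp\gdst.exe
PRC - [2009/11/30 16:12:28 | 000,544,768 | ---- | M] (TODO: ) -- C:\Program Files\MSI\DirectOC\DirectOc.exe
PRC - [2009/10/31 13:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/05/20 11:02:09 | 000,044,032 | ---- | M] () -- C:\Windows\Temp\uqax.tmp\svchost.exe
DRV - [2009/11/27 05:13:42 | 000,209,920 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
SRV - [2009/09/15 18:56:43 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
""".strip()

if __name__ == "__main__":
    for path, hits in triage_log(SAMPLE_LOG).items():
        print(f"{path}\n    {', '.join(hits)}")
```

Entries with no findings are not proof of anything (OTL does not show code signatures, and a rootkit can hide its own driver from the list); the flagged ones are simply where to look first.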

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 8:56 am

Thanks,

OTL.txt:

OTL logfile created on: 5/24/2010 16:53:02 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\RuDolF~\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 60.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 414.69 Gb Free Space | 89.05% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: RuDolF~
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Processes (SafeList) ==========

PRC - [2010/05/24 16:52:41 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\RuDolF~\Desktop\OTL.exe
PRC - [2010/04/20 16:05:16 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/04/19 22:25:11 | 000,039,408 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2010/04/19 02:45:56 | 000,061,480 | -HS- | M] (Doceqe Pekyronuve) -- C:\Users\RuDolF~\AppData\Local\Temp\gdst.exe
PRC - [2010/04/13 06:46:36 | 001,135,912 | ---- | M] () -- C:\Program Files\DivX\DivX Update\DivXUpdate.exe
PRC - [2010/04/07 03:44:44 | 000,107,056 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpntray.exe
PRC - [2010/04/07 03:44:14 | 000,247,856 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe
PRC - [2010/04/01 08:24:08 | 000,194,608 | ---- | M] () -- C:\Program Files\Hotspot Shield\bin\hsswd.exe
PRC - [2010/03/12 18:41:16 | 000,762,736 | ---- | M] (Microsoft Corporation) -- C:\Windows\vVX1000.exe
PRC - [2010/03/12 18:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe
PRC - [2010/01/15 20:49:20 | 000,255,536 | ---- | M] (McAfee, Inc.) -- C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
PRC - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2009/12/25 18:51:14 | 008,129,056 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
PRC - [2009/12/09 16:50:00 | 002,320,920 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2009/12/09 16:49:58 | 000,268,824 | R--- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
PRC - [2009/11/30 16:12:28 | 000,544,768 | ---- | M] (TODO: ) -- C:\Program Files\MSI\DirectOC\DirectOc.exe
PRC - [2009/10/31 13:45:39 | 002,614,272 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2009/10/14 10:46:52 | 000,151,552 | ---- | M] () -- C:\Program Files\Marvell\raid\svc\mvraidsvc.exe
PRC - [2009/10/02 23:32:51 | 000,640,376 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
PRC - [2009/09/15 18:56:48 | 000,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009/09/15 18:56:43 | 000,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009/09/15 18:56:28 | 000,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009/09/15 18:54:13 | 000,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009/09/15 18:49:40 | 000,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009/07/14 09:14:42 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2009/06/03 20:59:02 | 000,103,720 | ---- | M] (CyberLink) -- C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe
PRC - [2009/05/26 16:46:10 | 001,159,168 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
PRC - [2009/04/15 23:52:06 | 000,091,432 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
PRC - [2009/03/30 15:00:54 | 000,221,184 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\Brmfcmon\BrMfcMon.exe
PRC - [2009/03/23 17:02:50 | 000,872,448 | ---- | M] (Brother Industries, Ltd.) -- C:\Program Files\Brother\ControlCenter3\BrccMCtl.exe
PRC - [2008/06/13 04:05:04 | 000,024,635 | ---- | M] (Apache Software Foundation) -- C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe
PRC - [2007/08/07 08:05:46 | 000,200,704 | ---- | M] (PowerISO Computing, Inc.) -- C:\Program Files\PowerISO\PWRISOVM.EXE


========== Modules (SafeList) ==========

MOD - [2010/05/24 16:52:41 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\RuDolF~\Desktop\OTL.exe
MOD - [2009/07/14 09:16:15 | 000,099,840 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sspicli.dll
MOD - [2009/07/14 09:16:13 | 000,092,160 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\sechost.dll
MOD - [2009/07/14 09:16:12 | 000,031,744 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\profapi.dll
MOD - [2009/07/14 09:15:35 | 000,288,256 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\KernelBase.dll
MOD - [2009/07/14 09:15:13 | 000,067,072 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\dwmapi.dll
MOD - [2009/07/14 09:15:11 | 000,064,512 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\devobj.dll
MOD - [2009/07/14 09:15:07 | 000,036,864 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cryptbase.dll
MOD - [2009/07/14 09:15:02 | 000,145,920 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\cfgmgr32.dll
MOD - [2009/07/14 09:14:10 | 000,095,232 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx
MOD - [2009/07/14 09:03:50 | 001,680,896 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16385_none_421189da2b7fabfc\comctl32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/04/30 22:36:14 | 001,343,400 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/19 19:36:39 | 000,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2010/04/07 03:44:46 | 000,057,640 | ---- | M] () [On_Demand | Stopped] -- C:\Program Files\Hotspot Shield\bin\HssTrayService.exe -- (HssTrayService)
SRV - [2010/04/07 03:44:14 | 000,247,856 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\openvpnas.exe -- (HotspotShieldService)
SRV - [2010/04/01 08:24:08 | 000,194,608 | ---- | M] () [Auto | Running] -- C:\Program Files\Hotspot Shield\bin\hsswd.exe -- (HssWd)
SRV - [2010/03/12 18:41:16 | 000,139,632 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft LifeCam\MSCamS32.exe -- (MSCamSvc)
SRV - [2010/01/15 20:49:20 | 000,227,232 | ---- | M] (McAfee, Inc.) [On_Demand | Stopped] -- C:\Program Files\McAfee Security Scan\2.0.181\McCHSvc.exe -- (McComponentHostService)
SRV - [2010/01/07 16:07:10 | 000,236,368 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2009/12/09 16:50:00 | 002,320,920 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS) Intel(R)
SRV - [2009/12/09 16:49:58 | 000,268,824 | R--- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS) Intel(R)
SRV - [2009/10/14 10:46:52 | 000,151,552 | ---- | M] () [Auto | Running] -- C:\Program Files\Marvell\raid\svc\mvraidsvc.exe -- (Marvell RAID)
SRV - [2009/09/15 18:56:43 | 000,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009/09/15 18:56:28 | 000,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009/09/15 18:54:13 | 000,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009/09/15 18:49:40 | 000,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009/07/14 09:16:21 | 000,185,856 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wwansvc.dll -- (WwanSvc)
SRV - [2009/07/14 09:16:17 | 000,151,552 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\wbiosrvc.dll -- (WbioSrvc)
SRV - [2009/07/14 09:16:17 | 000,119,808 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\umpo.dll -- (Power)
SRV - [2009/07/14 09:16:16 | 000,037,376 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\themeservice.dll -- (Themes)
SRV - [2009/07/14 09:16:15 | 000,053,760 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sppuinotify.dll -- (sppuinotify)
SRV - [2009/07/14 09:16:13 | 000,043,520 | ---- | M] (Microsoft Corporation) [Unknown | Running] -- C:\Windows\System32\RpcEpMap.dll -- (RpcEptMapper)
SRV - [2009/07/14 09:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/14 09:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/14 09:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (PNRPsvc)
SRV - [2009/07/14 09:16:12 | 000,269,824 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\pnrpsvc.dll -- (p2pimsvc)
SRV - [2009/07/14 09:16:12 | 000,165,376 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\provsvc.dll -- (HomeGroupProvider)
SRV - [2009/07/14 09:16:12 | 000,020,480 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\pnrpauto.dll -- (PNRPAutoReg)
SRV - [2009/07/14 09:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/07/14 09:15:36 | 000,194,560 | ---- | M] (Microsoft Corporation) [On_Demand | Running] -- C:\Windows\System32\ListSvc.dll -- (HomeGroupListener)
SRV - [2009/07/14 09:15:21 | 000,797,696 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\FntCache.dll -- (FontCache)
SRV - [2009/07/14 09:15:11 | 000,253,440 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\System32\dhcpcore.dll -- (Dhcp)
SRV - [2009/07/14 09:15:10 | 000,218,624 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\defragsvc.dll -- (defragsvc)
SRV - [2009/07/14 09:14:59 | 000,076,800 | ---- | M] (Microsoft Corporation) [Unknown | Stopped] -- C:\Windows\System32\bdesvc.dll -- (BDESVC)
SRV - [2009/07/14 09:14:58 | 000,088,064 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\AxInstSv.dll -- (AxInstSV) ActiveX Installer (AxInstSV)
SRV - [2009/07/14 09:14:53 | 000,027,648 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\appidsvc.dll -- (AppIDSvc)
SRV - [2009/07/14 09:14:29 | 003,179,520 | ---- | M] (Microsoft Corporation) [Auto | Stopped] -- C:\Windows\System32\sppsvc.exe -- (sppsvc)
SRV - [2008/06/13 04:05:04 | 000,024,635 | ---- | M] (Apache Software Foundation) [Auto | Running] -- C:\Program Files\Marvell\raid\Apache2\bin\httpd.exe -- (MRUWebService)


========== Driver Services (SafeList) ==========

DRV - [2010/03/27 03:07:02 | 000,032,768 | ---- | M] (AnchorFree Inc) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\taphss.sys -- (taphss)
DRV - [2010/03/12 18:41:16 | 001,961,072 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\VX1000.sys -- (VX1000)
DRV - [2010/01/07 16:07:04 | 000,019,160 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2009/12/25 18:28:34 | 002,981,024 | ---- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\RTKVHDA.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2009/12/18 11:31:38 | 007,064,576 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx)
DRV - [2009/12/11 15:44:02 | 000,133,720 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\ksecpkg.sys -- (KSecPkg)
DRV - [2009/11/27 17:44:52 | 000,233,472 | ---- | M] (Realtek ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Rt86win7.sys -- (RTL8167)
DRV - [2009/11/27 05:13:42 | 000,209,920 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcDAud.sys -- (IntcDAud) Intel(R)
DRV - [2009/11/23 14:43:42 | 000,099,440 | ---- | M] (JMicron Technology Corp.) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\jraid.sys -- (JRAID)
DRV - [2009/11/02 12:45:44 | 000,014,808 | ---- | M] () [Kernel | Auto | Running] -- C:\Windows\System32\drivers\TurboB.sys -- (TurboB)
DRV - [2009/09/17 12:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI) Intel(R)
DRV - [2009/09/15 18:55:30 | 000,114,768 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2009/09/15 18:55:19 | 000,020,560 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2009/09/15 18:55:09 | 000,053,328 | ---- | M] (ALWIL Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2009/09/15 18:54:30 | 000,052,368 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2009/09/15 18:54:21 | 000,023,152 | ---- | M] (ALWIL Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr.sys -- (aswRdr)
DRV - [2009/07/14 09:26:21 | 000,015,952 | ---- | M] (CMD Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\cmdide.sys -- (cmdide)
DRV - [2009/07/14 09:26:17 | 000,297,552 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpahci.sys -- (adpahci)
DRV - [2009/07/14 09:26:15 | 000,422,976 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adp94xx.sys -- (adp94xx)
DRV - [2009/07/14 09:26:15 | 000,159,312 | ---- | M] (AMD Technologies Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsbs.sys -- (amdsbs)
DRV - [2009/07/14 09:26:15 | 000,146,512 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\adpu320.sys -- (adpu320)
DRV - [2009/07/14 09:26:15 | 000,086,608 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arcsas.sys -- (arcsas)
DRV - [2009/07/14 09:26:15 | 000,079,952 | ---- | M] (Advanced Micro Devices) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdsata.sys -- (amdsata)
DRV - [2009/07/14 09:26:15 | 000,076,368 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\arc.sys -- (arc)
DRV - [2009/07/14 09:26:15 | 000,023,616 | ---- | M] (Advanced Micro Devices) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\amdxata.sys -- (amdxata)
DRV - [2009/07/14 09:26:15 | 000,014,400 | ---- | M] (Acer Laboratories Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\aliide.sys -- (aliide)
DRV - [2009/07/14 09:20:44 | 000,142,416 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvstor.sys -- (nvstor)
DRV - [2009/07/14 09:20:44 | 000,117,312 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nvraid.sys -- (nvraid)
DRV - [2009/07/14 09:20:44 | 000,044,624 | ---- | M] (IBM Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\nfrd960.sys -- (nfrd960)
DRV - [2009/07/14 09:20:37 | 000,089,168 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas.sys -- (LSI_SAS)
DRV - [2009/07/14 09:20:36 | 000,332,352 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iaStorV.sys -- (iaStorV)
DRV - [2009/07/14 09:20:36 | 000,235,584 | ---- | M] (LSI Corporation, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MegaSR.sys -- (MegaSR)
DRV - [2009/07/14 09:20:36 | 000,096,848 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_scsi.sys -- (LSI_SCSI)
DRV - [2009/07/14 09:20:36 | 000,095,824 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_fc.sys -- (LSI_FC)
DRV - [2009/07/14 09:20:36 | 000,054,864 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\lsi_sas2.sys -- (LSI_SAS2)
DRV - [2009/07/14 09:20:36 | 000,041,040 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\iirsp.sys -- (iirsp)
DRV - [2009/07/14 09:20:36 | 000,030,800 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\megasas.sys -- (megasas)
DRV - [2009/07/14 09:20:36 | 000,013,904 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hwpolicy.sys -- (hwpolicy)
DRV - [2009/07/14 09:20:28 | 000,453,712 | ---- | M] (Emulex) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\elxstor.sys -- (elxstor)
DRV - [2009/07/14 09:20:28 | 000,070,720 | ---- | M] (Adaptec, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\djsvs.sys -- (aic78xx)
DRV - [2009/07/14 09:20:28 | 000,067,152 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HpSAMD.sys -- (HpSAMD)
DRV - [2009/07/14 09:20:28 | 000,046,160 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\fsdepends.sys -- (FsDepends)
DRV - [2009/07/14 09:19:11 | 000,141,904 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vsmraid.sys -- (vsmraid)
DRV - [2009/07/14 09:19:10 | 000,175,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vmbus.sys -- (vmbus)
DRV - [2009/07/14 09:19:10 | 000,159,824 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vhdmp.sys -- (vhdmp)
DRV - [2009/07/14 09:19:10 | 000,040,896 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vmstorfl.sys -- (storflt)
DRV - [2009/07/14 09:19:10 | 000,032,832 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\vdrvroot.sys -- (vdrvroot)
DRV - [2009/07/14 09:19:10 | 000,028,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\storvsc.sys -- (storvsc)
DRV - [2009/07/14 09:19:10 | 000,019,008 | ---- | M] (Microsoft Corporation) [File_System | On_Demand | Stopped] -- C:\Windows\System32\drivers\wimmount.sys -- (WIMMount)
DRV - [2009/07/14 09:19:10 | 000,016,976 | ---- | M] (VIA Technologies, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\viaide.sys -- (viaide)
DRV - [2009/07/14 09:19:04 | 001,383,488 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql2300.sys -- (ql2300)
DRV - [2009/07/14 09:19:04 | 000,173,648 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\rdyboost.sys -- (rdyboost)
DRV - [2009/07/14 09:19:04 | 000,106,064 | ---- | M] (QLogic Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\ql40xx.sys -- (ql40xx)
DRV - [2009/07/14 09:19:04 | 000,077,888 | ---- | M] (Silicon Integrated Systems) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\sisraid4.sys -- (SiSRaid4)
DRV - [2009/07/14 09:19:04 | 000,043,088 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\pcw.sys -- (pcw)
DRV - [2009/07/14 09:19:04 | 000,040,016 | ---- | M] (Silicon Integrated Systems Corp.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\SiSRaid2.sys -- (SiSRaid2)
DRV - [2009/07/14 09:19:04 | 000,021,072 | ---- | M] (Promise Technology) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\stexstor.sys -- (stexstor)
DRV - [2009/07/14 09:17:54 | 000,369,568 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\cng.sys -- (CNG)
DRV - [2009/07/14 08:57:25 | 000,272,128 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\Brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM)
DRV - [2009/07/14 08:02:41 | 000,018,944 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\rdpbus.sys -- (rdpbus)
DRV - [2009/07/14 08:01:41 | 000,007,168 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\RDPREFMP.sys -- (RDPREFMP)
DRV - [2009/07/14 07:55:00 | 000,049,152 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\agilevpn.sys -- (RasAgileVpn) WAN Miniport (IKEv2)
DRV - [2009/07/14 07:53:51 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\wfplwf.sys -- (WfpLwf)
DRV - [2009/07/14 07:52:44 | 000,027,136 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ndiscap.sys -- (NdisCap)
DRV - [2009/07/14 07:52:02 | 000,019,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vwifibus.sys -- (vwifibus)
DRV - [2009/07/14 07:52:00 | 000,163,328 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\1394ohci.sys -- (1394ohci)
DRV - [2009/07/14 07:51:35 | 000,008,192 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\umpass.sys -- (UmPass)
DRV - [2009/07/14 07:51:23 | 000,080,640 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2009/07/14 07:51:08 | 000,004,096 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\mshidkmdf.sys -- (mshidkmdf)
DRV - [2009/07/14 07:46:55 | 000,012,288 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\MTConfig.sys -- (MTConfig)
DRV - [2009/07/14 07:45:26 | 000,031,232 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CompositeBus.sys -- (CompositeBus)
DRV - [2009/07/14 07:36:52 | 000,050,176 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\appid.sys -- (AppID)
DRV - [2009/07/14 07:33:50 | 000,026,624 | ---- | M] (Microsoft Corporation) [Kernel | Unknown | Stopped] -- C:\Windows\System32\drivers\scfilter.sys -- (scfilter)
DRV - [2009/07/14 07:28:47 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\vms3cap.sys -- (s3cap)
DRV - [2009/07/14 07:28:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\VMBusHID.sys -- (VMBusHID)
DRV - [2009/07/14 07:24:05 | 000,032,256 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\discache.sys -- (discache)
DRV - [2009/07/14 07:19:21 | 000,021,504 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\HidBatt.sys -- (HidBatt)
DRV - [2009/07/14 07:16:36 | 000,009,728 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\acpipmi.sys -- (AcpiPmi)
DRV - [2009/07/14 07:11:04 | 000,052,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\amdppm.sys -- (AmdPPM)
DRV - [2009/07/14 06:54:14 | 000,026,624 | ---- | M] (Hauppauge Computer Works, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\hcw85cir.sys -- (hcw85cir)
DRV - [2009/07/14 06:53:33 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbMdm.sys -- (BrUsbMdm)
DRV - [2009/07/14 06:53:33 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrUsbSer.sys -- (BrUsbSer)
DRV - [2009/07/14 06:53:32 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\Drivers\BrSerWdm.sys -- (BrSerWdm)
DRV - [2009/07/14 06:53:28 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltLo.sys -- (BrFiltLo)
DRV - [2009/07/14 06:53:28 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\BrFiltUp.sys -- (BrFiltUp)
DRV - [2009/07/14 06:02:49 | 000,229,888 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\b57nd60x.sys -- (b57nd60x)
DRV - [2009/07/14 06:02:48 | 003,100,160 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\evbdx.sys -- (ebdrv)
DRV - [2009/07/14 06:02:48 | 000,430,080 | ---- | M] (Broadcom Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\DRIVERS\bxvbdx.sys -- (b06bdrv)
DRV - [2009/06/08 06:57:40 | 000,073,312 | ---- | M] (Adobe Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\adfs.sys -- (adfs)
DRV - [2009/04/29 15:37:26 | 000,025,088 | ---- | M] (Windows (R) Codename Longhorn DDK provider) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\KMWDFILTER.sys -- (KMWDFILTERx86)
DRV - [2009/04/25 05:07:20 | 000,007,680 | ---- | M] (MSI) [Kernel | On_Demand | Running] -- C:\Program Files\MSI\DirectOC\NTIOLib.sys -- (NTIOLib_1_0_0)
DRV - [2007/12/14 09:21:32 | 000,009,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Program Files\MSI\Live Update 4\LU4\FlashSys.sys -- (FLASHSYS)
DRV - [2007/08/07 08:15:07 | 000,033,052 | ---- | M] (PowerISO Computing, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\scdemu.sys -- (SCDEmu)
DRV - [2007/06/19 07:51:16 | 000,081,832 | ---- | M] (MCCI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\s816bus.sys -- (s816bus) Sony Ericsson Device 816 driver (WDM)
DRV - [2006/11/02 16:51:58 | 000,013,560 | ---- | M] (Cyberlink Corp.) [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD\000.fcl -- ({95808DC4-FA4A-4c74-92FE-5B863F82066B})


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = [You must be registered and logged in to see this link.]
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = E6 78 F8 C3 AF ED CA 01 [binary data]
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.mozilla.com/en-US/firefox/3.6.3/firstrun/"
FF - prefs.js..extensions.enabledItems: {b9db16a4-6edc-47ec-a1f4-b86292ed211d}:4.7.3

FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/24 08:20:48 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.6.3\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/04/27 09:45:22 | 000,000,000 | ---D | M]

[2010/04/19 09:53:35 | 000,000,000 | ---D | M] -- C:\Users\RuDolF~\AppData\Roaming\Mozilla\Extensions
[2010/05/24 08:11:08 | 000,000,000 | ---D | M] -- C:\Users\RuDolF~\AppData\Roaming\Mozilla\Firefox\Profiles\0pqnwlgr.default\extensions
[2010/04/19 10:04:10 | 000,000,000 | ---D | M] (DownloadHelper) -- C:\Users\RuDolF~\AppData\Roaming\Mozilla\Firefox\Profiles\0pqnwlgr.default\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
[2010/04/19 09:53:07 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2008/06/11 16:11:24 | 000,032,768 | ---- | M] (ShenZhen Thunder Networking Technologies Ltd.) -- C:\Program Files\Mozilla Firefox\plugins\npDapCtrlFirefox.dll

O1 HOSTS File: ([2010/05/24 08:35:01 | 000,001,366 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 activate.adobe.com
O1 - Hosts: 127.0.0.1 practivate.adobe.com
O1 - Hosts: 127.0.0.1 ereg.adobe.com
O1 - Hosts: 127.0.0.1 activate.wip3.adobe.com
O1 - Hosts: 127.0.0.1 wip3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-3.adobe.com
O1 - Hosts: 127.0.0.1 3dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-2.adobe.com
O1 - Hosts: 127.0.0.1 adobe-dns-3.adobe.com
O1 - Hosts: 127.0.0.1 ereg.wip3.adobe.com
O1 - Hosts: 127.0.0.1 activate-sea.adobe.com
O1 - Hosts: 127.0.0.1 wwis-dubc1-vip60.adobe.com
O1 - Hosts: 127.0.0.1 activate-sjc0.adobe.com
O1 - Hosts: 127.0.0.1 adobe.activate.com
O2 - BHO: (ThunderAtOnce Class) - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder\ComDlls\TDAtOnce_Now.dll (Thunder Networking Technologies,LTD)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O2 - BHO: (Thunder Browser Helper) - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll (Thunder Networking Technologies,LTD)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Adobe PDF Conversion Toolbar Helper) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Skype add-on for Internet Explorer) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll (Google Inc.)
O2 - BHO: (SmartSelect Class) - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O2 - BHO: (Hotspot Shield Class) - {F9E4A054-E9B1-4BC3-83A3-76A1AE736170} - C:\Program Files\Hotspot Shield\hssie\HssIE.dll (AnchorFree Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O3 - HKCU\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKCU\..\Toolbar\WebBrowser: (Adobe PDF) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [Acrobat Assistant 8.0] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe (Adobe Systems Inc.)
O4 - HKLM..\Run: [Adobe Acrobat Speed Launcher] C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [AdobeCS4ServiceManager] C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [CLMLServer] C:\Program Files\CyberLink\Power2Go\CLMLSvc.exe (CyberLink)
O4 - HKLM..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe (Brother Industries, Ltd.)
O4 - HKLM..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe ()
O4 - HKLM..\Run: [JMB36X IDE Setup] C:\Windows\RaidTool\xInsIDE.exe ()
O4 - HKLM..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe ()
O4 - HKLM..\Run: [LGODDFU] C:\Program Files\lg_fwupdate\fwupdate.exe (BitLeader)
O4 - HKLM..\Run: [LifeCam] C:\Program Files\Microsoft LifeCam\LifeExp.exe (Microsoft Corporation)
O4 - HKLM..\Run: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [MRUTray] C:\Program Files\Marvell\raid\tray\MarvellTray.exe ()
O4 - HKLM..\Run: [PDVD8LanguageShortcut] C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe (CyberLink Corp.)
O4 - HKLM..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE (PowerISO Computing, Inc.)
O4 - HKLM..\Run: [RemoteControl8] C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe (CyberLink Corp.)
O4 - HKLM..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [UCam_Menu] C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateLBPShortCut] C:\Program Files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdateP2GoShortCut] C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePPShortCut] C:\Program Files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [UpdatePSTShortCut] C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe (CyberLink Corp.)
O4 - HKLM..\Run: [VX1000] C:\Windows\vVX1000.exe (Microsoft Corporation)
O4 - HKCU..\Run: [AdobeBridge] File not found
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder\Program\geturl.htm ()
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder\Program\getAllurl.htm ()
O8 - Extra context menu item: Append Link Target to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Append to Existing PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert Link Target to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Convert to Adobe PDF - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
O8 - Extra context menu item: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll (Google Inc.)
O8 - Extra context menu item: 使用迅雷下載 - C:\Program Files\Thunder\Program\geturl.htm ()
O8 - Extra context menu item: 使用迅雷下載全部鏈接 - C:\Program Files\Thunder\Program\getAllurl.htm ()
O8 - Extra context menu item: 匯出至 Microsoft Excel(&X) - C:\Program Files\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: ゐ雄捃濘5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe (Thunder Networking Technologies,LTD)
O9 - Extra 'Tools' menuitem : ゐ雄捃濘5 - {09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - C:\Program Files\Thunder\Thunder.exe (Thunder Networking Technologies,LTD)
O9 - Extra Button: 傳送至 OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : 傳送至 OneNote(E) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation)
O9 - Extra Button: Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype add-on for Internet Explorer - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation)
O13 - gopher Prefix: missing
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} [You must be registered and logged in to see this link.] (Shockwave ActiveX Control)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} [You must be registered and logged in to see this link.] ()
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} [You must be registered and logged in to see this link.] (Solitaire Showdown Class)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} [You must be registered and logged in to see this link.] (MessengerStatsClient Class)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} [You must be registered and logged in to see this link.] (Shockwave Flash Object)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} [You must be registered and logged in to see this link.] (Reg Error: Key error.)
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} [You must be registered and logged in to see this link.] (Minesweeper Flags Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1
O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation)
O20 - AppInit_DLLs: (acaptuser32.dll) - C:\Windows\System32\acaptuser32.dll (Adobe Systems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (/pagefile) - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - CLSID or File not found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation)
O30 - LSA: Security Packages - (pku2u) - C:\Windows\System32\pku2u.dll (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/11 05:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2010/05/24 16:52:26 | 000,571,904 | ---- | C] (OldTimer Tools) -- C:\Users\RuDolF~\Desktop\OTL.exe
[2010/05/24 14:10:51 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\Desktop\Comp Stuff
[2010/05/24 09:58:44 | 000,052,368 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswTdi.sys
[2010/05/24 09:58:44 | 000,023,152 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswRdr.sys
[2010/05/24 09:58:43 | 000,114,768 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswSP.sys
[2010/05/24 09:58:43 | 000,097,480 | ---- | C] (ALWIL Software) -- C:\Windows\System32\AvastSS.scr
[2010/05/24 09:58:43 | 000,020,560 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswFsBlk.sys
[2010/05/24 09:58:30 | 001,279,968 | ---- | C] (ALWIL Software) -- C:\Windows\System32\aswBoot.exe
[2010/05/24 09:58:30 | 000,053,328 | ---- | C] (ALWIL Software) -- C:\Windows\System32\drivers\aswMonFlt.sys
[2010/05/24 09:19:12 | 000,000,000 | ---D | C] -- C:\Program Files\Avas 4
[2010/05/24 09:18:31 | 000,000,000 | ---D | C] -- C:\Program Files\ALWIL Software Security
[2010/05/24 08:39:57 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\AppData\Roaming\Malwarebytes
[2010/05/24 08:39:54 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys
[2010/05/24 08:39:53 | 000,019,160 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys
[2010/05/24 08:39:53 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/05/24 08:39:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes
[2010/05/24 08:11:05 | 000,000,000 | ---D | C] -- C:\Program Files\Enigma Software Group
[2010/05/24 08:10:53 | 000,000,000 | ---D | C] -- C:\Windows\61D3AAE1D5214CD7939B37813DE8F955.TMP
[2010/05/24 08:10:52 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/05/24 00:28:46 | 000,000,000 | ---D | C] -- C:\ProgramData\Alwil Software
[2010/05/23 16:57:55 | 000,000,000 | ---D | C] -- C:\ProgramData\Office Genuine Advantage
[2010/05/21 14:32:45 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\Documents\Youcam
[2010/05/20 17:47:32 | 000,000,000 | ---D | C] -- C:\Windows\Minidump
[2010/05/15 20:17:31 | 000,000,000 | ---D | C] -- C:\Program Files\YouTube Downloader
[2010/05/15 20:15:33 | 000,609,584 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\COMCTL32.OCX
[2010/05/15 19:59:33 | 000,000,000 | ---D | C] -- C:\Program Files\AoA Audio Extractor
[2010/04/30 22:36:16 | 000,000,000 | ---D | C] -- C:\Windows\System32\Wat
[2010/04/30 20:33:02 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\Documents\Remote Assistance Logs
[2010/04/29 15:33:01 | 000,000,000 | ---D | C] -- C:\Program Files\Active X Control
[2010/04/28 09:50:30 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\dwhelper
[2010/04/28 09:41:57 | 001,037,312 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\lsasrv.dll
[2010/04/28 09:41:57 | 000,133,720 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\ksecpkg.sys
[2010/04/27 06:04:42 | 000,353,592 | ---- | C] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[2010/04/24 21:21:58 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\AppData\Roaming\ImgBurn
[2010/04/24 21:21:08 | 000,000,000 | ---D | C] -- C:\Users\RuDolF~\Documents\CyberLink
[2010/04/16 03:00:26 | 000,004,096 | ---- | C] ( ) -- C:\Windows\System32\IGFXDEVLib.dll
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2010/05/24 16:54:26 | 000,000,000 | ---- | M] () -- C:\Windows\System32\drivers\gpfinbc.sys
[2010/05/24 16:53:12 | 003,407,872 | -HS- | M] () -- C:\Users\RuDolF~\NTUSER.DAT
[2010/05/24 16:52:41 | 000,571,904 | ---- | M] (OldTimer Tools) -- C:\Users\RuDolF~\Desktop\OTL.exe
[2010/05/24 16:24:01 | 000,000,886 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job
[2010/05/24 14:00:00 | 000,000,374 | ---- | M] () -- C:\Windows\tasks\At1.job
[2010/05/24 13:58:11 | 000,054,016 | ---- | M] () -- C:\Windows\System32\drivers\qpnsarea.sys
[2010/05/24 13:25:01 | 000,017,360 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2010/05/24 13:25:01 | 000,017,360 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2010/05/24 13:21:31 | 001,635,192 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI
[2010/05/24 13:21:31 | 000,606,992 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2010/05/24 13:21:31 | 000,371,100 | ---- | M] () -- C:\Windows\System32\prfh0404.dat
[2010/05/24 13:21:31 | 000,355,130 | ---- | M] () -- C:\Windows\System32\prfh0804.dat
[2010/05/24 13:21:31 | 000,103,370 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2010/05/24 13:21:31 | 000,101,230 | ---- | M] () -- C:\Windows\System32\prfc0804.dat
[2010/05/24 13:21:31 | 000,096,316 | ---- | M] () -- C:\Windows\System32\prfc0404.dat
[2010/05/24 13:14:40 | 000,000,008 | ---- | M] () -- C:\Windows\mvraidver.dat
[2010/05/24 13:14:32 | 000,000,882 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
[2010/05/24 13:14:29 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT
[2010/05/24 13:14:17 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2010/05/24 13:14:08 | 259,870,856 | ---- | M] () -- C:\Windows\MEMORY.DMP
[2010/05/24 13:14:07 | 1452,625,920 | -HS- | M] () -- C:\hiberfil.sys
[2010/05/24 10:01:00 | 002,038,539 | -H-- | M] () -- C:\Users\RuDolF~\AppData\Local\IconCache.db
[2010/05/24 09:58:44 | 000,002,018 | ---- | M] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2010/05/24 09:58:42 | 000,002,577 | ---- | M] () -- C:\Windows\System32\config.nt
[2010/05/24 09:53:00 | 000,000,017 | ---- | M] () -- C:\Users\RuDolF~\AppData\Local\resmon.resmoncfg
[2010/05/24 08:20:50 | 000,000,000 | ---- | M] () -- C:\Windows\nsreg.dat
[2010/05/15 20:15:36 | 001,117,184 | ---- | M] () -- C:\Windows\System32\swfExt.dll
[2010/05/15 20:15:36 | 000,037,888 | ---- | M] () -- C:\Windows\System32\flash_lib.dll
[2010/05/15 19:50:49 | 000,002,537 | -H-- | M] () -- C:\Users\RuDolF~\Desktop\[MONOVA.ORG] AoA Audio Extractor Platinum v2.0 Inc. Keymaker.torrent
[2010/05/14 23:49:47 | 000,000,337 | ---- | M] () -- C:\Windows\lgfwup.ini
[2010/05/06 10:36:38 | 000,221,568 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\MpSigStub.exe
[2010/04/29 10:24:21 | 000,002,144 | ---- | M] () -- C:\Users\Public\Desktop\Google Chrome.lnk
[2010/04/27 06:04:42 | 000,353,592 | ---- | M] (DivX, Inc.) -- C:\Windows\System32\DivXControlPanelApplet.cpl
[1 C:\Windows\*.tmp files -> C:\Windows\*.tmp -> ]

========== Files Created - No Company Name ==========

[2010/05/24 13:58:11 | 000,054,016 | ---- | C] () -- C:\Windows\System32\drivers\qpnsarea.sys
[2010/05/24 09:58:44 | 000,002,018 | ---- | C] () -- C:\Users\Public\Desktop\avast! Antivirus.lnk
[2010/05/24 09:53:00 | 000,000,017 | ---- | C] () -- C:\Users\RuDolF~\AppData\Local\resmon.resmoncfg
[2010/05/24 08:20:50 | 000,000,000 | ---- | C] () -- C:\Windows\nsreg.dat
[2010/05/23 23:55:17 | 259,870,856 | ---- | C] () -- C:\Windows\MEMORY.DMP
[2010/05/20 14:01:59 | 000,823,808 | ---- | C] () -- C:\Windows\System32\drivers\gpfinbc.sys
[2010/05/15 20:15:36 | 001,117,184 | ---- | C] () -- C:\Windows\System32\swfExt.dll
[2010/05/15 20:15:36 | 000,037,888 | ---- | C] () -- C:\Windows\System32\flash_lib.dll
[2010/05/15 19:59:09 | 000,000,374 | ---- | C] () -- C:\Windows\tasks\At1.job
[2010/05/15 19:50:48 | 000,002,537 | -H-- | C] () -- C:\Users\RuDolF~\Desktop\[MONOVA.ORG] AoA Audio Extractor Platinum v2.0 Inc. Keymaker.torrent
[2010/04/20 18:24:17 | 003,673,360 | ---- | C] () -- C:\Windows\System32\MSO97RT.DLL
[2010/04/19 19:52:37 | 000,000,230 | ---- | C] () -- C:\Windows\Brpfx04a.ini
[2010/04/19 19:52:37 | 000,000,094 | ---- | C] () -- C:\Windows\brpcfx.ini
[2010/04/19 19:51:58 | 000,000,419 | ---- | C] () -- C:\Windows\BRWMARK.INI
[2010/04/19 19:51:58 | 000,000,027 | ---- | C] () -- C:\Windows\BRPP2KA.INI
[2010/04/19 19:30:58 | 000,053,248 | ---- | C] () -- C:\Windows\System32\PPadApi.dll
[2010/04/17 01:06:58 | 000,000,162 | ---- | C] () -- C:\Windows\ODBC.INI
[2010/04/16 04:43:10 | 000,000,337 | ---- | C] () -- C:\Windows\lgfwup.ini
[2010/04/16 04:29:37 | 000,032,768 | ---- | C] () -- C:\Windows\System32\Auxiliary.dll
[2010/04/16 03:02:20 | 000,140,288 | ---- | C] () -- C:\Windows\System32\igfxtvcx.dll
[2010/04/16 03:01:24 | 000,073,728 | ---- | C] () -- C:\Windows\System32\RtNicProp32.dll
[2010/04/16 03:00:26 | 000,208,896 | ---- | C] () -- C:\Windows\System32\iglhsip32.dll
[2010/04/16 03:00:26 | 000,143,360 | ---- | C] () -- C:\Windows\System32\iglhcp32.dll
[2009/11/02 12:45:44 | 000,014,808 | ---- | C] () -- C:\Windows\System32\drivers\TurboB.sys
[2009/09/30 09:44:52 | 000,000,127 | ---- | C] () -- C:\Windows\zraidtray.ini
[2009/09/29 17:18:02 | 000,050,360 | ---- | C] () -- C:\Windows\php.ini
[2009/08/03 15:07:42 | 000,403,816 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll
[2009/07/14 07:51:43 | 000,073,728 | ---- | C] () -- C:\Windows\System32\BthpanContextHandler.dll
[2009/07/14 07:42:10 | 000,064,000 | ---- | C] () -- C:\Windows\System32\BWContextHandler.dll
[2009/06/26 17:21:02 | 000,015,498 | ---- | C] () -- C:\Windows\VX1000.ini

========== Alternate Data Streams ==========

@Alternate Data Stream - 151 bytes -> C:\ProgramData\Temp:8CE646EE
< End of report >

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 8:56 am

Extras.txt:

OTL Extras logfile created on: 5/24/2010 16:53:02 - Run 1
OTL by OldTimer - Version 3.2.5.0 Folder = C:\Users\RuDolF~\Desktop
Ultimate Edition (Version = 6.1.7600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.7600.16385)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 57.00% Memory free
4.00 Gb Paging File | 2.00 Gb Available in Paging File | 60.00% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 465.66 Gb Total Space | 414.69 Gb Free Space | 89.05% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME
Current User Name: RuDolF~
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office12\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [OneNote.Open] -- C:\PROGRA~1\MICROS~2\Office12\ONENOTE.EXE "%L" (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications" = 0
"EnableFirewall" = 1

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
"{05308C4E-7285-4066-BAE3-6B50DA6ED755}" = Adobe Update Manager CS4
"{054EFA56-2AC1-48F4-A883-0AB89874B972}" = Adobe Extension Manager CS4
"{098727E1-775A-4450-B573-3F441F1CA243}" = kuler
"{098A2A49-7CF3-4F08-A38D-FB879117152A}" = Adobe Color NA Extra Settings CS4
"{0D6013AB-A0C7-41DC-973C-E93129C9A29F}" = Adobe Color JA Extra Settings CS4
"{0D67A4E4-5BE0-4C9A-8AD8-AB552B433F23}" = Adobe Setup
"{0DC0E85F-36E4-463B-B3EA-4CD8ED2222A1}" = Adobe Color EU Recommended Settings CS4
"{0F723FC1-7606-4867-866C-CE80AD292DAF}" = Adobe CSI CS4
"{10106AA7-38E7-4348-8396-9F535DF763EF}" = MSTPCRT
"{1618734A-3957-4ADD-8199-F973763109A8}" = Adobe Anchor Service CS4
"{16E16F01-2E2D-4248-A42F-76261C147B6C}" = Adobe Drive CS4
"{16E6D2C1-7C90-4309-8EC4-D2212690AAA4}" = AdobeColorCommonSetRGB
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{197A3012-8C85-4FD3-AB66-9EC7E13DB92E}" = Adobe AIR
"{1a413f37-ed88-4fec-9666-5c48dc4b7bb7}" = YouTube Downloader 2.5.5
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{28BE306E-5DA6-4F9C-BDB0-DBA3C8C6FFFD}" = QuickTime
"{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
"{35D94F92-1D3A-43C5-8605-EA268B1A7BD9}" = PDF Settings CS4
"{39F6E2B4-CFE8-C30A-66E8-489651F0F34C}" = Adobe Media Player
"{3A1B5D40-41E9-43FA-8C7B-A8667F5586EF}" = JMicron JMB36X Driver
"{3A4E8896-C2E7-4084-A4A4-B8FD1894E739}" = Adobe XMP Panels CS4
"{3D2C9DE6-9ADE-4252-A241-E43723B0CE02}" = Adobe Color - Photoshop Specific CS4
"{3DA8DF9A-044E-46C4-8531-DEDBB0EE37FF}" = Adobe WinSoft Linguistics Plugin
"{3F9170C9-A7C2-408F-A4D8-EC77250040BF}" = Sound Forge Pro 10.0
"{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{47A3FE80-528F-482B-8143-B3A4645557FC}" = Microsoft LifeCam
"{48D082B9-18F6-4426-AFAC-8B6A3E7021B1}" = Brother MFL-Pro Suite MFC-290C
"{4943EFF5-229F-435D-BEA9-BE3CAEA783A7}" = Adobe Service Manager Extension
"{520A8627-E1B7-4808-8F04-03A013CBBD10}" = Noise Reduction Plug-in 2.0i
"{553255F3-78FD-40F1-A6F8-6882140265FE}" = Apple Application Support
"{5EE7D259-D137-4438-9A5F-42F432EC0421}" = VC80CRTRedist - 8.0.50727.4053
"{6179550A-3E7C-499E-BCC9-9E8113E0A285}" = LG ODD Auto Firmware Update
"{63C24A08-70F3-4C8E-B9FB-9F21A903801D}" = Adobe Color Video Profiles CS CS4
"{63E5CDBF-8214-4F03-84F8-CD3CE48639AD}" = Adobe Photoshop CS4 Support
"{6412CECE-8172-4BE5-935B-6CECACD2CA87}" = Windows Live Mail
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{67F0E67A-8E93-4C2C-B29D-47C48262738A}" = Adobe Device Central CS4
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{68243FF8-83CA-466B-B2B8-9F99DA5479C4}" = AdobeColorCommonSetCMYK
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}" = Windows Live Essentials
"{820D3F45-F6EE-4AAF-81EF-CE21FF21D230}" = Adobe Type Support CS4
"{83877DB1-8B77-45BC-AB43-2BAC22E093E0}" = Adobe Bridge CS4
"{842B4B72-9E8F-4962-B3C1-1C422A5C4434}" = Suite Shared Configuration CS4
"{90120000-0015-0404-0000-0000000FF1CE}" = Microsoft Office Access MUI (Chinese (Traditional)) 2007
"{90120000-0015-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2007
"{90120000-0015-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0404-0000-0000000FF1CE}" = Microsoft Office Excel MUI (Chinese (Traditional)) 2007
"{90120000-0016-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2007
"{90120000-0016-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0017-0000-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer 2007
"{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0017-0000-0000-0000000FF1CE}_SharePointDesigner_{E1C33B03-3FE9-45BF-91E4-0266F38618C6}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0017-0404-0000-0000000FF1CE}" = Microsoft Office SharePoint Designer MUI (Chinese (Traditional)) 2007
"{90120000-0017-0404-0000-0000000FF1CE}_SharePointDesigner_{24FEEFAD-4399-4961-A4AA-5C64C7AFC1DE}" = Microsoft Office SharePoint Designer 2007 Service Pack 2 (SP2)
"{90120000-0018-0404-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (Chinese (Traditional)) 2007
"{90120000-0018-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2007
"{90120000-0018-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0404-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (Chinese (Traditional)) 2007
"{90120000-0019-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2007
"{90120000-0019-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0404-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (Chinese (Traditional)) 2007
"{90120000-001A-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2007
"{90120000-001A-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0404-0000-0000000FF1CE}" = Microsoft Office Word MUI (Chinese (Traditional)) 2007
"{90120000-001B-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2007
"{90120000-001B-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-001F-0404-0000-0000000FF1CE}" = Microsoft Office Proof (Chinese (Traditional)) 2007
"{90120000-001F-0404-0000-0000000FF1CE}_ENTERPRISE_{33FA7680-10ED-444E-BC72-214064317283}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0404-0000-0000000FF1CE}_PRJPRO_{33FA7680-10ED-444E-BC72-214064317283}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0404-0000-0000000FF1CE}_SharePointDesigner_{33FA7680-10ED-444E-BC72-214064317283}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0404-0000-0000000FF1CE}_VISPRO_{33FA7680-10ED-444E-BC72-214064317283}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2007
"{90120000-001F-0409-0000-0000000FF1CE}_ENTERPRISE_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_PRJPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_SharePointDesigner_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0409-0000-0000000FF1CE}_VISPRO_{ABDDE972-355B-4AF1-89A8-DA50B7B5C045}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2007
"{90120000-001F-040C-0000-0000000FF1CE}_ENTERPRISE_{F580DDD5-8D37-4998-968E-EBB76BB86787}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2007
"{90120000-001F-0C0A-0000-0000000FF1CE}_ENTERPRISE_{187308AB-5FA7-4F14-9AB9-D290383A10D9}" = Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
"{90120000-0028-0404-0000-0000000FF1CE}" = Microsoft Office IME (Chinese (Traditional)) 2007
"{90120000-0028-0404-0000-0000000FF1CE}_ENTERPRISE_{5E6C6E79-40BE-491B-9ABF-C665667E1B07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0028-0404-0000-0000000FF1CE}_PRJPRO_{5E6C6E79-40BE-491B-9ABF-C665667E1B07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0028-0404-0000-0000000FF1CE}_SharePointDesigner_{5E6C6E79-40BE-491B-9ABF-C665667E1B07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0028-0404-0000-0000000FF1CE}_VISPRO_{5E6C6E79-40BE-491B-9ABF-C665667E1B07}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-002C-0404-0000-0000000FF1CE}" = Microsoft Office Proofing (Chinese (Traditional)) 2007
"{90120000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2007
"{90120000-0030-0000-0000-0000000FF1CE}" = Microsoft Office Enterprise 2007
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0030-0000-0000-0000000FF1CE}_ENTERPRISE_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003B-0000-0000-0000000FF1CE}" = Microsoft Office Project Professional 2007
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-003B-0000-0000-0000000FF1CE}_PRJPRO_{9E73617F-2F38-4864-BD61-BB2DDFE43323}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-0044-0404-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (Chinese (Traditional)) 2007
"{90120000-0044-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2007
"{90120000-0044-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}" = Microsoft Office Visio Professional 2007
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{0FD405D3-CAF8-4CA6-8BFD-911D2F8A6585}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-0051-0000-0000-0000000FF1CE}_VISPRO_{3D019598-7B59-447A-80AE-815B703B84FF}" = Security Update for Microsoft Office system 2007 (972581)
"{90120000-0054-0404-0000-0000000FF1CE}" = Microsoft Office Visio MUI (Chinese (Traditional)) 2007
"{90120000-0054-0404-0000-0000000FF1CE}_VISPRO_{D6BB004A-798D-45A7-8F91-D9A35B2AAC54}" = Microsoft Office Visio 2007 Service Pack 2 (SP2)
"{90120000-006E-0404-0000-0000000FF1CE}" = Microsoft Office Shared MUI (Chinese (Traditional)) 2007
"{90120000-006E-0404-0000-0000000FF1CE}_ENTERPRISE_{3F96DD0A-F509-4CBD-8130-B3B3194A9C3D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0404-0000-0000000FF1CE}_PRJPRO_{3F96DD0A-F509-4CBD-8130-B3B3194A9C3D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0404-0000-0000000FF1CE}_SharePointDesigner_{3F96DD0A-F509-4CBD-8130-B3B3194A9C3D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0404-0000-0000000FF1CE}_VISPRO_{3F96DD0A-F509-4CBD-8130-B3B3194A9C3D}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2007
"{90120000-006E-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0404-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (Chinese (Traditional)) 2007
"{90120000-00A1-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2007
"{90120000-00A1-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-00B4-0404-0000-0000000FF1CE}" = Microsoft Office Project MUI (Chinese (Traditional)) 2007
"{90120000-00B4-0404-0000-0000000FF1CE}_PRJPRO_{94524B96-2BE3-4CD3-B230-9AA764AB6249}" = Microsoft Office Project 2007 Service Pack 2 (SP2)
"{90120000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2007
"{90120000-00BA-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0404-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (Chinese (Traditional)) 2007
"{90120000-0114-0404-0000-0000000FF1CE}_ENTERPRISE_{E600B433-47CB-4AFC-90BF-2958E8E7EF99}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0114-0409-0000-0000000FF1CE}" = Microsoft Office Groove Setup Metadata MUI (English) 2007
"{90120000-0114-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2007
"{90120000-0115-0409-0000-0000000FF1CE}_ENTERPRISE_{DE5A002D-8122-4278-A7EE-3121E7EA254E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{90120000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2007
"{90120000-0117-0409-0000-0000000FF1CE}_ENTERPRISE_{2FC4457D-409E-466F-861F-FB0CB796B53E}" = Microsoft Office 2007 Service Pack 2 (SP2)
"{931AB7EA-3656-4BB7-864D-022B09E3DD67}" = Adobe Linguistics CS4
"{94D398EB-D2FD-4FD1-B8C4-592635E8A191}" = Adobe CMaps CS4
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{981029E0-7FC9-4CF3-AB39-6F133621921A}" = Skype Toolbars
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{A85FD55B-891B-4314-97A5-EA96C0BD80B5}" = Windows Live Messenger
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AC76BA86-1033-F400-7761-000000000004}" = Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
"{AC76BA86-1033-F400-7761-000000000004}_920" = Adobe Acrobat 9.2.0 - CPSID_50026
"{AC76BA86-1033-F400-7761-000000000004}{AC76BA86-1033-F400-7761-000000000004}" = Reg Error: Invalid data type.
"{AC76BA86-7AD7-1033-7B44-A93000000001}" = Adobe Reader 9.3
"{ADD5DB49-72CF-11D8-9D75-000129760D75}" = LG CyberLink PowerBackup
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{B29AD377-CC12-490A-A480-1452337C618D}" = Connect
"{B3BC9DB1-0B0A-48B0-B86B-EA77CAA7F800}" = Microsoft Corporation
"{B65BA85C-0A27-4BC0-A22D-A66F0E5B9494}" = Adobe Photoshop CS4
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
"{BB4E33EC-8181-4685-96F7-8554293DEC6A}" = Adobe Output Module
"{C52E3EC1-048C-45E1-8D53-10B0C6509683}" = Adobe Default Language CS4
"{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LG CyberLink LabelPrint
"{CC75AB5C-2110-4A7F-AF52-708680D22FE8}" = Photoshop Camera Raw
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype(TM) 4.2
"{D1725D54-279A-40C5-A70D-23C1785DB920}_is1" = AoA Audio Extractor Platinum
"{E2DFE069-083E-4631-9B6C-43C48E991DE5}" = Junk Mail filter update
"{E3B4B190-A5E9-4753-8E12-5BC457FBB8D8}" = SmartCode ViewerX VNC Viewer ActiveX 3.0.6.1
"{E4848436-0345-47E2-B648-8B522FCDA623}" = Adobe Photoshop CS4
"{ED00D08A-3C5F-488D-93A0-A04F21F23956}" = Windows Live Communications Platform
"{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}" = Microsoft Choice Guard
"{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}" = Intel(R) Graphics Media Accelerator Driver
"{F0E64E2E-3A60-40D8-A55D-92F6831875DA}" = Adobe Search for Help
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F4F4F84E-804F-4E9A-84D7-C34283F0088F}" = RealUpgrade 1.0
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"{F7D53B02-2C51-4CF5-9A51-F7A6D658EA5A}" = PenPowerJR-6.0
"{F8EF2B3F-C345-4F20-8FE4-791A20333CD5}" = Adobe Extendscript Toolkit CS4
"{F93C84A6-0DC6-42AF-89FA-776F7C377353}" = Adobe PDF Library Files CS4
"{FCDD51BB-CAD0-4BB1-B7DF-CE86D1032794}" = Adobe Fonts All
"Adobe AIR" = Adobe AIR
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Adobe_faf656ef605427ee2f42989c3ad31b8" = Adobe Photoshop CS4
"ALWIL Software Security 4.8.1296.0" = ALWIL Software Security 4.8.1296.0
"avast!" = avast! Antivirus
"com.adobe.amp.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1" = Adobe Media Player
"ControlCenter_is1" = ControlCenter
"DirectOC_is1" = DirectOC
"DivX Setup.divx.com" = DivX Setup
"ENTERPRISE" = Microsoft Office Enterprise 2007
"Google Chrome" = Google Chrome
"HotspotShield" = Hotspot Shield 1.41
"ImgBurn" = ImgBurn
"InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}" = LG CyberLink YouCam
"InstallShield_{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = LG Power Tools
"InstallShield_{2BF2E31F-B8BB-40A7-B650-98D28E0F7D47}" = LG CyberLink PowerDVD
"InstallShield_{40BF1E83-20EB-11D8-97C5-0009C5020658}" = LG CyberLink Power2Go
"InstallShield_{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = LG CyberLink PowerProducer
"InstallShield_{C59C179C-668D-49A9-B6EA-0121CCFC1243}" = LG CyberLink LabelPrint
"Liveupdate4_is1" = Liveupdate4
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"MapleStory" = MapleStory
"McAfee Security Scan" = McAfee Security Scan Plus
"Messenger Plus! Live" = Messenger Plus! Live
"Mozilla Firefox (3.6.3)" = Mozilla Firefox (3.6.3)
"MSTTS" = Microsoft Text-to-Speech Engine 4.0 (English)
"mv61xxMRU" = Marvell MRU V4
"Nostale Global_is1" = Nostale Global (Remove)
"PowerISO" = PowerISO
"PRJPRO" = Microsoft Office Project Professional 2007
"RealPlayer 12.0" = RealPlayer
"SharePointDesigner" = Microsoft Office SharePoint Designer 2007
"thunder_is1" = 迅雷5
"TVWiz" = Intel(R) TV Wizard
"VISPRO" = Microsoft Office Visio Professional 2007
"WinLiveSuite_Wave3" = Windows Live Essentials
"WinRAR archiver" = WinRAR archiver
"港華會計系統" = 港華會計系統

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 5/20/2010 07:19:43 | Computer Name = Home | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestOpenList Error 1753.

Error - 5/20/2010 07:19:43 | Computer Name = Home | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::LoadFiles()
chestOpenList() failed: 2147422219.

Error - 5/20/2010 07:19:46 | Computer Name = Home | Source = avast! | ID = 33554522
Description = aswChestInterface - Program error description: CChestListView::OnCreate()
!m_strErrorWnd.IsEmpty().

Error - 5/20/2010 07:29:54 | Computer Name = Home | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

Error - 5/20/2010 07:34:31 | Computer Name = Home | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

Error - 5/20/2010 07:34:36 | Computer Name = Home | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

[ Application Events ]
Error - 5/24/2010 02:16:27 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: unknown, version: 0.0.0.0, time stamp: 0x00000000
Exception
code: 0xc0000005 Fault offset: 0xff8bcccc Faulting process id: 0x87c Faulting application
start time: 0x01cafb089bac5005 Faulting application path: C:\Program Files\Windows
Live\Messenger\msnmsgr.exe Faulting module path: unknown Report Id: e247c328-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:16:44 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0xe3c Faulting application start time: 0x01cafb08acab0155 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: ec4b6d2f-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:16:50 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Exception code: 0xc0000005 Fault offset: 0x00306158 Faulting process
id: 0x135c Faulting application start time: 0x01cafb08afe4fed4 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Windows Live\Messenger\msnmsgr.exe Report Id: efe70319-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:16:56 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0xd4 Faulting application start time: 0x01cafb08b3d18388 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: f3afd329-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:17:02 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0xdb8 Faulting application start time: 0x01cafb08b797f237 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: f70b23ec-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:17:08 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0xef8 Faulting application start time: 0x01cafb08bb599e26 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: fab50218-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:17:13 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0x173c Faulting application start time: 0x01cafb08be55b7de Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: fdb5de90-66fb-11df-816f-4061869756fc

Error - 5/24/2010 02:17:18 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0x1268 Faulting application start time: 0x01cafb08c15432f6 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: 00aad427-66fc-11df-816f-4061869756fc

Error - 5/24/2010 02:17:30 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0x41c Faulting application start time: 0x01cafb08c8523dc4 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: 07a8def5-66fc-11df-816f-4061869756fc

Error - 5/24/2010 02:17:37 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time
stamp: 0x4bcb3590 Exception code: 0xc0000005 Fault offset: 0x000e3a49 Faulting process
id: 0xedc Faulting application start time: 0x01cafb08ccbceb66 Faulting application
path: C:\Program Files\Windows Live\Messenger\msnmsgr.exe Faulting module path:
C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll Report Id: 0c112b37-66fc-11df-816f-4061869756fc

[ System Events ]
Error - 5/23/2010 21:53:49 | Computer Name = Home | Source = Service Control Manager | ID = 7003
Description = The avast! Web Scanner service depends the following service: avast!
Antivirus. This service might not be installed.

Error - 5/23/2010 21:54:39 | Computer Name = Home | Source = Service Control Manager | ID = 7030
Description = The avast! Antivirus service is marked as an interactive service.
However, the system is configured to not allow interactive services. This service
may not function properly.

Error - 5/23/2010 21:58:43 | Computer Name = Home | Source = Service Control Manager | ID = 7030
Description = The avast! Antivirus service is marked as an interactive service.
However, the system is configured to not allow interactive services. This service
may not function properly.

Error - 5/23/2010 21:58:43 | Computer Name = Home | Source = Service Control Manager | ID = 7030
Description = The avast! iAVS4 Control Service service is marked as an interactive
service. However, the system is configured to not allow interactive services.
This service may not function properly.

Error - 5/23/2010 21:58:43 | Computer Name = Home | Source = Service Control Manager | ID = 7030
Description = The avast! Mail Scanner service is marked as an interactive service.
However, the system is configured to not allow interactive services. This service
may not function properly.

Error - 5/23/2010 21:58:44 | Computer Name = Home | Source = Service Control Manager | ID = 7030
Description = The avast! Web Scanner service is marked as an interactive service.
However, the system is configured to not allow interactive services. This service
may not function properly.

Error - 5/24/2010 01:02:41 | Computer Name = Home | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:00:40 PM on 5/24/2010 was unexpected.

Error - 5/24/2010 01:02:42 | Computer Name = HOME | Source = BugCheck | ID = 1001
Description =

Error - 5/24/2010 01:14:19 | Computer Name = Home | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:09:25 PM on 5/24/2010 was unexpected.

Error - 5/24/2010 01:14:21 | Computer Name = HOME | Source = BugCheck | ID = 1001
Description =


< End of report >

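The "Last 10 Event Log Errors" section of the report above is worth reading as data rather than skipping past. The following Python script is an added example for this thread, not code from OTL, ComboFix or either poster: it parses that section's records (one "Error - date | Computer Name = ... | Source = ... | ID = ..." header line, a "Description = ..." body that OTL wraps over several lines, and a blank line as terminator) and reports the three patterns a responder would act on: a crash loop of one program inside one module, BugCheck 1001 kernel crashes paired with EventLog 6008 "unexpected shutdown" records, and avast! chest operations failing with Win32 error 1753 (EPT_S_NOT_REGISTERED, the RPC endpoint of the AV service was not registered). The fixture is constructed from an abridged copy of the report; the crash-loop threshold of three is the example's own choice.

```python
"""Triage of the "Last 10 Event Log Errors" section of an OTL report
(an added example for this thread, not code from OTL, ComboFix or the posters)."""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime

HEADER_RE = re.compile(r"^Error - (?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{2}:\d{2}:\d{2}) \| "
                       r"Computer Name = (?P<host>.+?) \| Source = (?P<source>.+?) \| ID = (?P<id>\d+)$")
SECTION_RE = re.compile(r"^\[ (?P<name>.+?) \]$")

@dataclass
class Event:
    section: str
    when: datetime
    host: str
    source: str
    event_id: int
    description: str

def parse_otl_events(text: str) -> list[Event]:
    """Split the section into Event records, re-joining wrapped description lines."""
    events: list[Event] = []
    section, header, desc = "", None, []

    def flush() -> None:
        nonlocal header, desc
        if header is not None:  # a BugCheck 1001 record legitimately has an empty description
            events.append(Event(section, *header, re.sub(r"^Description =\s*", "", " ".join(desc))))
        header, desc = None, []

    for raw in text.splitlines():
        line = raw.strip()
        if not line:  # a blank line closes the current record
            flush()
        elif m := SECTION_RE.match(line):
            flush()
            section = m["name"]
        elif m := HEADER_RE.match(line):
            flush()
            header = (datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S"), m["host"], m["source"], int(m["id"]))
        elif header is not None:
            desc.append(line)
    flush()
    return events

def triage(events: list[Event]) -> list[tuple[str, str]]:
    """(severity, message) findings for the patterns that matter on a suspected-rootkit box."""
    findings: list[tuple[str, str]] = []
    # 1. Crash loops: the same program dying in the same module over and over.
    loops: dict[tuple[str, str], list[datetime]] = {}
    for e in events:
        if e.source == "Application Error" and e.event_id == 1000:
            app = re.search(r"Faulting application name: ([^,]+),", e.description)
            mod = re.search(r"Faulting module name: ([^,]+),", e.description)
            loops.setdefault((app[1] if app else "?", mod[1] if mod else "?"), []).append(e.when)
    for (app, mod), times in loops.items():
        if len(times) >= 3:  # threshold is this example's choice
            span = int((max(times) - min(times)).total_seconds())
            findings.append(("medium", f"{app} crashed {len(times)} times in {mod} within {span}s"))
    # 2. Kernel crashes: BugCheck 1001 (empty text, so match source and ID) with EventLog 6008.
    bugchecks = sum(e.source == "BugCheck" and e.event_id == 1001 for e in events)
    dirty = sum(e.source == "EventLog" and e.event_id == 6008 for e in events)
    if bugchecks:
        findings.append(("high", f"{bugchecks} kernel crash(es) (BugCheck 1001), {dirty} unexpected shutdown(s)"))
    # 3. AV unable to quarantine: Win32 error 1753 is EPT_S_NOT_REGISTERED (AV service RPC endpoint gone).
    chest = [e for e in events if re.search(r"\bError 1753\b", e.description)]
    if chest:
        findings.append(("high", f"{chest[0].source}: {len(chest)} quarantine call(s) failed with RPC error 1753"))
    return findings

# Constructed fixture, abridged from the report posted in this thread.
SAMPLE = """\
[ Antivirus Events ]
Error - 5/20/2010 07:29:54 | Computer Name = Home | Source = avast! | ID = 33554522
Description = Error in aswChestC: chestAddFile Error 1753.

[ Application Events ]
Error - 5/24/2010 02:16:44 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time stamp: 0x4bcb3590

Error - 5/24/2010 02:16:56 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time stamp: 0x4bcb3590

Error - 5/24/2010 02:17:02 | Computer Name = Home | Source = Application Error | ID = 1000
Description = Faulting application name: msnmsgr.exe, version: 14.0.8089.726, time
stamp: 0x4a6ce533 Faulting module name: MsgPlusLive.dll, version: 4.84.0.382, time stamp: 0x4bcb3590

[ System Events ]
Error - 5/24/2010 01:02:41 | Computer Name = Home | Source = EventLog | ID = 6008
Description = The previous system shutdown at 1:00:40 PM on 5/24/2010 was unexpected.

Error - 5/24/2010 01:02:42 | Computer Name = HOME | Source = BugCheck | ID = 1001
Description =
"""
```

Calling `triage(parse_otl_events(SAMPLE))` on the fixture returns one medium finding (msnmsgr.exe crashing three times in MsgPlusLive.dll within 18 s) and two high ones. Fed the full section from the report it reports msnmsgr.exe crashing 8 times in MsgPlusLive.dll within 53 s, 2 kernel crashes with 2 unexpected shutdowns, and 4 failed chest calls. The crash loop belongs to a third-party Messenger add-in and is a separate problem; the other two findings are the ones consistent with a hostile kernel driver: the AV's own service unreachable at the moment it tries to quarantine, and the kernel itself going down twice in twelve minutes. The Service Control Manager 7030 records are deliberately not scored: that is what Windows 7 logs for any service still flagged as interactive, and avast! 4.8 predates session 0 isolation.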

Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 9:40 am

Hello.
1. If you are using Firefox, make sure that your download settings are as follows:

* Tools->Options->Main tab
* Set to "Always ask me where to Save the files".

2. During the download, rename Combofix to svchost as follows:

3. It is important you rename Combofix during the download, but not after.
4. Please do not rename Combofix to other names, but only to the one indicated.
5. Close any open browsers.
6. We need to disable your local AV (Anti-virus) before running Combofix.

  • See the linked guide for how to disable your AV.
  • Double click on svchost.exe.
  • Follow the prompts. NOTE:
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse click combofix's window whilst it's running. That may cause it to stall.


Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 10:07 am

combofix.txt:
Part of it is in Chinese because of my Windows, sorry about that. I can translate if needed.


ComboFix 10-05-23.06 - RuDolF~ 4/2010 Mon 17:58:21.1.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.950.852.1033.18.1847.836 [GMT 8:00]
Running from: c:\users\RuDolF~\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Deleted Files )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\VB6KO.DLL

Infected copy of c:\windows\system32\drivers\termdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-04-24 to 2010-05-24 )))))))))))))))))))))))))))))))
.

2010-05-24 10:03 . 2010-05-24 10:04 -------- d-----w- c:\users\RuDolF~\AppData\Local\temp
2010-05-24 10:03 . 2010-05-24 10:03 -------- d-----w- c:\users\Fong\AppData\Local\temp
2010-05-24 10:03 . 2010-05-24 10:03 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-24 10:03 . 2010-05-24 10:03 -------- d-----w- c:\users\David\AppData\Local\temp
2010-05-24 10:03 . 2010-05-24 10:03 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-24 01:58 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-24 01:58 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-24 01:58 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-24 01:58 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-24 01:58 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-05-24 01:58 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-24 01:58 . 2009-09-15 10:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-24 01:19 . 2010-05-24 02:01 -------- d-----w- c:\program files\Avas 4
2010-05-23 08:57 . 2010-05-23 08:57 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 12:17 . 2010-05-15 12:17 -------- d-----w- c:\program files\YouTube Downloader
2010-05-15 12:15 . 2010-05-15 12:15 37888 ----a-w- c:\windows\system32\flash_lib.dll
2010-05-15 12:15 . 2010-05-15 12:15 1117184 ----a-w- c:\windows\system32\swfExt.dll
2010-05-15 11:59 . 2010-05-15 11:59 -------- d-----w- c:\program files\AoA Audio Extractor
2010-05-12 09:35 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-04 23:14 . 2010-05-04 23:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-04 23:14 . 2010-05-04 23:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-04 23:14 . 2010-05-04 23:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-30 14:36 . 2010-04-30 14:36 -------- d-----w- c:\windows\system32\Wat
2010-04-29 07:33 . 2010-04-29 07:33 -------- d-----w- c:\program files\Active X Control
2010-04-28 01:50 . 2010-04-28 01:50 -------- d-----w- c:\users\RuDolF~\dwhelper
2010-04-28 01:42 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 01:41 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 01:41 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll
2010-04-24 13:21 . 2010-04-24 13:38 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\ImgBurn

.
(((((((((((((((((((((((((((((((((((((((( Files Modified in the Last Three Months ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 10:02 . 2010-04-15 20:28 355130 ----a-w- c:\windows\system32\prfh0804.dat
2010-05-24 10:02 . 2010-04-15 20:28 101230 ----a-w- c:\windows\system32\prfc0804.dat
2010-05-24 10:02 . 2010-04-15 20:18 96316 ----a-w- c:\windows\system32\prfc0404.dat
2010-05-24 10:02 . 2010-04-15 20:18 371100 ----a-w- c:\windows\system32\prfh0404.dat
2010-05-24 09:57 . 2010-04-15 19:56 8 ----a-w- c:\windows\mvraidver.dat
2010-05-24 09:56 . 2009-07-14 00:01 0 ----a-w- c:\windows\system32\drivers\TermDD.sys
2010-05-24 09:05 . 2010-05-24 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 01:58 . 2010-04-16 17:29 -------- d-----w- c:\program files\Alwil Software
2010-05-24 01:18 . 2010-05-24 01:18 -------- d-----w- c:\program files\ALWIL Software Security
2010-05-24 01:18 . 2010-05-23 16:28 -------- d-----w- c:\programdata\Alwil Software
2010-05-24 00:39 . 2010-05-24 00:39 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Malwarebytes
2010-05-24 00:39 . 2010-05-24 00:39 -------- d-----w- c:\programdata\Malwarebytes
2010-05-24 00:20 . 2010-05-24 00:20 0 ----a-w- c:\windows\nsreg.dat
2010-05-24 00:11 . 2010-05-24 00:11 -------- d-----w- c:\program files\Enigma Software Group
2010-05-24 00:10 . 2010-05-24 00:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-21 08:09 . 2010-04-19 05:51 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\skypePM
2010-05-21 06:46 . 2010-04-19 05:51 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Skype
2010-05-14 15:49 . 2010-04-20 02:23 129192 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-14 15:49 . 2010-04-15 20:43 -------- d-----w- c:\program files\lg_fwupdate
2010-05-12 13:22 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 13:22 . 2010-04-16 16:17 -------- d-----w- c:\programdata\Microsoft Help
2010-05-06 02:36 . 2010-04-15 20:10 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:14 . 2010-04-20 07:48 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-04 23:14 . 2010-04-20 07:46 -------- d-----w- c:\programdata\DivX
2010-05-04 23:14 . 2010-04-20 07:46 -------- d-----w- c:\program files\DivX
2010-05-04 23:13 . 2010-04-20 07:48 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-04 23:13 . 2010-04-20 07:48 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-04 23:13 . 2010-04-20 07:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 23:13 . 2010-04-20 07:46 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-30 14:08 . 2010-04-19 02:08 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-29 07:39 . 2010-05-24 00:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2010-05-24 00:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 06:58 . 2010-04-20 07:48 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\DivX
2010-04-22 17:22 . 2010-04-15 20:29 129192 ----a-w- c:\users\David\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-22 10:22 . 2010-04-22 10:21 -------- d-----w- c:\program files\QuickTime
2010-04-22 10:21 . 2010-04-22 10:21 -------- d-----w- c:\programdata\Apple Computer
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\program files\Common Files\Apple
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\program files\Apple Software Update
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\programdata\Apple
2010-04-21 01:53 . 2010-04-19 01:38 129192 ----a-w- c:\users\RuDolF~\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-20 16:25 . 2010-04-16 16:19 -------- d-----w- c:\program files\Microsoft Works
2010-04-20 11:22 . 2010-04-20 11:02 -------- d-----w- c:\program files\Sibelius Software
2010-04-20 11:04 . 2010-04-20 11:04 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Sibelius Software
2010-04-20 11:04 . 2010-04-20 11:04 604 ---ha-w- c:\program files\STLL Notifier
2010-04-20 11:04 . 2010-04-20 11:04 -------- d-----w- c:\programdata\Sibelius Software
2010-04-20 10:53 . 2010-04-19 05:44 115472 ----a-w- c:\users\Fong\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-20 10:24 . 2010-04-20 10:24 876032 ----a-w- c:\windows\system32\VFP6RENU.DLL
2010-04-20 10:24 . 2010-04-20 10:24 24990 ----a-w- c:\windows\system32\VFP6RUN.EXE
2010-04-20 10:24 . 2010-04-20 10:24 3370256 ----a-w- c:\windows\system32\VFP6R.DLL
2010-04-20 10:24 . 2010-04-20 10:24 3673360 ----a-w- c:\windows\system32\MSO97RT.DLL
2010-04-20 10:24 . 2010-04-20 10:24 487184 ----a-w- c:\windows\system32\MRT7ENU.DLL
2010-04-20 10:24 . 2010-04-20 10:24 161792 ----a-w- c:\windows\system32\GRINTL32.DLL
2010-04-20 10:24 . 2010-04-20 10:24 1584912 ----a-w- c:\windows\system32\GRAPH8.EXE
2010-04-20 10:24 . 2010-04-20 10:24 6656 ----a-w- c:\windows\system32\FOXHHELPPS.DLL
2010-04-20 10:24 . 2010-04-20 10:24 5120 ----a-w- c:\windows\system32\GR8409.DLL
2010-04-20 10:24 . 2010-04-20 10:24 26112 ----a-w- c:\windows\system32\FOXHHELP.EXE
2010-04-20 08:05 . 2010-04-20 08:05 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-20 08:05 . 2010-04-20 08:05 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-20 08:05 . 2010-04-20 08:05 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-20 08:05 . 2010-04-20 08:05 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-20 08:05 . 2010-04-20 08:05 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Common Files\Real
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Real
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-20 07:48 . 2010-04-20 07:48 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 57609 ----a-w- c:\programdata\DivX\MFComponents\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54629 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-20 07:48 . 2010-04-20 07:48 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-04-20 03:22 . 2010-04-20 02:16 -------- d-----w- c:\program files\Sony
2010-04-20 03:21 . 2010-04-20 02:09 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Sony
2010-04-20 02:36 . 2010-04-20 02:36 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Publish Providers
2010-04-20 02:24 . 2010-04-20 02:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sony
2010-04-20 02:24 . 2010-04-20 02:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Publish Providers
2010-04-20 02:16 . 2010-04-20 02:16 -------- d-----w- c:\programdata\Sony
2010-04-20 01:56 . 2010-04-16 15:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 01:32 . 2010-04-20 01:31 -------- d-----w- c:\program files\Hotspot Shield
2010-04-20 01:25 . 2010-04-20 01:25 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7BF5.tmp.exe
2010-04-19 14:25 . 2010-04-16 15:12 -------- d-----w- c:\program files\Google
2010-04-19 12:25 . 2010-04-19 12:25 -------- d-----w- c:\programdata\FLEXnet
2010-04-19 11:50 . 2010-04-19 11:50 50 ----a-w- c:\windows\system32\bridf08b.dat
2010-04-19 11:50 . 2010-04-19 11:50 -------- d-----w- c:\program files\Brother
2010-04-19 11:50 . 2010-04-15 19:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 11:50 . 2010-04-19 11:50 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\InstallShield
2010-04-19 11:48 . 2010-04-19 11:47 250 ----a-w- c:\windows\system32\cid_store.dat
2010-04-19 11:48 . 2010-04-19 11:47 26 ----a-w- c:\windows\system32\xlhcc.dat
2010-04-19 11:44 . 2010-04-19 11:44 -------- d-----w- c:\programdata\Brother
2010-04-19 11:39 . 2010-04-19 11:39 -------- d-----w- c:\program files\Adobe Media Player
2010-04-19 11:38 . 2010-04-19 11:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2010-04-19 11:36 . 2010-04-19 11:36 -------- d-----w- c:\program files\Common Files\Macrovision Shared
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

((((((((((((((((((((((((((((((((((((( 重要登入點 ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*注意* 空白與合法缺省登錄將不會被顯示
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-04-20 01:31 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-12-18 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-12-18 166936]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-25 8129056]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"MRUTray"="c:\program files\Marvell\raid\tray\MarvellTray.exe" [2009-10-09 741376]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-17 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-04-15 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"VX1000"="c:\windows\vVX1000.exe" [2010-03-12 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-07 611712]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-02 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-02 640376]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-20 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DirectOC.lnk - c:\program files\MSI\DirectOC\StartDirectOC.exe [2010-4-16 188416]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

R2 gupdate1cadd97e17c2797;Google Update Service (gupdate1cadd97e17c2797);c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 133104]
R3 aswArKrn;aswArKrn;c:\users\RuDolF~\AppData\Local\Temp\aswArKrn.sys [x]
R3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [2007-12-14 9216]
R3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [2010-01-15 227232]
R3 NTIOLib_1_0_0;NTIOLib_1_0_0;c:\program files\MSI\DirectOC\NTIOLib.sys [2009-04-24 7680]
R3 s816bus;Sony Ericsson Device 816 driver (WDM);c:\windows\system32\DRIVERS\s816bus.sys [2007-06-18 81832]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2010-04-30 1343400]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]
S2 HssWd;Hotspot Shield Monitoring Service;c:\program files\Hotspot Shield\bin\hsswd.exe [2010-04-01 194608]
S2 Marvell RAID;Marvell RAID Event Agent;c:\program files\Marvell\raid\svc\mvraidsvc.exe [2009-10-14 151552]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2010-04-29 304464]
S2 MRUWebService;MRU Web Service;c:\program files\Marvell\raid\Apache2\bin\httpd.exe [2008-06-12 24635]
S2 TurboB;Turbo Boost UI Monitor driver;c:\windows\system32\DRIVERS\TurboB.sys [2009-11-02 14808]
S2 UNS;Intel(R) Management & Security Application User Notification Service;c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe [2009-12-09 2320920]
S3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys [2009-11-26 209920]
S3 KMWDFILTERx86;HIDServiceDesc;c:\windows\system32\DRIVERS\KMWDFILTER.sys [2009-04-29 25088]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-04-29 20952]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2009-11-27 233472]


--- Other Services/Drivers In Memory ---

*Deregistered* - gpfinbc
.
計劃任務 文件夾 裡的內容

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:06]

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:06]
.
.
------- 而外的掃描 -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: ‥I¥I‥31p?U﹐u - c:\program files\Thunder\Program\GetUrl.htm
IE: ‥I¥I‥31p?U﹐u¥t3!Aiμ - c:\program files\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下載 - c:\program files\Thunder\Program\GetUrl.htm
IE: 使用迅雷下載全部鏈接 - c:\program files\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下? - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下?全部?接 - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 匯出至 Microsoft Excel(&X) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder\Thunder.exe
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\users\RuDolF~\AppData\Roaming\Mozilla\Firefox\Profiles\0pqnwlgr.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(925).dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

---- 火狐配置文件 ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-AdobeBridge - (no file)
MSConfigStartUp-Uniblue RegistryBooster 2009 - c:\program files\uniblue\registrybooster\StartRegistryBooster.exe



[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpfinbc]

.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,30,26,43,d2,ef,4e,4b,98,a7,31,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,30,26,43,d2,ef,4e,4b,98,a7,31,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
完成時間: 2010-05-24 18:05:26
ComboFix-quarantined-files.txt 2010-05-24 10:05

Pre-Run: 445,110,689,792 bytes free
Post-Run: 445,182,930,944 bytes free

- - End Of File - - C432A126CA6F7D3825D1E58DB8984246

rudcwt
Novice

Posts : 10
Joined : 2010-05-24
OS : Window 7
Points : 24008
Likes : 0

Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 10:50 am

Hello.
Don't worry about the Chinese; I can read logs in any language, mainly because 90% of the logs are the same. It's usually just file paths that change slightly, but even then I can make an educated guess.

Okay, update and re-scan with MBAM, see if that .sys file returns and post the log.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 10:56 am

Thanks, I ran a quick scan; I will be restarting to see if the file is still infected.

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4136

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/24/2010 18:55:46
mbam-log-2010-05-24 (18-55-46).txt

Scan type: Quick scan
Objects scanned: 153044
Time elapsed: 3 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{988934a4-064b-11d3-bb80-00104b35e7f9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a1dd29ed-2598-48e9-9793-64a9cd08ac94} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{87ca3845-37fe-414c-81cf-e08a7d0f6779} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{802f530b-a8f6-4631-ae49-6bacaac6373e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{802f530b-a8f6-4631-ae49-6bacaac6373e} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Delete on reboot.
C:\Windows\system32\Drivers\gpfinbc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

rudcwt
Novice

Posts : 10
Joined : 2010-05-24
OS : Window 7
Points : 24008
Likes : 0

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 11:05 am

I've restarted & quick scanned again.
Seems like the problem is still here:

Malwarebytes' Anti-Malware 1.46
[You must be registered and logged in to see this link.]

Database version: 4136

Windows 6.1.7600
Internet Explorer 8.0.7600.16385

5/24/2010 19:05:18
mbam-log-2010-05-24 (19-05-18).txt

Scan type: Quick scan
Objects scanned: 153662
Time elapsed: 4 minute(s), 37 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\system32\Drivers\gpfinbc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

rudcwt
Novice

Posts : 10
Joined : 2010-05-24
OS : Window 7
Points : 24008
Likes : 0

Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 3:16 pm

Hello.


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
    Code:

    KILLALL::

    File::
    C:\Windows\system32\Drivers\gpfinbc.sys

    Driver::
    gpfinbc

    Registry::
    [-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpfinbc]

    FileLook::
    c:\windows\system32\drivers\fvevol.sys
    c:\windows\system32\drivers\ksecpkg.sys
    c:\windows\system32\lsasrv.dll
  4. Save this as CFScript.txt, in the same location as ComboFix.exe



  5. Referring to the picture above, drag CFScript into ComboFix.exe
  6. When finished, it shall produce a log for you at C:\ComboFix.txt
  7. Please post the contents of the log in your next reply.


Please PM me if I fail to respond within 24hrs.


Belahzur
Administrator

Posts : 34916
Joined : 2008-08-03
Gender : Male
OS : XP SP3 Media Centre
Points : 245059
Likes : 1
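What leads from the two MBAM scans to the ComboFix script above is a pattern worth automating: gpfinbc.sys is reported "Quarantined and deleted successfully", survives a reboot, and ComboFix then shows it as a "*Deregistered*" driver in memory next to a services\gpfinbc key that carries no ImagePath. The Python helper below is an added example, not code from the thread or from either tool; it runs those two checks over constructed, abridged copies of the thread's logs (the function names and the excerpt layout are my own).

```python
"""Triage helper for MBAM and ComboFix logs (added example, not from the thread).
When a scanner reports a file "Quarantined and deleted successfully" but it
returns after a reboot, two checks help: (1) diff the "Files Infected" sections
of consecutive MBAM logs for recurring detections; (2) pull from a ComboFix log
the "*Deregistered*" drivers seen in memory and services keys lacking ImagePath.
All log text below is constructed and abridged from the thread's own logs."""
import re
from typing import Dict, List, Optional, Set

# Constructed, abridged MBAM logs in the real log's layout (summary line, then listing).
MBAM_BEFORE_REBOOT = r"""
Files Infected: 2
Files Infected:
C:\Program Files\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> Delete on reboot.
C:\Windows\system32\Drivers\gpfinbc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
MBAM_AFTER_REBOOT = r"""
Files Infected: 1
Files Infected:
C:\Windows\system32\Drivers\gpfinbc.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""
# Constructed ComboFix excerpt, reduced to the lines the check reads.
COMBOFIX_EXCERPT = r"""
*Deregistered* - gpfinbc
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gpfinbc]
.
"""

# "<path> (<classification>) -> <action>" lines and bare "<Section> Infected:" headers;
# summary lines like "Files Infected: 2" carry a count and do not match SECTION_RE.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\d+\\services\\(?P<name>[^\]]+)\]$")


def parse_mbam(log: str) -> Dict[str, List[dict]]:
    """Return {section: [detection dicts]} for the listing sections of an MBAM log."""
    sections: Dict[str, List[dict]] = {}
    current: Optional[str] = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections.setdefault(current, [])
            continue
        d = DETECTION_RE.match(line)
        if d and current:
            sections[current].append(d.groupdict())
    return sections


def recurring_detections(earlier: str, later: str,
                         section: str = "Files Infected") -> List[dict]:
    """Detections in the later log whose path was already reported in the earlier one."""
    seen = {d["path"].lower() for d in parse_mbam(earlier).get(section, [])}
    return [d for d in parse_mbam(later).get(section, []) if d["path"].lower() in seen]


def combofix_driver_findings(log: str) -> Dict[str, Set[str]]:
    """Drivers ComboFix saw in memory but deregistered, and services keys with no ImagePath."""
    deregistered: Set[str] = set()
    no_image: Set[str] = set()
    current: Optional[str] = None
    has_image = False
    for raw in log.splitlines() + [""]:      # trailing sentinel flushes the last key
        line = raw.strip()
        if line.startswith("*Deregistered*"):
            deregistered.add(line.split("-", 1)[1].strip())
            continue
        m = SERVICE_KEY_RE.match(line)
        if m or line in ("", "."):            # a new key or a separator ends the current key
            if current and not has_image:
                no_image.add(current)
            current = m.group("name") if m else None
            has_image = False
        elif current and line.startswith('"ImagePath"='):
            has_image = True
    return {"deregistered": deregistered, "services_without_imagepath": no_image}


def triage(earlier_mbam: str, later_mbam: str, combofix: str) -> List[str]:
    """Findings that justify escalating from the on-demand scanner to driver/service removal."""
    out = [f"recurs after reboot: {d['path']} ({d['name']})"
           for d in recurring_detections(earlier_mbam, later_mbam)]
    cf = combofix_driver_findings(combofix)
    out += [f"driver in memory but deregistered: {n}" for n in sorted(cf["deregistered"])]
    out += [f"services key without ImagePath: {n}" for n in sorted(cf["services_without_imagepath"])]
    return out


if __name__ == "__main__":
    for finding in triage(MBAM_BEFORE_REBOOT, MBAM_AFTER_REBOOT, COMBOFIX_EXCERPT):
        print(finding)
```

Run as-is it prints three findings for the constructed logs: the recurring gpfinbc.sys detection, the deregistered driver, and the services key with no image path. Paths are compared case-insensitively because MBAM and ComboFix print the same path with different casing (Drivers vs drivers), and the separator handling in combofix_driver_findings matters: a services key that is followed directly by a blank line or "." is exactly the empty key ComboFix prints for a driver whose registration has been stripped.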

Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 3:32 pm

Thanks, I checked system32/drivers and gpfinbc.sys has been deleted, so it seems.

ComboFix 10-05-23.06 - RuDolF~ 4/2010 Mon 23:20:51.2.4 - x86
Microsoft Windows 7 Ultimate 6.1.7600.0.950.852.1033.18.1847.1131 [GMT 8]
執行位置: c:\users\RuDolF~\Desktop\Comp Stuff\ComboFix.exe
Command switches used :: c:\users\RuDolF~\Desktop\Comp Stuff\CFScript.txt.txt

FILE ::
"c:\windows\system32\Drivers\gpfinbc.sys"
.

((((((((((((((((((((((((((((((((((((((( 被刪除的檔案 )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\Drivers\gpfinbc.sys
c:\windows\system32\drivers\xwsj.sys

.
((((((((((((((((((((((((((((((((((((((( 驅動/服務 )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GPFINBC
-------\Service_gpfinbc
-------\Service_rqrprhoh


((((((((((((((((((((((((( 2010-04-24 至 2010-05-24 的新的檔案 )))))))))))))))))))))))))))))))
.

2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- C:\Device
2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- c:\users\Fong\AppData\Local\temp
2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- c:\users\David\AppData\Local\temp
2010-05-24 15:26 . 2010-05-24 15:26 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2010-05-24 15:19 . 2010-05-24 15:19 -------- d-----w- C:\32788R22FWJFW
2010-05-24 12:49 . 2010-05-24 12:49 -------- d-----w- c:\program files\Common Files\Java
2010-05-24 12:49 . 2010-05-24 12:49 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-24 12:49 . 2010-05-24 12:49 -------- d-----w- c:\program files\Java
2010-05-24 12:06 . 2010-05-24 12:06 -------- d-----w- c:\users\RuDolF~\Office Genuine Advantage
2010-05-24 10:05 . 2010-05-24 15:27 -------- d-----w- c:\users\RuDolF~\AppData\Local\temp
2010-05-24 01:58 . 2009-09-15 10:54 52368 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-24 01:58 . 2009-09-15 10:54 23152 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-24 01:58 . 2009-09-15 10:55 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-24 01:58 . 2009-09-15 10:55 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-24 01:58 . 2009-09-15 10:53 97480 ----a-w- c:\windows\system32\AvastSS.scr
2010-05-24 01:58 . 2009-09-15 10:59 1279968 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-24 01:58 . 2009-09-15 10:55 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2010-05-24 01:19 . 2010-05-24 02:01 -------- d-----w- c:\program files\Avas 4
2010-05-23 08:57 . 2010-05-23 08:57 -------- d-----w- c:\programdata\Office Genuine Advantage
2010-05-15 12:17 . 2010-05-15 12:17 -------- d-----w- c:\program files\YouTube Downloader
2010-05-15 12:15 . 2010-05-15 12:15 37888 ----a-w- c:\windows\system32\flash_lib.dll
2010-05-15 12:15 . 2010-05-15 12:15 1117184 ----a-w- c:\windows\system32\swfExt.dll
2010-05-15 11:59 . 2010-05-15 11:59 -------- d-----w- c:\program files\AoA Audio Extractor
2010-05-12 09:35 . 2010-03-04 07:33 740864 ----a-w- c:\windows\system32\inetcomm.dll
2010-05-04 23:14 . 2010-05-04 23:14 56766 ----a-w- c:\programdata\DivX\DivXPlusShortcuts\Uninstaller.exe
2010-05-04 23:14 . 2010-05-04 23:14 53600 ----a-w- c:\programdata\DivX\Update\Uninstaller.exe
2010-05-04 23:14 . 2010-05-04 23:14 57679 ----a-w- c:\programdata\DivX\Player\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 84040 ----a-w- c:\programdata\DivX\TransferWizard\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54166 ----a-w- c:\programdata\DivX\DSAVCDecoder\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 57532 ----a-w- c:\programdata\DivX\DSASPDecoder\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54153 ----a-w- c:\programdata\DivX\DFXPlugin\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 57409 ----a-w- c:\programdata\DivX\ControlPanel\Uninstaller.exe
2010-05-04 23:13 . 2010-05-04 23:13 54128 ----a-w- c:\programdata\DivX\Converter\Uninstaller.exe
2010-04-30 14:36 . 2010-04-30 14:36 -------- d-----w- c:\windows\system32\Wat
2010-04-29 07:33 . 2010-04-29 07:33 -------- d-----w- c:\program files\Active X Control
2010-04-28 01:50 . 2010-04-28 01:50 -------- d-----w- c:\users\RuDolF~\dwhelper
2010-04-28 01:42 . 2009-09-26 05:58 194488 ----a-w- c:\windows\system32\drivers\fvevol.sys
2010-04-28 01:41 . 2009-12-11 07:44 133720 ----a-w- c:\windows\system32\drivers\ksecpkg.sys
2010-04-28 01:41 . 2009-12-11 07:38 1037312 ----a-w- c:\windows\system32\lsasrv.dll

.
(((((((((((((((((((((((((((((((((((((((( 在三個月內被修改的檔案 ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-24 15:27 . 2010-04-15 19:56 8 ----a-w- c:\windows\mvraidver.dat
2010-05-24 15:07 . 2010-04-15 20:28 355130 ----a-w- c:\windows\system32\prfh0804.dat
2010-05-24 15:07 . 2010-04-15 20:28 101230 ----a-w- c:\windows\system32\prfc0804.dat
2010-05-24 15:07 . 2010-04-15 20:18 96316 ----a-w- c:\windows\system32\prfc0404.dat
2010-05-24 15:07 . 2010-04-15 20:18 371100 ----a-w- c:\windows\system32\prfh0404.dat
2010-05-24 15:06 . 2010-04-19 12:25 -------- d-----w- c:\programdata\FLEXnet
2010-05-24 09:56 . 2009-07-14 00:01 0 ----a-w- c:\windows\system32\drivers\TermDD.sys
2010-05-24 09:05 . 2010-05-24 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 01:58 . 2010-04-16 17:29 -------- d-----w- c:\program files\Alwil Software
2010-05-24 01:18 . 2010-05-24 01:18 -------- d-----w- c:\program files\ALWIL Software Security
2010-05-24 01:18 . 2010-05-23 16:28 -------- d-----w- c:\programdata\Alwil Software
2010-05-24 00:39 . 2010-05-24 00:39 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Malwarebytes
2010-05-24 00:39 . 2010-05-24 00:39 -------- d-----w- c:\programdata\Malwarebytes
2010-05-24 00:20 . 2010-05-24 00:20 0 ----a-w- c:\windows\nsreg.dat
2010-05-24 00:11 . 2010-05-24 00:11 -------- d-----w- c:\program files\Enigma Software Group
2010-05-24 00:10 . 2010-05-24 00:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-21 08:09 . 2010-04-19 05:51 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\skypePM
2010-05-21 06:46 . 2010-04-19 05:51 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Skype
2010-05-14 15:49 . 2010-04-20 02:23 129192 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2010-05-14 15:49 . 2010-04-15 20:43 -------- d-----w- c:\program files\lg_fwupdate
2010-05-12 13:22 . 2009-07-14 02:37 -------- d-----w- c:\program files\Windows Mail
2010-05-12 13:22 . 2010-04-16 16:17 -------- d-----w- c:\programdata\Microsoft Help
2010-05-12 03:21 . 2010-04-15 20:10 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-04 23:14 . 2010-04-20 07:48 57344 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.dll
2010-05-04 23:14 . 2010-04-20 07:46 -------- d-----w- c:\programdata\DivX
2010-05-04 23:14 . 2010-04-20 07:46 -------- d-----w- c:\program files\DivX
2010-05-04 23:13 . 2010-04-20 07:48 -------- d-----w- c:\program files\Common Files\PX Storage Engine
2010-05-04 23:13 . 2010-04-20 07:48 754984 ----a-w- c:\programdata\DivX\Setup\Resource.dll
2010-05-04 23:13 . 2010-04-20 07:48 1180952 ----a-w- c:\programdata\DivX\Setup\DivXSetup.exe
2010-05-04 23:13 . 2010-04-20 07:46 144696 ----a-w- c:\programdata\DivX\RunAsUser\RUNASUSERPROCESS.exe
2010-04-30 14:08 . 2010-04-19 02:08 -------- d-----w- c:\programdata\Messenger Plus!
2010-04-29 07:39 . 2010-05-24 00:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 07:39 . 2010-05-24 00:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-26 06:58 . 2010-04-20 07:48 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\DivX
2010-04-24 13:38 . 2010-04-24 13:21 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\ImgBurn
2010-04-22 17:22 . 2010-04-15 20:29 129192 ----a-w- c:\users\David\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-22 10:22 . 2010-04-22 10:21 -------- d-----w- c:\program files\QuickTime
2010-04-22 10:21 . 2010-04-22 10:21 -------- d-----w- c:\programdata\Apple Computer
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\program files\Common Files\Apple
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\program files\Apple Software Update
2010-04-22 10:20 . 2010-04-22 10:20 -------- d-----w- c:\programdata\Apple
2010-04-21 01:53 . 2010-04-19 01:38 129192 ----a-w- c:\users\RuDolF~\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-20 16:25 . 2010-04-16 16:19 -------- d-----w- c:\program files\Microsoft Works
2010-04-20 11:22 . 2010-04-20 11:02 -------- d-----w- c:\program files\Sibelius Software
2010-04-20 11:04 . 2010-04-20 11:04 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Sibelius Software
2010-04-20 11:04 . 2010-04-20 11:04 604 ---ha-w- c:\program files\STLL Notifier
2010-04-20 11:04 . 2010-04-20 11:04 -------- d-----w- c:\programdata\Sibelius Software
2010-04-20 10:53 . 2010-04-19 05:44 115472 ----a-w- c:\users\Fong\AppData\Local\GDIPFONTCACHEV1.DAT
2010-04-20 10:24 . 2010-04-20 10:24 876032 ----a-w- c:\windows\system32\VFP6RENU.DLL
2010-04-20 10:24 . 2010-04-20 10:24 24990 ----a-w- c:\windows\system32\VFP6RUN.EXE
2010-04-20 10:24 . 2010-04-20 10:24 3370256 ----a-w- c:\windows\system32\VFP6R.DLL
2010-04-20 10:24 . 2010-04-20 10:24 3673360 ----a-w- c:\windows\system32\MSO97RT.DLL
2010-04-20 10:24 . 2010-04-20 10:24 487184 ----a-w- c:\windows\system32\MRT7ENU.DLL
2010-04-20 10:24 . 2010-04-20 10:24 161792 ----a-w- c:\windows\system32\GRINTL32.DLL
2010-04-20 10:24 . 2010-04-20 10:24 1584912 ----a-w- c:\windows\system32\GRAPH8.EXE
2010-04-20 10:24 . 2010-04-20 10:24 6656 ----a-w- c:\windows\system32\FOXHHELPPS.DLL
2010-04-20 10:24 . 2010-04-20 10:24 5120 ----a-w- c:\windows\system32\GR8409.DLL
2010-04-20 10:24 . 2010-04-20 10:24 26112 ----a-w- c:\windows\system32\FOXHHELP.EXE
2010-04-20 08:05 . 2010-04-20 08:05 49152 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-20 08:05 . 2010-04-20 08:05 45056 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-20 08:05 . 2010-04-20 08:05 40960 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-20 08:05 . 2010-04-20 08:05 341600 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-20 08:05 . 2010-04-20 08:05 308808 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-20 08:05 . 2010-04-20 08:05 14848 ----a-w- c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Common Files\Real
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Real
2010-04-20 08:05 . 2010-04-20 08:05 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-20 07:48 . 2010-04-20 07:48 56978 ----a-w- c:\programdata\DivX\WebPlayer\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 57609 ----a-w- c:\programdata\DivX\MFComponents\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 57054 ----a-w- c:\programdata\DivX\DSDesktopComponents\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 56458 ----a-w- c:\programdata\DivX\DivXDecoderShortcut\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54174 ----a-w- c:\programdata\DivX\DSAACDecoder\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54629 ----a-w- c:\programdata\DivX\TranscodeEngine\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54101 ----a-w- c:\programdata\DivX\MPEG2Plugin\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 52963 ----a-w- c:\programdata\DivX\MSVC80CRTRedist\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 54073 ----a-w- c:\programdata\DivX\Qt4.5\Uninstaller.exe
2010-04-20 07:48 . 2010-04-20 07:48 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-04-20 07:48 . 2010-04-20 07:48 56969 ----a-w- c:\programdata\DivX\ASPEncoder\Uninstaller.exe
2010-04-20 03:22 . 2010-04-20 02:16 -------- d-----w- c:\program files\Sony
2010-04-20 03:21 . 2010-04-20 02:09 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Sony
2010-04-20 02:36 . 2010-04-20 02:36 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\Publish Providers
2010-04-20 02:24 . 2010-04-20 02:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sony
2010-04-20 02:24 . 2010-04-20 02:24 -------- d-----w- c:\users\Administrator\AppData\Roaming\Publish Providers
2010-04-20 02:16 . 2010-04-20 02:16 -------- d-----w- c:\programdata\Sony
2010-04-20 01:56 . 2010-04-16 15:13 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-20 01:32 . 2010-04-20 01:31 -------- d-----w- c:\program files\Hotspot Shield
2010-04-20 01:25 . 2010-04-20 01:25 509552 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb7BF5.tmp.exe
2010-04-19 14:25 . 2010-04-16 15:12 -------- d-----w- c:\program files\Google
2010-04-19 11:50 . 2010-04-19 11:50 50 ----a-w- c:\windows\system32\bridf08b.dat
2010-04-19 11:50 . 2010-04-19 11:50 -------- d-----w- c:\program files\Brother
2010-04-19 11:50 . 2010-04-15 19:04 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-19 11:50 . 2010-04-19 11:50 -------- d-----w- c:\users\RuDolF~\AppData\Roaming\InstallShield
2010-04-19 11:48 . 2010-04-19 11:47 250 ----a-w- c:\windows\system32\cid_store.dat
2010-04-19 11:48 . 2010-04-19 11:47 26 ----a-w- c:\windows\system32\xlhcc.dat
2010-04-19 11:44 . 2010-04-19 11:44 -------- d-----w- c:\programdata\Brother
2010-04-19 11:39 . 2010-04-19 11:39 -------- d-----w- c:\program files\Adobe Media Player
2010-04-19 11:38 . 2010-04-19 11:38 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-06-10 21:26 . 2009-07-14 02:04 9633792 --sha-r- c:\windows\Fonts\StaticCache.dat
2009-07-14 01:14 . 2009-07-13 23:42 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

--- c:\windows\system32\drivers\fvevol.sys ---
Company: Microsoft Corporation
File Description: BitLocker Drive Encryption Driver
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: FVEVOL.SYS.MUI
File size: 194488
Created time: 2010-04-28 01:42
Modified time: 2009-09-26 05:58
MD5: DAFBD9FE39197495AED6D51F3B85B5D2
SHA1: 24026D4CD6C558B559B292E9F44AC5A1AC44DCF1


--- c:\windows\system32\drivers\ksecpkg.sys ---
Company: Microsoft Corporation
File Description: Kernel Security Support Provider Interface Packages
File Version: 6.1.7600.16484 (win7_gdr.091210-1534)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: ksecpkg.sys
File size: 133720
Created time: 2010-04-28 01:41
Modified time: 2009-12-11 07:44
MD5: 365C6154BBBC5377173F1CA7BFB6CC59
SHA1: 8A596DC2F7CB01FFBFF21BDBF113375691D2324E


--- c:\windows\system32\lsasrv.dll ---
Company: Microsoft Corporation
File Description: LSA Server DLL
File Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: lsasrv.dll.mui
File size: 1037312
Created time: 2010-04-28 01:41
Modified time: 2009-12-11 07:38
MD5: 4DDF6D393AD49DA2BEC4875B0B516A74
SHA1: 10A75D68C6ACFB4C7FCDEC063F27BE8D3CB4C989


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F9E4A054-E9B1-4BC3-83A3-76A1AE736170}]
2010-04-20 01:31 220208 ----a-w- c:\program files\Hotspot Shield\hssie\HssIE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-07-14 1173504]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-04-19 39408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-18 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-12-18 175640]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-12-18 166936]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-12-25 8129056]
"JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864]
"MRUTray"="c:\program files\Marvell\raid\tray\MarvellTray.exe" [2009-10-09 741376]
"UpdateLBPShortCut"="c:\program files\CyberLink\LabelPrint\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"CLMLServer"="c:\program files\CyberLink\Power2Go\CLMLSvc.exe" [2009-06-03 103720]
"UpdateP2GoShortCut"="c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2009-04-15 91432]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2009-04-15 50472]
"UpdatePPShortCut"="c:\program files\CyberLink\PowerProducer\MUITransfer\MUIStartMenu.exe" [2009-05-19 222504]
"UCam_Menu"="c:\program files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2009-02-17 218408]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2010-04-15 557056]
"UpdatePSTShortCut"="c:\program files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" [2009-09-29 210216]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"VX1000"="c:\windows\vVX1000.exe" [2010-03-12 762736]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2010-03-12 119152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-21 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-06-07 611712]
"BrMfcWnd"="c:\program files\Brother\Brmfcmon\BrMfcWnd.exe" [2009-05-26 1159168]
"ControlCenter3"="c:\program files\Brother\ControlCenter3\brctrcen.exe" [2008-12-24 114688]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2009-10-02 38768]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2009-10-02 640376]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-04-20 202256]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-17 421888]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-04-12 1135912]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
DirectOC.lnk - c:\program files\MSI\DirectOC\StartDirectOC.exe [2010-4-16 188416]
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv

R3 aswArKrn;aswArKrn;c:\users\RuDolF~\AppData\Local\Temp\aswArKrn.sys [x]
R3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [2007-12-14 9216]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\DRIVERS\aswMonFlt.sys [2009-09-15 53328]

.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:06]

2010-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-16 19:06]
.
.
------- Supplementary Scan -------
.
uStart Page = [You must be registered and logged in to see this link.]
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
IE: 使用迅雷下載 (Download with Thunder) - c:\program files\Thunder\Program\GetUrl.htm
IE: 使用迅雷下載全部鏈接 (Download all links with Thunder) - c:\program files\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下載 (Download with Thunder) - c:\program files\Thunder\Program\GetUrl.htm
IE: 使用迅雷下載全部鏈接 (Download all links with Thunder) - c:\program files\Thunder\Program\GetAllUrl.htm
IE: 使用迅雷下载 (Download with Thunder) - c:\program files\Thunder Network\Thunder\Program\geturl.htm
IE: 使用迅雷下载全部链接 (Download all links with Thunder) - c:\program files\Thunder Network\Thunder\Program\getallurl.htm
IE: 匯出至 Microsoft Excel(&X) (Export to Microsoft Excel) - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{09BA8F6D-CB54-424B-839C-C2A6C8E6B436} - c:\program files\Thunder\Thunder.exe
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
FF - ProfilePath - c:\users\RuDolF~\AppData\Roaming\Mozilla\Firefox\Profiles\0pqnwlgr.default\
FF - prefs.js: browser.startup.homepage - [You must be registered and logged in to see this link.]
FF - plugin: c:\program files\Common Files\Thunder Network\KanKan\npDapCtrlFirefox.2.0.5901.12.(925).dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\NexonUS\NGM\npNxGameUS.dll
FF - plugin: c:\programdata\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,30,26,43,d2,ef,4e,4b,98,a7,31,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,1f,30,26,43,d2,ef,4e,4b,98,a7,31,\

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\program files\Hotspot Shield\bin\openvpnas.exe
c:\program files\Hotspot Shield\bin\hsswd.exe
c:\program files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
c:\program files\Marvell\raid\Apache2\bin\httpd.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\Marvell\raid\Apache2\bin\httpd.exe
c:\windows\system32\taskhost.exe
c:\program files\Marvell\raid\svc\mvraidsvc.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\conhost.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Brother\Brmfcmon\BrMfcmon.exe
c:\program files\Brother\ControlCenter3\brccMCtl.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\consent.exe
c:\program files\Hotspot Shield\bin\openvpntray.exe
c:\program files\Windows Live\Contacts\wlcomm.exe
c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe
c:\windows\system32\sppsvc.exe
c:\program files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
.
**************************************************************************
.
Completion time: 2010-05-24 23:30:44 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-24 15:30
ComboFix2.txt 2010-05-24 10:05

Pre-Run: 444,725,137,408 bytes free
Post-Run: 444,517,539,840 bytes free

- - End Of File - - 2D2366960B0015CE7E0426567B05B9E7

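A responder's first pass over a ComboFix report like the one above is the "Reg Loading Points" section: the Run keys, the AppInit_DLLs value and the driver/service lines. The Python script below is an added example for this page, not ComboFix code and not anything posted in this thread. It parses those three line shapes into records and flags the entries worth a second look. The sample text mixes lines copied from the log above with one constructed entry (the `updater` value pointing into a Temp directory), which is not on the poster's machine and exists only to give the Temp rule a hit; the three flagging rules are this example's own assumptions, not ComboFix's logic.

```python
"""Triage pass over a ComboFix-style log (added example, not ComboFix code
and not code posted in this thread).

Parses three kinds of lines from the log's "Reg Loading Points" section:
  * values under a [HKEY_...\Run] key:  "name"="path" [date size]
  * the AppInit_DLLs value:              "AppInit_DLLs"=path
  * driver/service lines:                R3 name;display;path [date size]
and flags entries a responder would look at first.  The flagging rules are
illustrative assumptions for this example, not ComboFix's own logic."""
import re
from dataclasses import dataclass, field

# Sample excerpt.  All lines but one are copied from the log above; the
# "updater" value is CONSTRUCTED for this example (it is not on the poster's
# machine) so that the Temp-directory rule has a real hit to show.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-12-18 141848]
"avast!"="c:\program files\Alwil Software\Avast4\ashDisp.exe" [2009-09-15 81000]
"updater"="c:\users\RuDolF~\AppData\Local\Temp\svchost.exe" [2010-05-20 12288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\acaptuser32.dll

R3 aswArKrn;aswArKrn;c:\users\RuDolF~\AppData\Local\Temp\aswArKrn.sys [x]
R3 FLASHSYS;FLASHSYS;c:\program files\MSI\Live Update 4\LU4\FLASHSYS.sys [2007-12-14 9216]
S1 aswSP;avast! Self Protection; [x]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-09-15 20560]
"""

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(?P<path>.+)$')
SERVICE_RE = re.compile(
    r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$')


@dataclass
class Entry:
    kind: str                 # "run", "appinit" or "service"
    name: str
    path: str
    origin: str = ""          # registry key (run/appinit) or start type (service)
    info: str = ""            # bracket contents: "YYYY-MM-DD size", or "x" = file not found
    flags: list = field(default_factory=list)


def parse_log(text):
    """Return the auto-start entries found in a log excerpt, in order."""
    entries, current_key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := KEY_RE.match(line)):
            current_key = m.group("key")          # remember the key for the values below it
        elif (m := APPINIT_RE.match(line)):
            entries.append(Entry("appinit", "AppInit_DLLs", m.group("path").strip(), current_key))
        elif (m := RUN_RE.match(line)):
            entries.append(Entry("run", m.group("name"), m.group("path"), current_key, m.group("info")))
        elif (m := SERVICE_RE.match(line)):
            entries.append(Entry("service", m.group("name"), m.group("path").strip(),
                                 m.group("start"), m.group("info")))
    return entries


def triage(entries):
    """Attach a reason to every entry worth a second look and return those."""
    for e in entries:
        e.flags = []                                # idempotent: re-running does not duplicate reasons
        if "\\temp\\" in e.path.lower():
            e.flags.append("binary lives under a Temp directory")
        if e.kind == "appinit":
            e.flags.append("AppInit_DLLs is injected into every process that loads user32.dll")
        if e.kind == "service" and e.info.strip() == "x":
            e.flags.append("driver/service registered but its file was not found on disk")
    return [e for e in entries if e.flags]


def triage_log(text):
    """Convenience wrapper: name -> list of reasons, for a whole log excerpt."""
    return {e.name: e.flags for e in triage(parse_log(text))}


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LOG).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Run on the excerpt, it flags the constructed `updater` entry and three entries that are legitimate on this machine: `AppInit_DLLs` (acaptuser32.dll most likely belongs to the Adobe Acrobat 9 install that also appears under the Run key), and avast's `aswArKrn` and `aswSP` drivers (the anti-rootkit scanner driver loads from Temp, and the self-protection driver reports no file path). That is the point of a triage pass: the rules produce leads to check against known-good software, not verdicts, and a driver that survives a "quarantined and deleted" result and a reboot, as described at the top of the thread, is exactly the kind of lead that needs a tool running below the kernel's view, which is why the helper moved to ComboFix and an ESET online scan rather than repeating the MBAM scan.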

Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 3:36 pm

Hello.

You are running two antiviruses. I see from the uninstall list you have Avast installed, along with McAfee. This is a bad idea as they can conflict and cause more problems. I would recommend that you remove McAfee to avoid conflict and other future problems.

  • Click Start >> Control Panel.
  • Under the Programs click Uninstall a Program
  • Highlight the following:

    Adobe Reader 9.3
    McAfee Security Scan Plus

  • Click on the Uninstall/Change button at the top.

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /uninstall

This will also reset your restore points.

Run ESET Online Scan
Please do an online scan with [You must be registered and logged in to see this link.]. Please use Internet Explorer as it uses ActiveX.

  • Check (tick) this box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • When prompted to run ActiveX. click Yes.
  • You will be asked to install an ActiveX. Click Install.
  • Once installed, the scanner will be initialized.
  • After the scanner is initialized, click Start.
  • Check (tick) Remove found threats box.
  • Check (tick) Scan unwanted applications.
  • Click on Scan.
  • It will start scanning. Please be patient.
  • Once the scan is done, the log will be saved here: C:\Program Files\esetonlinescanner\log.txt.


[You must be registered and logged in to see this link.] - [You must be registered and logged in to see this link.] - Please PM me if I fail to respond within 24hrs.



Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 3:46 pm

Do I uninstall the antivirus as well as the McAfee Security Scan Plus?

ESET is still scanning, will post when it is done.

Also, can I delete all the programs used here after the problem is resolved? (like OldTimer)

thanks,


Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 4:02 pm

Hello.
Just remove the 2 programs listed, DON'T remove both antivirus programs, because then you won't have any protection.

You can delete the tools we used.



Re: Rookit.agent help - Window 7

Post by rudcwt on Mon May 24, 2010 4:51 pm

ESET finished with no virus, but I think for some reason the log didn't save properly:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK

Should I re-run it?


Re: Rookit.agent help - Window 7

Post by Belahzur on Mon May 24, 2010 4:53 pm

Yes, see what happens this time.


