Ruthless Cyber-Thugs - Help needed.



Lame Gamer
2011-09-05, 12:37
I was hacked by a ruthless pack of cyber-thugs - social networking gamers on Facebook. They even 'autographed' NT user dat files that I found hidden in temp directories. Since then, I've rolled my system back to the factory state 3 times. But, whatever they've done has changed the way my operating system installs. There are remote connections I can't get rid of, I'm locked out of system files, mysterious programs loading quietly in the background, and I can't seem to stop it. After this last factory reset, which included a complete format of all but the recovery partition, while physically disconnected from the internet... these programs are still installing themselves before the set up process is even complete, and I don't have 'permission' to get rid of them.

This is just one personal computer in my home - it should not be connected to any networks, homegroups, or workgroups. There should be no shared files. Before the last installation - my desktop was shared, my docs and settings were shared... and I couldn't unshare any of it. Not sure how to fix this. Any help would be greatly appreciated. ERUNT will only run once, but if I try to run it again... it produces errors, saying I'm not authorized. Here's my latest DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 8.0.7600.16385
Run by Leslie at 3:01:04 on 2011-09-05
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2734 [GMT -6:00]
.
AV: Norton Internet Security *Enabled/Updated* {88C95A36-8C3B-2F2C-1B8B-30FCCFDC4855}
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Norton Internet Security *Disabled/Updated* {33A8BBD2-AA01-20A2-213B-0B8EB45B02E8}
FW: Norton Internet Security *Disabled* {B0F2DB13-C654-2E74-30D4-99C9310F0F2E}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\16.7.0.30\InstStub.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhost.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
C:\Windows\system32\wbem\wmiprvse.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\IPSBHO.DLL
BHO: Partner BHO Class: {83ff80f4-8c74-4b80-b5ba-c8ddd434e5c4} - C:\ProgramData\Partner\Partner.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
uRun: [msnmsgr] "C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe" /background
uRun: [swg] "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
mRun: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
TCP: DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
TCP: Interfaces\{189A7EA4-E3E5-4BEB-805A-E0A751964664} : DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\CoIEPlg.dll
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO-X64: Symantec NCO BHO: {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
BHO-X64: Symantec NCO BHO - No File
BHO-X64: Symantec Intrusion Prevention: {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\IPSBHO.DLL
BHO-X64: Symantec Intrusion Prevention - No File
BHO-X64: Partner BHO Class: {83FF80F4-8C74-4b80-B5BA-C8DDD434E5C4} - C:\ProgramData\Partner\Partner.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO-X64: Google Toolbar Helper: {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
BHO-X64: Google Toolbar Notifier BHO: {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
BHO-X64: Google Dictionary Compression sdch: {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files (x86)\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
BHO-X64: Google Dictionary Compression sdch - No File
TB-X64: Google Toolbar: {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll
TB-X64: Norton Toolbar: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\coIEPlg.dll
mRun-x64: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe"
mRun-x64: [NortonOnlineBackupReminder] "C:\Program Files (x86)\Symantec\Norton Online Backup\Activation\NobuActivation.exe" UNATTENDED
.
============= SERVICES / DRIVERS ===============
.
R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 Norton Internet Security;Norton Internet Security;C:\Program Files (x86)\Norton Internet Security\Engine\16.7.0.30\ccSvcHst.exe [2009-11-24 117640]
R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-24 240160]
S3 Partner Service;Partner Service;C:\ProgramData\Partner\Partner.exe [2009-11-24 332272]
.
=============== Created Last 30 ================
.
2011-09-05 09:59:51 -------- d-----w- C:\Windows\NAPP_Dism_Log
2011-09-05 08:48:18 -------- d-----w- C:\ERUNT
2011-09-05 08:42:44 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77A5DAAC-8DC6-49F9-B9B8-C4A270EF2173}\mpengine.dll
2011-09-05 08:42:43 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-09-05 08:29:31 -------- d-----w- C:\Users\Leslie\AppData\Local\Google
2011-09-05 08:28:52 -------- d-----w- C:\Users\Leslie\Tracing
2011-09-05 08:28:24 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-09-05 08:28:24 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-09-05 08:28:02 -------- d-----w- C:\Program Files (x86)\Microsoft SQL Server Compact Edition
2011-09-05 08:27:16 -------- d-----w- C:\Program Files (x86)\Microsoft
2011-09-05 08:26:58 -------- d-----w- C:\Program Files (x86)\Windows Live SkyDrive
2011-09-05 08:26:02 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DSETUP.dll
2011-09-05 08:26:02 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DXSETUP.exe
2011-09-05 08:26:02 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\dsetup32.dll
2011-09-05 08:25:30 141402440 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\wlcCE65.tmp
2011-09-05 08:25:20 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-09-05 08:22:05 2868736 ----a-w- C:\Windows\explorer.exe
2011-09-05 08:22:05 2613248 ----a-w- C:\Windows\SysWow64\explorer.exe
2011-09-05 08:20:31 92160 ----a-w- C:\Program Files\Internet Explorer\iecompat.dll
2011-09-05 08:20:31 92160 ----a-w- C:\Program Files (x86)\Internet Explorer\iecompat.dll
2011-09-05 08:19:41 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-09-05 08:19:41 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-09-05 08:19:05 46592 ----a-w- C:\Windows\System32\msasn1.dll
2011-09-05 08:19:05 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
2011-09-05 08:16:11 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
2011-09-05 08:16:10 71168 ----a-w- C:\Windows\SysWow64\fontsub.dll
2011-09-05 08:16:10 366080 ----a-w- C:\Windows\System32\atmfd.dll
2011-09-05 08:16:10 293888 ----a-w- C:\Windows\SysWow64\atmfd.dll
2011-09-05 08:16:10 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
2011-09-05 08:16:10 108544 ----a-w- C:\Windows\SysWow64\t2embed.dll
2011-09-05 08:16:09 982600 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-09-05 08:16:09 148480 ----a-w- C:\Windows\System32\t2embed.dll
2011-09-05 08:16:09 100864 ----a-w- C:\Windows\System32\fontsub.dll
2011-09-05 08:16:08 164864 ----a-w- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
2011-09-05 08:16:07 167424 ----a-w- C:\Program Files\Windows Media Player\wmplayer.exe
2011-09-05 08:15:53 12625920 ----a-w- C:\Windows\System32\wmploc.DLL
2011-09-05 08:15:53 12625408 ----a-w- C:\Windows\SysWow64\wmploc.DLL
2011-09-05 08:15:19 -------- d---a-w- C:\book
2011-09-05 08:14:51 -------- d-----w- C:\Users\Leslie\AppData\Local\VirtualStore
2011-09-05 08:13:04 -------- d-----w- C:\ProgramData\OEM_E471269A730D
2011-09-05 08:13:01 -------- d-----w- C:\Program Files (x86)\OEM
.
==================== Find3M ====================
.
2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
.
============= FINISH: 3:01:25.84 ===============

Scolabar
2011-09-06, 23:50
Hi Lame Gamer,

Firstly, welcome to Safer Networking. :)
My name is Scolabar, and I'll be helping you with your malware problems.
Logs can take a while to research, so please be patient.

I am currently working under the guidance of teachers; everything I post to you will need to be reviewed by them.
This additional review process can add some extra time to my responses, but hopefully not too much. ;)

Please note the following important guidelines before proceeding:
The instructions that will be provided are for YOUR computer and system only!
Using these instructions on a different computer can cause damage to that computer and possibly render it inoperable!
If you have any questions or do not understand something, please do not hesitate to ask, don't guess or assume.
Only post your problem at one help site. Applying fixes from multiple help sites can cause problems.
Only reply to this thread, do not start another. Please continue responding until I give you the All Clean.
Absence of symptoms does not necessarily mean that everything is clear.
DO NOT run any other fix or removal tools unless instructed to do so!
DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.
Print each set of instructions, if possible. Your Internet connection will not be available during some fix processes.
Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
Note: No Reply Within 3 Days Will Result In Your Topic Being Closed!
Please Note: If you haven't done so already, please read this topic "BEFORE You POST"(Please read this Procedure Before Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) where the conditions for receiving help here are explained.

Vista - W7 Advice:
Please Note: The programs I ask you to use will need to be run in Administrator Mode.
In order to do this Right-click on the program file and select the Run as Administrator option.
Additionally, the built-in User Account Control (UAC) utility, if enabled, may prompt you for permission to run the program.
If prompted, please click on the Allow button.
Reference: User Account Control (UAC) and Running as Administrator (http://support.microsoft.com/kb/922708)


Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.
In light of this, it would be advisable for you to back up any important files and folders that you don't want to lose before we start.

Backup Your Data - Windows 7 (http://support.microsoft.com/kb/971759)
If you follow these guidelines, things should proceed smoothly. :)
I am currently reviewing your log and will return, as soon as possible, with additional instructions.

Thank you for your patience.

Scolabar

Lame Gamer
2011-09-07, 03:17
Thank you. Just letting you know I'm still here.

I should probably mention a couple things... I found a bunch of strange computers connected to my system again, which seem to belong to this gaming group on Facebook. In the process of trying to get rid of them, my internet access was disabled for a while. I haven't run any fixes, but I downloaded/ran some of the diagnostic tools, added Spybot S&D, and Avast's free antivirus since then... I'm wondering if you need me to post fresh DDS logs?

Also, I don't own a printer... but can access any instructions online via my G4 phone. I'll wait to hear back from you, and appreciate the help.

Leslie

Lame Gamer
2011-09-07, 03:31
P.S. I backed up all my personal files to DVD prior to wiping out my hard drive. The USER files on this computer, that Windows 7 would be backing up are corrupted; er ah... 'autographed' by the people who hacked into my computer, so not sure I want to back those up. I did take screenshots of some of those altered system files, in cases where I could identify the author. (Yes, I know this probably seems weird. Not sure if I'm dealing with amateur hackers or professionals. Either way, this has not been fun.)

Lame Gamer
2011-09-07, 09:27
Sorry. Just noticed that my 'recovery partition' is listed in the storage snap-in as 100% free space. Not sure why. I did make a system recovery disk, not sure if that will be corrupted or not, but made one anyway. Going to bed for now, but will check back here when I wake up.

Lame Gamer
2011-09-07, 21:23
Every time I turn my computer on now, I find things are getting worse. It's now telling me... not to power off, installing update 80 of 113. The only thing I've done since waking up today was try to view some of the pictures I had saved to DVD... which just caused the system to hang. It acted like it was trying to reformat so I ejected it... went to restart. Now it's installing a million updates. :(

Lame Gamer
2011-09-08, 01:49
Sorry, not sure what to do since I haven't heard back from you since your first reply. But, since my computer keeps modifying itself spontaneously... I'm just going ahead with posting a fresh DDS log now. Just to remind you - the only two programs I've personally installed since the first logs are the avast antivirus, and Spybot S&D. The really strange stuff appears on the other 'attach' log... which I'm not sure how to attach here. (i.e. the C++, google toolbar notifier, XML editors, script helpers, and other bizarre programs that have 'installed themselves' since the last 'factory' install - I have no clue what they are, and no idea where they came from.)

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Leslie at 16:28:39 on 2011-09-07
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3839.2332 [GMT -6:00]
.
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe
C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\system32\LogonUI.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\SysWOW64\ctfmon.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\conhost.exe
C:\Windows\SysWOW64\cscript.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
mDefault_Page_URL = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
mStart Page = hxxp://homepage.emachines.com/rdr.aspx?b=ACEW&l=0409&m=et1331g&r=17360911g406p04e5v165r45n1s29p
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [SpybotSD TeaTimer] C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe
mRun: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
mPolicies-explorer: NoActiveDesktop = 1 (0x1)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Google Sidewiki... - C:\Program Files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - C:\PROGRA~2\MICROS~1\Office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - C:\PROGRA~2\MICROS~1\Office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
TCP: DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
TCP: Interfaces\{189A7EA4-E3E5-4BEB-805A-E0A751964664} : DhcpNameServer = 66.129.55.2 72.19.160.2 72.19.128.53
BHO-X64: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
BHO-X64: AcroIEHelperStub - No File
BHO-X64: {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - No File
BHO-X64: Spybot-S&D IE Protection: {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~2\SPYBOT~1\SDHelper.dll
BHO-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
BHO-X64: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
TB-X64: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll
TB-X64: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
mRun-x64: [avast] "C:\Program Files\AVAST Software\Avast\avastUI.exe" /nogui
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;C:\Windows\system32\drivers\aswSnx.sys --> C:\Windows\system32\drivers\aswSnx.sys [?]
R1 aswSP;aswSP;C:\Windows\system32\drivers\aswSP.sys --> C:\Windows\system32\drivers\aswSP.sys [?]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\drivers\aswFsBlk.sys --> C:\Windows\system32\drivers\aswFsBlk.sys [?]
R2 aswMonFlt;aswMonFlt;\??\C:\Windows\system32\drivers\aswMonFlt.sys --> C:\Windows\system32\drivers\aswMonFlt.sys [?]
R2 avast! Antivirus;avast! Antivirus;C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-9-6 44768]
R2 Greg_Service;GRegService;C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-8-28 1150496]
R2 SBSDWSCService;SBSD Security Center Service;C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2011-9-5 1153368]
R2 Updater Service;Updater Service;C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-11-24 240160]
S2 gupdate;Google Update Service (gupdate);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-5 136176]
S3 gupdatem;Google Update Service (gupdatem);C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-9-5 136176]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]
.
=============== Created Last 30 ================
.
2011-09-07 22:22:31 607260 ------r- C:\dds.com
2011-09-07 18:57:35 -------- d-----w- C:\Windows\SysWow64\Wat
2011-09-07 18:57:35 -------- d-----w- C:\Windows\System32\Wat
2011-09-07 18:25:14 367104 ----a-w- C:\Windows\System32\wcncsvc.dll
2011-09-07 18:25:14 276992 ----a-w- C:\Windows\SysWow64\wcncsvc.dll
2011-09-07 18:06:30 99176 ----a-w- C:\Windows\SysWow64\PresentationHostProxy.dll
2011-09-07 18:06:30 49472 ----a-w- C:\Windows\SysWow64\netfxperf.dll
2011-09-07 18:06:30 48960 ----a-w- C:\Windows\System32\netfxperf.dll
2011-09-07 18:06:30 444752 ----a-w- C:\Windows\System32\mscoree.dll
2011-09-07 18:06:30 320352 ----a-w- C:\Windows\System32\PresentationHost.exe
2011-09-07 18:06:30 297808 ----a-w- C:\Windows\SysWow64\mscoree.dll
2011-09-07 18:06:30 295264 ----a-w- C:\Windows\SysWow64\PresentationHost.exe
2011-09-07 18:06:30 1942856 ----a-w- C:\Windows\System32\dfshim.dll
2011-09-07 18:06:30 1130824 ----a-w- C:\Windows\SysWow64\dfshim.dll
2011-09-07 18:06:30 109912 ----a-w- C:\Windows\System32\PresentationHostProxy.dll
2011-09-07 18:01:33 -------- d-----w- C:\Windows\PCHEALTH
2011-09-07 17:54:34 -------- d-sh--w- C:\Windows\SysWow64\%APPDATA%
2011-09-07 17:54:01 243712 ----a-w- C:\Windows\System32\drivers\ks.sys
2011-09-07 17:19:56 476160 ----a-w- C:\Windows\System32\XpsGdiConverter.dll
2011-09-07 17:18:56 197120 ----a-w- C:\Windows\System32\d3d10_1.dll
2011-09-07 17:17:59 976896 ----a-w- C:\Windows\System32\inetcomm.dll
2011-09-07 17:13:37 236032 ----a-w- C:\Windows\System32\srvsvc.dll
2011-09-07 17:13:36 9728 ----a-w- C:\Windows\SysWow64\sscore.dll
2011-09-07 17:12:35 5507968 ----a-w- C:\Windows\System32\ntoskrnl.exe
2011-09-07 17:12:33 3957120 ----a-w- C:\Windows\SysWow64\ntkrnlpa.exe
2011-09-07 17:12:33 3902336 ----a-w- C:\Windows\SysWow64\ntoskrnl.exe
2011-09-07 02:39:26 220672 ----a-w- C:\Windows\System32\wintrust.dll
2011-09-07 02:39:25 172032 ----a-w- C:\Windows\SysWow64\wintrust.dll
2011-09-07 02:39:25 139264 ----a-w- C:\Windows\System32\cabview.dll
2011-09-07 02:39:25 132608 ----a-w- C:\Windows\SysWow64\cabview.dll
2011-09-07 02:22:00 -------- d-----w- C:\Users\Leslie\LocaleMetaData
2011-09-06 02:20:22 601944 ----a-w- C:\Windows\System32\drivers\aswSnx.sys
2011-09-06 02:20:20 65368 ----a-w- C:\Windows\System32\drivers\aswMonFlt.sys
2011-09-06 02:19:54 41184 ----a-w- C:\Windows\avastSS.scr
2011-09-06 02:19:42 -------- d-----w- C:\ProgramData\AVAST Software
2011-09-06 02:19:42 -------- d-----w- C:\Program Files\AVAST Software
2011-09-06 00:13:39 982912 ----a-w- C:\Windows\System32\drivers\dxgkrnl.sys
2011-09-05 22:34:23 -------- d-----w- C:\Users\Leslie\AppData\Roaming\Safer Networking
2011-09-05 22:34:06 -------- d-----w- C:\Program Files (x86)\Safer Networking
2011-09-05 22:28:52 -------- d-----w- C:\Users\Leslie\AppData\Local\ElevatedDiagnostics
2011-09-05 22:20:10 -------- d-----w- C:\Users\Leslie\AppData\Local\Diagnostics
2011-09-05 11:12:12 -------- d-----w- C:\Program Files (x86)\ESET
2011-09-05 10:52:05 294400 ----a-w- C:\exeHelper.com
2011-09-05 10:37:43 -------- d-----w- C:\unhide
2011-09-05 10:13:09 -------- d-----w- C:\rk5
2011-09-05 10:12:31 -------- d-----w- C:\rk4
2011-09-05 10:11:45 -------- d-----w- C:\rk3
2011-09-05 10:11:09 -------- d-----w- C:\rk2
2011-09-05 10:06:14 -------- d-----w- C:\rk1
2011-09-05 09:59:51 -------- d-----w- C:\Windows\NAPP_Dism_Log
2011-09-05 09:10:44 -------- d-----w- C:\ProgramData\Spybot - Search & Destroy
2011-09-05 09:10:44 -------- d-----w- C:\Program Files (x86)\Spybot - Search & Destroy
2011-09-05 08:48:18 -------- d-----w- C:\ERUNT
2011-09-05 08:42:44 8862544 ----a-w- C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{77A5DAAC-8DC6-49F9-B9B8-C4A270EF2173}\mpengine.dll
2011-09-05 08:42:43 270720 ------w- C:\Windows\System32\MpSigStub.exe
2011-09-05 08:29:31 -------- d-----w- C:\Users\Leslie\AppData\Local\Google
2011-09-05 08:28:52 -------- d-----w- C:\Users\Leslie\Tracing
2011-09-05 08:28:24 4398360 ----a-w- C:\Windows\System32\d3dx9_32.dll
2011-09-05 08:28:24 3426072 ----a-w- C:\Windows\SysWow64\d3dx9_32.dll
2011-09-05 08:27:16 -------- d-----w- C:\Program Files (x86)\Microsoft
2011-09-05 08:26:02 74520 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DSETUP.dll
2011-09-05 08:26:02 484632 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\DXSETUP.exe
2011-09-05 08:26:02 1670936 ----a-w- C:\Program Files (x86)\Common Files\Windows Live\.cache\72d60be01cc6ba5\dsetup32.dll
2011-09-05 08:25:20 -------- d-----w- C:\Program Files (x86)\Common Files\Windows Live
2011-09-05 08:19:41 311808 ----a-w- C:\Windows\System32\msv1_0.dll
2011-09-05 08:19:41 257024 ----a-w- C:\Windows\SysWow64\msv1_0.dll
2011-09-05 08:19:05 46592 ----a-w- C:\Windows\System32\msasn1.dll
2011-09-05 08:19:05 34816 ----a-w- C:\Windows\SysWow64\msasn1.dll
2011-09-05 08:16:11 1320960 ----a-w- C:\Windows\SysWow64\CertEnroll.dll
2011-09-05 08:16:10 1975296 ----a-w- C:\Windows\System32\CertEnroll.dll
2011-09-05 08:15:19 -------- d---a-w- C:\book
2011-09-05 08:14:51 -------- d-----w- C:\Users\Leslie\AppData\Local\VirtualStore
2011-09-05 08:13:04 -------- d-----w- C:\ProgramData\OEM_E471269A730D
.
==================== Find3M ====================
.
2011-09-06 00:13:39 902656 ----a-w- C:\Windows\System32\d2d1.dll
2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
2011-07-16 05:26:54 362496 ----a-w- C:\Windows\System32\wow64win.dll
2011-07-16 05:26:53 243200 ----a-w- C:\Windows\System32\wow64.dll
2011-07-16 05:26:53 13312 ----a-w- C:\Windows\System32\wow64cpu.dll
2011-07-16 05:26:18 214528 ----a-w- C:\Windows\System32\winsrv.dll
2011-07-16 05:24:09 16384 ----a-w- C:\Windows\System32\ntvdm64.dll
2011-07-16 05:21:32 422400 ----a-w- C:\Windows\System32\KernelBase.dll
2011-07-16 05:17:46 338432 ----a-w- C:\Windows\System32\conhost.exe
2011-07-16 04:36:09 14336 ----a-w- C:\Windows\SysWow64\ntvdm64.dll
2011-07-16 04:32:14 44032 ----a-w- C:\Windows\apppatch\acwow64.dll
2011-07-16 04:31:50 25600 ----a-w- C:\Windows\SysWow64\setup16.exe
2011-07-16 04:30:29 5120 ----a-w- C:\Windows\SysWow64\wow32.dll
2011-07-16 04:30:27 272384 ----a-w- C:\Windows\SysWow64\KernelBase.dll
2011-07-16 02:26:12 7680 ----a-w- C:\Windows\SysWow64\instnm.exe
2011-07-16 02:26:11 2048 ----a-w- C:\Windows\SysWow64\user.exe
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-07-16 02:21:47 4608 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-threadpool-l1-1-0.dll
2011-07-16 02:21:47 3584 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-xstate-l1-1-0.dll
2011-07-16 02:21:47 3072 ---ha-w- C:\Windows\SysWow64\api-ms-win-core-util-l1-1-0.dll
2011-07-09 05:14:10 2048 ----a-w- C:\Windows\System32\tzres.dll
2011-07-09 04:30:52 2048 ----a-w- C:\Windows\SysWow64\tzres.dll
2011-07-09 02:44:55 287744 ----a-w- C:\Windows\System32\drivers\mrxsmb10.sys
2011-06-21 06:27:14 1896832 ----a-w- C:\Windows\System32\drivers\tcpip.sys
2011-06-15 09:58:31 212992 ----a-w- C:\Windows\System32\odbctrac.dll
2011-06-15 09:58:31 163840 ----a-w- C:\Windows\System32\odbccp32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccu32.dll
2011-06-15 09:58:31 106496 ----a-w- C:\Windows\System32\odbccr32.dll
2011-06-15 09:04:46 86016 ----a-w- C:\Windows\SysWow64\odbccu32.dll
2011-06-15 09:04:46 81920 ----a-w- C:\Windows\SysWow64\odbccr32.dll
2011-06-15 09:04:46 319488 ----a-w- C:\Windows\SysWow64\odbcjt32.dll
2011-06-15 09:04:46 163840 ----a-w- C:\Windows\SysWow64\odbctrac.dll
2011-06-15 09:04:46 122880 ----a-w- C:\Windows\SysWow64\odbccp32.dll
2011-06-11 02:56:44 3134464 ----a-w- C:\Windows\System32\win32k.sys
.
============= FINISH: 16:29:39.52 ===============

Scolabar
2011-09-08, 19:48
Hi Lame Gamer,

Thank you again for your patience. :)

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Step 1:
Sensitive Data Query

I understand from what you have said that this computer has been seriously compromised, as a result of which you have attempted to remedy the situation by restoring the computer to the factory default state.
Please confirm whether or not this computer has been used to hold any sensitive, personal data. If so:

You are strongly advised to do the following:
Disconnect the computer from the Internet and from any networked computers until it is cleaned.
Call all your banks, financial institutions, credit card companies and inform them that you may be a victim of identity theft and put a watch on your accounts. If you don't mind the hassle, change all your account numbers.
From a clean computer, change all your passwords
(ISP login password, your email address(es) passwords, financial accounts, PayPal, eBay, Amazon, any online activity you perform, requiring a username and password).
Do NOT change your passwords from this computer as the attacker will be able to get all the new passwords and transaction records.
Back up all your important data except programs. The programs can be reinstalled back from the original disc or from the Net.

Step 2:
Computer Access Query

Please confirm whether or not you have access to another computer (- a friend's or neighbour's computer) that you can use to download the tools I will be asking you to use.

Step 3:
Rkill

Firstly we will try to stop any active rogue processes that may interfere with the cleanup attempt:

Please download Rkill (http://download.bleepingcomputer.com/grinler/rkill.com) by Grinler. Save it to your Desktop.
Alternate download links are available as follows: Two (http://download.bleepingcomputer.com/grinler/rkill.scr), Three (http://download.bleepingcomputer.com/grinler/rkill.pif) or Four (http://download.bleepingcomputer.com/grinler/rkill.exe).
Note: If your security software warns about Rkill, please ignore and allow the download to continue.
Double-click on the Rkill Desktop icon.
Vista - W7 users: Right-click on the Rkill Desktop icon and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
A command window will open then disappear upon completion; this is normal.
If this does not happen, delete the file, then download and use the next alternative link provided.
If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
Do not reboot your machine until asked to do so. If no version of Rkill would run, please let me know.
When finished, Notepad will open with a log file, automatically saved at C:\rkill.log.
Copy and Paste the entire contents of the rkill.log file into your next reply.
Note: Please leave Rkill on the Desktop unless instructed otherwise.

Note: If you get an alert that Rkill is infected, ignore it. The alert is a fake warning given by the rogue software, trying to "protect" itself from being terminated or removed. If you see such a warning, leave the warning on the screen, then run Rkill again. By not closing the warning, this sometimes allows you to bypass the malware's attempt to protect itself, so that Rkill can perform its routine.
Step 4:
RSIT (Random's System Information Tool)

Let's run RSIT to see if this tool can uncover some more information about the computer problems you have been experiencing.

Please download RSIT (http://images.malwareremoval.com/random/RSITx64.exe) by random/random and save it to your Desktop.
Double-click on RSITx64.exe to run the program. Read the disclaimer and then click on the Continue button.
Vista - W7 users: Right-click RSITx64.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
RSIT will start running.
When the program has finished, two log files will automatically open in Notepad:
log.txt <-- Will be opened, maximized.
info.txt <-- Will be minimized on task bar.
Please Copy and Paste the entire contents of both log.txt and info.txt files into your next reply.
Note: These logs can be lengthy, so post 1 log per reply please.

Step 5:
aswMBR - Scan

Please download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) © Avast Software ( 511KB ) and Save it to your Desktop.
Double-click on aswMBR.exe to run the program.
Vista - W7 users: Right-click on aswMBR.exe and select "Run As Administrator" to launch the program. If you receive a UAC prompt, please allow it.
Click on the Scan button to start the scan.
On completion of the scan the following message will be displayed: "Scan finished successfully". Click on the Save log button.
You will be prompted to save a file named aswMBR.txt. Save it to your Desktop.
Please Copy and Paste the contents of aswMBR.txt into your next reply.

Please Note: A file will be created and placed on your desktop when you execute aswMBR, named MBR.dat. This is a copy of your MBR record before any changes are made; it can be used to recover the MBR record to its previous condition if problems exist after changes.

Step 6:
Include in Next Post

Did you have any problems carrying out the instructions?
Has the computer been used to hold any sensitive, personal data at any point?
Do you have access to another computer (- either a friend's or neighbour's)?
rkill.log.
log.txt.
info.txt.
aswMBR.txt.
Do you have the original Windows installation media for your PC?

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
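Added example, not from this thread and not part of the DDS or RSIT tools: a small parser for the file-listing lines in the DDS log posted above and in the RSIT log requested here, with the triage rules a helper applies when reading them. The sample lines are copied from the logs in this thread; flagged entries are review candidates for the helper, not verdicts.

```python
"""Parse DDS / RSIT file-listing lines and flag entries worth a closer look."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Two layouts appear in the posted logs:
#   DDS : 2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
#         2011-09-05 08:15:19 -------- d---a-w- C:\book        (size column is dashes for dirs)
#   RSIT: 2011-09-07 11:54:34 ----SHD---- C:\Windows\SYSWOW64\%APPDATA%   (no size column)
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"  # timestamp
    r"(?:(\d+|-+)\s+)?"                           # DDS size column, absent in RSIT
    r"([-A-Za-z]+)\s+"                            # attribute column (d/h/a/w or D/S/H/R/A)
    r"(.+?)\s*$"                                  # path, may contain spaces
)

# Sample lines copied from the logs posted in this thread, plus one junk line
# to show that non-matching text is skipped.
SAMPLE_LOG = r"""
2011-09-05 09:08:49 6 ----a-w- C:\Windows\System32\PLD_Framework.cmd
2011-09-05 08:15:19 -------- d---a-w- C:\book
2011-07-16 02:21:47 6144 ---ha-w- C:\Windows\SysWow64\api-ms-win-security-base-l1-1-0.dll
2011-09-07 11:54:34 ----SHD---- C:\Windows\SYSWOW64\%APPDATA%
2011-09-08 21:09:19 ----RA---- C:\rkill.com
2011-09-07 12:57:35 ----D---- C:\Windows\SYSWOW64\Wat
not a log line
"""


@dataclass
class Entry:
    timestamp: str
    size: Optional[int]   # None for directories and for RSIT lines
    attrs: Set[str]       # normalised upper-case flags: D(ir) H(idden) S(ystem) R(ead-only) A(rchive)
    path: str

    @property
    def is_dir(self) -> bool:
        return "D" in self.attrs

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs

    @property
    def system(self) -> bool:
        return "S" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a DDS or RSIT listing line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, size_col, attr_col, path = m.groups()
    size = int(size_col) if size_col and size_col.isdigit() else None
    # DDS uses lower-case letters, RSIT upper-case; fold both to one alphabet.
    attrs = {ch.upper() for ch in attr_col if ch.isalpha()}
    return Entry(ts, size, attrs, path)


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


SCRIPT_EXT = (".cmd", ".bat", ".vbs", ".js", ".ps1")
ENV_TOKEN_RE = re.compile(r"%[A-Za-z_]+%")
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) pairs for entries a helper would want to inspect first."""
    findings = []
    for e in entries:
        lower = e.path.lower()
        if ENV_TOKEN_RE.search(e.path):
            # A literal %VAR% in a path means something wrote the unexpanded string.
            findings.append((e.path, "unexpanded-env-var"))
        if e.hidden and e.system:
            # Hidden+System together is how an item stays out of a normal Explorer view.
            findings.append((e.path, "hidden+system"))
        if not e.is_dir and lower.endswith(SCRIPT_EXT) and any(d in lower for d in SYSTEM_DIRS):
            findings.append((e.path, "script-in-system-dir"))
    return findings


def by_hour(entries: List[Entry]) -> Dict[str, int]:
    """Count entries per 'YYYY-MM-DD HH'; large buckets are update batches, singletons stand out."""
    return dict(Counter(e.timestamp[:13] for e in entries))


if __name__ == "__main__":
    ents = parse_log(SAMPLE_LOG)
    for path, reason in triage(ents):
        print(f"{reason:22s} {path}")
    print(by_hour(ents))
```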

Lame Gamer
2011-09-08, 20:54
Sooo relieved to hear from you, thanks so much for trying to help me with this.

Mostly, I've left this computer off over the last couple days - with internet access physically disconnected. Using my mobile phone to check this thread for replies. I already have rkill saved to disk... Need to download the others.

And, technically.... I don't have access to another pc right now - although I could put my old one back together. (I took it apart after I got this one.) The thing is... there is personal info on that hard drive. Since I don't really understand how these people are connecting to my system in the first place, I'm paranoid about hooking the other one back up right now. I've already backed up everything I'd wanted to save from this infected machine - would just need to download the other tools you want me to try from the internet. I could save those to dvd, then disconnect from the Ethernet adapter before I run them.

But...erm, how would I post the logs here. Lol.

More coffee is needed. Let me charge up my mobile batteries while I figure something out.

Lame Gamer
2011-09-09, 02:59
Okay. I pieced together a second system here, using parts of 'retired' computers which were just taking up closet space.

So in summary - here's where I'm at:

You said: Step 6/Include in Next Post:

a) Did you have any problems carrying out the instructions?
Not so far. Will let you know how the rest goes...

b) Has the computer been used to hold any sensitive, personal data at any point?
Yes, but nothing that would include bank account numbers. I mostly used that system just for gaming, and emailing pictures to my mom. I've changed my Facebook passwords already, and saved anything I wanted to keep to DVD. (Not sure if anything I saved to DVD could start this all over again or not...)

c) Do you have access to another computer (- either a friend's or neighbour's)?
I do now. (Even though, this second PC is connected through the same internet connection as the other one was - but the infected PC is no longer online, and will be kept totally isolated from this alternate system unless it gets fixed. )

d) I'll download rkill, RSIT, and aswMBR next; save those to disks. Will post the following logs after I've run those...
rkill.log.
log.txt.
info.txt.
aswMBR.txt.

e) Do you have the original Windows installation media for your PC?
hmmm. Yes and no.
The infected computer did not come with recovery disks. I had to make those myself. (and it's possible the computer was already compromised when I did that - not sure) Supposedly there is a 'recovery partition' too.

The thing is, both ways (recovery disks and recovery partition) have produced the same results so far... which was NOT like the factory state at all. Not sure how that was possible, but that's what kept happening. It was as if the process of actually restoring the PC to the factory state was re-routed somehow, and all this other junk I was trying to get rid of was restored right along with it. Besides that... the so-called 'recovery partition' is most recently listed as '100% Free space' in the disk management snap-in. lol. (I won't pretend to understand why - I just don't remember it being listed that way before.)

Therefore, I can't promise that the recovery disks or the recovery partition will function as intended. I also made a 'repair disk' via one of the control panel options inside Windows 7 - (post infection, for sure) which I have not tried. (The other 'recovery' disks were created using the eMachines application. Those appear to be borked, IMHO... I have the option to remake those, if you think it would help.. at any point during the cleaning process?)

Again... thanks so much for your help with this. I had completely run out of ideas to try by the time I left this post here.

Lame Gamer
2011-09-09, 04:36
Ah ha ha! I can tell already, this is gonna be fun. The bad news is...

A. I only have one monitor. (and my tv won't work, wrong cord...already tried.) So...sending this message via mobile phone.

B. Avast's security keeps telling me to only play in the sand box with rk. It started out with not just one warning message - but dozens. But... It's not just about Avast telling me to be careful with rk. It's also warning me that all sorts of these temp files are trying to open rk too...as well as rk itself trying to open various other applications, many of them are also temp files. Avast wants everyone to play in this sandbox.

At first I thought it was the same message appearing over and over - so I started checking the 'remember my answer...' option. Now I'm not sure what I've done...so going to program settings now (Avast) to undo whatever I just did. Just hoping to verify....that we don't want anything kept in this sandbox. (Or, do we?...I'm confused because I wasn't expecting errors over other programs trying to mess with rk and vice versa - I was only expecting warnings about opening rk in the first place.)

Speaking of never having done this before, until now.... Only one version of rk is giving me the option to run as admin. FYI.

Lame Gamer
2011-09-09, 04:48
Arghrrr! Rk appears not to have found anything...however, the sand box messages won't go away now. Sand box warnings still flocking in.... Interfering with my ability to view program settings for Avast. lol. (A hard reset seems rather tempting at this point... I shall try to restrain myself.)

Lame Gamer
2011-09-09, 05:46
It seems everything on my desktop is shared ...again. I think this is interfering with my ability to run anything on my desktop 'as admin.'

With rk - the last thing I see on the DOS window before it vanishes is a list of files it 'can't find' ...'can't open'....or whatever. But this list of items goes away before I can read the whole thing... And the log files appear as if the program has found nothing.

Going to try copying rk directly to c: drive...will try to run it from there. It's like there are hidden 'user' files set up which, if I can see them...I don't have permissions to access.

(Not to mention...I keep 'un-sharing' all my files/folders...over and over. They go right back to sharing themselves again. So frustrating....those settings refuse to stick.)

Lame Gamer
2011-09-09, 07:05
Okay. Unless it's possible to execute rk directly from the command line, in a way that applies to all users... that's not going to work, so I'm giving up. All it's doing is giving me the creeps, probably because I know who these people are.

(Not that having my computer taken over by total strangers would be any better...I'm just saying, finding their 'autographed' handy work all over my system files ...it's pretty darn creepy.)

Anyway, moving on to this RSIT step. My 'impromptu' computer will not read the DVD where I saved those logs. Not sure why, but I'll go back and try saving them to regular CD instead. It's always something... :/

Lame Gamer
2011-09-09, 07:14
RSIT 1 of 2:

Logfile of random's system information tool 1.09 (written by random/random)
Run by Leslie at 2011-09-08 21:39:56
Microsoft Windows 7 Home Premium
System drive C: has 565 GB (94%) free of 598 GB
Total RAM: 3839 MB (77% free)

HijackThis download failed

======Listing Processes======

\SystemRoot\System32\smss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
wininit.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
winlogon.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\nvvsvc.exe -session -first
"C:\Program Files\AVAST Software\Avast\AvastSvc.exe"
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
"taskhost.exe"
"C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe"
"C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe"
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe"
"C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe"
"C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe"
"C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe"
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\SearchIndexer.exe /Embedding
"C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe"
"C:\Program Files\AVAST Software\Avast\AvastUI.exe" /nogui
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
taskeng.exe {704FB9B7-CB56-4D95-960E-205BA10EE57F}
"C:\Program Files\eMachines\eMachines Recovery Management\NotificationCenter\Notification.exe"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 520 524 532 65536 528
C:\Windows\system32\wbem\wmiprvse.exe
"C:\Users\Leslie\Desktop\RSITx64.exe"

======Scheduled tasks folder======

C:\Windows\tasks\GoogleUpdateTaskMachineCore.job
C:\Windows\tasks\GoogleUpdateTaskMachineUA.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}]
avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2011-09-06 959432]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5}]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~2\SPYBOT~1\SDHelper.dll [2009-01-26 1879896]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8E5E2654-AD2D-48bf-AC2D-D17F00898D06}]
avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2011-09-06 806456]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} - avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2011-09-06 959432]

[HKEY_LOCAL_MACHINE\SOFTWARE\wow6432node\Microsoft\Internet Explorer\Toolbar]
{8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - avast! WebRep - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2011-09-06 806456]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"=C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe [2009-07-20 7981088]
"NvCplDaemon"=C:\Windows\system32\NvCpl.dll [2009-07-14 16333856]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"=C:\Program Files (x86)\Spybot - Search & Destroy\TeaTimer.exe [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\Software\wow6432node\Microsoft\Windows\CurrentVersion\Run]
"avast"=C:\Program Files\AVAST Software\Avast\avastUI.exe [2011-09-06 3722416]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=credssp.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\AFD]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableCMD"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorUser"=3
"EnableUIADesktopToggle"=0
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
"DisableTaskMgr"=0
"DisableCMD"=0

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoActiveDesktop"=1
"ForceActiveDesktopOn"=0
"NoFolderOptions"=0

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
"vidc.mrle"=msrle32.dll
"vidc.msvc"=msvidc32.dll
"msacm.imaadpcm"=imaadp32.acm
"msacm.msg711"=msg711.acm
"msacm.msgsm610"=msgsm32.acm
"msacm.msadpcm"=msadp32.acm
"midimapper"=midimap.dll
"wavemapper"=msacm32.drv
"vidc.uyvy"=msyuv.dll
"vidc.yuy2"=msyuv.dll
"vidc.yvyu"=msyuv.dll
"vidc.iyuv"=iyuv_32.dll
"vidc.i420"=iyuv_32.dll
"vidc.yvu9"=tsbyuv.dll
"msacm.l3acm"=C:\Windows\System32\l3codeca.acm
"wave"=wdmaud.drv
"midi"=wdmaud.drv
"mixer"=wdmaud.drv
"aux"=wdmaud.drv

======File associations======

.js - edit - C:\Windows\System32\Notepad.exe %1
.js - open - C:\Windows\System32\WScript.exe "%1" %*

======List of files/folders created in the last 1 month======

2011-09-08 21:39:57 ----D---- C:\Program Files\trend micro
2011-09-08 21:39:56 ----D---- C:\rsit
2011-09-08 21:09:19 ----RA---- C:\rkill.com
2011-09-08 20:59:53 ----D---- C:\LESLIES FILES - hands off
2011-09-07 19:11:08 ----D---- C:\Program Files (x86)\MSXML 4.0
2011-09-07 16:22:31 ----R---- C:\dds.com
2011-09-07 15:10:53 ----A---- C:\Windows\system32\drivers\usbport.sys
2011-09-07 15:10:53 ----A---- C:\Windows\system32\drivers\usbhub.sys
2011-09-07 15:10:53 ----A---- C:\Windows\system32\drivers\usbehci.sys
2011-09-07 15:10:52 ----A---- C:\Windows\system32\drivers\usbuhci.sys
2011-09-07 15:10:52 ----A---- C:\Windows\system32\drivers\usbohci.sys
2011-09-07 15:10:52 ----A---- C:\Windows\system32\drivers\usbd.sys
2011-09-07 15:10:52 ----A---- C:\Windows\system32\drivers\usbccgp.sys
2011-09-07 15:10:46 ----A---- C:\Windows\system32\esent.dll
2011-09-07 15:10:46 ----A---- C:\Windows\system32\drivers\nvstor.sys
2011-09-07 15:10:46 ----A---- C:\Windows\system32\drivers\ntfs.sys
2011-09-07 15:10:45 ----A---- C:\Windows\SYSWOW64\esent.dll
2011-09-07 15:10:45 ----A---- C:\Windows\system32\fsutil.exe
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\USBSTOR.SYS
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\storport.sys
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\nvraid.sys
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\iaStorV.sys
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\amdxata.sys
2011-09-07 15:10:45 ----A---- C:\Windows\system32\drivers\amdsata.sys
2011-09-07 15:10:44 ----A---- C:\Windows\SYSWOW64\fsutil.exe
2011-09-07 12:57:35 ----D---- C:\Windows\SYSWOW64\Wat
2011-09-07 12:57:35 ----D---- C:\Windows\system32\Wat
2011-09-07 12:25:14 ----A---- C:\Windows\SYSWOW64\wcncsvc.dll
2011-09-07 12:25:14 ----A---- C:\Windows\system32\wcncsvc.dll
2011-09-07 12:06:30 ----A---- C:\Windows\SYSWOW64\PresentationHostProxy.dll
2011-09-07 12:06:30 ----A---- C:\Windows\SYSWOW64\PresentationHost.exe
2011-09-07 12:06:30 ----A---- C:\Windows\SYSWOW64\netfxperf.dll
2011-09-07 12:06:30 ----A---- C:\Windows\SYSWOW64\mscoree.dll
2011-09-07 12:06:30 ----A---- C:\Windows\SYSWOW64\dfshim.dll
2011-09-07 12:06:30 ----A---- C:\Windows\system32\PresentationHostProxy.dll
2011-09-07 12:06:30 ----A---- C:\Windows\system32\PresentationHost.exe
2011-09-07 12:06:30 ----A---- C:\Windows\system32\netfxperf.dll
2011-09-07 12:06:30 ----A---- C:\Windows\system32\mscoree.dll
2011-09-07 12:06:30 ----A---- C:\Windows\system32\dfshim.dll
2011-09-07 12:01:33 ----D---- C:\Windows\PCHEALTH
2011-09-07 11:54:34 ----SHD---- C:\Windows\SYSWOW64\%APPDATA%
2011-09-07 11:54:01 ----A---- C:\Windows\system32\drivers\ks.sys
2011-09-07 11:20:52 ----A---- C:\Windows\SYSWOW64\tzres.dll
2011-09-07 11:20:52 ----A---- C:\Windows\system32\tzres.dll
2011-09-07 11:20:46 ----A---- C:\Windows\SYSWOW64\xmllite.dll
2011-09-07 11:20:46 ----A---- C:\Windows\system32\xmllite.dll
2011-09-07 11:20:44 ----A---- C:\Windows\SYSWOW64\kerberos.dll
2011-09-07 11:20:44 ----A---- C:\Windows\system32\kerberos.dll
2011-09-07 11:20:40 ----A---- C:\Windows\SYSWOW64\odbctrac.dll
2011-09-07 11:20:40 ----A---- C:\Windows\SYSWOW64\odbcjt32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\SYSWOW64\odbccu32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\SYSWOW64\odbccr32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\SYSWOW64\odbccp32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\system32\odbctrac.dll
2011-09-07 11:20:40 ----A---- C:\Windows\system32\odbccu32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\system32\odbccr32.dll
2011-09-07 11:20:40 ----A---- C:\Windows\system32\odbccp32.dll
2011-09-07 11:20:38 ----A---- C:\Windows\SYSWOW64\asycfilt.dll
2011-09-07 11:20:38 ----A---- C:\Windows\system32\drivers\dfsc.sys
2011-09-07 11:20:38 ----A---- C:\Windows\system32\asycfilt.dll
2011-09-07 11:20:32 ----A---- C:\Windows\SYSWOW64\poqexec.exe
2011-09-07 11:20:32 ----A---- C:\Windows\system32\poqexec.exe
2011-09-07 11:20:31 ----A---- C:\Windows\explorer.exe
2011-09-07 11:20:30 ----A---- C:\Windows\SYSWOW64\explorer.exe
2011-09-07 11:20:29 ----A---- C:\Windows\system32\CPFilters.dll
2011-09-07 11:20:28 ----A---- C:\Windows\SYSWOW64\EncDec.dll
2011-09-07 11:20:28 ----A---- C:\Windows\SYSWOW64\CPFilters.dll
2011-09-07 11:20:28 ----A---- C:\Windows\system32\sbe.dll
2011-09-07 11:20:28 ----A---- C:\Windows\system32\EncDec.dll
2011-09-07 11:20:27 ----A---- C:\Windows\SYSWOW64\sbe.dll
2011-09-07 11:20:26 ----A---- C:\Windows\SYSWOW64\t2embed.dll
2011-09-07 11:20:26 ----A---- C:\Windows\system32\t2embed.dll
2011-09-07 11:20:25 ----A---- C:\Windows\system32\ole32.dll
2011-09-07 11:20:24 ----A---- C:\Windows\SYSWOW64\ole32.dll
2011-09-07 11:20:23 ----A---- C:\Windows\SYSWOW64\StructuredQuery.dll
2011-09-07 11:20:23 ----A---- C:\Windows\system32\StructuredQuery.dll
2011-09-07 11:20:20 ----A---- C:\Windows\SYSWOW64\mssrch.dll
2011-09-07 11:20:20 ----A---- C:\Windows\system32\mssrch.dll
2011-09-07 11:20:19 ----A---- C:\Windows\SYSWOW64\tquery.dll
2011-09-07 11:20:19 ----A---- C:\Windows\system32\tquery.dll
2011-09-07 11:20:19 ----A---- C:\Windows\system32\SearchIndexer.exe
2011-09-07 11:20:19 ----A---- C:\Windows\system32\mssph.dll
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\SearchProtocolHost.exe
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\SearchIndexer.exe
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\SearchFilterHost.exe
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\mssvp.dll
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\mssphtb.dll
2011-09-07 11:20:18 ----A---- C:\Windows\SYSWOW64\mssph.dll
2011-09-07 11:20:18 ----A---- C:\Windows\system32\SearchProtocolHost.exe
2011-09-07 11:20:18 ----A---- C:\Windows\system32\SearchFilterHost.exe
2011-09-07 11:20:18 ----A---- C:\Windows\system32\mssvp.dll
2011-09-07 11:20:18 ----A---- C:\Windows\system32\msscntrs.dll
2011-09-07 11:20:17 ----A---- C:\Windows\SYSWOW64\msscntrs.dll
2011-09-07 11:20:17 ----A---- C:\Windows\system32\mssphtb.dll
2011-09-07 11:20:16 ----A---- C:\Windows\system32\taskschd.dll
2011-09-07 11:20:16 ----A---- C:\Windows\system32\taskeng.exe
2011-09-07 11:20:16 ----A---- C:\Windows\system32\schedsvc.dll
2011-09-07 11:20:15 ----A---- C:\Windows\SYSWOW64\taskschd.dll
2011-09-07 11:20:15 ----A---- C:\Windows\SYSWOW64\taskeng.exe
2011-09-07 11:20:15 ----A---- C:\Windows\SYSWOW64\taskcomp.dll
2011-09-07 11:20:15 ----A---- C:\Windows\SYSWOW64\schtasks.exe
2011-09-07 11:20:15 ----A---- C:\Windows\system32\wmicmiplugin.dll
2011-09-07 11:20:15 ----A---- C:\Windows\system32\taskcomp.dll
2011-09-07 11:20:15 ----A---- C:\Windows\system32\schtasks.exe
2011-09-07 11:20:14 ----A---- C:\Windows\system32\drivers\mrxsmb20.sys
2011-09-07 11:20:14 ----A---- C:\Windows\system32\drivers\mrxsmb10.sys
2011-09-07 11:20:14 ----A---- C:\Windows\system32\drivers\mrxsmb.sys
2011-09-07 11:20:11 ----A---- C:\Windows\system32\shell32.dll
2011-09-07 11:20:10 ----A---- C:\Windows\SYSWOW64\shell32.dll
2011-09-07 11:20:08 ----A---- C:\Windows\SYSWOW64\secproc_isv.dll
2011-09-07 11:20:08 ----A---- C:\Windows\SYSWOW64\secproc.dll
2011-09-07 11:20:08 ----A---- C:\Windows\SYSWOW64\RMActivate_isv.exe
2011-09-07 11:20:08 ----A---- C:\Windows\SYSWOW64\RMActivate.exe
2011-09-07 11:20:08 ----A---- C:\Windows\system32\secproc_ssp_isv.dll
2011-09-07 11:20:08 ----A---- C:\Windows\system32\secproc_ssp.dll
2011-09-07 11:20:08 ----A---- C:\Windows\system32\secproc_isv.dll
2011-09-07 11:20:08 ----A---- C:\Windows\system32\secproc.dll
2011-09-07 11:20:08 ----A---- C:\Windows\system32\RMActivate_ssp_isv.exe
2011-09-07 11:20:08 ----A---- C:\Windows\system32\RMActivate_ssp.exe
2011-09-07 11:20:08 ----A---- C:\Windows\system32\RMActivate_isv.exe
2011-09-07 11:20:08 ----A---- C:\Windows\system32\RMActivate.exe
2011-09-07 11:20:07 ----A---- C:\Windows\SYSWOW64\secproc_ssp_isv.dll
2011-09-07 11:20:07 ----A---- C:\Windows\SYSWOW64\secproc_ssp.dll
2011-09-07 11:20:07 ----A---- C:\Windows\SYSWOW64\RMActivate_ssp_isv.exe
2011-09-07 11:20:07 ----A---- C:\Windows\SYSWOW64\RMActivate_ssp.exe
2011-09-07 11:20:05 ----A---- C:\Windows\system32\drivers\afd.sys
2011-09-07 11:20:00 ----A---- C:\Windows\SYSWOW64\psisdecd.dll
2011-09-07 11:20:00 ----A---- C:\Windows\system32\psisdecd.dll
2011-09-07 11:20:00 ----A---- C:\Windows\system32\msdri.dll
2011-09-07 11:19:56 ----A---- C:\Windows\SYSWOW64\XpsGdiConverter.dll
2011-09-07 11:19:56 ----A---- C:\Windows\system32\XpsGdiConverter.dll
2011-09-07 11:19:54 ----A---- C:\Windows\SYSWOW64\schannel.dll
2011-09-07 11:19:54 ----A---- C:\Windows\system32\schannel.dll
2011-09-07 11:19:52 ----A---- C:\Windows\SYSWOW64\comctl32.dll
2011-09-07 11:19:52 ----A---- C:\Windows\system32\comctl32.dll
2011-09-07 11:19:48 ----A---- C:\Windows\system32\upnp.dll
2011-09-07 11:19:48 ----A---- C:\Windows\system32\msxml6.dll
2011-09-07 11:19:48 ----A---- C:\Windows\system32\msxml3.dll
2011-09-07 11:19:47 ----A---- C:\Windows\SYSWOW64\upnp.dll
2011-09-07 11:19:47 ----A---- C:\Windows\SYSWOW64\msxml6.dll
2011-09-07 11:19:47 ----A---- C:\Windows\system32\winhttp.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\wscapi.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\winhttp.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\WebClnt.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\slwga.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\msxml3.dll
2011-09-07 11:19:46 ----A---- C:\Windows\SYSWOW64\davclnt.dll
2011-09-07 11:19:46 ----A---- C:\Windows\system32\wscsvc.dll
2011-09-07 11:19:46 ----A---- C:\Windows\system32\wscapi.dll
2011-09-07 11:19:46 ----A---- C:\Windows\system32\WebClnt.dll
2011-09-07 11:19:46 ----A---- C:\Windows\system32\slwga.dll
2011-09-07 11:19:46 ----A---- C:\Windows\system32\davclnt.dll
2011-09-07 11:19:44 ----A---- C:\Windows\SYSWOW64\XpsPrint.dll
2011-09-07 11:19:44 ----A---- C:\Windows\system32\XpsPrint.dll
2011-09-07 11:19:42 ----A---- C:\Windows\system32\winlogon.exe
2011-09-07 11:19:41 ----A---- C:\Windows\system32\mfc42u.dll
2011-09-07 11:19:40 ----A---- C:\Windows\SYSWOW64\mfc42u.dll
2011-09-07 11:19:40 ----A---- C:\Windows\SYSWOW64\mfc42.dll
2011-09-07 11:19:40 ----A---- C:\Windows\system32\mfc42.dll
2011-09-07 11:19:38 ----A---- C:\Windows\SYSWOW64\rtutils.dll
2011-09-07 11:19:38 ----A---- C:\Windows\system32\rtutils.dll
2011-09-07 11:19:32 ----A---- C:\Windows\SYSWOW64\fontsub.dll
2011-09-07 11:19:32 ----A---- C:\Windows\SYSWOW64\atmlib.dll
2011-09-07 11:19:32 ----A---- C:\Windows\SYSWOW64\atmfd.dll
2011-09-07 11:19:32 ----A---- C:\Windows\system32\fontsub.dll
2011-09-07 11:19:32 ----A---- C:\Windows\system32\atmlib.dll
2011-09-07 11:19:32 ----A---- C:\Windows\system32\atmfd.dll
2011-09-07 11:19:31 ----A---- C:\Windows\SYSWOW64\dnscacheugc.exe
2011-09-07 11:19:31 ----A---- C:\Windows\SYSWOW64\dnsapi.dll
2011-09-07 11:19:31 ----A---- C:\Windows\system32\dnsrslvr.dll
2011-09-07 11:19:31 ----A---- C:\Windows\system32\dnscacheugc.exe
2011-09-07 11:19:31 ----A---- C:\Windows\system32\dnsapi.dll
2011-09-07 11:19:28 ----A---- C:\Windows\system32\spoolsv.exe
2011-09-07 11:19:03 ----A---- C:\Windows\SYSWOW64\iccvid.dll
2011-09-07 11:19:03 ----A---- C:\Windows\system32\drivers\fvevol.sys
2011-09-07 11:19:02 ----A---- C:\Windows\SYSWOW64\webio.dll
2011-09-07 11:19:02 ----A---- C:\Windows\system32\webio.dll
2011-09-07 11:19:02 ----A---- C:\Windows\system32\drivers\Diskdump.sys
2011-09-07 11:19:01 ----A---- C:\Windows\SYSWOW64\quartz.dll
2011-09-07 11:19:01 ----A---- C:\Windows\SYSWOW64\msvidc32.dll
2011-09-07 11:19:01 ----A---- C:\Windows\SYSWOW64\mciavi32.dll
2011-09-07 11:19:01 ----A---- C:\Windows\SYSWOW64\avifil32.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\tsbyuv.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\quartz.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\msyuv.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\msvidc32.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\msrle32.dll
2011-09-07 11:19:01 ----A---- C:\Windows\system32\iyuv_32.dll
2011-09-07 11:19:00 ----A---- C:\Windows\SYSWOW64\wmpmde.dll
2011-09-07 11:19:00 ----A---- C:\Windows\SYSWOW64\tsbyuv.dll
2011-09-07 11:19:00 ----A---- C:\Windows\SYSWOW64\msyuv.dll
2011-09-07 11:19:00 ----A---- C:\Windows\SYSWOW64\msrle32.dll
2011-09-07 11:19:00 ----A---- C:\Windows\SYSWOW64\iyuv_32.dll
2011-09-07 11:19:00 ----A---- C:\Windows\system32\wmpmde.dll
2011-09-07 11:18:56 ----A---- C:\Windows\SYSWOW64\d3d10_1.dll
2011-09-07 11:18:56 ----A---- C:\Windows\system32\d3d10_1.dll
2011-09-07 11:18:54 ----A---- C:\Windows\system32\drivers\srvnet.sys
2011-09-07 11:18:54 ----A---- C:\Windows\system32\drivers\srv2.sys
2011-09-07 11:18:54 ----A---- C:\Windows\system32\drivers\srv.sys
2011-09-07 11:18:47 ----A---- C:\Windows\SYSWOW64\ntdll.dll
2011-09-07 11:18:47 ----A---- C:\Windows\system32\ntdll.dll
2011-09-07 11:18:40 ----A---- C:\Windows\SYSWOW64\sspicli.dll
2011-09-07 11:18:40 ----A---- C:\Windows\SYSWOW64\secur32.dll
2011-09-07 11:18:40 ----A---- C:\Windows\system32\lsasrv.dll
2011-09-07 11:18:40 ----A---- C:\Windows\system32\drivers\ksecpkg.sys
2011-09-07 11:18:35 ----A---- C:\Windows\system32\winload.exe
2011-09-07 11:18:34 ----A---- C:\Windows\system32\winresume.exe
2011-09-07 11:18:34 ----A---- C:\Windows\system32\kdusb.dll
2011-09-07 11:18:34 ----A---- C:\Windows\system32\kdcom.dll
2011-09-07 11:18:34 ----A---- C:\Windows\system32\kd1394.dll
2011-09-07 11:18:32 ----A---- C:\Windows\SYSWOW64\oleaut32.dll
2011-09-07 11:18:32 ----A---- C:\Windows\system32\oleaut32.dll
2011-09-07 11:18:31 ----A---- C:\Windows\SYSWOW64\mfc40u.dll
2011-09-07 11:18:31 ----A---- C:\Windows\SYSWOW64\mfc40.dll
2011-09-07 11:18:22 ----A---- C:\Windows\system32\KernelBase.dll
2011-09-07 11:18:22 ----A---- C:\Windows\system32\kernel32.dll
2011-09-07 11:18:20 ----A---- C:\Windows\SYSWOW64\KernelBase.dll
2011-09-07 11:18:20 ----A---- C:\Windows\system32\wow64win.dll
2011-09-07 11:18:20 ----A---- C:\Windows\system32\winsrv.dll
2011-09-07 11:18:20 ----A---- C:\Windows\system32\conhost.exe
2011-09-07 11:18:19 ----A---- C:\Windows\system32\wow64.dll
2011-09-07 11:18:18 ----A---- C:\Windows\SYSWOW64\setup16.exe
2011-09-07 11:18:18 ----A---- C:\Windows\SYSWOW64\kernel32.dll
2011-09-07 11:18:17 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-libraryloader-l1-1-0.dll
2011-09-07 11:18:17 ----AH---- C:\Windows\system32\api-ms-win-core-libraryloader-l1-1-0.dll
2011-09-07 11:18:17 ----A---- C:\Windows\SYSWOW64\wow32.dll
2011-09-07 11:18:17 ----A---- C:\Windows\SYSWOW64\ntvdm64.dll
2011-09-07 11:18:17 ----A---- C:\Windows\SYSWOW64\instnm.exe
2011-09-07 11:18:17 ----A---- C:\Windows\system32\wow64cpu.dll
2011-09-07 11:18:17 ----A---- C:\Windows\system32\ntvdm64.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-security-base-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-sysinfo-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-synch-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-string-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-profile-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-processenvironment-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-namedpipe-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-misc-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-memory-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-localregistry-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-io-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-interlocked-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-heap-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-handle-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-file-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-fibers-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-errorhandling-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-delayload-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-debug-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-datetime-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-security-base-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-util-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-sysinfo-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-synch-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-string-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-rtlsupport-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-profile-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-processthreads-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-processenvironment-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-namedpipe-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-misc-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-memory-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-localregistry-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-io-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-interlocked-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-heap-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-handle-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-fibers-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-errorhandling-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-delayload-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-debug-l1-1-0.dll
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-datetime-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-xstate-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-util-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-threadpool-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-processthreads-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-localization-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\SYSWOW64\api-ms-win-core-console-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\system32\api-ms-win-core-localization-l1-1-0.dll
2011-09-07 11:18:14 ----AH---- C:\Windows\system32\api-ms-win-core-console-l1-1-0.dll
2011-09-07 11:18:14 ----A---- C:\Windows\SYSWOW64\user.exe
2011-09-07 11:18:12 ----A---- C:\Windows\SYSWOW64\drvinst.exe
2011-09-07 11:18:12 ----A---- C:\Windows\SYSWOW64\devrtl.dll
2011-09-07 11:18:12 ----A---- C:\Windows\SYSWOW64\devobj.dll
2011-09-07 11:18:12 ----A---- C:\Windows\SYSWOW64\cfgmgr32.dll
2011-09-07 11:18:12 ----A---- C:\Windows\system32\umpnpmgr.dll
2011-09-07 11:18:10 ----A---- C:\Windows\SYSWOW64\mstscax.dll
2011-09-07 11:18:10 ----A---- C:\Windows\SYSWOW64\mstsc.exe
2011-09-07 11:18:10 ----A---- C:\Windows\system32\mstscax.dll
2011-09-07 11:18:10 ----A---- C:\Windows\system32\mstsc.exe
2011-09-07 11:18:08 ----A---- C:\Windows\system32\win32k.sys
2011-09-07 11:18:07 ----A---- C:\Windows\system32\drivers\tcpip.sys
2011-09-07 11:18:04 ----A---- C:\Windows\system32\wmp.dll
2011-09-07 11:18:02 ----A---- C:\Windows\SYSWOW64\wmp.dll
2011-09-07 11:18:01 ----A---- C:\Windows\SYSWOW64\wmploc.DLL
2011-09-07 11:18:00 ----A---- C:\Windows\system32\wmploc.DLL
2011-09-07 11:17:59 ----A---- C:\Windows\SYSWOW64\inetcomm.dll
2011-09-07 11:17:59 ----A---- C:\Windows\system32\inetcomm.dll
2011-09-07 11:17:58 ----A---- C:\Windows\system32\FXSCOVER.exe
2011-09-07 11:17:57 ----A---- C:\Windows\SYSWOW64\prevhost.exe
2011-09-07 11:17:57 ----A---- C:\Windows\system32\prevhost.exe
2011-09-07 11:17:57 ----A---- C:\Windows\system32\consent.exe
2011-09-07 11:17:55 ----A---- C:\Windows\system32\drivers\bowser.sys
2011-09-07 11:17:54 ----A---- C:\Windows\SYSWOW64\odbc32.dll
2011-09-07 11:17:54 ----A---- C:\Windows\system32\odbc32.dll
2011-09-07 11:13:37 ----A---- C:\Windows\system32\srvsvc.dll
2011-09-07 11:13:36 ----A---- C:\Windows\SYSWOW64\sscore.dll
2011-09-07 11:12:35 ----A---- C:\Windows\system32\ntoskrnl.exe
2011-09-07 11:12:33 ----A---- C:\Windows\SYSWOW64\ntoskrnl.exe
2011-09-07 11:12:33 ----A---- C:\Windows\SYSWOW64\ntkrnlpa.exe
2011-09-06 20:39:26 ----A---- C:\Windows\system32\wintrust.dll
2011-09-06 20:39:25 ----A---- C:\Windows\SYSWOW64\wintrust.dll
2011-09-06 20:39:25 ----A---- C:\Windows\SYSWOW64\cabview.dll
2011-09-06 20:39:25 ----A---- C:\Windows\system32\cabview.dll
2011-09-05 20:20:26 ----A---- C:\Windows\system32\drivers\aswFsBlk.sys
2011-09-05 20:20:25 ----A---- C:\Windows\system32\drivers\aswSP.sys
2011-09-05 20:20:23 ----A---- C:\Windows\system32\drivers\aswRdr.sys
2011-09-05 20:20:22 ----A---- C:\Windows\system32\drivers\aswTdi.sys
2011-09-05 20:20:22 ----A---- C:\Windows\system32\drivers\aswSnx.sys
2011-09-05 20:20:20 ----A---- C:\Windows\system32\drivers\aswMonFlt.sys
2011-09-05 20:20:20 ----A---- C:\Windows\system32\aswBoot.exe
2011-09-05 20:19:54 ----A---- C:\Windows\avastSS.scr
2011-09-05 20:19:53 ----A---- C:\Windows\SYSWOW64\aswBoot.exe
2011-09-05 20:19:42 ----D---- C:\ProgramData\AVAST Software
2011-09-05 20:19:42 ----D---- C:\Program Files\AVAST Software
2011-09-05 18:22:47 ----ASH---- C:\pagefile.sys
2011-09-05 18:22:24 ----D---- C:\Windows\Minidump
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\wininet.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\wextract.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\webcheck.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\vbscript.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\urlmon.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\url.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\SetIEInstalledDate.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\RegisterIEPKEYs.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\pngfilt.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\occache.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\msrating.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\msls31.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\mshtmler.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\mshtmled.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\mshtml.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\mshta.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\msfeedssync.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\msfeedsbs.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\msfeeds.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\licmgr10.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\jsproxy.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\jscript9.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\jscript.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\inseng.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\imgutil.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iexpress.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieUnatt.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieui.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iesysprep.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iesetup.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iertutil.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iernonce.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iepeers.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieframe.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\iedkcs32.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieapfltr.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieapfltr.dat
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieakui.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieaksie.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ieakeng.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\IEAdvpack.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\ie4uinit.exe
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\icardie.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\dxtrans.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\dxtmsft.dll
2011-09-05 18:15:28 ----A---- C:\Windows\SYSWOW64\admparse.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\wininet.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\wextract.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\webcheck.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\vbscript.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\urlmon.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\url.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\SetIEInstalledDate.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\RegisterIEPKEYs.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\pngfilt.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\occache.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\msrating.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\msls31.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\mshtmler.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\mshtmled.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\mshtml.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\mshta.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\msfeedssync.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\msfeedsbs.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\msfeeds.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\licmgr10.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\jsproxy.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\jscript9.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\jscript.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\inseng.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\imgutil.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iexpress.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieUnatt.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieui.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iesysprep.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iesetup.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iertutil.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iernonce.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iepeers.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieframe.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\iedkcs32.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieapfltr.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieapfltr.dat
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieakui.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieaksie.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ieakeng.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\IEAdvpack.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\ie4uinit.exe
2011-09-05 18:15:28 ----A---- C:\Windows\system32\icardie.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\dxtrans.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\dxtmsft.dll
2011-09-05 18:15:28 ----A---- C:\Windows\system32\admparse.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\XpsRasterService.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\WMVDECOD.DLL
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\mfreadwrite.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\mf.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\ExplorerFrame.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\DWrite.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\d3d10warp.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\d3d10_1core.dll
2011-09-05 18:13:39 ----A---- C:\Windows\SYSWOW64\d2d1.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\XpsRasterService.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\WMVDECOD.DLL
2011-09-05 18:13:39 ----A---- C:\Windows\system32\mfreadwrite.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\mfps.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\mf.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\FntCache.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\ExplorerFrame.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\DWrite.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\drivers\dxgmms1.sys
2011-09-05 18:13:39 ----A---- C:\Windows\system32\drivers\dxgkrnl.sys
2011-09-05 18:13:39 ----A---- C:\Windows\system32\d3d10warp.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\d3d10_1core.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\d2d1.dll
2011-09-05 18:13:39 ----A---- C:\Windows\system32\cdd.dll
2011-09-05 16:34:23 ----D---- C:\Users\Leslie\AppData\Roaming\Safer Networking
2011-09-05 16:34:06 ----D---- C:\Program Files (x86)\Safer Networking
2011-09-05 05:12:12 ----D---- C:\Program Files (x86)\ESET
2011-09-05 04:52:05 ----A---- C:\exeHelper.com
2011-09-05 03:59:51 ----D---- C:\Windows\NAPP_Dism_Log
2011-09-05 03:11:10 ----D---- C:\Users\Leslie\AppData\Roaming\Adobe
2011-09-05 03:10:44 ----D---- C:\ProgramData\Spybot - Search & Destroy
2011-09-05 03:10:44 ----D---- C:\Program Files (x86)\Spybot - Search & Destroy
2011-09-05 03:07:10 ----D---- C:\ProgramData\NVIDIA
2011-09-05 03:05:57 ----D---- C:\Windows\SoftwareDistribution
2011-09-05 03:05:13 ----A---- C:\Windows\ATIDetect.txt
2011-09-05 03:02:49 ----SHD---- C:\System Volume Information
2011-09-05 03:02:49 ----ASH---- C:\hiberfil.sys
2011-09-05 02:48:40 ----D---- C:\Windows\ERDNT
2011-09-05 02:48:18 ----D---- C:\ERUNT
2011-09-05 02:42:43 ----N---- C:\Windows\system32\MpSigStub.exe
2011-09-05 02:32:08 ----D---- C:\Users\Leslie\AppData\Roaming\Macromedia
2011-09-05 02:29:31 ----D---- C:\Users\Leslie\AppData\Roaming\Google
2011-09-05 02:28:24 ----A---- C:\Windows\SYSWOW64\d3dx9_32.dll
2011-09-05 02:28:24 ----A---- C:\Windows\system32\d3dx9_32.dll
2011-09-05 02:27:16 ----D---- C:\Program Files (x86)\Microsoft
2011-09-05 02:19:41 ----A---- C:\Windows\SYSWOW64\msv1_0.dll
2011-09-05 02:19:41 ----A---- C:\Windows\system32\msv1_0.dll
2011-09-05 02:19:05 ----A---- C:\Windows\SYSWOW64\msasn1.dll
2011-09-05 02:19:05 ----A---- C:\Windows\system32\msasn1.dll
2011-09-05 02:16:11 ----A---- C:\Windows\SYSWOW64\CertEnroll.dll
2011-09-05 02:16:10 ----A---- C:\Windows\system32\CertEnroll.dll
2011-09-05 02:15:19 ----AD---- C:\book
2011-09-05 02:14:56 ----D---- C:\Users\Leslie\AppData\Roaming\Identities
2011-09-05 02:13:04 ----D---- C:\ProgramData\OEM_E471269A730D
2011-09-05 02:12:30 ----SD---- C:\Users\Leslie\AppData\Roaming\Microsoft
2011-09-05 02:12:30 ----D---- C:\Users\Leslie\AppData\Roaming\Media Center Programs
2011-09-05 02:12:22 ----SHD---- C:\Recovery

======List of files/folders modified in the last 1 month======

2011-09-08 21:39:57 ----RD---- C:\Program Files
2011-09-08 21:33:33 ----D---- C:\Windows\System32
2011-09-08 21:33:33 ----D---- C:\Windows\inf
2011-09-08 21:33:33 ----A---- C:\Windows\system32\PerfStringBackup.INI
2011-09-08 21:31:18 ----D---- C:\Windows\Temp
2011-09-08 21:28:11 ----D---- C:\Windows\system32\config
2011-09-08 19:45:08 ----D---- C:\Windows\Microsoft.NET
2011-09-08 19:44:55 ----RSD---- C:\Windows\assembly
2011-09-07 19:12:26 ----SHD---- C:\Windows\Installer
2011-09-07 19:12:16 ----D---- C:\Windows\winsxs
2011-09-07 19:11:29 ----D---- C:\Windows\SysWOW64
2011-09-07 19:11:08 ----D---- C:\Program Files (x86)
2011-09-07 18:06:08 ----D---- C:\Windows\AppPatch
2011-09-07 18:06:07 ----D---- C:\Windows\SYSWOW64\en-US
2011-09-07 18:06:07 ----D---- C:\Windows\system32\en-US
2011-09-07 18:06:07 ----D---- C:\Windows\system32\drivers
2011-09-07 18:06:06 ----D---- C:\Windows\system32\DriverStore
2011-09-07 17:18:37 ----D---- C:\Windows\system32\catroot2
2011-09-07 17:18:37 ----D---- C:\Windows\system32\catroot
2011-09-07 13:16:51 ----D---- C:\Windows\system32\drivers\etc
2011-09-07 12:57:43 ----AD---- C:\Windows
2011-09-07 12:57:41 ----D---- C:\Windows\ehome
2011-09-07 12:57:41 ----D---- C:\Program Files\Windows Mail
2011-09-07 12:57:41 ----D---- C:\Program Files (x86)\Windows Mail
2011-09-07 12:57:40 ----RSD---- C:\Windows\Fonts
2011-09-07 12:57:32 ----D---- C:\Windows\system32\Boot
2011-09-07 12:57:28 ----D---- C:\Program Files\Windows Media Player
2011-09-07 12:57:28 ----D---- C:\Program Files (x86)\Windows Media Player
2011-09-07 12:24:56 ----D---- C:\ProgramData\Microsoft Help
2011-09-07 12:13:24 ----SD---- C:\ProgramData\Microsoft
2011-09-07 12:12:58 ----D---- C:\Program Files (x86)\Microsoft Silverlight
2011-09-07 12:01:04 ----D---- C:\Program Files (x86)\Microsoft Works
2011-09-07 00:08:25 ----HD---- C:\OEM
2011-09-06 23:55:46 ----D---- C:\Windows\system32\NDF
2011-09-06 20:40:19 ----D---- C:\Windows\system32\wdi
2011-09-06 20:31:20 ----D---- C:\Windows\Logs
2011-09-05 20:22:53 ----D---- C:\Program Files (x86)\Google
2011-09-05 20:20:31 ----D---- C:\Windows\Tasks
2011-09-05 20:20:31 ----D---- C:\Windows\system32\Tasks
2011-09-05 20:19:42 ----D---- C:\ProgramData
2011-09-05 18:16:23 ----D---- C:\Windows\SYSWOW64\migration
2011-09-05 18:16:22 ----D---- C:\Windows\system32\migration
2011-09-05 18:16:22 ----D---- C:\Windows\PolicyDefinitions
2011-09-05 18:16:22 ----D---- C:\Program Files\Internet Explorer
2011-09-05 18:16:21 ----D---- C:\Program Files (x86)\Internet Explorer
2011-09-05 16:11:04 ----D---- C:\ProgramData\Partner
2011-09-05 16:11:04 ----D---- C:\Program Files\Google
2011-09-05 15:22:55 ----D---- C:\Windows\Prefetch
2011-09-05 05:45:15 ----D---- C:\Program Files\Common Files\Microsoft Shared
2011-09-05 05:41:01 ----D---- C:\ProgramData\WildTangent
2011-09-05 05:39:34 ----D---- C:\ProgramData\Google
2011-09-05 05:12:13 ----D---- C:\Windows\Downloaded Program Files
2011-09-05 04:58:34 ----D---- C:\ProgramData\Norton
2011-09-05 03:11:53 ----D---- C:\Windows\debug
2011-09-05 03:08:49 ----A---- C:\Windows\system32\PLD_Framework.cmd
2011-09-05 03:08:42 ----D---- C:\Program Files\Preload
2011-09-05 02:46:15 ----D---- C:\Windows\system32\LogFiles
2011-09-05 02:37:01 ----D---- C:\Windows\system32\OEM
2011-09-05 02:32:28 ----D---- C:\Windows\Help
2011-09-05 02:32:08 ----D---- C:\Program Files (x86)\eMachines
2011-09-05 02:25:20 ----D---- C:\Program Files (x86)\Common Files
2011-09-05 02:15:34 ----D---- C:\Windows\system32\restore
2011-09-05 02:15:27 ----AD---- C:\Windows\DeployWinRE2
2011-09-05 02:14:53 ----SHD---- C:\$Recycle.Bin
2011-09-05 02:13:09 ----D---- C:\Windows\rescache
2011-09-05 02:12:46 ----D---- C:\ProgramData\OEM
2011-09-05 02:12:30 ----RD---- C:\Users
2011-09-05 02:12:26 ----D---- C:\Windows\Panther
2011-09-05 02:12:22 ----D---- C:\Windows\system32\Recovery

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvstor64;nvstor64; C:\Windows\system32\DRIVERS\nvstor64.sys [2009-04-29 239136]
R0 pciide;pciide; C:\Windows\system32\DRIVERS\pciide.sys [2009-07-13 12352]
R0 rdyboost;ReadyBoost; C:\Windows\System32\drivers\rdyboost.sys [2009-07-13 214096]
R1 aswRdr;aswRdr; C:\Windows\system32\drivers\aswRdr.sys [2011-09-06 42328]
R1 aswSnx;aswSnx; C:\Windows\system32\drivers\aswSnx.sys [2011-09-06 601944]
R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2011-09-06 301912]
R1 aswTdi;avast! Network Shield Support; C:\Windows\system32\drivers\aswTdi.sys [2011-09-06 58200]
R2 aswFsBlk;aswFsBlk; C:\Windows\system32\drivers\aswFsBlk.sys [2011-09-06 24408]
R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [2011-09-06 65368]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\Windows\system32\drivers\RTKVHD64.sys [2009-07-20 1831968]
R3 NVNET;NVIDIA nForce 10/100 Mbps Ethernet ; C:\Windows\system32\DRIVERS\nvmf6264.sys [2009-04-29 339360]
S3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2009-05-09 15752]
S3 NVENETFD;NVIDIA nForce Networking Controller Driver; C:\Windows\system32\DRIVERS\nvm62x64.sys [2009-06-10 408960]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-09-06 44768]
R2 ForceWare Intelligent Application Manager (IAM);ForceWare Intelligent Application Manager (IAM); C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe [2009-04-19 625184]
R2 Greg_Service;GRegService; C:\Program Files (x86)\eMachines\Registration\GregHSRW.exe [2009-08-28 1150496]
R2 nSvcIp;ForceWare IP service; C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe [2009-04-19 207904]
R2 nvsvc;NVIDIA Display Driver Service; C:\Windows\system32\nvvsvc.exe [2009-07-14 382496]
R2 SBSDWSCService;SBSD Security Center Service; C:\Program Files (x86)\Spybot - Search & Destroy\SDWinSec.exe [2009-01-26 1153368]
R2 Updater Service;Updater Service; C:\Program Files\eMachines\eMachines Updater\UpdaterService.exe [2009-07-03 240160]
S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-09-05 136176]
S3 gupdatem;Google Update Service (gupdatem); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-09-05 136176]
S3 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0; C:\Program Files (x86)\Common Files\Nero\Nero BackItUp 4\NBService.exe [2009-08-25 935208]
S3 odserv;Microsoft Office Diagnostics Service; C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE [2008-11-04 441712]
S3 ose;Office Source Engine; C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2006-10-26 145184]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-09-07 1255736]

-----------------EOF-----------------
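The log above is in the RSIT (random's system information tool) layout: `======title======` section headers, file lines of the form `date time ----FLAGS---- path`, and driver/service lines of the form `<R|S><start> name;display; path [build-date size]`, with the start-type legend given in the section header itself. The following is an added example, not part of the forum post: a small Python parser for that layout plus the triage views a responder usually wants first (write bursts, hidden/system files, files outside the standard trees, early-start drivers, auto-start services that are not running). The sample text is a constructed excerpt of lines copied from the log above; the "created" section header is assumed, since the excerpt above begins mid-section, and the flag letters are read as D = directory, H = hidden, S = system (other letters are carried through untouched).

```python
"""Triage helpers for the RSIT log layout shown in the thread above.

Added example, not part of the original post. The "created" section header
and the flag-letter meanings (D=directory, H=hidden, S=system) are assumed.
"""
import re
from collections import namedtuple
from datetime import datetime, timedelta

FileEntry = namedtuple("FileEntry", "time flags path")
ServiceEntry = namedtuple("ServiceEntry", "running start name display path built size")

HEADER_RE = re.compile(r"^======(.+?)======$")
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) -{4}([A-Z]*)-{4} (.+)$")
SVC_RE = re.compile(r"^([RS])([0-4]) ([^;]*);([^;]*); (.+?) \[(\d{4}-\d{2}-\d{2}) (\d+)\]$")

# Constructed sample: a handful of lines copied from the log above.
SAMPLE_LOG = r"""
======List of files/folders created in the last 1 month======

2011-09-07 11:20:08 ----A---- C:\Windows\system32\RMActivate.exe
2011-09-07 11:20:05 ----A---- C:\Windows\system32\drivers\afd.sys
2011-09-07 11:18:15 ----AH---- C:\Windows\system32\api-ms-win-core-file-l1-1-0.dll
2011-09-05 20:20:25 ----A---- C:\Windows\system32\drivers\aswSP.sys
2011-09-05 18:22:47 ----ASH---- C:\pagefile.sys
2011-09-05 04:52:05 ----A---- C:\exeHelper.com
2011-09-05 02:15:19 ----AD---- C:\book
2011-09-05 02:12:22 ----SHD---- C:\Recovery

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 nvstor64;nvstor64; C:\Windows\system32\DRIVERS\nvstor64.sys [2009-04-29 239136]
R1 aswSP;aswSP; C:\Windows\system32\drivers\aswSP.sys [2011-09-06 301912]
R2 aswMonFlt;aswMonFlt; \??\C:\Windows\system32\drivers\aswMonFlt.sys [2011-09-06 65368]
S3 NuidFltr;NUID filter driver; C:\Windows\system32\DRIVERS\NuidFltr.sys [2009-05-09 15752]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 avast! Antivirus;avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [2011-09-06 44768]
S2 gupdate;Google Update Service (gupdate); C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2011-09-05 136176]
S3 WatAdminSvc;@%SystemRoot%\system32\Wat\WatUX.exe,-601; C:\Windows\system32\Wat\WatAdminSvc.exe [2011-09-07 1255736]
"""


def parse_rsit(text):
    """Map each ======section====== title to its parsed FileEntry/ServiceEntry list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := HEADER_RE.match(line)):
            current = m.group(1)
            sections[current] = []
            continue
        if current is None:
            continue
        if (m := FILE_RE.match(line)):
            when, flags, path = m.groups()
            stamp = datetime.strptime(when, "%Y-%m-%d %H:%M:%S")
            sections[current].append(FileEntry(stamp, frozenset(flags), path))
        elif (m := SVC_RE.match(line)):
            state, start, name, display, path, built, size = m.groups()
            if path.startswith("\\??\\"):  # NT object-manager prefix some driver entries carry
                path = path[4:]
            sections[current].append(
                ServiceEntry(state == "R", int(start), name, display, path, built, int(size)))
    return sections


def find_section(sections, title_prefix):
    """Entries of the first section whose title starts with title_prefix (empty list if none)."""
    for title, entries in sections.items():
        if title.startswith(title_prefix):
            return entries
    return []


def write_bursts(files, gap=timedelta(minutes=5)):
    """Cluster file timestamps: writes closer than `gap` to the previous one join its burst.

    An installer or servicing pass leaves one dense burst; once bursts are
    collapsed, an isolated write stands out. Returns [(start, end, [paths]), ...].
    """
    bursts = []
    for f in sorted(files, key=lambda f: f.time):
        if bursts and f.time - bursts[-1][1] <= gap:
            bursts[-1][1] = f.time
            bursts[-1][2].append(f.path)
        else:
            bursts.append([f.time, f.time, [f.path]])
    return [(start, end, paths) for start, end, paths in bursts]


def hidden_system_files(files):
    """Non-directory entries carrying the hidden (H) or system (S) flag."""
    return [f for f in files if "D" not in f.flags and ({"H", "S"} & f.flags)]


def outside_standard_roots(files, roots=(r"C:\Windows", r"C:\Program Files", r"C:\ProgramData", r"C:\Users")):
    """Files outside the usual Windows/program/user trees: worth a look, not proof of anything."""
    return [f for f in files if "D" not in f.flags and not f.path.startswith(roots)]


def early_start_running(drivers):
    """Names of running drivers with Boot (0) or System (1) start, i.e. loaded before most defences."""
    return [d.name for d in drivers if d.running and d.start <= 1]


def auto_but_stopped(services):
    """Names of Auto-start (2) services that are currently stopped."""
    return [s.name for s in services if s.start == 2 and not s.running]


if __name__ == "__main__":
    parsed = parse_rsit(SAMPLE_LOG)
    files = find_section(parsed, "List of files/folders created")
    for start, end, paths in write_bursts(files):
        print(f"{start} .. {end}: {len(paths)} file(s)")
    print("hidden/system:", [f.path for f in hidden_system_files(files)])
    print("outside roots:", [f.path for f in outside_standard_roots(files)])
    print("early drivers:", early_start_running(find_section(parsed, "List of drivers")))
    print("auto, stopped:", auto_but_stopped(find_section(parsed, "List of services")))
```

Run against the full log rather than the sample, the burst view collapses the 2011-09-07 11:1x run of system32 and SysWOW64 binaries into a single cluster, which is the shape a servicing pass leaves, and leaves the sparse writes at the root of C: visible on their own. The start-type digits and R/S states come straight from the legend in the section headers, so the driver and service views need no extra lookup table.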

Lame Gamer
2011-09-09, 07:18
RSIT 2 of 2:
(no idea what most of this means)


info.txt logfile of random's system information tool 1.09 2011-09-08 21:40:00

======Uninstall list======

Update for Microsoft Office 2007 (KB2508958)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0C5823AA-7B6F-44E1-8D5B-8FD1FF0E6438}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {ABDDE972-355B-4AF1-89A8-DA50B7B5C045}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {F580DDD5-8D37-4998-968E-EBB76BB86787}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {187308AB-5FA7-4F14-9AB9-D290383A10D9}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {E64BA721-2310-4B55-BE5A-2925F9706192}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-002A-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2FC4457D-409E-466F-861F-FB0CB796B53E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {90120000-0116-0409-1000-0000000FF1CE} /uninstall {DE5A002D-8122-4278-A7EE-3121E7EA254E}
2007 Microsoft Office Suite Service Pack 2 (SP2)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B36C6D6-F5D8-4EAF-BF94-4376A230AD5B}
Acrobat.com-->MsiExec.exe /X{287ECFA4-719A-2143-A09B-D6A12DE54E40}
Adobe AIR-->c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Resources\Adobe AIR Updater.exe -arp:uninstall
Adobe AIR-->MsiExec.exe /I{A2BCA9F1-566C-4805-97D1-7FDC93386723}
Adobe Flash Player 10 ActiveX-->C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 9.1 MUI-->MsiExec.exe /I{AC76BA86-7AD7-FFFF-7B44-A91000000001}
Advertising Center-->MsiExec.exe /X{b2ec4a38-b545-4a00-8214-13fe0e915e6d}
avast! Free Antivirus-->C:\Program Files\AVAST Software\Avast\aswRunDll.exe "C:\Program Files\AVAST Software\Avast\Setup\setiface.dll" RunSetup
Compatibility Pack for the 2007 Office system-->MsiExec.exe /X{90120000-0020-0409-0000-0000000FF1CE}
eMachines Recovery Management-->"C:\Program Files (x86)\InstallShield Installation Information\{7F811A54-5A09-4579-90E1-C93498E230D9}\setup.exe" -runfromtemp -l0x409 -removeonly
eMachines Registration-->C:\Program Files (x86)\eMachines\Registration\Uninstall.exe
eMachines ScreenSaver-->C:\Program Files (x86)\eMachines\Screensaver\Uninstall.exe
eMachines Updater-->"C:\Program Files (x86)\InstallShield Installation Information\{EE171732-BEB4-4576-887D-CB62727F01CA}\setup.exe" -runfromtemp -l0x409 -removeonly
ERUNT 1.1j-->C:\ERUNT\unins000.exe
ESET Online Scanner v3-->C:\Program Files (x86)\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Google Chrome-->"C:\Program Files (x86)\Google\Chrome\Application\13.0.782.220\Installer\setup.exe" --uninstall --system-level
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Identity Card-->C:\Program Files (x86)\eMachines\Identity Card\Uninstall.exe
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Office Excel MUI (English) 2007-->MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Home and Student 2007-->"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall HOMESTUDENTR /dll OSETUP.DLL
Microsoft Office Home and Student 2007-->MsiExec.exe /X{91120000-002F-0000-0000-0000000FF1CE}
Microsoft Office Office 64-bit Components 2007-->MsiExec.exe /X{90120000-002A-0000-1000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007-->MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007-->MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint Viewer 2007 (English)-->MsiExec.exe /X{95120000-00AF-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007-->MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007-->MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007-->MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007-->MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Shared 64-bit MUI (English) 2007-->MsiExec.exe /X{90120000-002A-0409-1000-0000000FF1CE}
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0116-0409-1000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007-->MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007-->MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Suite Activation Assistant-->MsiExec.exe /X{E50AE784-FABE-46DA-A1F8-7B6B56DCB22E}
Microsoft Office Word MUI (English) 2007-->MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 Redistributable (x64)-->MsiExec.exe /X{071c9b48-7c32-4621-a0ac-3f809523288f}
Microsoft Visual C++ 2005 Redistributable (x64)-->MsiExec.exe /X{ad8a2fa1-06e7-4b0d-927d-6e54b3d31028}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161-->MsiExec.exe /X{9BE518E6-ECC6-35A9-88E4-87755C07200F}
Microsoft Works-->MsiExec.exe /I{67E03279-F703-408F-B4BF-46B5FC8D70CD}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
Nero 9 Essentials-->C:\Program Files (x86)\Common Files\Nero\Nero ProductInstaller 4\SetupX.exe REMOVESERIALNUMBER="2M02-K088-U46Z-AX7Z-01PW-46AX-L715-1677-H9L9-P288-2P9U-AZ0M-1E68-AE4Z-0000"
Nero ControlCenter-->MsiExec.exe /X{bd5ca0da-71ad-43da-b19e-6eee0c9adc9a}
Nero ControlCenter-->MsiExec.exe /X{f4041dce-3fe1-4e18-8a9e-9de65231ee36}
Nero DiscSpeed Help-->MsiExec.exe /X{cc019e3f-59d2-4486-8d4b-878105b62a71}
Nero DiscSpeed-->MsiExec.exe /X{869200db-287a-4dc0-b02b-2b6787fbcd4c}
Nero DriveSpeed Help-->MsiExec.exe /X{e5c7d048-f9b4-4219-b323-8bdb01a2563d}
Nero DriveSpeed-->MsiExec.exe /X{33cf58f5-48d8-4575-83d6-96f574e4d83a}
Nero Express Help-->MsiExec.exe /X{83202942-84b3-4c50-8622-b8c0aa2d2885}
Nero InfoTool Help-->MsiExec.exe /X{20400dbd-e6db-45b8-9b6b-1dd7033818ec}
Nero InfoTool-->MsiExec.exe /X{fbcdfd61-7dcf-4e71-9226-873ba0053139}
Nero Installer-->MsiExec.exe /X{e8a80433-302b-4ff1-815d-fcc8eac482ff}
Nero Online Upgrade-->MsiExec.exe /X{dba84796-8503-4ff0-af57-1747dd9a166d}
Nero StartSmart Help-->MsiExec.exe /X{2348b586-c9ae-46ce-936c-a68e9426e214}
Nero StartSmart OEM-->MsiExec.exe /X{4D43D635-6FDA-4fa5-AA9B-23CF73D058EA}
Nero StartSmart-->MsiExec.exe /X{7748ac8c-18e3-43bb-959b-088faea16fb2}
NeroExpress-->MsiExec.exe /X{595a3116-40bb-4e0f-a2e8-d7951da56270}
neroxml-->MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
NVIDIA Drivers-->C:\Windows\system32\nvuninst.exe UninstallGUI
NVIDIA ForceWare Network Access Manager-->"C:\Program Files (x86)\InstallShield Installation Information\{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}\setup.exe" -runfromtemp -l0x0409 -removeonly
NVIDIA ForceWare Network Access Manager-->MsiExec.exe /I{7CFA46E3-CC2F-4355-82AE-6012DC3633FD}
Realtek High Definition Audio Driver-->RunDll32 C:\PROGRA~2\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files (x86)\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" -removeonly
RegAlyzer-->"C:\Program Files (x86)\Safer Networking\RegAlyzer\unins000.exe"
Security Update for 2007 Microsoft Office System (KB2288621)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {5C497F0B-2061-4CC9-A61C-6B45B867354D}
Security Update for 2007 Microsoft Office System (KB2288931)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {CD769337-C8AC-46DB-A7DC-643E50089263}
Security Update for 2007 Microsoft Office System (KB2345043)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {536FB502-775F-4494-BACE-C02CC90B7A5B}
Security Update for 2007 Microsoft Office System (KB2509488)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {AD0DE453-0804-4495-9C91-33D0F9AA5463}
Security Update for 2007 Microsoft Office System (KB969559)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {69F52148-9BF6-4CDC-BF76-103DEAF3DD08}
Security Update for 2007 Microsoft Office System (KB976321)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7F207DCA-3399-40CB-A968-6E5991B1421A}
Security Update for Microsoft Office 2007 System (KB2541012)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {CD907315-705A-4475-A1A0-2A1245803E4D}
Security Update for Microsoft Office Excel 2007 (KB2541007)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {A0173254-F442-4D04-9154-43FA157B83D0}
Security Update for Microsoft Office InfoPath 2007 (KB979441)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8CCB781A-CF6B-4FCB-B6D8-59C64DF5C6DB}
Security Update for Microsoft Office PowerPoint 2007 (KB2535818)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {8588DD11-6BD7-4400-B55C-DD5AB74B43E1}
Security Update for Microsoft Office PowerPoint Viewer 2007 (KB2464623)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {D75E6D0C-BADF-4F41-98B2-0C0F02C15062}
Security Update for Microsoft Office system 2007 (972581)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {3D019598-7B59-447A-80AE-815B703B84FF}
Security Update for Microsoft Office system 2007 (KB974234)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {FCD742B9-7A55-44BC-A776-F795F21FEDDC}
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {71127777-8B2C-4F97-AF7A-6CF8CAC8224D}
Security Update for Microsoft Office Word 2007 (KB2344993)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {7A5B74FA-7A92-4FC9-821A-2DD5D4E73E48}
Spybot - Search & Destroy-->"C:\Program Files (x86)\Spybot - Search & Destroy\unins000.exe"
Update for 2007 Microsoft Office System (KB2284654)-->msiexec /package {90120000-002A-0000-1000-0000000FF1CE} /uninstall {FB166E7C-8AA6-48C8-B726-1F25BEE7825A}
Update for 2007 Microsoft Office System (KB967642)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {C444285D-5E4F-48A4-91DD-47AAAA68E92D}
Update for Microsoft Office 2007 Help for Common Features (KB963673)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {AB365889-0395-4FAD-B702-CA5985D53D42}
Update for Microsoft Office 2007 System (KB2539530)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {0B4CEEAE-AA88-490C-BCB2-AAC3421981A4}
Update for Microsoft Office Excel 2007 Help (KB963678)-->msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {199DF7B6-169C-448C-B511-1054101BE9C9}
Update for Microsoft Office OneNote 2007 (KB980729)-->msiexec /package {91120000-002F-0000-0000-0000000FF1CE} /uninstall {329050A9-EF80-40F9-B633-74508F54C1FF}
Update for Microsoft Office OneNote 2007 Help (KB963670)-->msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {2744EF05-38E1-4D5D-B333-E021EDAEA245}
Update for Microsoft Office Powerpoint 2007 Help (KB963669)-->msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {397B1D4F-ED7B-4ACA-A637-43B670843876}
Update for Microsoft Office Script Editor Help (KB963671)-->msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {CD11C6A2-FFC6-4271-8EAB-79C3582F505C}
Update for Microsoft Office Word 2007 Help (KB963665)-->msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {80E762AA-C921-4839-9D7D-DB62A72C0726}
Welcome Center-->C:\Program Files (x86)\eMachines\Welcome Center\Uninstall.exe
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}

======Hosts File======

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

======System event log======

Computer Name: Leslie-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Record Number: 1639
Source Name: Microsoft-Windows-Time-Service
Time Written: 20110905104532.488000-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: Leslie-PC
Event Code: 1014
Message: Name resolution for the name re.gtm.acer.com timed out after none of the configured DNS servers responded.
Record Number: 1588
Source Name: Microsoft-Windows-DNS-Client
Time Written: 20110905090505.664200-000
Event Type: Warning
User: NT AUTHORITY\NETWORK SERVICE

Computer Name: Leslie-PC
Event Code: 134
Message: NtpClient was unable to set a manual peer to use as a time source because of DNS resolution error on ''. NtpClient will try again in 3473457 minutes and double the reattempt interval thereafter. The error was: The requested name is valid, but no data of the requested type was found. (0x80072AFC)
Record Number: 1558
Source Name: Microsoft-Windows-Time-Service
Time Written: 20110905084528.492200-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 205
Message: The Program Compatibility Assistant service failed to perform the phase two initialization.
Record Number: 1217
Source Name: Microsoft-Windows-Application-Experience
Time Written: 20110905090512.888000-000
Event Type: Error
User: NT AUTHORITY\SYSTEM

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 10010
Message: The server {7D096C5F-AC08-4F1F-BEB7-5C22C517CE39} did not register with DCOM within the required timeout.
Record Number: 969
Source Name: Microsoft-Windows-DistributedCOM
Time Written: 20091124175525.000000-000
Event Type: Error
User:

=====Application event log=====

Computer Name: Leslie-PC
Event Code: 1002
Message: The program mspaint.exe version 6.1.7600.16385 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Action Center control panel.
Process ID: cbc
Start Time: 01cc6ba7ab8eaad0
Termination Time: 18408
Application Path: C:\Windows\system32\mspaint.exe
Report Id: 5318d551-d79b-11e0-b9b0-4487fc920c94

Record Number: 1125
Source Name: Application Hang
Time Written: 20110905084521.000000-000
Event Type: Error
User:

Computer Name: Leslie-PC
Event Code: 11
Message: Possible Memory Leak. Application (C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted) (PID: 888) has passed a non-NULL pointer to RPC for an [out] parameter marked [allocate(all_nodes)]. [allocate(all_nodes)] parameters are always reallocated; if the original pointer contained the address of valid memory, that memory will be leaked. The call originated on the interface with UUID ({3F31C91E-2545-4B7B-9311-9529E8BFFEF6}), Method number (20). User Action: Contact your application vendor for an updated version of the application.
Record Number: 1112
Source Name: Microsoft-Windows-RPC-Events
Time Written: 20110905084125.749000-000
Event Type: Warning
User: NT AUTHORITY\LOCAL SERVICE

Computer Name: Leslie-PC
Event Code: 1530
Message: Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-1820399808-86902098-3680342916-1000:
Process 472 (\Device\HarddiskVolume2\Windows\System32\winlogon.exe) has opened key \REGISTRY\USER\S-1-5-21-1820399808-86902098-3680342916-1000

Record Number: 979
Source Name: Microsoft-Windows-User Profiles Service
Time Written: 20110905082252.971000-000
Event Type: Warning
User: NT AUTHORITY\SYSTEM

Computer Name: Leslie-PC
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 911
Source Name: Microsoft-Windows-Search
Time Written: 20110905081223.000000-000
Event Type: Warning
User:

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 1008
Message: The Windows Search Service is starting up and attempting to remove the old search index {Reason: Full Index Reset}.

Record Number: 900
Source Name: Microsoft-Windows-Search
Time Written: 20110905090857.000000-000
Event Type: Warning
User:

=====Security event log=====

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4672
Message: Special privileges assigned to new logon.

Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7

Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege
Record Number: 387
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091124175325.555800-000
Event Type: Audit Success
User:

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4624
Message: An account was successfully logged on.

Subject:
Security ID: S-1-5-18
Account Name: WIN-K2BOJQ6UH6V$
Account Domain: WORKGROUP
Logon ID: 0x3e7

Logon Type: 5

New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:
Process ID: 0x1d8
Process Name: C:\Windows\System32\services.exe

Network Information:
Workstation Name:
Source Network Address: -
Source Port: -

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

This event is generated when a logon session is created. It is generated on the computer that was accessed.

The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).

The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.

The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Record Number: 386
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091124175325.555800-000
Event Type: Audit Success
User:

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4738
Message: A user account was changed.

Subject:
Security ID: S-1-5-21-2275034426-2890930685-121024525-500
Account Name: Administrator
Account Domain: WIN-K2BOJQ6UH6V
Logon ID: 0x253e9

Target Account:
Security ID: S-1-5-21-2275034426-2890930685-121024525-500
Account Name: Administrator
Account Domain: WIN-K2BOJQ6UH6V

Changed Attributes:
SAM Account Name: -
Display Name: -
User Principal Name: -
Home Directory: -
Home Drive: -
Script Path: -
Profile Path: -
User Workstations: -
Password Last Set: -
Account Expires: -
Primary Group ID: -
AllowedToDelegateTo: -
Old UAC Value: 0x210
New UAC Value: 0x211
User Account Control:
Account Disabled
User Parameters: -
SID History: -
Logon Hours: -

Additional Information:
Privileges: -
Record Number: 385
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091124175323.496600-000
Event Type: Audit Success
User:

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4725
Message: A user account was disabled.

Subject:
Security ID: S-1-5-21-2275034426-2890930685-121024525-500
Account Name: Administrator
Account Domain: WIN-K2BOJQ6UH6V
Logon ID: 0x253e9

Target Account:
Security ID: S-1-5-21-2275034426-2890930685-121024525-500
Account Name: Administrator
Account Domain: WIN-K2BOJQ6UH6V
Record Number: 384
Source Name: Microsoft-Windows-Security-Auditing
Time Written: 20091124175323.496600-000
Event Type: Audit Success
User:

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 1102
Message: The audit log was cleared.
Subject:
Security ID: S-1-5-21-2275034426-2890930685-121024525-500
Account Name: Administrator
Domain Name: WIN-K2BOJQ6UH6V
Logon ID: 0x253e9
Record Number: 383
Source Name: Microsoft-Windows-Eventlog
Time Written: 20091124175318.520200-000
Event Type: Audit Success
User:

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
"PROCESSOR_ARCHITECTURE"=AMD64
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"USERNAME"=SYSTEM
"windir"=%SystemRoot%
"PSModulePath"=%SystemRoot%\system32\WindowsPowerShell\v1.0\Modules\
"NUMBER_OF_PROCESSORS"=2
"PROCESSOR_LEVEL"=16
"PROCESSOR_IDENTIFIER"=AMD64 Family 16 Model 6 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=0602

-----------------EOF-----------------
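
The security event log section above is the part of this dump worth reading most carefully, and the 4624 description embedded in it already names the fields that matter (logon type, subject, source address). The Python below is an added example for this thread, not code from RSIT or from either poster: it parses records in the text layout RSIT prints and pulls out the ones an analyst would read first, namely audit log clearing (1102), local account changes (4720/4725/4738) and network or remote-interactive logons (4624 with logon type 3 or 10). The sample records are constructed from the dump above with their descriptive text trimmed, plus one made-up network logon; the function names, the watchlist and the 2011-09-01 cutoff are assumptions. With that cutoff, the 1102 and 4725 records from the page (dated 2009-11-24 under the pre-rename computer name WIN-K2BOJQ6UH6V) come out flagged as predating the reported problem rather than as evidence of it, while the service logon (type 5 from services.exe) is not flagged at all.

```python
# Triage the "=====Security event log=====" section of an RSIT info.txt dump.
# Added example, not RSIT's own code; names, watchlist and cutoff are assumptions.
import re
from datetime import datetime, timedelta, timezone

# RSIT prints one record per "Computer Name:" header and records contain blank
# lines of their own, so split on the header rather than on blank lines.
RECORD_START = re.compile(r"^(?=Computer Name: )", re.MULTILINE)
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):[ \t]*(.*)$")

# Security-log event IDs an analyst wants to read first.
WATCHLIST = {1102: "audit log cleared", 4720: "user account created",
             4725: "user account disabled", 4738: "user account changed"}

# Constructed sample: the 1102, 4725 and service-logon 4624 records from the
# dump above (trimmed), plus one made-up network logon inside the 2011 window.
SAMPLE = """\
Computer Name: LESLIE-PC
Event Code: 4624
Message: An account was successfully logged on.

Logon Type: 3
Source Network Address: 192.0.2.10
Record Number: 1201
Time Written: 20110903211506.000000-000
Event Type: Audit Success

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4624
Message: An account was successfully logged on.
Logon Type: 5
Source Network Address: -
Record Number: 386
Time Written: 20091124175325.555800-000
Event Type: Audit Success

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 4725
Message: A user account was disabled.
Record Number: 384
Time Written: 20091124175323.496600-000
Event Type: Audit Success

Computer Name: WIN-K2BOJQ6UH6V
Event Code: 1102
Message: The audit log was cleared.
Record Number: 383
Time Written: 20091124175318.520200-000
Event Type: Audit Success
"""

# Assumed cutoff: when the user first noticed trouble (thread opened 2011-09-05).
PROBLEM_STARTED = "20110901000000.000000-000"


def parse_cim_time(value):
    """WMI CIM_DATETIME as RSIT prints it (14 digits, '.', 6 digits, then a
    sign and the UTC offset in minutes) -> timezone-aware datetime."""
    stamp, sign, minutes = value[:21], value[21], int(value[22:])
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S.%f")
    offset = timedelta(minutes=minutes if sign == "+" else -minutes)
    return naive.replace(tzinfo=timezone(offset))


def parse_records(text):
    """One dict per record keyed by its 'Name: value' lines; the first
    occurrence of a repeated key wins (for 4624: Subject, not New Logon)."""
    records = []
    for chunk in RECORD_START.split(text):
        if not chunk.startswith("Computer Name:"):
            continue
        rec = {}
        for line in chunk.splitlines():
            m = FIELD.match(line.strip())
            if m:
                rec.setdefault(m.group(1), m.group(2).strip())
        rec["Event Code"] = int(rec["Event Code"])
        rec["Record Number"] = int(rec["Record Number"])
        rec["Time Written"] = parse_cim_time(rec["Time Written"])
        records.append(rec)
    return records


def triage(records, problem_started):
    """Records worth a second look, sorted by record number, each with a
    reason and a flag telling whether it predates the reported problem."""
    hits = []
    for rec in records:
        code, logon_type = rec["Event Code"], rec.get("Logon Type")
        reason = WATCHLIST.get(code)
        if code == 4624 and logon_type in ("3", "10"):  # network or RDP logon
            reason = "remote logon type %s from %s" % (
                logon_type, rec.get("Source Network Address", "?"))
        if reason is not None:
            hits.append({"record": rec["Record Number"], "code": code,
                         "computer": rec["Computer Name"], "when": rec["Time Written"],
                         "reason": reason,
                         "before_problem": rec["Time Written"] < problem_started})
    return sorted(hits, key=lambda h: h["record"])


def sample_hits():
    """Run the triage over the constructed sample with the assumed cutoff."""
    return triage(parse_records(SAMPLE), parse_cim_time(PROBLEM_STARTED))
```

Calling sample_hits() returns three entries: the 2009 audit-log clear and the Administrator disable under the old computer name, both marked as predating the problem, and the made-up 2011 network logon from 192.0.2.10. Rules like this only pick candidates; the records they surface still need to be read in Event Viewer together with what came immediately before and after them.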

Lame Gamer
2011-09-09, 07:47
Is anyone out there? You said I could ask questions... lol. And I have a bunch.

1. Rather than saving these logs to removable disk, would it be safe to transfer them via bluetooth? Or, would that be a big NO.

2. While messing with that RK program, trying to get that to run... I noticed some pretty strange looking files in my C: drive. I've been taking screenshots of some of those things, as they occasionally become invisible shortly after I 'find' them. (adding to the overall creepiness of all this) Is it okay to post some of those screenshots here as attachments so you can see what I'm talking about? Seriously - I've never seen anything like this before. There are all sorts of these strange locked folders in my TEMP directories. For example, one file - with only special characters in the name field made me curious. Explorer reported the file size as 1 kb. So I clicked to look at its properties, and the file is actually HUGE. Almost 17 GB!

3. In regards to this reference:

S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\system32\Wat\WatAdminSvc.exe --> C:\Windows\system32\Wat\WatAdminSvc.exe [?]

Is this common? The reason I ask, there's an 'MIT guy' by that name in the FB group where these other hackers found me. This is a really big FB group too, so it's hard for me to say who's in on this, and who isn't - except in cases where it's really obvious. (Like when they've autographed the NT USER dat files, for example - which I've taken screenshots of too) Either way, I haven't logged on to Facebook since I found out these people had actually invaded my PC. (except to change my password... of course.) The really scary part is, there's so many of them... and most have alter egos besides. If it's possible to get them out of my computer, how am I going to know who needs to be 'unfriended' in Facebook after this - so it never happens again? I mean, I have almost 2,500 FB friends who all play this same game. Of those, several hundred came from this one group. They can't all be hackers... can they? What a mess... :(

Lame Gamer
2011-09-09, 08:54
With the aswMBR application, I hope you were asking for the log from the quick scan option? (Because if I try to scan C: the app crashes every time.)

Here's the log from the quick scan anyway
(also saved it to disk, along with aswMBR dat file.)


aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-08 23:12:22
-----------------------------
23:12:22.811 OS Version: Windows x64 6.1.7600
23:12:22.827 Number of processors: 2 586 0x602
23:12:22.827 ComputerName: LESLIE-PC UserName: Leslie
23:12:24.480 Initialize success
23:12:24.746 AVAST engine defs: 11090800
23:12:43.996 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\00000055
23:12:43.996 Disk 0 Vendor: WDC_WD64 01.0 Size: 610480MB BusType: 3
23:12:46.040 Disk 0 MBR read successfully
23:12:46.040 Disk 0 MBR scan
23:12:46.040 Disk 0 unknown MBR code
23:12:46.055 Service scanning
23:12:47.615 Modules scanning
23:12:47.615 Disk 0 trace - called modules:
23:12:47.631 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys storport.sys hal.dll nvstor64.sys
23:12:47.631 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ba1060]
23:12:47.646 3 CLASSPNP.SYS[fffff880019b843f] -> nt!IofCallDriver -> [0xfffffa800487de40]
23:12:47.662 5 ACPI.sys[fffff88000f76781] -> nt!IofCallDriver -> \Device\00000055[0xfffffa800487b7e0]
23:12:49.004 AVAST engine scan C:\Windows
23:12:51.281 AVAST engine scan C:\Windows\system32
23:13:37.847 AVAST engine scan C:\Windows\system32\drivers
23:13:42.839 AVAST engine scan C:\Users\Leslie
23:14:15.006 AVAST engine scan C:\ProgramData
23:14:22.900 Scan finished successfully
23:22:36.188 Disk 0 MBR has been saved successfully to "C:\Users\Leslie\Desktop\MBR.dat"
23:22:36.203 The log file has been saved successfully to "C:\Users\Leslie\Desktop\aswMBR.txt"
23:24:06.369 Disk 0 MBR has been saved successfully to "C:\Users\Leslie\AppData\Local\Microsoft\Windows\Burn\Burn\MBR.dat"
23:24:06.385 The log file has been saved successfully to "C:\Users\Leslie\AppData\Local\Microsoft\Windows\Burn\Burn\aswMBR.txt"

Scolabar
2011-09-09, 09:00
Hi Lame Gamer,

If you do not have access to another computer please follow the procedure below to download, update and run the tools as requested:

Step 1:
Reconnect Computer to Internet

Please reconnect the computer to the Internet in order to download all the tools required for the set of instructions provided.

Step 2:
Download & Update Tools

Download and update (if required) the tools necessary to complete all the steps in my post.

Step 3:
Disconnect Computer from Internet

Disconnect the computer from the Internet for the duration of running the tools.

Step 4:
Run Tools

Run all the tools exactly in the order given in my post and either save the logs to the Desktop or know where the logs are saved to.

Please Note: If a tool requires an active Internet connection I will ask you to reconnect the computer to the Internet for the duration of completing that step.

Step 5:
Post Logs

Reconnect the computer to the Internet briefly in order to post back the logs.

Step 6:
Await Next Instructions

Disconnect the computer from the Internet and wait for the next set of instructions.


Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Lame Gamer
2011-09-09, 11:47
You want me to do it again? Except, I should download tools directly to the infected machine this time, instead of moving them over from a disk?

(And just as I was getting really good at switching the monitor connection back and forth between the two.... that'll teach me. I'll never try to build a computer out of random closet clutter again, I promise. lol.)

Okay. I'm off to fetch new logs...

Lame Gamer
2011-09-09, 13:49
Okay. I am online with the problem computer - it's as problematic as ever.
Problems listed in the order in which they occurred:

1. Apparently - my ISP only allows me to have one PC online at a time - unless I use a router. (which seems like a bad idea in my case) Called ISP to swap my internet access back to the infected PC, from the temporary PC I had conjured from closet-clutter.

2. So I wouldn't get them mixed up with the duplicates I am about to download directly, I decided to delete the existing versions of tools I had copied to this PC from disk.

3. Before I could do that, I had to search for my desktop - as it had gone missing. All the icons that used to be here... they were just not here anymore. No idea why. This was a new one that I hadn't seen before. Anyways - while trying to restore those, I kept getting error messages - saying there was not enough free space to add anything to my desktop. Again - not sure why. Knowing that I should have almost 600 GB of free space lying around somewhere, I stopped by disk manager to check - and the 'not enough free space' messages went away after that. So, I proceeded to delete existing copies of these tools.

4. Strangely, some of those tools were impossible to delete - because, they were in use by another program! It was some DOS application with letters, numerals, and at least one "$" for a name. The error window closed itself before I had time to grab a screenshot. After a couple additional restarts, I was able to find/delete all remaining tools (that I know of). At least, I don't think I missed any.

I shall now attempt to download the tools once again. Sorry it's taking so long - but I'm telling you, this computer is haunted. I have no control over it whatsoever. I've looked at these logs, and at least half of the programs that have been installed on this system I've never even heard of, in many cases - I've no idea what these programs are for. I only know they weren't here before, and I've had this computer for almost a year without all the strangeness I'm seeing now.

After those are downloaded, I'll disconnect cable from my network adapter, run the tools again, in order. Will post the logs here as I go... assuming I ever get past RK.

P.S. I should also mention, all these files and folders have mysteriously shared themselves, once again. I'm unable to 'unshare' any of them. No matter what I try, those settings refuse to stick. I have no idea why; the computer never gives me a reason - it just sits there quietly and ignores me while I make repeated attempts to unshare everything, over and over again. Something is seriously messed up here, and it's making me feel crazy - whatever it is.

Lame Gamer
2011-09-09, 14:06
Files successfully downloaded to *current desktop* of haunted PC:

rk1
rk2
(rk3 produced 404 error/file not found)
rk4
RSITx64
aswMBR

Will post logs next...

Scolabar
2011-09-09, 20:49
Hi Lame Gamer,

I appreciate you are trying to be helpful, but please can you slow down and not make too many replies unrelated to the instructions or information I have requested. I will have to digest everything you have posted and then try to work out an effective next set of instructions. The more posts you make the longer it is going to take me to process everything and come back to you. :sad:

Please can you just perform the steps requested and, if you are unsure of anything, please stop and ask the question. Then please wait for my next response and be patient. Otherwise it will only impede our progress and will mean the attempted cleanup process will take much longer.

:thanks:

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Scolabar
2011-09-10, 19:57
Hi Lame Gamer,

Apologies for the confusion and inconvenience. Thank you also again for your patience. :)

I would like you to download and install an alternative Anti-virus product to avoid the problems you have been encountering.

I need to reiterate the importance of following exactly the instructions below:

Please read these instructions carefully before executing and perform the steps, in the order given.
If you have any questions about, or problems with, executing these instructions, <STOP> do not proceed, post back with the question or problem before going any further.

Before we proceed please make sure any open programs are closed.

Please make sure your 'infected' computer is connected to the Internet.

Step 1:
Uninstall Spybot - Search & Destroy

I need you to uninstall Spybot - Search & Destroy temporarily as it can interfere with any of the cleanup tools I ask you to use. You can reinstall this program once the system has been declared clean:

Depending on your view setting under Control Panel, select either:

Start > Control Panel > Uninstall a program.
or
Start > Control Panel > Programs and Features and then under the Programs heading, click on Uninstall a program.

Scroll down the list of installed programs and locate the following program:

Spybot - Search & Destroy
Right-click on Uninstall to uninstall it.
When finished Close the Control Panel window.
Restart the computer to complete removal of the program.
Step 2:
Install Anti-virus Software

I need you to install an alternative reliable Anti-virus program.

To protect your computer from infection download a (free for personal use) anti-virus program from one of the following reliable vendors, but please do not install it until I ask you to do so.

Microsoft Security Essentials ** (http://www.microsoft.com/security_essentials/) - New, from Microsoft, with email scanning, easy to install, easy to use.
** Your PC must run a genuine version of the Windows OS to install Microsoft Security Essentials.
Download the new Anti-virus product to your computer desktop.
Save any work. Close all applications, especially your Internet connection.
Uninstall Avast! Anti-virus product as follows:


Then depending on your view setting under Control Panel, select either:

Start > Control Panel > Uninstall a program.
or
Start > Control Panel > Programs and Features and then under the Programs heading, click on Uninstall a program.
Scroll down the list of installed programs and locate the following program:

avast! Free Antivirus
Right-click on Uninstall to uninstall it.
When finished Close the Control Panel window.
Reboot your computer, if not done during the uninstall.
Install the new Anti-virus product following the installation instructions. You may be asked to reboot the computer to complete the installation. Please do so, if asked.
Check for updates to the new Anti-virus product, if not done during install setup.
Run a full scan of your computer.
Please Note: You should run only one Anti-virus program at a time. Having more than one Anti-virus program active in memory uses additional resources and results in program conflicts and false virus alerts.

Step 3:
RSIT (Random's System Information Tool)

Let's now re-run RSIT.

Ensure RSITx64.exe is on your Desktop.
Select Start > All programs > Accessories > Run.
Copy and paste the following command into the run box and click OK, Do not include the word Quote:

"%userprofile%\desktop\rsitx64.exe" /info
Click on the Continue button at the disclaimer screen.
RSIT will start running.
When the program has finished two logs files will automatically open in Notepad:
log.txt <-- Will be opened, maximized.
info.txt <-- Will be minimized on task bar.
Please Copy and Paste the entire contents of both log.txt and info.txt files into your next reply.
Note: These logs can be lengthy, so post 1 log per reply please.

Step 4:
Include in Next Post

Did you have any problems carrying out the instructions?
log.txt.
info.txt.
Please also attach any screen shots you mentioned in your earlier posts that you may still have and might help assist us in resolving your malware issues.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed
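The steps above are carried out through the Control Panel and cannot be verified from the forum. The following PowerShell script is an added example, not part of Scolabar's instructions or any tool named in this thread, that checks on the machine whether the two uninstalls actually completed and whether Windows Security Center still sees more than one anti-virus product registered as active (the "run only one Anti-virus program at a time" point). It assumes the product names contain "Spybot" and "avast" as they appear in the Control Panel list, and it relies on the commonly observed (but undocumented) encoding of the productState field, where bit 0x1000 means the product is switched on.

```powershell
# Added example (not from the original thread): confirm the uninstall steps
# took effect and count active anti-virus products, using built-in cmdlets only.
# Assumption: DisplayName contains 'Spybot' / 'avast' (as shown in Programs and Features).

function Get-InstalledPrograms {
    # The Control Panel list is built from these three Uninstall registry keys
    # (64-bit, 32-bit/WOW64 and per-user installs).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Programs that must be gone before the new anti-virus product is installed.
$mustBeGone = 'Spybot', 'avast'
$installed  = Get-InstalledPrograms

foreach ($pattern in $mustBeGone) {
    $hits = @($installed | Where-Object { $_.DisplayName -like "*$pattern*" })
    if ($hits.Count -gt 0) {
        "STILL INSTALLED: " + (($hits | ForEach-Object { $_.DisplayName }) -join ', ')
    } else {
        "OK: no installed program matches '$pattern'"
    }
}

# Security Center's view of anti-virus products (Windows Vista and later
# publish them in root\SecurityCenter2). productState is an undocumented
# bitfield; in practice bit 0x1000 set means the product reports itself as on.
$avProducts = @(Get-WmiObject -Namespace 'root\SecurityCenter2' `
                              -Class AntiVirusProduct -ErrorAction SilentlyContinue)
$active = @()
foreach ($p in $avProducts) {
    $state = [int]$p.productState
    $isOn  = (($state -band 0x1000) -ne 0)
    "{0,-40} productState=0x{1:X6} on={2}" -f $p.displayName, $state, $isOn
    if ($isOn) { $active += $p.displayName }
}

if ($active.Count -gt 1) {
    "WARNING: more than one anti-virus product is active: " + ($active -join ', ')
} elseif ($active.Count -eq 1) {
    "OK: exactly one active anti-virus product (" + $active[0] + ")"
} else {
    "WARNING: Security Center reports no active anti-virus product"
}
```

Run it from an elevated PowerShell prompt after the reboot that follows each uninstall; a product that still appears under "STILL INSTALLED" after a reboot usually means its uninstaller did not finish, and the Security Center listing shows whether an old product is still registered as active alongside the new one even though its entry has left the Control Panel list.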

Lame Gamer
2011-09-11, 07:52
Hello... and, please don't close me! lol. I had to go out to the woods and help with firewood unexpectedly today. Tomorrow too, but I should get done early. Either way... I'll be working on this by sunset tomorrow.

And I see you've changed the game plan on me! lol... My turn to try to keep up with you this time? I don't mind, but sorry if I've been holding up the show here. It wasn't my intention. But, since you DID change the game plan... I suppose my small victory with RKILL yesterday is kind of irrelevant now. Hmffffph. lol.

What I was planning to tell you is, I actually got RKILL to run... kinda. I worked on it all day yesterday. Look:

====
This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/09/2011 at 21:28:55.
Operating System: Windows 7 Home Premium


Processes terminated by Rkill or while it was running:

C:\Users\Leslie\Desktop\rkill.com
C:\Users\Leslie\Desktop\rkill.scr
C:\Windows\SysWOW64\grpconv.exe


Rkill completed on 09/09/2011 at 21:28:59.
=====

(Erm... try to overlook those 2/3 entries where RK has terminated itself for now. K? lol. It's a log, it exists... and it's not blank. After waging war on that sucker for a whole day, trying to figure out why I was having so much trouble.. the fact that I GOT a log at all felt somewhat LANDMARK to me at the time. :D

The bad news is...in the process of trying to figure out why I was having such a hard time with RK, and trying to get that to run? I found some other stuff that might need to be fixed too now. I'm not sure.

I found at least 4 unique processes that were, (er, are still) interfering with my ability to run RK on this machine, and preventing RK from detecting anything. (Either directly, or indirectly - through Avast.) The really bad news is - for every single time I tried to run RK from here? It seems a huge folder was created in the process. Over and over again. (Can't remember exactly how many of those I have now, I was too tired by the time I went to bed... but I do know it's at least 84 so far...lol. Normal? :/

Either way... with the new game plan, I'm not sure if you will want to take a closer look at that right now or not. I don't mind uninstalling anything, and if RK is off the agenda.. that doesn't bother me either. RK isn't going to run on this system as it is now anyway - at least not without causing some major hissy fits. I did make a screenshot for you, which attempts to illustrate what seemed to be happening when I ran RK. I'll post that here, but if it's irrelevant now - no worries, just ignore it.

As for me, I need to go get some sleep. I shall return in 20 hours (hopefully sooner than) ... to work on whatever is on the to-do list when I get back. Again, thank you so much for helping me with this big yukky mess... (and please don't close my thread. lol)

~Les

Scolabar
2011-09-11, 10:18
Hi Lame Gamer,

Thank you for the update.

Please can you make sure you carefully read all the instructions provided in my previous post and follow them exactly as requested.
Also, please make sure you close all open program and Explorer windows before proceeding with the instructions.

In addition, as mentioned in my initial post:

5. DO NOT run any other fix or removal tools unless instructed to do so!
6. DO NOT install any other software (or hardware) during the cleaning process. This adds more items to be researched.

I'll wait to hear back from you. :bigthumb:

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Scolabar
2011-09-13, 14:24
Hi Lame Gamer,

It has been over 48 hours since my last post.

Do you still need help?
Do you need more time?
Are you having problems following my instructions?
In line with Malware Removal's latest policy, topics will be closed after 3 days without a response.
If you do not reply within the next 24 hours, this topic will be closed.

Scolabar
--------------------------------------------------------------------------
No Reply Within 3 Days Will Result In Your Topic Being Closed

Cypher
2011-09-14, 21:04
This topic has been archived due to inactivity.

If it has been three days or more since your last post, and the helper assisting you posted a response to which you did not reply, your thread will not be re-opened. At that point, if you still require help, please start a new topic and include a new DDS log with a link to your previous thread. Please do not add any logs that might have been requested previously, you would be starting fresh.

If it has been less than three days since your last response and you need the thread re-opened, please send your helper a private message (pm). A valid, working link to the closed topic is required.