What are the indications of a root infection?

dje

New Member
I have several pointers that make me believe that I have either malware or a virus. Norton, Kaspersky, AVG, Spybot and Malwarebytes do not indicate anything, and I know a lot of you would say, "Well, why are you writing this question?" Well, this is why. Every time I run sfc /scannow I get a message at the end saying there were some corrupt files that could not be repaired. So I have looked at various points on my computer and I wonder if anyone can put me straight.

In the system32 folder I have 3 driver folders: "drivers", "DriverStore" and "DRVSTORE". The last one is highlighted in blue and contains listings of the GEARAspi driver, all highlighted. My wireless network adapter won't install properly, and when I look in Device Manager > Network Adapters > Atheros ........ > Properties > Details tab, it shows 1 parent and 16 siblings. I have never seen this reference before. Is it a sign of something malicious, or is it a regular entry in the properties of an item? Can anybody also tell me what differences I would see in "Command > BCDEDIT" if something was infecting my bootup?
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Quad Q6000 2.4 GHz
    Memory
    3GB
    Graphics card(s)
    ATI Radeon HD 3800
    Monitor(s) Displays
    Sony LCD TV
    Screen Resolution
    1680 x 1050
    Keyboard
    Logitech S520
Hi,

I am willing to try to help. Certain really nasty viruses will not show up until some of them, the bits that hide them, have already been deleted. Can you therefore upload the log file (sfcdetails.txt) of your "sfc /scannow" run? See the yellow box at the top of this tutorial: http://www.vistax64.com/tutorials/66978-system-files-sfc-command.html

Richard
 

My Computer

System One

  • Manufacturer/Model
    Dell XPS 420
    CPU
    Intel Core 2 Quad Q9300 2.50GHz
    Motherboard
    Stock Dell 0TP406
    Memory
    4 gb (DDR2 800) 400MHz
    Graphics card(s)
    ATI Radeon HD 3870 (512 MBytes)
    Sound Card
    Onboard
    Monitor(s) Displays
    1 x Dell 2007FP and 1 x (old) Sonic flat screen
    Screen Resolution
    1600 x 1200 and 1280 x 1204
    Hard Drives
    1 x 640Gb (SATA 300) Western Digital: WDC WD6400AAKS-75A7B0 1 x 1Tb (SATA 600) Western Digital: Caviar Black, SATA 6GB/S, 64Mb cache, 8ms Western Digital: WDC WD1002FAEX-00Z3A0 ATA Device
    PSU
    Stock PSU - 375W
    Case
    Dell XPS 420
    Cooling
    Stock Fan
    Mouse
    Advent Optical ADE-WG01 (colour change light up)
    Keyboard
    Dell Bluetooth
    Internet Speed
    120 kb/s
    Other Info
    ASUS USB 3.0 5Gbps/SATA 6Gbps - PCI-Express Combo Controller Card (U3S6)
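A worked example of the sfcdetails.txt step, added here and not part of Richard's post or the linked tutorial. The usual way to produce sfcdetails.txt is to filter CBS.log for the lines tagged "[SR]" (for example with findstr /c:"[SR]" on %windir%\Logs\CBS\CBS.log); the Python script below does the same filtering offline on a constructed CBS.log excerpt (the file and package names in it are illustrative, not from dje's machine) and then pulls out what sfc could not repair, so the handful of lines worth reading in a long log can be seen at a glance.

```python
"""Added example: the [SR] filter behind sfcdetails.txt, plus a summary of
what sfc /scannow could not repair. Not code from the thread or the tutorial."""
import re

# "[SR] Cannot repair member file [l:18{9}]"name" of Package, ..., <reason>"
CANNOT = re.compile(r'Cannot repair member file \[[^\]]*\]"(?P<file>[^"]+)" of (?P<pkg>[^,]+),.*, (?P<reason>[^,]+)$')
# "[SR] Repairing corrupted file [...]"\??\C:\Windows\system32"\[...]"name" from store"
REPAIRED = re.compile(r'Repairing corrupted file .*"(?P<file>[^"]+)" from store$')

# Constructed CBS.log excerpt in the layout sfc writes on Vista/7. The file and
# package names are illustrative and are not taken from the poster's log.
SAMPLE_CBS_LOG = r"""
2010-04-10 08:02:10, Info                  CBS    Starting TrustedInstaller initialization.
2010-04-10 08:02:11, Info                  CBS    [SR] Verifying 100 (0x0000000000000064) components
2010-04-10 08:02:11, Info                  CBS    [SR] Beginning Verify and Repair transaction
2010-04-10 08:02:14, Info                  CBS    [SR] Cannot repair member file [l:18{9}]"tcpip.sys" of Microsoft-Windows-TCPIP-Binaries, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-04-10 08:02:14, Info                  CBS    [SR] Cannot repair member file [l:18{9}]"tcpip.sys" of Microsoft-Windows-TCPIP-Binaries, Version = 6.0.6002.18005, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral in the store, hash mismatch
2010-04-10 08:02:15, Info                  CBS    [SR] Repairing corrupted file [ml:520{260},l:46{23}]"\??\C:\Windows\system32"\[l:24{12}]"wuaueng.dll" from store
2010-04-10 08:02:15, Info                  CBS    [SR] Repair complete
2010-04-10 08:02:15, Info                  CBS    [SR] Verify complete
"""


def sr_lines(cbs_log):
    r"""Same selection as: findstr /c:"[SR]" %windir%\Logs\CBS\CBS.log > sfcdetails.txt"""
    return [ln for ln in cbs_log.splitlines() if "[SR]" in ln]


def unrepaired(cbs_log):
    """{file: (package, reason)} for each member file sfc could not repair.
    sfc normally logs each one twice (verify pass and repair pass), so key by file."""
    found = {}
    for ln in sr_lines(cbs_log):
        m = CANNOT.search(ln)
        if m:
            found[m["file"]] = (m["pkg"].strip(), m["reason"].strip())
    return found


def repaired(cbs_log):
    """Sorted list of files sfc replaced from the component store."""
    files = set()
    for ln in sr_lines(cbs_log):
        m = REPAIRED.search(ln)
        if m:
            files.add(m["file"])
    return sorted(files)


def suspicious_drivers(cbs_log):
    """Unrepairable kernel drivers whose on-disk hash differs from the store copy.
    That is what a patched driver looks like to sfc, so these are the files to
    hand to a signature checker or rootkit scanner rather than the whole log."""
    return sorted(f for f, (_, reason) in unrepaired(cbs_log).items()
                  if f.lower().endswith(".sys") and reason == "hash mismatch")


if __name__ == "__main__":
    print("\n".join(sr_lines(SAMPLE_CBS_LOG)))          # what sfcdetails.txt would hold
    print("could not repair:", unrepaired(SAMPLE_CBS_LOG))
    print("repaired:", repaired(SAMPLE_CBS_LOG))
    print("drivers to check:", suspicious_drivers(SAMPLE_CBS_LOG))
```

The result worth acting on is an unrepairable .sys file with "hash mismatch": the file on disk no longer matches the copy in the component store. A legitimate update would have updated the store as well, so that one file, not the log as a whole, is what to scan or compare against a known-good copy.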
Hi again,

Just answering some of your questions. The System32 driver folders all look fine and the GEAR reference looks OK. Remember that viruses usually take over a secondary driver and replace it with their own code (a secondary driver is not required for system startup and does not matter too much if it is lost). Therefore, just looking at driver names will not be enough; you need to scan them.

Do tell me if you have any suspicions on what this might be, how you got it, or any files that might be infected. Do not worry about making mistakes, there is no harm in that.

Richard
 

Hi,

Also, can you please run HijackThis and upload the log file? Please upload the log file as an attachment, not in the main body of the message. Thanks! HijackThis - Trend Micro USA

Richard
 

Hi,

Press the Windows Key + R to open the Run dialogue. Type "cmd" and press enter. In Command Prompt, type:

"ipconfig /flushdns"

and press enter. Tell me if this is successful.

Richard
 

Thanks niemiro. Do you know about the entries in Device Manager and bcdedit? If I could see what a correct entry should look like, then that might be good.
 

Hi, I have flushed DNS and I am going to run sfc, but I am also going to have some breakfast (8.00 in the UK). Thanks for your help. Can we pick this up again later?
 

Hi, I have flushed DNS and I am going to run sfc, but I am also going to have some breakfast (8.00 in the UK). Thanks for your help. Can we pick this up again later?

No problem. It can wait days if you want. There is never an obligation to be online together, and I have just had my breakfast! We sometimes wait for people to go on holiday and then pick up the issue afterwards. You enjoy your breakfast and don't rush it!

Richard
 

Right, open Command Prompt and type "bcdedit.exe" followed by Enter. Once it has loaded, expand the window so everything is visible, right-click anywhere on the console and click Mark. Highlight everything (this may take a few attempts to get right, as it is not quite like normal highlighting) and right-click within the highlighted area. The highlighting will disappear, but nothing else will look like it has happened. However, it has been copied, so just paste it in your next reply. Here is mine:

Microsoft Windows [Version 6.0.6002]
Copyright (c) 2006 Microsoft Corporation. All rights reserved.

C:\Users\Richard>bcdedit.exe

Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {82bde735-f669-11de-81e9-bde3a6336df3}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 3
resume No

Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
resumeobject {82bde735-f669-11de-81e9-bde3a6336df3}
nx OptIn

C:\Users\Richard>


Can you also download, run and upload the log of the "Vistax64.com SysInfo Tool". Please do not include the log inline, but as an attachment. http://www.vistax64.com/tutorials/176785-vistaforums-sysinfo-tool.html

Richard
 

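To make the comparison Richard is asking for repeatable, here is an added Python example (not code from the thread, the forum or Microsoft) that parses pasted bcdedit console output into entries and flags the settings that matter for boot security: a loader path other than winload.exe, a device or osdevice that is not a plain partition, a replaced kernel or HAL or extra loadoptions, and the elements that disable or relax driver-signature checks at boot (nointegritychecks, testsigning, winpe) or enable a kernel or boot debugger (debug, bootdebug), none of which a clean desktop should have set. The embedded dump is dje's, exactly as pasted later in the thread; the "tampered" variant is constructed only to show what a hit looks like and is not taken from any real infection.

```python
"""Added example: parse bcdedit console output and audit each boot entry for
settings that change what the loader will accept. Not from the thread."""
import re

PROMPT = re.compile(r"^[A-Za-z]:\\.*>")          # e.g. C:\Windows\system32>bcdedit.exe
WINLOAD = r"\windows\system32\winload.exe"        # the only loader path expected here
# BCD elements that, when set to Yes, disable/relax signature checks or enable a debugger
RISKY = ("nointegritychecks", "testsigning", "winpe", "debug", "bootdebug")

# dje's dump from the thread, exactly as pasted (the prompt line is part of the paste).
DJE_BCD = r"""
C:\Windows\system32>bcdedit.exe
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {449e13a1-3b7f-11df-91f7-b7ff966976ae}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
resumeobject {449e13a1-3b7f-11df-91f7-b7ff966976ae}
nx OptIn
"""

# Constructed, not from any real infection: the same dump with signing checks switched off.
TAMPERED_BCD = DJE_BCD.replace("nx OptIn", "nx OptIn\nnointegritychecks Yes\ntestsigning Yes")


def parse_bcdedit(text):
    """Return [{'heading': ..., 'elements': {name: value}}], one dict per BCD entry.
    A heading is any line followed by an underline of dashes; prompt and banner
    lines before the first heading are ignored."""
    entries, cur, lines = [], None, text.splitlines()
    for i, ln in enumerate(lines):
        s = ln.strip()
        nxt = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not s or PROMPT.match(s) or set(s) == {"-"}:
            continue
        if nxt and set(nxt) == {"-"}:            # "Windows Boot Loader" + its underline
            cur = {"heading": s, "elements": {}}
            entries.append(cur)
        elif cur is not None:                     # "name value" element line
            name, _, value = s.partition(" ")
            cur["elements"][name] = value.strip()
    return entries


def audit_bcd(entries):
    """Human-readable findings; an empty list means nothing unusual was seen."""
    findings = []
    for e in entries:
        el = e["elements"]
        ident = el.get("identifier", "?")
        if e["heading"] == "Windows Boot Loader":
            if el.get("path", "").lower() != WINLOAD:
                findings.append(f"{ident}: loader path {el.get('path')!r} is not winload.exe")
            for key in ("device", "osdevice"):
                if not el.get(key, "").startswith("partition="):
                    findings.append(f"{ident}: {key}={el.get(key)!r}, expected partition=<drive>:")
            for key in ("kernel", "hal", "loadoptions"):   # replaced kernel/HAL, extra switches
                if key in el:
                    findings.append(f"{ident}: non-default {key}={el[key]!r}")
        for key in RISKY:
            if el.get(key, "").lower() == "yes":
                findings.append(f"{ident}: {key} Yes relaxes boot-time signature checks")
    return findings


if __name__ == "__main__":
    mine = parse_bcdedit(DJE_BCD)
    print("findings in dje's dump:", audit_bcd(mine))                    # []
    print("findings in tampered dump:", audit_bcd(parse_bcdedit(TAMPERED_BCD)))
```

Run over either dump in the thread this reports nothing; the visible differences between them (timeout 3 versus 30, the resume element) are ordinary configuration. The caveat a bootkit hunter needs: bcdedit only shows the BCD store as the running system reads it, so a rootkit that lives in the MBR or inside a patched driver leaves this output looking clean, which is why TDSSKiller and a signature check of the drivers are needed alongside it.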
Hi,

The Atheros entry in Device Manager is usually fine. It really depends on whether you have any network cards from Atheros. Do you normally use wireless or wired internet? Is this a desktop or a laptop? Do you know what your network cards are? If so, what are they? Do not worry if you do not know.

I will now wait for the logs, but there is no rush or urgency. In your own time. :)

Richard
 

Hi. Long breakfast - yum. OK, I'll paste the bcdedit results and sysinfo. I have run HijackThis and, because I believe Java may be involved, I deleted a Java file, which has subsequently reappeared.

Oh yes, I haven't told you how this appeared to start and the little indicators that gave it away.

Firstly, I started being redirected in my IE browser to Yahoo and Ask.com search pages. Then I realised that an earlier indication was in the search field: I had stopped getting "drop down" suggestions. Then, rather belatedly, Norton told me I had a trojan but it couldn't remove it; I had to do this manually. It was Backdoor.Tidserv. I downloaded Malwarebytes and TDSSKiller, but I think there were still some files hiding in a second partition, in the Recycle Bin or Volume Information. As I said, Norton, Kaspersky and all the other programmes like Windows Defender, MRT, chkdsk and sfc /scannow didn't find anything until a while later, when I had a warning about another trojan called FakeAlert.

I can't remember what made me look, but I was checking the drivers and I must have read something about the network adapter being involved. While I was checking the listings on the properties page of anything I fancied, I saw the entry for the Atheros wireless adapter in the drop-down menu of Details, of parent and siblings, and was amazed to see 16 siblings. So then I formatted the drive using Windows XP to try and avoid any crossover, and now when I look at the network adapter there are no siblings. Now one of my questions is about that very thing. Is it normal to have siblings? It's not something I have noticed before. And in case we don't get together again, thanks for your help.
 

IDIOT - I forgot to paste the info!!

C:\Windows\system32>bcdedit.exe
Windows Boot Manager
--------------------
identifier {bootmgr}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {globalsettings}
default {current}
resumeobject {449e13a1-3b7f-11df-91f7-b7ff966976ae}
displayorder {current}
toolsdisplayorder {memdiag}
timeout 30
Windows Boot Loader
-------------------
identifier {current}
device partition=C:
path \Windows\system32\winload.exe
description Microsoft Windows Vista
locale en-US
inherit {bootloadersettings}
osdevice partition=C:
systemroot \Windows
resumeobject {449e13a1-3b7f-11df-91f7-b7ff966976ae}
nx OptIn

Code:
*************************************************************
********************** Computer Info ************************
*************************************************************
Logged in user: David-PC\David
Computer Model: AMILO Li1705
Computer Manufacturer: FUJITSU SIEMENS
OS Name: Microsoft® Windows Vista™ Home Basic |C:\Windows|\Device\Harddisk0\Partition1
OS Version: 6.0.6000
System Type: X86-based PC
Total Physical Memory: 1790 MB
Windows Directory: C:\Windows
BIOS Version: Phoenix NoteBIOS 4.0 Release 6.1     
CPU: Intel(R) Celeron(R) M CPU        430  @ 1.73GHz
Video Card: VIA Chrome9 HC IGP WDDM  
Resolution: 1280 x 800 x 4294967296 colors

*************************************************************
*********************** UAC Status **************************
*************************************************************
UAC is currently enabled

*************************************************************
***************** Installed Applications ********************
*************************************************************
Microsoft Application Error Reporting - Location:  
Microsoft Visual C++ 2005 Redistributable - Location:  
Windows Live Sign-in Assistant - Location:  
35mm Film Scanner X86 - Location: C:\Program Files\35mm Film Scanner\35mm Film Scanner X86\ 
MSVCRT - Location:  
Windows Live Essentials - Location:  
Junk Mail filter update - Location:  
Windows Live Communications Platform - Location:  
Microsoft Choice Guard - Location: C:\Program Files\Microsoft\Search Enhancement Pack\Choice Guard\ 
OpenOffice.org 3.2 - Location: C:\Program Files\ 
Windows Live Upload Tool - Location:  
Windows Live Mail - Location:  

*************************************************************
************************* Services **************************
*************************************************************
------------------------------------------
Name: Application Experience
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Application Layer Gateway Service
Path: C:\Windows\System32\alg.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Application Information
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Running
------------------------------------------
Name: Windows Audio Endpoint Builder
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Audio
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: AVG Security Toolbar Service
Path: C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: AVG Free E-mail Scanner
Path: "C:\Program Files\AVG\AVG9\avgemc.exe"
StartMode: Auto
State: Running
------------------------------------------
Name: AVG Free WatchDog
Path: "C:\Program Files\AVG\AVG9\avgwdsvc.exe"
StartMode: Auto
State: Running
------------------------------------------
Name: Base Filtering Engine
Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
StartMode: Auto
State: Running
------------------------------------------
Name: Background Intelligent Transfer Service
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Computer Browser
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Auto
State: Stopped
------------------------------------------
Name: Certificate Propagation
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Microsoft .NET Framework NGEN v2.0.50727_X86
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: COM+ System Application
Path: C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
StartMode: Manual
State: Stopped
------------------------------------------
Name: Cryptographic Services
Path: C:\Windows\system32\svchost.exe -k NetworkService
StartMode: Auto
State: Running
------------------------------------------
Name: DCOM Server Process Launcher
Path: C:\Windows\system32\svchost.exe -k DcomLaunch
StartMode: Auto
State: Running
------------------------------------------
Name: DFS Replication
Path: C:\Windows\system32\DFSR.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: DHCP Client
Path: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: DNS Client
Path: C:\Windows\system32\svchost.exe -k NetworkService
StartMode: Auto
State: Running
------------------------------------------
Name: Wired AutoConfig
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Diagnostic Policy Service
Path: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
StartMode: Auto
State: Running
------------------------------------------
Name: Extensible Authentication Protocol
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Manual
State: Running
------------------------------------------
Name: ReadyBoost
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Event Log
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: COM+ Event System
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Function Discovery Provider Host
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Function Discovery Resource Publication
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Presentation Foundation Font Cache 3.0.0.0
Path: C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Group Policy Client
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Human Interface Device Access
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Health Key and Certificate Management
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows CardSpace
Path: "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe"
StartMode: Manual
State: Stopped
------------------------------------------
Name: IKE and AuthIP IPsec Keying Modules
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: PnP-X IP Bus Enumerator
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: IP Helper
Path: C:\Windows\System32\svchost.exe -k NetSvcs
StartMode: Auto
State: Running
------------------------------------------
Name: CNG Key Isolation
Path: C:\Windows\system32\lsass.exe
StartMode: Manual
State: Running
------------------------------------------
Name: KtmRm for Distributed Transaction Coordinator
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Auto
State: Running
------------------------------------------
Name: Server
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Workstation
Path: C:\Windows\System32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Link-Layer Topology Discovery Mapper
Path: C:\Windows\System32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: TCP/IP NetBIOS Helper
Path: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Multimedia Class Scheduler
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Firewall
Path: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
StartMode: Auto
State: Running
------------------------------------------
Name: Distributed Transaction Coordinator
Path: C:\Windows\System32\msdtc.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Microsoft iSCSI Initiator Service
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Installer
Path: C:\Windows\system32\msiexec /V
StartMode: Manual
State: Running
------------------------------------------
Name: Network Access Protection Agent
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Netlogon
Path: C:\Windows\system32\lsass.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Network Connections
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Manual
State: Running
------------------------------------------
Name: Network List Service
Path: C:\Windows\System32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Net.Tcp Port Sharing Service
Path: "C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe"
StartMode: Disabled
State: Stopped
------------------------------------------
Name: Network Location Awareness
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Auto
State: Running
------------------------------------------
Name: Network Store Interface Service
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Peer Networking Identity Manager
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Peer Networking Grouping
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Program Compatibility Assistant Service
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Performance Logs & Alerts
Path: C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork
StartMode: Manual
State: Stopped
------------------------------------------
Name: Plug and Play
Path: C:\Windows\system32\svchost.exe -k DcomLaunch
StartMode: Auto
State: Running
------------------------------------------
Name: PNRP Machine Name Publication Service
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Peer Name Resolution Protocol
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: IPsec Policy Agent
Path: C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: User Profile Service
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Protected Storage
Path: C:\Windows\system32\lsass.exe
StartMode: Manual
State: Running
------------------------------------------
Name: Quality Windows Audio Video Experience
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Remote Access Auto Connection Manager
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Remote Access Connection Manager
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Running
------------------------------------------
Name: Routing and Remote Access
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Disabled
State: Stopped
------------------------------------------
Name: Remote Registry
Path: C:\Windows\system32\svchost.exe -k regsvc
StartMode: Manual
State: Stopped
------------------------------------------
Name: Remote Procedure Call (RPC) Locator
Path: C:\Windows\system32\locator.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Remote Procedure Call (RPC)
Path: C:\Windows\system32\svchost.exe -k rpcss
StartMode: Auto
State: Running
------------------------------------------
Name: Security Accounts Manager
Path: C:\Windows\system32\lsass.exe
StartMode: Auto
State: Running
------------------------------------------
Name: Smart Card
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Task Scheduler
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Smart Card Removal Policy
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Backup
Path: C:\Windows\system32\svchost.exe -k SDRSVC
StartMode: Manual
State: Stopped
------------------------------------------
Name: Secondary Logon
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: System Event Notification Service
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Terminal Services Configuration
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Internet Connection Sharing (ICS)
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Disabled
State: Stopped
------------------------------------------
Name: Shell Hardware Detection
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Software Licensing
Path: C:\Windows\system32\SLsvc.exe
StartMode: Auto
State: Running
------------------------------------------
Name: SL UI Notification Service
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: SNMP Trap
Path: C:\Windows\System32\snmptrap.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Print Spooler
Path: C:\Windows\System32\spoolsv.exe
StartMode: Auto
State: Running
------------------------------------------
Name: SSDP Discovery
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Running
------------------------------------------
Name: Windows Image Acquisition (WIA)
Path: C:\Windows\system32\svchost.exe -k imgsvc
StartMode: Auto
State: Running
------------------------------------------
Name: Microsoft Software Shadow Copy Provider
Path: C:\Windows\System32\svchost.exe -k swprv
StartMode: Manual
State: Stopped
------------------------------------------
Name: Superfetch
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Tablet PC Input Service
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Telephony
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Manual
State: Running
------------------------------------------
Name: TPM Base Services
Path: C:\Windows\System32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Terminal Services
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Auto
State: Running
------------------------------------------
Name: Themes
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Thread Ordering Server
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Distributed Link Tracking Client
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Modules Installer
Path: C:\Windows\servicing\TrustedInstaller.exe
StartMode: Auto
State: Running
------------------------------------------
Name: Interactive Services Detection
Path: C:\Windows\system32\UI0Detect.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: UPnP Device Host
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Desktop Window Manager Session Manager
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Virtual Disk
Path: C:\Windows\System32\vds.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Volume Shadow Copy
Path: C:\Windows\system32\vssvc.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Time
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Connect Now - Config Registrar
Path: C:\Windows\System32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Color System
Path: C:\Windows\system32\svchost.exe -k wcssvc
StartMode: Manual
State: Stopped
------------------------------------------
Name: Diagnostic Service Host
Path: C:\Windows\System32\svchost.exe -k wdisvc
StartMode: Manual
State: Stopped
------------------------------------------
Name: Diagnostic System Host
Path: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Manual
State: Running
------------------------------------------
Name: WebClient
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Event Collector
Path: C:\Windows\system32\svchost.exe -k NetworkService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Problem Reports and Solutions Control Panel Support
Path: C:\Windows\System32\svchost.exe -k netsvcs
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Error Reporting Service
Path: C:\Windows\System32\svchost.exe -k WerSvcGroup
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Defender
Path: C:\Windows\System32\svchost.exe -k secsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: WinHTTP Web Proxy Auto-Discovery Service
Path: C:\Windows\system32\svchost.exe -k LocalService
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Management Instrumentation
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Remote Management (WS-Management)
Path: C:\Windows\System32\svchost.exe -k NetworkService
StartMode: Manual
State: Stopped
------------------------------------------
Name: WLAN AutoConfig
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: WMI Performance Adapter
Path: C:\Windows\system32\wbem\WmiApSrv.exe
StartMode: Manual
State: Stopped
------------------------------------------
Name: Windows Media Player Network Sharing Service
Path: "C:\Program Files\Windows Media Player\wmpnetwk.exe"
StartMode: Manual
State: Stopped
------------------------------------------
Name: Parental Controls
Path: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Manual
State: Stopped
------------------------------------------
Name: Portable Device Enumerator Service
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Security Center
Path: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Search
Path: C:\Windows\system32\SearchIndexer.exe /Embedding
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Update
Path: C:\Windows\system32\svchost.exe -k netsvcs
StartMode: Auto
State: Running
------------------------------------------
Name: Windows Driver Foundation - User-mode Driver Framework
Path: C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
StartMode: Auto
State: Running
------------------------------------------
Name: XAudioService
Path: C:\Windows\system32\DRIVERS\xaudio.exe
StartMode: Disabled
State: Stopped
------------------------------------------

*************************************************************
******************** Installed Codecs ***********************
*************************************************************
------------------------------------------
Name: C:\Windows\system32\TSBYUV.DLL Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: tsbyuv
------------------------------------------
Name: C:\Windows\system32\IYUV_32.DLL Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: iyuv_32
------------------------------------------
Name: C:\Windows\system32\MSYUV.DLL Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msyuv
------------------------------------------
Name: C:\Windows\system32\MSADP32.ACM Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msadp32
------------------------------------------
Name: C:\Windows\system32\MSGSM32.ACM Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msgsm32
------------------------------------------
Name: C:\Windows\system32\MSG711.ACM Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msg711
------------------------------------------
Name: C:\Windows\system32\IMAADP32.ACM Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: imaadp32
------------------------------------------
Name: C:\Windows\system32\MSVIDC32.DLL Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msvidc32
------------------------------------------
Name: C:\Windows\system32\MSRLE32.DLL Description: 
Version: 6.0.6000.16386
Path: \windows\system32\
FileName: msrle32
------------------------------------------
Name: C:\Windows\system32\L3CODECA.ACM Description: Fraunhofer IIS MPEG Layer-3 Codec
Version: 1.9.0.401
Path: \windows\system32\
FileName: l3codeca
------------------------------------------
Name: C:\Windows\system32\ICCVID.DLL Description: 
Version: 1.10.0.12
Path: \windows\system32\
FileName: iccvid
------------------------------------------

*************************************************************
*********************** Hot Fixes ***************************
*************************************************************
Description: Security Update
HotFixID: KB925902
------------------------------------------
Description: Update
HotFixID: KB931573
------------------------------------------
Description: Security Update
HotFixID: KB938127
------------------------------------------
Description: Update
HotFixID: KB939159
------------------------------------------
Description: Update
HotFixID: KB949939
------------------------------------------
Description: Security Update
HotFixID: KB931213
------------------------------------------
Description: Security Update
HotFixID: KB942624
------------------------------------------
Description: Security Update
HotFixID: KB950760
------------------------------------------
Description: Security Update
HotFixID: KB951066
------------------------------------------
Description: Security Update
HotFixID: KB952069
------------------------------------------
Description: Security Update
HotFixID: KB954155
------------------------------------------
Description: Security Update
HotFixID: KB954459
------------------------------------------
Description: Update
HotFixID: KB959130
------------------------------------------
Description: Security Update
HotFixID: KB970238
------------------------------------------
Description: Update
HotFixID: KB972036
------------------------------------------
Description: Update
HotFixID: KB972145
------------------------------------------
Description: Security Update
HotFixID: KB973565
------------------------------------------
Description: Security Update
HotFixID: KB974318
------------------------------------------
Description: Security Update
HotFixID: KB974571
------------------------------------------
Description: Security Update
HotFixID: KB975517
------------------------------------------
Description: Security Update
HotFixID: KB975560
------------------------------------------
Description: Hotfix
HotFixID: KB975929
------------------------------------------
Description: Security Update
HotFixID: KB978251
------------------------------------------

*************************************************************
************************* Event Log *************************
*************************************************************
Application - 02/04/2010 18:29:43: Windows Installer reconfigured the product. Product Name: Windows Live Sign-in Assistant. Product Version: 5.000.818.5. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:44: Windows Installer reconfigured the product. Product Name: 35mm Film Scanner X86. Product Version: 5.00.0000. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:44: Windows Installer reconfigured the product. Product Name: MSVCRT. Product Version: 14.0.1468.721. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:45: Windows Installer reconfigured the product. Product Name: Windows Live Essentials. Product Version: 14.0.8089.726. Product Language: 9. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:45: Windows Installer reconfigured the product. Product Name: Junk Mail filter update. Product Version: 14.0.8089.726. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:45: Windows Installer reconfigured the product. Product Name: Windows Live Communications Platform. Product Version: 14.0.8098.930. Product Language: 0. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:45: Windows Installer reconfigured the product. Product Name: Microsoft Choice Guard. Product Version: 2.0.48.0. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:48: Windows Installer reconfigured the product. Product Name: OpenOffice.org 3.2. Product Version: 3.2.9483. Product Language: 2057. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:48: Windows Installer reconfigured the product. Product Name: Windows Live Upload Tool. Product Version: 14.0.8014.1029. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Application - 02/04/2010 18:29:49: Windows Installer reconfigured the product. Product Name: Windows Live Mail. Product Version: 14.0.8089.0726. Product Language: 1033. Reconfiguration success or error status: 0.
------------------------------------------
Security - 02/04/2010 11:00:23: The description for Event ID '4624' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', '5', 'Advapi  ', 'Negotiate', '', '{00000000-0000-0000-0000-000000000000}', '-', '-', '0', '0x320', 'C:\Windows\System32\services.exe', '-', '-'
------------------------------------------
Security - 02/04/2010 11:00:23: The description for Event ID '4672' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', 'SeAssignPrimaryTokenPrivilege
   SeTcbPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeDebugPrivilege
   SeAuditPrivilege
   SeSystemEnvironmentPrivilege
   SeImpersonatePrivilege'
------------------------------------------
Security - 02/04/2010 18:09:05: The description for Event ID '4648' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', '{00000000-0000-0000-0000-000000000000}', 'SYSTEM', 'NT AUTHORITY', '{00000000-0000-0000-0000-000000000000}', 'localhost', 'localhost', '0x320', 'C:\Windows\System32\services.exe', '-', '-'
------------------------------------------
Security - 02/04/2010 18:09:05: The description for Event ID '4624' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', '5', 'Advapi  ', 'Negotiate', '', '{00000000-0000-0000-0000-000000000000}', '-', '-', '0', '0x320', 'C:\Windows\System32\services.exe', '-', '-'
------------------------------------------
Security - 02/04/2010 18:09:05: The description for Event ID '4672' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', 'SeAssignPrimaryTokenPrivilege
   SeTcbPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeDebugPrivilege
   SeAuditPrivilege
   SeSystemEnvironmentPrivilege
   SeImpersonatePrivilege'
------------------------------------------
Security - 02/04/2010 18:12:09: The description for Event ID '4904' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', 'VSSAudit', '0xafa4b1', '0x11a4', 'C:\Windows\System32\VSSVC.exe'
------------------------------------------
Security - 02/04/2010 18:12:09: The description for Event ID '4905' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', 'VSSAudit', '0xafa4b1', '0x11a4', 'C:\Windows\System32\VSSVC.exe'
------------------------------------------
Security - 02/04/2010 18:29:38: The description for Event ID '4648' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', '{00000000-0000-0000-0000-000000000000}', 'SYSTEM', 'NT AUTHORITY', '{00000000-0000-0000-0000-000000000000}', 'localhost', 'localhost', '0x320', 'C:\Windows\System32\services.exe', '-', '-'
------------------------------------------
Security - 02/04/2010 18:29:38: The description for Event ID '4624' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'DAVID-PC$', 'WORKGROUP', '0x3e7', 'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', '5', 'Advapi  ', 'Negotiate', '', '{00000000-0000-0000-0000-000000000000}', '-', '-', '0', '0x320', 'C:\Windows\System32\services.exe', '-', '-'
------------------------------------------
Security - 02/04/2010 18:29:38: The description for Event ID '4672' in Source 'Microsoft-Windows-Security-Auditing' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'S-1-5-18', 'SYSTEM', 'NT AUTHORITY', '0x3e7', 'SeAssignPrimaryTokenPrivilege
   SeTcbPrivilege
   SeSecurityPrivilege
   SeTakeOwnershipPrivilege
   SeLoadDriverPrivilege
   SeBackupPrivilege
   SeRestorePrivilege
   SeDebugPrivilege
   SeAuditPrivilege
   SeSystemEnvironmentPrivilege
   SeImpersonatePrivilege'
------------------------------------------
System - 02/04/2010 18:21:48: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:21:48: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:21:48: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:23:20: The description for Event ID '1073748860' in Source 'Service Control Manager' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'WinHTTP Web Proxy Auto-Discovery Service', 'stopped'
------------------------------------------
System - 02/04/2010 18:23:28: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:26:08: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:26:43: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:26:44: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:26:44: Windows Servicing is setting package KB948609(Update) state to Resolving(Resolving)
------------------------------------------
System - 02/04/2010 18:29:38: The description for Event ID '1073748860' in Source 'Service Control Manager' cannot be found.  The local computer may not have the necessary registry information or message DLL files to display the message, or you may not have permission to access them.  The following information is part of the event:'Windows Installer', 'running'
------------------------------------------

*************************************************************
**************** Windows Experience Index *******************
*************************************************************
CPU Score: 3.5
Disk Score: 4.8
Graphics Score: 1
Direct 3D Score: 1
Memory Score: 4.3
WEI Score: 1

*************************************************************
************************* Users *****************************
*************************************************************
------------------------------------------
Name: Administrator Domain: David-PC
FullName:  Description: Built-in account for administering the computer/domain
Disabled: True
Status: Degraded
LocalAccount: True
PasswordChangeable: True
PasswordExpires: False
PasswordRequired: True
------------------------------------------
Name: David Domain: David-PC
FullName:  Description: 
Disabled: False
Status: OK
LocalAccount: True
PasswordChangeable: True
PasswordExpires: False
PasswordRequired: False
------------------------------------------
Name: Guest Domain: David-PC
FullName:  Description: Built-in account for guest access to the computer/domain
Disabled: True
Status: Degraded
LocalAccount: True
PasswordChangeable: False
PasswordExpires: False
PasswordRequired: False
------------------------------------------

*************************************************************
************************** Memory ***************************
*************************************************************
------------------------------------------
Manufacturer: 
Model: 
Name: Physical Memory
Bank Label: Bank 1
Capacity: 1024 MB
Description: Physical Memory
Tag: Physical Memory 0
------------------------------------------
Manufacturer: 
Model: 
Name: Physical Memory
Bank Label: Bank 2
Capacity: 1024 MB
Description: Physical Memory
Tag: Physical Memory 1
------------------------------------------

*************************************************************
************************ Video Card *************************
*************************************************************
Brand: S3 Graphics Co. Ltd.
Model: VIA Chrome9 HC IGP WDDM  
Adapter DAC Type: Internal
Adapter RAM: 256 MB
Current BitsPerPixel: 32
Current Number Of Colors: 4294967296
Current Refresh Rate: 60
Driver Date: 12/24/2006 06:53:18
Driver Version: 7.14.10.0053-15.31.07.06
MaxRefreshRate: 60
MinRefreshRate: 56
Status: OK
Video Memory Type: 2
Video Mode Description: 1280 x 800 x 4294967296 colors
Video Processor: VIA Chrome9 HC IGP

*************************************************************
************************** Drives ***************************
*************************************************************
Model: ST980811AS ATA Device
Description: Disk drive
InterfaceType: IDE
Partitions: 2
SCSIBus: 0
SCSILogicalUnit: 0
SCSIPort: 0
SCSITargetId: 0
SectorsPerTrack: 63
Size: 75 GB
Status: OK
------------------------------------------

*************************************************************
************************ CD/DVD Rom *************************
*************************************************************
Name: HL-DT-ST DVDRAM GSA-T10N ATA Device
Description: CD-ROM Drive
LastErrorCode: 
Manufacturer: (Standard CD-ROM drives)
Media Type: DVD Writer
------------------------------------------

*************************************************************
************************* IDE/SATA **************************
*************************************************************
------------------------------------------
Manufacturer: VIA Technologies, Inc.
Name: VIA Serial ATA Controller - 0591
Last Error Code: 
Status: OK
------------------------------------------
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Name: ATA Channel 0
Last Error Code: 
Status: OK
------------------------------------------
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Name: ATA Channel 1
Last Error Code: 
Status: OK
------------------------------------------
Manufacturer: VIA Technologies, Inc.
Name: VIA Bus Master IDE Controller - 0571
Last Error Code: 
Status: OK
------------------------------------------
Manufacturer: (Standard IDE ATA/ATAPI controllers)
Name: ATA Channel 1
Last Error Code: 
Status: OK
------------------------------------------

*************************************************************
************************** Network **************************
*************************************************************

Windows IP Configuration
   Host Name . . . . . . . . . . . . : David-PC
   Primary Dns Suffix  . . . . . . . : 
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : lan
Wireless LAN adapter Wireless Network Connection:
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : Atheros AR5005G Wireless Network Adapter
   Physical Address. . . . . . . . . : 00-C0-A8-D0-36-F0
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::ec85:c50:e14c:885f%11(Preferred) 
   IPv4 Address. . . . . . . . . . . : 192.168.1.73(Preferred) 
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 02 April 2010 09:11:42
   Lease Expires . . . . . . . . . . : 03 April 2010 09:11:41
   Default Gateway . . . . . . . . . : 192.168.1.254
   DHCP Server . . . . . . . . . . . : 192.168.1.254
   DHCPv6 IAID . . . . . . . . . . . : 151044264
   DNS Servers . . . . . . . . . . . : 192.168.1.254
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Local Area Connection:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : VIA Rhine II Compatible Fast Ethernet Adapter #2
   Physical Address. . . . . . . . . : 00-14-0B-0A-0E-E4
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 6:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : lan
   Description . . . . . . . . . . . : isatap.lan
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter Local Area Connection* 9:
   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   Physical Address. . . . . . . . . : 02-00-54-55-4E-01
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2001:0:5ef5:73ba:5d:10a3:3f57:feb6(Preferred) 
   Link-local IPv6 Address . . . . . : fe80::5d:10a3:3f57:feb6%8(Preferred) 
   Default Gateway . . . . . . . . . : ::
   NetBIOS over Tcpip. . . . . . . . : Disabled

*************************************************************
********************* Systerm Restore ***********************
*************************************************************
------------------------------------------
Description: Avg Update
Creation Time: 04/01/2010 08:34:19
SequenceNumber: 15
------------------------------------------
Description: Device Driver Package Install: FILMSCAN Imaging devices
Creation Time: 04/01/2010 13:11:27
SequenceNumber: 16
------------------------------------------
Description: Installed 35mm Film Scanner X86.
Creation Time: 04/01/2010 13:44:17
SequenceNumber: 17
------------------------------------------
Description: Installed Java(TM) 6 Update 18
Creation Time: 04/01/2010 19:21:19
SequenceNumber: 18
------------------------------------------
Description: Installed OpenOffice.org 3.2
Creation Time: 04/01/2010 19:22:54
SequenceNumber: 19
------------------------------------------
Description: Removed Java(TM) 6 Update 18
Creation Time: 04/02/2010 06:44:16
SequenceNumber: 20
------------------------------------------
Description: Avg Update
Creation Time: 04/02/2010 08:49:49
SequenceNumber: 22
------------------------------------------
Description: Avg Update
Creation Time: 04/02/2010 08:52:10
SequenceNumber: 24
------------------------------------------
Description: Windows Update
Creation Time: 04/02/2010 17:10:57
SequenceNumber: 25
------------------------------------------

*************************************************************
******************** Running Processes **********************
*************************************************************
------------------------------------------
Name: System Idle Process
------------------------------------------
Name: System
------------------------------------------
Name: smss.exe
------------------------------------------
Name: csrss.exe
------------------------------------------
Name: wininit.exe
------------------------------------------
Name: csrss.exe
------------------------------------------
Name: winlogon.exe
------------------------------------------
Name: services.exe
------------------------------------------
Name: lsass.exe
------------------------------------------
Name: lsm.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: audiodg.exe
------------------------------------------
Name: SLsvc.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: spoolsv.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: SearchIndexer.exe
------------------------------------------
Name: taskeng.exe
------------------------------------------
Name: dwm.exe
------------------------------------------
Name: explorer.exe
------------------------------------------
Name: taskeng.exe
------------------------------------------
Name: s3trayp.exe
------------------------------------------
Name: Apoint.exe
------------------------------------------
Name: sidebar.exe
------------------------------------------
Name: ApMsgFwd.exe
------------------------------------------
Name: ApntEx.exe
------------------------------------------
Name: MSASCui.exe
------------------------------------------
Name: avgchsvx.exe
------------------------------------------
Name: avgrsx.exe
------------------------------------------
Name: avgchsvx.exe
------------------------------------------
Name: avgcsrvx.exe
------------------------------------------
Name: avgwdsvc.exe
------------------------------------------
Name: avgnsx.exe
------------------------------------------
Name: avgemc.exe
------------------------------------------
Name: avgcsrvx.exe
------------------------------------------
Name: avgtray.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: wuauclt.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
Name: TrustedInstaller.exe
------------------------------------------
Name: wlmail.exe
------------------------------------------
Name: wlcomm.exe
------------------------------------------
Name: wuauclt.exe
------------------------------------------
Name: ieuser.exe
------------------------------------------
Name: iexplore.exe
------------------------------------------
Name: FlashUtil10e.exe
------------------------------------------
Name: cmd.exe
------------------------------------------
Name: notepad.exe
------------------------------------------
Name: VistaForums SysInfo.exe
------------------------------------------
Name: WmiPrvSE.exe
------------------------------------------
Name: WmiPrvSE.exe
------------------------------------------
Name: msiexec.exe
------------------------------------------
Name: dllhost.exe
------------------------------------------
Name: VSSVC.exe
------------------------------------------
Name: svchost.exe
------------------------------------------
 

Hi,

The log I really need is the HiJackThis log, as it is HiJackThis that can remove the parts of the virus hiding the other parts. Your bcdedit.exe log looks fine, and having a quick look over your SystemInfo log (this is slightly unrelated), it looks as though your system would see far better graphics results by installing the correct drivers for your graphics card, rather than just the Windows standard.

Richard
 

Hi,

Forgot to say in my last post: having siblings is fine; my wireless card has three, and one parent. You do have quite a lot, but it is not necessarily bad.

Also, since some websites are redirecting, there is one more thing to try (until I get the HiJackThis log).

Navigate to the C:\Windows\System32\Drivers\etc folder:

  • Right click on the Hosts file and select Properties.
  • Under the Security tab, click Advanced.
  • Under the Owner tab, click Edit.
  • Click "Other Users and Groups".
  • Click Advanced.
  • Click "Find Now".
  • Scroll down and double click on Everyone.
  • Click OK THREE times.
  • Click Edit (now on the standard file Property window under the Security tab).
  • Click Add.
  • Click Advanced.
  • Click "Find Now".
  • Scroll down and double click on Everyone.
  • Click OK.
  • Single click on Everyone and then tick the "Full Control" box under Allow.
  • Click OK TWO times.
Now delete the Hosts file (Windows will re-create it). It is probable that the virus will reinfect it, but it is worth a try. Log off and back on again and see if anything has changed.

Richard
 

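The steps above make the hosts file writable so it can be deleted; before deleting it, it is worth seeing what is actually in it. As an added example (not code from the forum or from HijackThis), this Python script reads hosts-file text, or the "O1 - Hosts:" lines HijackThis prints, and flags the redirect and blackhole entries behind the "websites are redirecting" symptom. The vendor watch list and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Names a default Windows hosts file legitimately maps to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed watch list (assumption): domains malware points at 127.0.0.1 to block updates.
SECURITY_VENDOR_DOMAINS = ("avg.com", "kaspersky.com", "symantec.com", "windowsupdate.com")

O1_PREFIX = re.compile(r"^O1 - Hosts:\s*")   # prefix HijackThis puts on hosts lines

def _is_vendor(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_VENDOR_DOMAINS)

def parse_hosts(text):
    """Yield (ip_address, hostname) for every mapping; comments are ignored."""
    for raw in text.splitlines():
        line = O1_PREFIX.sub("", raw.strip())    # accept HijackThis O1 lines too
        line = line.split("#", 1)[0].strip()     # strip trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # not an address/name mapping
        for name in parts[1:]:
            yield ip, name.lower()

def triage_hosts(text):
    """Return (kind, address, hostname) for entries worth a closer look:
    'redirect' = name sent to a non-loopback address; 'blackhole' = a security
    vendor's domain pointed at loopback; 'loopback-other' = any other
    non-localhost name at loopback (ad-block lists do this legitimately)."""
    findings = []
    for ip, name in parse_hosts(text):
        if not ip.is_loopback:
            findings.append(("redirect", str(ip), name))
        elif name not in LOOPBACK_NAMES:
            kind = "blackhole" if _is_vendor(name) else "loopback-other"
            findings.append((kind, str(ip), name))
    return findings

# Constructed sample: the Vista default entries plus two injected lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.45    www.google.com   # constructed: search traffic redirected
127.0.0.1       update.avg.com   # constructed: AV updates blackholed
"""

if __name__ == "__main__":
    for kind, addr, name in triage_hosts(SAMPLE_HOSTS):
        print(f"{kind:15} {addr:15} {name}")
```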
Hi Richard, thanks for the advice on the graphics, and here is the HijackThis log. Well, would you believe it: every time I try to run it, it says HijackThis is already running. I'll post an old log and shut down and restart.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:57, on 02/04/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\s3trayp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
--
End of file - 3781 bytes
 

Hi, just deleted the hosts file and restarted, and this is the HijackThis log file immediately after restart.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:57, on 02/04/2010
Platform: Windows Vista (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\s3trayp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint2K\ApMsgFwd.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O1 - Hosts: ::1 localhost
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O13 - Gopher Prefix:
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG Security Toolbar Service - Unknown owner - C:\Program Files\AVG\AVG9\Toolbar\ToolbarBroker.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
--
End of file - 3781 bytes
 

Hi,

Can you please download and run this tool: Downloads

Also, it may be that you are infected with the SearchCentrix Hijacker. Your HiJackThis log, however, does look very clean. If you ever want to scan just one file, here is a very good online tool: VirusTotal - Free Online Virus and Malware Scan

Back soon,

Richard
 

Hi, back again. As you say, things look quite clear now, but I would like to continue as I am finding this quite interesting.

Here are the results of a deep scan, but the next three entries are copies of key names from the registry that I found just browsing the registry. What I found unusual about these was that, although it denied me access and said it couldn't show me who the current owner was, I would be allowed to change permissions. Is this a regular entry?


// info: Rootkit removal help file
// copyright: (c) 2008-2009 Safer-Networking Ltd. All rights reserved.
:: RootAlyzer Results
File:"No admin in ACL","C:\Users\All Users\avg9\Log\history.xml"
File:"No admin in ACL","C:\ProgramData\avg9\Log\history.xml"



HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_USERS\S-1-5-18\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
HKEY_USERS\S-1-5-20\Software\Microsoft\SystemCertificates\Root\ProtectedRoots
 

Hi Richard, I forgot about the comment regarding my graphics card. I have tried as hard as I can to get a VIA driver, but because S3 technologies are integrated with VIA products I can't get anything from VIA. If you could recommend a driver I would appreciate it.
 
