
hijacked? [RESOLVED]


This topic is locked

#1 crazhorse (Member, 17 posts)

Hello,

Any time I open Firefox and browse the web I get IE windows that pop up. I downloaded and installed the following: Ad-Aware, SUPERAntiSpyware; I ran a Panda online virus scan and also installed Kaspersky. And nothing has got rid of the IE popping up.

Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:56 PM, on 4/26/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
C:\Program Files\ASUS\AASP\1.00.28\aaCenter.exe
C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe
C:\Program Files\Razer\Reclusa\razerhid.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Windows\vVX3000.exe
C:\Program Files\Mediafour\XPlay 3\XPlay.exe
C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe
C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\Explorer.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [SoundTray] C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe
O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe"
O4 - HKLM\..\Run: [Reclusa] C:\Program Files\Razer\Reclusa\razerhid.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\Windows\vVX3000.exe
O4 - HKLM\..\Run: [{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}] "C:\Program Files\Mediafour\XPlay 3\XPlay.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{B179023B-6238-4499-8F26-CD73E9D90E0A}] "C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe"
O4 - HKLM\..\Run: [MDGetStarted.exe] "C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" /auto
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Motorola PcSync] "C:\Program Files\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [mRouterConfig] "C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll (file missing)
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\MelodyCan\YouTubeRipper.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...282/mcfscan.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Andrea ADI Filters Service (AEADIFilters) - Andrea Electronics Corporation - C:\Windows\system32\AEADISRV.EXE
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: M4iPodWPDService - Mediafour Corporation - C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe
O23 - Service: MacDriveService - Mediafour Corporation - C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\Windows\system32\snmvtsvc.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: Stuffit Archive Name Service - Smith Micro Software, Inc. - C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe

--
End of file - 9757 bytes


combo log:

ComboFix 08-04-24.1 - John Doe 2008-04-26 23:01:00.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.994 [GMT -5:00]
Running from: C:\Users\John Doe\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 23:08 . 2008-04-26 23:08 <DIR> d-------- C:\Temp\tn3
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:22 <DIR> d-------- C:\Program Files\Panda Security
2008-04-26 20:21 . 2008-04-26 20:21 1,866 --a------ C:\Windows\mozver.dat
2008-04-26 20:20 . 2008-04-26 20:20 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 20:20 . 2008-04-26 22:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 19:51 . 2008-04-26 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 16:14 . 2008-04-26 16:14 167,545 --a------ C:\Windows\System32\drivers\core.cache.dsk
2008-04-26 15:57 . 2008-04-26 15:57 268 --ah----- C:\sqmdata19.sqm
2008-04-26 15:57 . 2008-04-26 15:57 244 --ah----- C:\sqmnoopt19.sqm
2008-04-26 15:47 . 2008-04-26 15:47 268 --ah----- C:\sqmdata18.sqm
2008-04-26 15:47 . 2008-04-26 15:47 244 --ah----- C:\sqmnoopt18.sqm
2008-04-26 15:23 . 2008-04-26 15:23 268 --ah----- C:\sqmdata17.sqm
2008-04-26 15:23 . 2008-04-26 15:23 244 --ah----- C:\sqmnoopt17.sqm
2008-04-26 14:55 . 2008-04-26 14:55 268 --ah----- C:\sqmdata16.sqm
2008-04-26 14:55 . 2008-04-26 14:55 244 --ah----- C:\sqmnoopt16.sqm
2008-04-26 14:35 . 2008-04-26 14:35 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 14:23 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-04-26 14:23 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-04-26 14:23 . 2008-04-24 08:10 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\404Fix.exe
2008-04-26 14:23 . 2003-06-05 21:13 53,248 --a------ C:\Windows\System32\Process.exe
2008-04-26 14:23 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-04-26 14:23 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-04-26 14:23 . 2008-04-26 14:23 5,410 --a------ C:\Windows\System32\tmp.reg
2008-04-26 14:05 . 2008-04-26 14:05 268 --ah----- C:\sqmdata15.sqm
2008-04-26 14:05 . 2008-04-26 14:05 244 --ah----- C:\sqmnoopt15.sqm
2008-04-26 13:54 . 2008-04-26 13:54 268 --ah----- C:\sqmdata14.sqm
2008-04-26 13:54 . 2008-04-26 13:54 244 --ah----- C:\sqmnoopt14.sqm
2008-04-26 12:39 . 2008-04-26 13:17 96,645 --a------ C:\Windows\System32\drivers\klin.dat
2008-04-26 12:39 . 2008-04-26 13:17 87,941 --a------ C:\Windows\System32\drivers\klick.dat
2008-04-26 12:36 . 2008-04-26 23:10 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-26 12:36 . 2008-04-26 23:10 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-26 12:36 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-26 12:36 . 2008-04-26 23:09 63,311,392 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-04-26 12:36 . 2008-04-26 23:06 849,392 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-04-26 12:32 . 2008-04-26 12:32 <DIR> d-------- C:\kav
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-26 11:18 . 2008-04-26 11:18 <DIR> d-------- C:\Windows\McAfee.com
2008-04-26 11:09 . 2008-04-26 11:09 10 --a------ C:\Windows\wintst32.tmp
2008-04-26 10:36 . 2008-04-26 10:36 268 --ah----- C:\sqmdata13.sqm
2008-04-26 10:36 . 2008-04-26 10:36 244 --ah----- C:\sqmnoopt13.sqm
2008-04-26 10:35 . 2008-04-26 11:08 220 --a------ C:\Windows\wininit.ini
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\Users\All Users\sysqcl0.dat
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\ProgramData\sysqcl0.dat
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-26 10:10 . 2008-04-26 10:10 <DIR> d-------- C:\Program Files\plasq
2008-04-26 10:08 . 2008-04-26 10:08 <DIR> d-------- C:\Windows\System32\wTMP
2008-04-26 10:08 . 2008-04-26 18:11 <DIR> d-------- C:\Windows\System32\pnVes06
2008-04-26 10:08 . 2008-04-26 10:08 <DIR> d-------- C:\Temp\zvebs14
2008-04-26 10:08 . 2008-04-26 10:08 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 10:08 . 2008-04-26 23:08 <DIR> d-------- C:\Temp
2008-04-26 10:08 . 2008-04-26 10:08 86,144 --------- C:\Windows\System32\drivers\swenumm.sys
2008-04-26 10:08 . 2008-04-26 10:08 194 -r-hs---- C:\Windows\mainms.vpi
2008-04-26 10:08 . 2008-04-26 13:57 33 -r-hs---- C:\Windows\muotr.so
2008-04-26 10:08 . 2008-04-26 14:05 8 -r-hs---- C:\Windows\megavid.cdt
2008-04-23 19:30 . 2008-04-23 19:30 268 --ah----- C:\sqmdata12.sqm
2008-04-23 19:30 . 2008-04-23 19:30 244 --ah----- C:\sqmnoopt12.sqm
2008-04-22 21:33 . 2008-04-22 21:33 268 --ah----- C:\sqmdata11.sqm
2008-04-22 21:33 . 2008-04-22 21:33 244 --ah----- C:\sqmnoopt11.sqm
2008-04-22 21:31 . 2008-04-22 21:31 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-04-22 21:30 . 2008-04-22 21:30 <DIR> d-------- C:\wd
2008-04-22 20:44 . 2008-04-22 20:48 <DIR> d-------- C:\partition
2008-04-22 20:17 . 2008-04-22 20:17 268 --ah----- C:\sqmdata10.sqm
2008-04-22 20:17 . 2008-04-22 20:17 244 --ah----- C:\sqmnoopt10.sqm
2008-04-22 20:09 . 2008-04-22 20:09 268 --ah----- C:\sqmdata09.sqm
2008-04-22 20:09 . 2008-04-22 20:09 244 --ah----- C:\sqmnoopt09.sqm
2008-04-19 23:41 . 2008-04-19 23:41 <DIR> d-------- C:\cpu
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\All Users\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\ProgramData\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Program Files\Ipswitch
2008-04-19 21:52 . 2007-08-09 12:50 606,293 --a------ C:\Windows\System32\wbocx.ocx
2008-04-19 21:52 . 2007-08-09 12:50 50,688 --a------ C:\Windows\System32\wbhelp2.dll
2008-04-18 23:48 . 2008-04-18 23:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_M4iPodWPDDriver_01_00_00.Wdf
2008-04-18 21:48 . 2008-04-18 21:48 268 --ah----- C:\sqmdata08.sqm
2008-04-18 21:48 . 2008-04-18 21:48 244 --ah----- C:\sqmnoopt08.sqm
2008-04-15 20:54 . 2008-04-22 17:31 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\Users\All Users\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\ProgramData\Azureus
2008-04-15 20:53 . 2008-04-15 20:53 <DIR> d-------- C:\Program Files\Azureus
2008-04-13 13:44 . 2008-04-13 13:46 <DIR> d-------- C:\LITEON
2008-04-11 17:23 . 2008-04-11 17:23 38,400 --a------ C:\Windows\System32\SoundSchemes.exe
2008-04-08 16:03 . 2008-04-26 23:06 12 --a------ C:\Windows\bthservsdp.dat
2008-04-08 09:10 . 2008-04-08 09:10 170,224 --ah----- C:\Windows\System32\mlfcache.dat
2008-04-07 19:03 . 2008-04-08 17:09 <DIR> d-------- C:\Iphone music
2008-04-07 18:51 . 2008-04-07 19:04 <DIR> d-------- C:\Program Files\Tansee iPhone Transfer
2008-04-06 14:55 . 2008-04-06 14:55 <DIR> d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-04-06 14:54 . 2008-04-06 14:54 <DIR> d-------- C:\speech
2008-04-05 12:57 . 2008-04-05 12:59 <DIR> d-------- C:\p2k
2008-04-04 17:21 . 2008-04-04 17:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-04-04 17:02 . 2008-04-04 17:26 <DIR> d-------- C:\Program Files\LiveUpdate
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\ProgramData\BVRP Software
2008-04-04 16:58 . 2008-04-04 16:58 <DIR> d-------- C:\tools
2008-04-02 21:23 . 2008-04-26 23:08 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-02 21:23 . 2008-04-02 21:23 1,409 --a------ C:\Windows\QTFont.for
2008-04-02 21:22 . 2008-04-02 21:22 <DIR> d-------- C:\Program Files\iPod
2008-04-02 21:12 . 2008-04-02 21:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 21:03 . 2008-04-02 21:03 268 --ah----- C:\sqmdata07.sqm
2008-04-02 21:03 . 2008-04-02 21:03 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 20:47 . 2008-04-02 20:47 268 --ah----- C:\sqmdata06.sqm
2008-04-02 20:47 . 2008-04-02 20:47 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 04:09 --------- d-----w C:\Program Files\Steam
2008-04-27 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 00:57 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-26 19:59 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-26 03:43 --------- d-----w C:\Users\John Doe\AppData\Roaming\NewsLeecher
2008-04-26 03:41 --------- d-----w C:\Program Files\NewsLeecher
2008-04-23 01:09 --------- d-----w C:\Program Files\mIRC
2008-04-22 22:43 --------- d-----w C:\Program Files\Windows Mail
2008-04-20 02:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 23:46 --------- d-----w C:\Program Files\Music Rescue
2008-04-03 02:22 --------- d-----w C:\Program Files\iTunes
2008-03-27 01:42 --------- d-----w C:\Program Files\iLiberty
2008-03-22 04:16 --------- d-----w C:\Program Files\Motorola
2008-03-22 04:00 --------- d-----w C:\Users\John Doe\AppData\Roaming\Teleca
2008-03-22 03:59 --------- d-----w C:\Users\John Doe\AppData\Roaming\PhoneAppMgr
2008-03-22 02:55 --------- d-----w C:\Users\John Doe\AppData\Roaming\Motorola
2008-03-22 02:53 --------- d-----w C:\Program Files\Symbian
2008-03-22 02:53 --------- d-----w C:\Program Files\Intuwave
2008-03-22 02:52 --------- d-----w C:\ProgramData\Teleca
2008-03-22 02:52 --------- d-----w C:\ProgramData\Motorola
2008-03-22 02:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-21 04:23 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-19 22:29 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-03-19 02:12 --------- d-----w C:\ProgramData\NVIDIA
2008-03-19 02:09 174 --sha-w C:\Program Files\desktop.ini
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Journal
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Defender
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Calendar
2008-03-19 01:48 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-19 01:48 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-19 01:25 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-03-19 01:25 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-03-15 16:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-12 20:21 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-03-10 02:56 --------- d-----w C:\Program Files\Java
2008-03-09 17:13 --------- d-----w C:\Program Files\SoundTaxi
2008-03-07 23:53 --------- d-----w C:\Program Files\KC Softwares
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\Media Player Classic
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\DivX
2008-03-07 23:19 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-07 23:11 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-07 23:11 47,360 ----a-w C:\Users\John Doe\AppData\Roaming\pcouffin.sys
2008-03-07 23:11 --------- d-----w C:\Users\John Doe\AppData\Roaming\Vso
2008-03-07 23:11 --------- d-----w C:\Program Files\IdealDVDCopy
2008-03-07 22:56 11,114 ----a-w C:\Users\All Users\MainApp.dll
2008-03-07 22:56 11,114 ----a-w C:\ProgramData\MainApp.dll
2008-03-07 03:44 --------- d-----w C:\Program Files\CloneDVD
2008-03-07 03:40 81,920 ----a-w C:\Users\John Doe\AppData\Roaming\ezpinst.exe
2008-03-07 03:40 --------- d-----w C:\ProgramData\DVDXStudio
2008-03-04 22:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-04 22:06 --------- d-----w C:\ProgramData\Logitech
2008-03-04 05:18 --------- d-----w C:\ProgramData\Symantec
2008-03-04 05:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 23:51 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-02 23:03 --------- d-----w C:\Program Files\VistaCodecPack
2008-03-02 18:45 --------- d-----w C:\Program Files\PicoZipRT
2008-03-02 18:26 --------- d-----w C:\Program Files\ElcomSoft
2008-03-02 17:28 --------- d-----w C:\Users\John Doe\AppData\Roaming\InterVideo
2008-03-01 21:34 --------- d-----w C:\ProgramData\Apple Computer
2008-03-01 21:33 --------- d-----w C:\Program Files\InterVideo Information Service
2008-03-01 21:33 --------- d-----w C:\Program Files\Common Files\Ulead
2008-03-01 21:31 --------- d-----w C:\Program Files\InterVideo
2008-03-01 21:31 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-01 19:24 --------- d-----w C:\Program Files\Real
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\Real
2008-03-01 19:18 --------- d-----w C:\Program Files\RM Converter
2008-03-01 17:48 --------- d-----w C:\Users\John Doe\AppData\Roaming\Apple Computer
2008-03-01 17:48 --------- d-----w C:\Program Files\Safari
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-23 02:21 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-08 23:37 219,664 ----a-w C:\Windows\System32\klogon.dll
2008-01-29 17:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-12 05:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-26_15.33.18.48 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-26 20:25:04 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-27 04:08:12 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-26 17:39:11 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-04-27 00:46:47 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-04-26 17:39:11 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-04-27 00:46:45 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-04-26 17:39:11 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-27 00:46:47 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-04-27 01:20:49 29,696 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-04-27 01:20:49 18,944 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-04-27 01:20:50 65,024 ----a-r C:\Windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2008-04-26 20:27:08 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 04:04:38 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-26 20:25:59 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-27 04:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-26 20:17:30 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 04:02:02 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-26 20:25:59 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 04:08:44 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 04:08:44 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-26 20:25:28 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-04-26 21:15:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-04-26 20:25:28 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-04-26 21:15:17 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-04-26 20:25:28 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-04-26 21:15:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-04-26 20:04:14 101,988 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-27 03:55:08 101,988 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-26 20:04:14 598,350 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-27 03:55:08 598,350 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-26 20:27:55 13,346 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3753868638-1166536986-4250003746-1000_UserData.bin
+ 2008-04-27 03:50:40 13,520 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3753868638-1166536986-4250003746-1000_UserData.bin
- 2008-04-26 20:27:55 106,244 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 03:50:40 107,460 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-26 20:27:26 66,790 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 03:50:37 67,894 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43 4670704]
"Steam"="c:\program files\steam\steam.exe" [2008-04-02 20:52 1271032]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 23:56 218032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 11:54 290816]
"P2kAutostart"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-26 22:50 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe" [2007-04-01 12:44 49152]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 14:49 1423360]
"Reclusa"="C:\Program Files\Razer\Reclusa\razerhid.exe" [2007-03-07 17:49 167936]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\Windows\KHALMNPR.Exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 20:48 275800]
"VX3000"="C:\Windows\vVX3000.exe" [2006-12-05 18:38 707360]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="C:\Program Files\Mediafour\XPlay 3\XPlay.exe" [2008-01-31 16:02 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 11:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 14:23 139264]
"TkBellExe"="C:\Program Files\VistaCodecPack\rm\Update_OB\realsched.exe" [ ]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-02 11:32 1261568]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-06 21:00 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 21:00 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-06 21:00 81920]
"Motorola PcSync"="C:\Program Files\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" [2007-10-02 12:47 544768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 21:05:16 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-06-28 20:42:33 692224]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-26 22:50 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= divxa32.acm
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4916AE0E-A2DF-4A53-ADA9-E0DC6BA2B160}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{863C54F9-86B5-4AB9-8013-13AF5799D281}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7B25B8DA-6227-446A-99D8-DF6FB630F262}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E7A76F84-B061-4976-BE4B-DC844719D9BF}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9CE75A46-CB32-4D58-9133-FCFC50FC0EE2}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{F59BED3A-5284-447F-B7BD-5BA453EB3C02}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"TCP Query User{78CE494B-7E78-4B0D-A34F-C6B280047DD9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{21DBC182-B3AD-4918-B145-92D5A9152361}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{7519BB5F-29E2-4BBE-ABC8-FEA2B577A7AE}C:\\program files\\best buy rhapsody\\rhapsody.exe"= UDP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{55D8A642-8684-4BC8-87FB-B171E336B428}C:\\program files\\best buy rhapsody\\rhapsody.exe"= TCP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{403A5E2B-24B9-4E98-883A-3632AF922282}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B93790AB-26AF-4BEF-907F-A2DD1543AABB}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{07539FE7-B541-48C7-ACE1-4DACA8A7817E}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{036BC00C-8C14-4BD6-931B-DCFAD56E13F5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CFF4F6FC-EBEA-4ED2-9BD5-B4E5C54A7502}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1D21C00B-1763-45EF-93B7-E1EBCC616DA5}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{9B7403CF-F936-4515-B55C-DBAB57C3EE8A}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B01776D2-9084-40EE-8DB3-C26D21741890}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{37A129D0-59C9-4A7D-81EF-586492841C99}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{1F404CB4-E5EE-4042-93E3-7552986DE61D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{DEAA83D6-92D5-4A5A-BFED-12E1416DBA10}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{8CB5CF58-CCC5-497E-9337-4632F24F49C6}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F49F8B11-2125-461B-B008-2CB0C5B966AF}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{2ED1E4E8-76B5-47DE-89A8-D4C3AE7A76F7}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{EA9E5B8E-DACD-4B46-91A9-5B7995B59AC9}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"{D58F0834-4044-49C8-87F5-4E717D5CE98F}"= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
"{D6A4A30D-2357-453B-91A0-C4C837FD5138}"= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
"TCP Query User{988D5A89-D5F3-4603-A098-964677921D83}C:\\program files\\atari\\boiling point\\xenus.exe"= UDP:C:\program files\atari\boiling point\xenus.exe:Xenus
"UDP Query User{F3B4D19F-482D-4F6C-BEB1-6E33633AF284}C:\\program files\\atari\\boiling point\\xenus.exe"= TCP:C:\program files\atari\boiling point\xenus.exe:Xenus
"{FE03A966-FD75-4237-8F90-4B723D933B8F}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5DFBD29B-52AF-40BF-8766-A8453FFDCBA7}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{CDEC1F12-76D6-417C-8A58-DB9CD614B140}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{4B2F9999-ADA9-462E-A986-22435D2D347F}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{01A090FF-AAE8-4A3D-83FA-2E61471AA574}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4690CEBC-67A6-459D-A9C3-753A47CF1115}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{371D09FA-BFE0-468E-99A3-1DEE8799C963}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3F04110F-BBA6-4241-B5E3-75D63D230629}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6C7F87AF-51B2-422D-B348-3342EB1BAA92}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{264F1859-9056-4171-90EB-553D189E5497}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9F94BD8E-279F-48F7-A28B-1373872CD56A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F0569049-814F-46F8-BC28-DD07FA25541C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {A5B1F7C1-5288-46FE-AF95-9825D626F119}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R0 MDFSYSNT;MacDrive file system driver;C:\Windows\system32\drivers\MDFSYSNT.sys [2008-01-29 22:35]
R0 MDPMGRNT;MDPMGRNT;C:\Windows\system32\drivers\MDPMGRNT.sys [2007-02-28 12:15]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;C:\Windows\system32\DRIVERS\rtlprot.sys [2007-04-02 10:57]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-05 17:44]
R2 M4iPodWPDService;M4iPodWPDService;"C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe" [2008-01-23 13:31]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 15:55]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 17:13]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe" [2007-07-18 15:26]
R3 CamdDriverV32;CamdDriverV32;C:\Windows\system32\drivers\CamdDriverV32.sys [2007-12-28 15:57]
R3 CamdVideo32;CamdVideo32;C:\Windows\system32\DRIVERS\CamdVideo32.sys [2007-12-28 15:57]
R3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 09:21]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys [2007-11-19 07:59]
R3 SndTDriverV32;SndTDriverV32;C:\Windows\system32\drivers\SndTDriverV32.sys [2007-09-28 13:17]
R3 WmaCDriverV32;WmaCDriverV32;C:\Windows\system32\drivers\WmaCDriverV32.sys [2007-12-06 15:44]
R3 WmaCVideo32;WmaCVideo32;C:\Windows\system32\DRIVERS\WmaCVideo32.sys [2007-12-06 15:44]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 10:51]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 SoundMovieServer;SoundMovieServer;"C:\Windows\system32\snmvtsvc.exe" [2007-09-28 13:14]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-26 14:09]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 00:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7050012-50fc-11dc-bf15-001bfc2d0d2e}]
\shell\AutoRun\command - G:\LaunchU3.exe -a

*Newly Created Service* - SASDIFSV

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 04:04:17 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-27 04:08:31 C:\Windows\Tasks\RtlVistaStart.job"
- C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
"2008-04-26 16:37:24 C:\Windows\Tasks\User_Feed_Synchronization-{52EA01DA-AC6C-4D26-8930-FB1C29CED8CA}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-26 23:09:49
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ASUS\AASP\1.00.28\aaCenter.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
C:\Windows\assembly\GAC_32\mcupdate\6.0.6000.0__31bf3856ad364e35\mcupdate.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-04-26 23:17:28 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 04:17:05
ComboFix2.txt 2008-04-26 20:56:53
ComboFix3.txt 2008-04-26 20:34:38

Pre-Run: 484,412,002,304 bytes free
Post-Run: 484,255,731,712 bytes free

459 --- E O F --- 2008-04-27 00:46:55

I've been working on this for hours, any help is appreciated.

thanks

#2
greyknight17
    Malware Expert
  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Open up C:\Windows\wininit.ini in Notepad and copy/paste the contents of that file here. Once you post it here, I want you to clear out that file and copy/paste the following two lines in it and save the file:

[rename]
nul=

Download ATF Cleaner at http://www.atribune..../click.php?id=1
Double-click ATF-Cleaner.exe to run the program. Under Main choose Select All
Click the Empty Selected button.

If you use the Firefox browser click Firefox at the top and choose Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser click 'Opera' at the top and choose 'Select All'
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.


Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy and paste the text into the quotebox below:

File::
C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\wintst32.tmp
C:\Users\All Users\sysqcl0.dat
C:\ProgramData\sysqcl0.dat
C:\Windows\System32\drivers\swenumm.sys
C:\Windows\mainms.vpi
C:\Windows\muotr.so
C:\Windows\megavid.cdt
Folder::
C:\Temp\tn3
C:\Program Files\plasq
C:\Windows\System32\wTMP
C:\Windows\System32\pnVes06
C:\Temp\zvebs14
C:\Temp\kvebs14

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on combofix's window while it's running. That may cause it to stall.

How is the computer running so far?
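To make the [rename] semantics in the reply above concrete, here is an added Python script (not part of this thread and not code from ComboFix, ATF Cleaner or any other tool named in it) that parses the [rename] section of a wininit.ini, classifies each entry as a move or a delete, flags entries that act on files under system directories, reports files named by more than one entry, and recognises the neutralised two-line file the reply asks for. It embeds the wininit.ini contents crazhorse posts later in the thread as sample input; the sensitive-directory list is an assumption of this example.

```python
import sys
from dataclasses import dataclass
from typing import Dict, List

# Directories where a pending move or delete deserves a closer look.
# (Assumption for this example; the thread defines no such list.)
SENSITIVE_DIRS = (r"\windows\system32\drivers", r"\windows\system32")


@dataclass
class RenameOp:
    line_no: int       # 1-based line number in the file
    destination: str   # left-hand side; "nul" means delete
    source: str        # right-hand side: the file acted on at next boot
    action: str        # "delete" or "move"
    flagged: bool      # source lives under a sensitive directory


def parse_rename_section(text: str) -> List[RenameOp]:
    """Return the effective operations listed under [rename].

    A line 'dst=src' moves src to dst; 'nul=src' deletes src.  A line with
    an empty right-hand side (the bare 'nul=' the helper asks for) names no
    file and is therefore not an operation.
    """
    ops: List[RenameOp] = []
    in_rename = False
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue                      # section header
        if not in_rename or "=" not in line:
            continue                      # other section, or malformed line
        dst, src = (part.strip() for part in line.split("=", 1))
        if not src:
            continue                      # 'nul=' with nothing to act on
        action = "delete" if dst.lower() == "nul" else "move"
        flagged = any(d in src.lower() for d in SENSITIVE_DIRS)
        ops.append(RenameOp(line_no, dst, src, action, flagged))
    return ops


def is_neutralised(text: str) -> bool:
    """True when the file has a [rename] section that performs nothing."""
    has_section = any(ln.strip().lower() == "[rename]" for ln in text.splitlines())
    return has_section and not parse_rename_section(text)


def repeated_sources(ops: List[RenameOp]) -> Dict[str, int]:
    """Sources named by more than one entry, a sign of conflicting intent."""
    counts: Dict[str, int] = {}
    for op in ops:
        counts[op.source.lower()] = counts.get(op.source.lower(), 0) + 1
    return {src: n for src, n in counts.items() if n > 1}


def summarise(ops: List[RenameOp]) -> List[str]:
    """One readable line per operation; flagged ones are marked with '!'."""
    lines = []
    for op in ops:
        mark = "!" if op.flagged else " "
        if op.action == "delete":
            lines.append(f"{mark} line {op.line_no}: delete {op.source}")
        else:
            lines.append(f"{mark} line {op.line_no}: move {op.source} -> {op.destination}")
    return lines


# The wininit.ini contents crazhorse posted later in this thread, embedded
# as sample input so the script runs offline.
SAMPLE = r"""[rename]
c:\tempjunk7373.tmp=C:\Windows\System32\drivers\core.cache.dsk
nul=c:\tempjunk8899.tmp
c:\tempjunk5580.tmp=C:\Windows\mrofinu1000106.exe_old
c:\tempjunk8899.tmp=C:\Windows\System32\drivers\core.cache.dsk
"""

# The two-line replacement greyknight17 asks for: a [rename] section that does nothing.
NEUTRALISED = "[rename]\nnul=\n"


if __name__ == "__main__":
    # Read a real wininit.ini if a path is given, otherwise use the sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    ops = parse_rename_section(text)
    print("\n".join(summarise(ops)) or "no effective [rename] operations")
    for src, n in repeated_sources(ops).items():
        print(f"note: {src} is referenced by {n} entries")
    print("neutralised:", is_neutralised(text))
```

Run with no arguments to see the sample classified, or pass the path of a wininit.ini copied off the affected machine.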

#3
crazhorse
    Member
  • Topic Starter
  • 17 posts
Here are the contents of wini

[rename]
c:\tempjunk7373.tmp=C:\Windows\System32\drivers\core.cache.dsk
nul=c:\tempjunk8899.tmp
c:\tempjunk5580.tmp=C:\Windows\mrofinu1000106.exe_old
c:\tempjunk8899.tmp=C:\Windows\System32\drivers\core.cache.dsk

Here's the CF log file

ComboFix 08-04-24.1 - John Doe 2008-04-27 10:02:03.5 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.966 [GMT -5:00]
Running from: C:\Users\John Doe\Desktop\ComboFix.exe
Command switches used :: C:\Users\John Doe\Desktop\CFScript (2).lnk
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 10:07 . 2008-04-27 10:07 <DIR> d-------- C:\Temp\tn3
2008-04-27 09:16 . 2008-04-27 09:16 <DIR> d-------- C:\Users\All Users\Yahoo! Companion
2008-04-27 09:16 . 2008-04-27 09:16 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-04-27 09:06 . 2008-04-27 09:06 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 08:52 . 2008-04-27 08:52 167,545 --a------ C:\Windows\System32\drivers\core.cache.dsk
2008-04-26 23:38 . 2008-04-26 23:38 <DIR> d-------- C:\VundoFix Backups
2008-04-26 23:36 . 2008-04-26 23:36 <DIR> d-------- C:\!KillBox
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:22 <DIR> d-------- C:\Program Files\Panda Security
2008-04-26 20:21 . 2008-04-26 20:21 1,866 --a------ C:\Windows\mozver.dat
2008-04-26 20:20 . 2008-04-26 20:20 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 20:20 . 2008-04-26 22:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 19:51 . 2008-04-26 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 15:57 . 2008-04-26 15:57 268 --ah----- C:\sqmdata19.sqm
2008-04-26 15:57 . 2008-04-26 15:57 244 --ah----- C:\sqmnoopt19.sqm
2008-04-26 15:47 . 2008-04-26 15:47 268 --ah----- C:\sqmdata18.sqm
2008-04-26 15:47 . 2008-04-26 15:47 244 --ah----- C:\sqmnoopt18.sqm
2008-04-26 15:23 . 2008-04-26 15:23 268 --ah----- C:\sqmdata17.sqm
2008-04-26 15:23 . 2008-04-26 15:23 244 --ah----- C:\sqmnoopt17.sqm
2008-04-26 14:55 . 2008-04-26 14:55 268 --ah----- C:\sqmdata16.sqm
2008-04-26 14:55 . 2008-04-26 14:55 244 --ah----- C:\sqmnoopt16.sqm
2008-04-26 14:35 . 2008-04-26 14:35 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 14:23 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-04-26 14:23 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-04-26 14:23 . 2008-04-24 08:10 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\404Fix.exe
2008-04-26 14:23 . 2003-06-05 21:13 53,248 --a------ C:\Windows\System32\Process.exe
2008-04-26 14:23 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-04-26 14:23 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-04-26 14:23 . 2008-04-26 14:23 5,410 --a------ C:\Windows\System32\tmp.reg
2008-04-26 14:05 . 2008-04-26 14:05 268 --ah----- C:\sqmdata15.sqm
2008-04-26 14:05 . 2008-04-26 14:05 244 --ah----- C:\sqmnoopt15.sqm
2008-04-26 13:54 . 2008-04-26 13:54 268 --ah----- C:\sqmdata14.sqm
2008-04-26 13:54 . 2008-04-26 13:54 244 --ah----- C:\sqmnoopt14.sqm
2008-04-26 12:39 . 2008-04-26 13:17 96,645 --a------ C:\Windows\System32\drivers\klin.dat
2008-04-26 12:39 . 2008-04-26 13:17 87,941 --a------ C:\Windows\System32\drivers\klick.dat
2008-04-26 12:36 . 2008-04-27 10:09 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-26 12:36 . 2008-04-27 10:09 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-26 12:36 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-26 12:36 . 2008-04-27 10:09 68,011,808 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-04-26 12:36 . 2008-04-27 10:05 912,152 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-04-26 12:32 . 2008-04-26 12:32 <DIR> d-------- C:\kav
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-26 11:18 . 2008-04-26 11:18 <DIR> d-------- C:\Windows\McAfee.com
2008-04-26 11:09 . 2008-04-26 11:09 10 --a------ C:\Windows\wintst32.tmp
2008-04-26 10:36 . 2008-04-26 10:36 268 --ah----- C:\sqmdata13.sqm
2008-04-26 10:36 . 2008-04-26 10:36 244 --ah----- C:\sqmnoopt13.sqm
2008-04-26 10:35 . 2008-04-27 09:58 16 --a------ C:\Windows\wininit.ini
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\Users\All Users\sysqcl0.dat
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\ProgramData\sysqcl0.dat
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-26 10:10 . 2008-04-26 10:10 <DIR> d-------- C:\Program Files\plasq
2008-04-26 10:08 . 2008-04-26 10:08 <DIR> d-------- C:\Windows\System32\wTMP
2008-04-26 10:08 . 2008-04-26 18:11 <DIR> d-------- C:\Windows\System32\pnVes06
2008-04-26 10:08 . 2008-04-27 08:51 <DIR> d-------- C:\Temp\kvebs14
2008-04-26 10:08 . 2008-04-27 10:07 <DIR> d-------- C:\Temp
2008-04-26 10:08 . 2008-04-26 10:08 86,144 --------- C:\Windows\System32\drivers\swenumm.sys
2008-04-26 10:08 . 2008-04-26 10:08 194 -r-hs---- C:\Windows\mainms.vpi
2008-04-26 10:08 . 2008-04-26 13:57 33 -r-hs---- C:\Windows\muotr.so
2008-04-26 10:08 . 2008-04-26 14:05 8 -r-hs---- C:\Windows\megavid.cdt
2008-04-23 19:30 . 2008-04-23 19:30 268 --ah----- C:\sqmdata12.sqm
2008-04-23 19:30 . 2008-04-23 19:30 244 --ah----- C:\sqmnoopt12.sqm
2008-04-22 21:33 . 2008-04-22 21:33 268 --ah----- C:\sqmdata11.sqm
2008-04-22 21:33 . 2008-04-22 21:33 244 --ah----- C:\sqmnoopt11.sqm
2008-04-22 21:31 . 2008-04-22 21:31 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-04-22 21:30 . 2008-04-22 21:30 <DIR> d-------- C:\wd
2008-04-22 20:44 . 2008-04-22 20:48 <DIR> d-------- C:\partition
2008-04-22 20:17 . 2008-04-22 20:17 268 --ah----- C:\sqmdata10.sqm
2008-04-22 20:17 . 2008-04-22 20:17 244 --ah----- C:\sqmnoopt10.sqm
2008-04-22 20:09 . 2008-04-22 20:09 268 --ah----- C:\sqmdata09.sqm
2008-04-22 20:09 . 2008-04-22 20:09 244 --ah----- C:\sqmnoopt09.sqm
2008-04-19 23:41 . 2008-04-19 23:41 <DIR> d-------- C:\cpu
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\All Users\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\ProgramData\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Program Files\Ipswitch
2008-04-19 21:52 . 2007-08-09 12:50 606,293 --a------ C:\Windows\System32\wbocx.ocx
2008-04-19 21:52 . 2007-08-09 12:50 50,688 --a------ C:\Windows\System32\wbhelp2.dll
2008-04-18 23:48 . 2008-04-18 23:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_M4iPodWPDDriver_01_00_00.Wdf
2008-04-18 21:48 . 2008-04-18 21:48 268 --ah----- C:\sqmdata08.sqm
2008-04-18 21:48 . 2008-04-18 21:48 244 --ah----- C:\sqmnoopt08.sqm
2008-04-15 20:54 . 2008-04-22 17:31 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\Users\All Users\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\ProgramData\Azureus
2008-04-15 20:53 . 2008-04-15 20:53 <DIR> d-------- C:\Program Files\Azureus
2008-04-13 13:44 . 2008-04-13 13:46 <DIR> d-------- C:\LITEON
2008-04-11 17:23 . 2008-04-11 17:23 38,400 --a------ C:\Windows\System32\SoundSchemes.exe
2008-04-08 16:03 . 2008-04-27 10:05 12 --a------ C:\Windows\bthservsdp.dat
2008-04-08 09:10 . 2008-04-08 09:10 170,224 --ah----- C:\Windows\System32\mlfcache.dat
2008-04-07 19:03 . 2008-04-08 17:09 <DIR> d-------- C:\Iphone music
2008-04-07 18:51 . 2008-04-07 19:04 <DIR> d-------- C:\Program Files\Tansee iPhone Transfer
2008-04-06 14:55 . 2008-04-06 14:55 <DIR> d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-04-06 14:54 . 2008-04-06 14:54 <DIR> d-------- C:\speech
2008-04-05 12:57 . 2008-04-05 12:59 <DIR> d-------- C:\p2k
2008-04-04 17:21 . 2008-04-04 17:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-04-04 17:02 . 2008-04-04 17:26 <DIR> d-------- C:\Program Files\LiveUpdate
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\ProgramData\BVRP Software
2008-04-04 16:58 . 2008-04-04 16:58 <DIR> d-------- C:\tools
2008-04-02 21:23 . 2008-04-27 10:07 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-02 21:23 . 2008-04-02 21:23 1,409 --a------ C:\Windows\QTFont.for
2008-04-02 21:22 . 2008-04-02 21:22 <DIR> d-------- C:\Program Files\iPod
2008-04-02 21:12 . 2008-04-02 21:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 21:03 . 2008-04-02 21:03 268 --ah----- C:\sqmdata07.sqm
2008-04-02 21:03 . 2008-04-02 21:03 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 20:47 . 2008-04-02 20:47 268 --ah----- C:\sqmdata06.sqm
2008-04-02 20:47 . 2008-04-02 20:47 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 14:06 --------- d-----w C:\Program Files\Yahoo!
2008-04-27 04:09 --------- d-----w C:\Program Files\Steam
2008-04-27 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 00:57 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-26 19:59 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-26 03:43 --------- d-----w C:\Users\John Doe\AppData\Roaming\NewsLeecher
2008-04-26 03:41 --------- d-----w C:\Program Files\NewsLeecher
2008-04-23 01:09 --------- d-----w C:\Program Files\mIRC
2008-04-22 22:43 --------- d-----w C:\Program Files\Windows Mail
2008-04-20 02:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 23:46 --------- d-----w C:\Program Files\Music Rescue
2008-04-03 02:22 --------- d-----w C:\Program Files\iTunes
2008-03-27 01:42 --------- d-----w C:\Program Files\iLiberty
2008-03-22 04:16 --------- d-----w C:\Program Files\Motorola
2008-03-22 04:00 --------- d-----w C:\Users\John Doe\AppData\Roaming\Teleca
2008-03-22 03:59 --------- d-----w C:\Users\John Doe\AppData\Roaming\PhoneAppMgr
2008-03-22 02:55 --------- d-----w C:\Users\John Doe\AppData\Roaming\Motorola
2008-03-22 02:53 --------- d-----w C:\Program Files\Symbian
2008-03-22 02:53 --------- d-----w C:\Program Files\Intuwave
2008-03-22 02:52 --------- d-----w C:\ProgramData\Teleca
2008-03-22 02:52 --------- d-----w C:\ProgramData\Motorola
2008-03-22 02:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-21 04:23 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-19 22:29 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-03-19 02:12 --------- d-----w C:\ProgramData\NVIDIA
2008-03-19 02:09 174 --sha-w C:\Program Files\desktop.ini
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Journal
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Defender
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Calendar
2008-03-19 01:48 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-19 01:48 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-19 01:25 47,560 ----a-w C:\Windows\System32\SPReview.exe
2008-03-19 01:25 152,576 ----a-w C:\Windows\System32\SPWizUI.dll
2008-03-15 16:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-12 20:21 678,408 ----a-w C:\Windows\System32\gpprefcl.dll
2008-03-10 02:56 --------- d-----w C:\Program Files\Java
2008-03-09 17:13 --------- d-----w C:\Program Files\SoundTaxi
2008-03-07 23:53 --------- d-----w C:\Program Files\KC Softwares
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\Media Player Classic
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\DivX
2008-03-07 23:19 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-07 23:11 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-07 23:11 47,360 ----a-w C:\Users\John Doe\AppData\Roaming\pcouffin.sys
2008-03-07 23:11 --------- d-----w C:\Users\John Doe\AppData\Roaming\Vso
2008-03-07 23:11 --------- d-----w C:\Program Files\IdealDVDCopy
2008-03-07 22:56 11,114 ----a-w C:\Users\All Users\MainApp.dll
2008-03-07 22:56 11,114 ----a-w C:\ProgramData\MainApp.dll
2008-03-07 03:44 --------- d-----w C:\Program Files\CloneDVD
2008-03-07 03:40 81,920 ----a-w C:\Users\John Doe\AppData\Roaming\ezpinst.exe
2008-03-07 03:40 --------- d-----w C:\ProgramData\DVDXStudio
2008-03-04 22:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-04 22:06 --------- d-----w C:\ProgramData\Logitech
2008-03-04 05:18 --------- d-----w C:\ProgramData\Symantec
2008-03-04 05:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 23:51 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-02 23:03 --------- d-----w C:\Program Files\VistaCodecPack
2008-03-02 18:45 --------- d-----w C:\Program Files\PicoZipRT
2008-03-02 18:26 --------- d-----w C:\Program Files\ElcomSoft
2008-03-02 17:28 --------- d-----w C:\Users\John Doe\AppData\Roaming\InterVideo
2008-03-01 21:34 --------- d-----w C:\ProgramData\Apple Computer
2008-03-01 21:33 --------- d-----w C:\Program Files\InterVideo Information Service
2008-03-01 21:33 --------- d-----w C:\Program Files\Common Files\Ulead
2008-03-01 21:31 --------- d-----w C:\Program Files\InterVideo
2008-03-01 21:31 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-01 19:24 --------- d-----w C:\Program Files\Real
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\Real
2008-03-01 19:18 --------- d-----w C:\Program Files\RM Converter
2008-03-01 17:48 --------- d-----w C:\Users\John Doe\AppData\Roaming\Apple Computer
2008-03-01 17:48 --------- d-----w C:\Program Files\Safari
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-23 02:21 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2008-02-08 23:37 219,664 ----a-w C:\Windows\System32\klogon.dll
2008-01-29 17:02 107,368 ----a-w C:\Windows\System32\GEARAspi.dll
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-12 05:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-27_ 9.49.25.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 14:42:36 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-27 15:07:05 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-04-27 14:29:53 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 14:57:48 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-27 14:43:19 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-27 15:07:42 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-27 14:35:28 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 15:01:00 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-27 14:43:19 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 15:07:42 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 15:07:42 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-27 14:21:10 101,988 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-27 14:49:03 101,988 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-27 14:21:10 598,350 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-27 14:49:03 598,350 ----a-w C:\Windows\System32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 23:56 218032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 11:54 290816]
"P2kAutostart"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-26 22:50 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe" [2007-04-01 12:44 49152]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 14:49 1423360]
"Reclusa"="C:\Program Files\Razer\Reclusa\razerhid.exe" [2007-03-07 17:49 167936]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\Windows\KHALMNPR.Exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 20:48 275800]
"VX3000"="C:\Windows\vVX3000.exe" [2006-12-05 18:38 707360]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="C:\Program Files\Mediafour\XPlay 3\XPlay.exe" [2008-01-31 16:02 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 11:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 14:23 139264]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-02 11:32 1261568]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-06 21:00 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 21:00 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-06 21:00 81920]
"Motorola PcSync"="C:\Program Files\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" [2007-10-02 12:47 544768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 21:05:16 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-06-28 20:42:33 692224]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-26 22:50 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= divxa32.acm
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4916AE0E-A2DF-4A53-ADA9-E0DC6BA2B160}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{863C54F9-86B5-4AB9-8013-13AF5799D281}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7B25B8DA-6227-446A-99D8-DF6FB630F262}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E7A76F84-B061-4976-BE4B-DC844719D9BF}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9CE75A46-CB32-4D58-9133-FCFC50FC0EE2}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{F59BED3A-5284-447F-B7BD-5BA453EB3C02}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"TCP Query User{78CE494B-7E78-4B0D-A34F-C6B280047DD9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{21DBC182-B3AD-4918-B145-92D5A9152361}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{7519BB5F-29E2-4BBE-ABC8-FEA2B577A7AE}C:\\program files\\best buy rhapsody\\rhapsody.exe"= UDP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{55D8A642-8684-4BC8-87FB-B171E336B428}C:\\program files\\best buy rhapsody\\rhapsody.exe"= TCP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{403A5E2B-24B9-4E98-883A-3632AF922282}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B93790AB-26AF-4BEF-907F-A2DD1543AABB}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{07539FE7-B541-48C7-ACE1-4DACA8A7817E}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{036BC00C-8C14-4BD6-931B-DCFAD56E13F5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CFF4F6FC-EBEA-4ED2-9BD5-B4E5C54A7502}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1D21C00B-1763-45EF-93B7-E1EBCC616DA5}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{9B7403CF-F936-4515-B55C-DBAB57C3EE8A}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B01776D2-9084-40EE-8DB3-C26D21741890}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{37A129D0-59C9-4A7D-81EF-586492841C99}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{1F404CB4-E5EE-4042-93E3-7552986DE61D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{DEAA83D6-92D5-4A5A-BFED-12E1416DBA10}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{8CB5CF58-CCC5-497E-9337-4632F24F49C6}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F49F8B11-2125-461B-B008-2CB0C5B966AF}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{2ED1E4E8-76B5-47DE-89A8-D4C3AE7A76F7}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{EA9E5B8E-DACD-4B46-91A9-5B7995B59AC9}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"{D58F0834-4044-49C8-87F5-4E717D5CE98F}"= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
"{D6A4A30D-2357-453B-91A0-C4C837FD5138}"= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
"TCP Query User{988D5A89-D5F3-4603-A098-964677921D83}C:\\program files\\atari\\boiling point\\xenus.exe"= UDP:C:\program files\atari\boiling point\xenus.exe:Xenus
"UDP Query User{F3B4D19F-482D-4F6C-BEB1-6E33633AF284}C:\\program files\\atari\\boiling point\\xenus.exe"= TCP:C:\program files\atari\boiling point\xenus.exe:Xenus
"{FE03A966-FD75-4237-8F90-4B723D933B8F}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5DFBD29B-52AF-40BF-8766-A8453FFDCBA7}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{CDEC1F12-76D6-417C-8A58-DB9CD614B140}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{4B2F9999-ADA9-462E-A986-22435D2D347F}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{01A090FF-AAE8-4A3D-83FA-2E61471AA574}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4690CEBC-67A6-459D-A9C3-753A47CF1115}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{371D09FA-BFE0-468E-99A3-1DEE8799C963}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3F04110F-BBA6-4241-B5E3-75D63D230629}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6C7F87AF-51B2-422D-B348-3342EB1BAA92}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{264F1859-9056-4171-90EB-553D189E5497}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9F94BD8E-279F-48F7-A28B-1373872CD56A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F0569049-814F-46F8-BC28-DD07FA25541C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {A5B1F7C1-5288-46FE-AF95-9825D626F119}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R0 MDFSYSNT;MacDrive file system driver;C:\Windows\system32\drivers\MDFSYSNT.sys [2008-01-29 22:35]
R0 MDPMGRNT;MDPMGRNT;C:\Windows\system32\drivers\MDPMGRNT.sys [2007-02-28 12:15]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;C:\Windows\system32\DRIVERS\rtlprot.sys [2007-04-02 10:57]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-05 17:44]
R2 M4iPodWPDService;M4iPodWPDService;"C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe" [2008-01-23 13:31]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 15:55]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 17:13]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe" [2007-07-18 15:26]
R3 CamdDriverV32;CamdDriverV32;C:\Windows\system32\drivers\CamdDriverV32.sys [2007-12-28 15:57]
R3 CamdVideo32;CamdVideo32;C:\Windows\system32\DRIVERS\CamdVideo32.sys [2007-12-28 15:57]
R3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 09:21]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys [2007-11-19 07:59]
R3 SndTDriverV32;SndTDriverV32;C:\Windows\system32\drivers\SndTDriverV32.sys [2007-09-28 13:17]
R3 WmaCDriverV32;WmaCDriverV32;C:\Windows\system32\drivers\WmaCDriverV32.sys [2007-12-06 15:44]
R3 WmaCVideo32;WmaCVideo32;C:\Windows\system32\DRIVERS\WmaCVideo32.sys [2007-12-06 15:44]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 10:51]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 SoundMovieServer;SoundMovieServer;"C:\Windows\system32\snmvtsvc.exe" [2007-09-28 13:14]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-26 14:09]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 00:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7050012-50fc-11dc-bf15-001bfc2d0d2e}]
\shell\AutoRun\command - G:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 04:04:17 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-27 15:07:33 C:\Windows\Tasks\RtlVistaStart.job"
- C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
"2008-04-26 16:37:24 C:\Windows\Tasks\User_Feed_Synchronization-{52EA01DA-AC6C-4D26-8930-FB1C29CED8CA}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 10:08:47
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\ASUS\AASP\1.00.28\aaCenter.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
.
**************************************************************************
.
Completion time: 2008-04-27 10:15:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 15:14:53
ComboFix2.txt 2008-04-27 14:51:40
ComboFix3.txt 2008-04-27 04:17:29

Pre-Run: 492,850,577,408 bytes free
Post-Run: 493,210,365,952 bytes free

436 --- E O F --- 2008-04-27 00:46:55

Edited by crazhorse, 27 April 2008 - 09:17 AM.


#4
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download OTMoveIt2 at http://download.blee...r/OTMoveIt2.exe
* Save it to your desktop.
* Double-click OTMoveIt2.exe to run it. (Vista users, right-click on OTMoveIt2.exe and select Run as an Administrator).
* Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Windows\System32\drivers\core.cache.dsk
C:\Windows\wintst32.tmp
C:\Windows\System32\drivers\swenumm.sys
C:\Windows\mainms.vpi
C:\Windows\muotr.so
C:\Windows\megavid.cdt
C:\Temp\tn3
C:\Program Files\plasq
C:\Windows\System32\wTMP
C:\Windows\System32\pnVes06
C:\Temp\kvebs14

* Return to OTMoveIt2. Right-click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* A log of files and folders moved will be created in the C:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
* Close OTMoveIt2.

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

Run ComboFix by double-clicking on it and post its log here.

#5
crazhorse

    Member

  • Topic Starter
  • Member
  • 17 posts
ComboFix 08-04-24.1 - John Doe 2008-04-27 18:32:46.6 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.1106 [GMT -5:00]
Running from: C:\Users\John Doe\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\temp\tn3
C:\Windows\system32\drivers\core.cache.dsk . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-27 18:42 . 2008-04-27 18:42 <DIR> d-------- C:\Temp\tn3
2008-04-27 18:19 . 2008-04-27 18:19 <DIR> d-------- C:\_OTMoveIt
2008-04-27 10:26 . 2008-04-27 10:26 <DIR> d-------- C:\Deckard
2008-04-27 09:16 . 2008-04-27 09:16 <DIR> d-------- C:\Users\All Users\Yahoo! Companion
2008-04-27 09:16 . 2008-04-27 09:16 <DIR> d-------- C:\ProgramData\Yahoo! Companion
2008-04-27 09:06 . 2008-04-27 09:06 <DIR> d-------- C:\Program Files\CCleaner
2008-04-27 08:52 . 2008-04-27 08:52 167,545 --a------ C:\Windows\System32\drivers\core.cache.dsk
2008-04-26 23:38 . 2008-04-26 23:38 <DIR> d-------- C:\VundoFix Backups
2008-04-26 23:36 . 2008-04-26 23:36 <DIR> d-------- C:\!KillBox
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\Users\All Users\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:21 <DIR> d-------- C:\ProgramData\SUPERAntiSpyware.com
2008-04-26 20:21 . 2008-04-26 20:22 <DIR> d-------- C:\Program Files\Panda Security
2008-04-26 20:21 . 2008-04-26 20:21 1,866 --a------ C:\Windows\mozver.dat
2008-04-26 20:20 . 2008-04-26 20:20 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\SUPERAntiSpyware.com
2008-04-26 20:20 . 2008-04-26 22:50 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-04-26 19:51 . 2008-04-26 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-26 15:57 . 2008-04-26 15:57 268 --ah----- C:\sqmdata19.sqm
2008-04-26 15:57 . 2008-04-26 15:57 244 --ah----- C:\sqmnoopt19.sqm
2008-04-26 15:47 . 2008-04-26 15:47 268 --ah----- C:\sqmdata18.sqm
2008-04-26 15:47 . 2008-04-26 15:47 244 --ah----- C:\sqmnoopt18.sqm
2008-04-26 15:23 . 2008-04-26 15:23 268 --ah----- C:\sqmdata17.sqm
2008-04-26 15:23 . 2008-04-26 15:23 244 --ah----- C:\sqmnoopt17.sqm
2008-04-26 14:55 . 2008-04-26 14:55 268 --ah----- C:\sqmdata16.sqm
2008-04-26 14:55 . 2008-04-26 14:55 244 --ah----- C:\sqmnoopt16.sqm
2008-04-26 14:35 . 2008-04-26 14:35 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\Users\All Users\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:34 <DIR> d-------- C:\ProgramData\Malwarebytes
2008-04-26 14:34 . 2008-04-26 14:35 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-26 14:23 . 2007-09-06 00:22 289,144 --a------ C:\Windows\System32\VCCLSID.exe
2008-04-26 14:23 . 2006-04-27 17:49 288,417 --a------ C:\Windows\System32\SrchSTS.exe
2008-04-26 14:23 . 2008-04-24 08:10 86,528 --a------ C:\Windows\System32\VACFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\IEDFix.exe
2008-04-26 14:23 . 2008-04-23 22:14 82,944 --a------ C:\Windows\System32\404Fix.exe
2008-04-26 14:23 . 2003-06-05 21:13 53,248 --a------ C:\Windows\System32\Process.exe
2008-04-26 14:23 . 2004-07-31 18:50 51,200 --a------ C:\Windows\System32\dumphive.exe
2008-04-26 14:23 . 2007-10-04 00:36 25,600 --a------ C:\Windows\System32\WS2Fix.exe
2008-04-26 14:23 . 2008-04-26 14:23 5,410 --a------ C:\Windows\System32\tmp.reg
2008-04-26 14:05 . 2008-04-26 14:05 268 --ah----- C:\sqmdata15.sqm
2008-04-26 14:05 . 2008-04-26 14:05 244 --ah----- C:\sqmnoopt15.sqm
2008-04-26 13:54 . 2008-04-26 13:54 268 --ah----- C:\sqmdata14.sqm
2008-04-26 13:54 . 2008-04-26 13:54 244 --ah----- C:\sqmnoopt14.sqm
2008-04-26 12:39 . 2008-04-26 13:17 96,645 --a------ C:\Windows\System32\drivers\klin.dat
2008-04-26 12:39 . 2008-04-26 13:17 87,941 --a------ C:\Windows\System32\drivers\klick.dat
2008-04-26 12:36 . 2008-04-27 18:43 <DIR> d-------- C:\Users\All Users\Kaspersky Lab
2008-04-26 12:36 . 2008-04-27 18:43 <DIR> d-------- C:\ProgramData\Kaspersky Lab
2008-04-26 12:36 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-04-26 12:36 . 2008-04-27 18:43 73,758,752 --ahs---- C:\Windows\System32\drivers\fidbox.dat
2008-04-26 12:36 . 2008-04-27 18:40 989,696 --ahs---- C:\Windows\System32\drivers\fidbox.idx
2008-04-26 12:32 . 2008-04-26 12:32 <DIR> d-------- C:\kav
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\Users\All Users\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:29 <DIR> d-------- C:\ProgramData\Lavasoft
2008-04-26 11:28 . 2008-04-26 11:28 <DIR> d-------- C:\Program Files\Lavasoft
2008-04-26 11:18 . 2008-04-26 11:18 <DIR> d-------- C:\Windows\McAfee.com
2008-04-26 10:36 . 2008-04-26 10:36 268 --ah----- C:\sqmdata13.sqm
2008-04-26 10:36 . 2008-04-26 10:36 244 --ah----- C:\sqmnoopt13.sqm
2008-04-26 10:35 . 2008-04-27 09:58 16 --a------ C:\Windows\wininit.ini
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\Users\All Users\sysqcl0.dat
2008-04-26 10:17 . 2008-04-26 10:17 4 -r-hs---- C:\ProgramData\sysqcl0.dat
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Users\All Users\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\ProgramData\Spybot - Search & Destroy
2008-04-26 10:15 . 2008-04-26 12:46 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-26 10:08 . 2008-04-27 18:42 <DIR> d-------- C:\Temp
2008-04-26 10:08 . 2008-04-26 10:08 86,144 --------- C:\Windows\System32\drivers\swenumm.sys
2008-04-23 19:30 . 2008-04-23 19:30 268 --ah----- C:\sqmdata12.sqm
2008-04-23 19:30 . 2008-04-23 19:30 244 --ah----- C:\sqmnoopt12.sqm
2008-04-22 21:33 . 2008-04-22 21:33 268 --ah----- C:\sqmdata11.sqm
2008-04-22 21:33 . 2008-04-22 21:33 244 --ah----- C:\sqmnoopt11.sqm
2008-04-22 21:31 . 2008-04-22 21:31 <DIR> d-------- C:\Program Files\Western Digital Technologies
2008-04-22 21:30 . 2008-04-22 21:30 <DIR> d-------- C:\wd
2008-04-22 20:44 . 2008-04-22 20:48 <DIR> d-------- C:\partition
2008-04-22 20:17 . 2008-04-22 20:17 268 --ah----- C:\sqmdata10.sqm
2008-04-22 20:17 . 2008-04-22 20:17 244 --ah----- C:\sqmnoopt10.sqm
2008-04-22 20:09 . 2008-04-22 20:09 268 --ah----- C:\sqmdata09.sqm
2008-04-22 20:09 . 2008-04-22 20:09 244 --ah----- C:\sqmnoopt09.sqm
2008-04-19 23:41 . 2008-04-19 23:41 <DIR> d-------- C:\cpu
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Users\All Users\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\ProgramData\Ipswitch
2008-04-19 21:52 . 2008-04-19 21:52 <DIR> d-------- C:\Program Files\Ipswitch
2008-04-19 21:52 . 2007-08-09 12:50 606,293 --a------ C:\Windows\System32\wbocx.ocx
2008-04-19 21:52 . 2007-08-09 12:50 50,688 --a------ C:\Windows\System32\wbhelp2.dll
2008-04-18 23:48 . 2008-04-18 23:48 0 --ah----- C:\Windows\System32\drivers\Msft_User_M4iPodWPDDriver_01_00_00.Wdf
2008-04-18 21:48 . 2008-04-18 21:48 268 --ah----- C:\sqmdata08.sqm
2008-04-18 21:48 . 2008-04-18 21:48 244 --ah----- C:\sqmnoopt08.sqm
2008-04-15 20:54 . 2008-04-22 17:31 <DIR> d-------- C:\Users\John Doe\AppData\Roaming\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\Users\All Users\Azureus
2008-04-15 20:54 . 2008-04-15 20:54 <DIR> d-------- C:\ProgramData\Azureus
2008-04-15 20:53 . 2008-04-15 20:53 <DIR> d-------- C:\Program Files\Azureus
2008-04-13 13:44 . 2008-04-13 13:46 <DIR> d-------- C:\LITEON
2008-04-11 17:23 . 2008-04-11 17:23 38,400 --a------ C:\Windows\System32\SoundSchemes.exe
2008-04-08 16:03 . 2008-04-27 18:39 12 --a------ C:\Windows\bthservsdp.dat
2008-04-08 09:10 . 2008-04-08 09:10 170,224 --ah----- C:\Windows\System32\mlfcache.dat
2008-04-07 19:03 . 2008-04-08 17:09 <DIR> d-------- C:\Iphone music
2008-04-07 18:51 . 2008-04-07 19:04 <DIR> d-------- C:\Program Files\Tansee iPhone Transfer
2008-04-06 14:55 . 2008-04-06 14:55 <DIR> d-------- C:\Program Files\Microsoft Speech SDK 5.1
2008-04-06 14:54 . 2008-04-06 14:54 <DIR> d-------- C:\speech
2008-04-05 12:57 . 2008-04-05 12:59 <DIR> d-------- C:\p2k
2008-04-04 17:21 . 2008-04-04 17:27 <DIR> d-------- C:\Program Files\Motorola Phone Tools
2008-04-04 17:02 . 2008-04-04 17:26 <DIR> d-------- C:\Program Files\LiveUpdate
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\Users\All Users\BVRP Software
2008-04-04 17:00 . 2008-04-04 17:24 <DIR> d-------- C:\ProgramData\BVRP Software
2008-04-04 16:58 . 2008-04-04 16:58 <DIR> d-------- C:\tools
2008-04-02 21:23 . 2008-04-27 18:42 54,156 --ah----- C:\Windows\QTFont.qfn
2008-04-02 21:23 . 2008-04-02 21:23 1,409 --a------ C:\Windows\QTFont.for
2008-04-02 21:22 . 2008-04-02 21:22 <DIR> d-------- C:\Program Files\iPod
2008-04-02 21:12 . 2008-04-02 21:12 <DIR> d-------- C:\Program Files\QuickTime
2008-04-02 21:03 . 2008-04-02 21:03 268 --ah----- C:\sqmdata07.sqm
2008-04-02 21:03 . 2008-04-02 21:03 244 --ah----- C:\sqmnoopt07.sqm
2008-04-02 20:47 . 2008-04-02 20:47 268 --ah----- C:\sqmdata06.sqm
2008-04-02 20:47 . 2008-04-02 20:47 244 --ah----- C:\sqmnoopt06.sqm
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\Windows\System32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\Windows\System32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-27 14:06 --------- d-----w C:\Program Files\Yahoo!
2008-04-27 04:09 --------- d-----w C:\Program Files\Steam
2008-04-27 01:19 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-27 00:57 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-26 19:59 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-26 03:43 --------- d-----w C:\Users\John Doe\AppData\Roaming\NewsLeecher
2008-04-26 03:41 --------- d-----w C:\Program Files\NewsLeecher
2008-04-23 01:09 --------- d-----w C:\Program Files\mIRC
2008-04-22 22:43 --------- d-----w C:\Program Files\Windows Mail
2008-04-20 02:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-07 23:46 --------- d-----w C:\Program Files\Music Rescue
2008-04-03 02:22 --------- d-----w C:\Program Files\iTunes
2008-03-27 01:42 --------- d-----w C:\Program Files\iLiberty
2008-03-22 04:16 --------- d-----w C:\Program Files\Motorola
2008-03-22 04:00 --------- d-----w C:\Users\John Doe\AppData\Roaming\Teleca
2008-03-22 03:59 --------- d-----w C:\Users\John Doe\AppData\Roaming\PhoneAppMgr
2008-03-22 02:55 --------- d-----w C:\Users\John Doe\AppData\Roaming\Motorola
2008-03-22 02:53 --------- d-----w C:\Program Files\Symbian
2008-03-22 02:53 --------- d-----w C:\Program Files\Intuwave
2008-03-22 02:52 --------- d-----w C:\ProgramData\Teleca
2008-03-22 02:52 --------- d-----w C:\ProgramData\Motorola
2008-03-22 02:52 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-03-21 04:23 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-03-19 22:29 0 ---ha-w C:\Windows\system32\drivers\Msft_User_WpdMtpDr_01_00_00.Wdf
2008-03-19 02:12 --------- d-----w C:\ProgramData\NVIDIA
2008-03-19 02:09 174 --sha-w C:\Program Files\desktop.ini
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Sidebar
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Journal
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Defender
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Collaboration
2008-03-19 02:01 --------- d-----w C:\Program Files\Windows Calendar
2008-03-15 16:03 --------- d-----w C:\ProgramData\Microsoft Help
2008-03-10 02:56 --------- d-----w C:\Program Files\Java
2008-03-09 17:13 --------- d-----w C:\Program Files\SoundTaxi
2008-03-07 23:53 --------- d-----w C:\Program Files\KC Softwares
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\Media Player Classic
2008-03-07 23:35 --------- d-----w C:\Users\John Doe\AppData\Roaming\DivX
2008-03-07 23:19 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-07 23:11 47,360 ----a-w C:\Windows\system32\drivers\pcouffin.sys
2008-03-07 23:11 47,360 ----a-w C:\Users\John Doe\AppData\Roaming\pcouffin.sys
2008-03-07 23:11 --------- d-----w C:\Users\John Doe\AppData\Roaming\Vso
2008-03-07 23:11 --------- d-----w C:\Program Files\IdealDVDCopy
2008-03-07 22:56 11,114 ----a-w C:\Users\All Users\MainApp.dll
2008-03-07 22:56 11,114 ----a-w C:\ProgramData\MainApp.dll
2008-03-07 03:44 --------- d-----w C:\Program Files\CloneDVD
2008-03-07 03:40 81,920 ----a-w C:\Users\John Doe\AppData\Roaming\ezpinst.exe
2008-03-07 03:40 --------- d-----w C:\ProgramData\DVDXStudio
2008-03-04 22:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-04 22:06 --------- d-----w C:\ProgramData\Logitech
2008-03-04 05:18 --------- d-----w C:\ProgramData\Symantec
2008-03-04 05:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-02 23:51 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-02 23:03 --------- d-----w C:\Program Files\VistaCodecPack
2008-03-02 18:45 --------- d-----w C:\Program Files\PicoZipRT
2008-03-02 18:26 --------- d-----w C:\Program Files\ElcomSoft
2008-03-02 17:28 --------- d-----w C:\Users\John Doe\AppData\Roaming\InterVideo
2008-03-01 21:34 --------- d-----w C:\ProgramData\Apple Computer
2008-03-01 21:33 --------- d-----w C:\Program Files\InterVideo Information Service
2008-03-01 21:33 --------- d-----w C:\Program Files\Common Files\Ulead
2008-03-01 21:31 --------- d-----w C:\Program Files\InterVideo
2008-03-01 21:31 --------- d-----w C:\Program Files\Common Files\InterVideo
2008-03-01 19:24 --------- d-----w C:\Program Files\Real
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-01 19:24 --------- d-----w C:\Program Files\Common Files\Real
2008-03-01 19:18 --------- d-----w C:\Program Files\RM Converter
2008-03-01 17:48 --------- d-----w C:\Users\John Doe\AppData\Roaming\Apple Computer
2008-03-01 17:48 --------- d-----w C:\Program Files\Safari
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-11-12 05:10 32,768 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-11-12 05:10 16,384 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-27_ 9.49.25.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-27 14:42:36 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-27 23:42:03 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-04-27 23:42:05 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-04-27 14:29:53 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 23:33:25 262,144 ----a-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-27 14:43:19 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-04-27 23:42:43 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-04-27 14:35:28 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
+ 2008-04-27 23:34:23 262,144 ----a-w C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\usrclass.dat
- 2008-04-27 14:43:19 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 23:43:35 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-04-27 23:43:35 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-04-27 14:21:10 101,988 ----a-w C:\Windows\System32\perfc009.dat
+ 2008-04-27 23:37:45 101,988 ----a-w C:\Windows\System32\perfc009.dat
- 2008-04-27 14:21:10 598,350 ----a-w C:\Windows\System32\perfh009.dat
+ 2008-04-27 23:37:45 598,350 ----a-w C:\Windows\System32\perfh009.dat
- 2008-04-27 14:44:58 13,616 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3753868638-1166536986-4250003746-1000_UserData.bin
+ 2008-04-27 23:44:13 13,664 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3753868638-1166536986-4250003746-1000_UserData.bin
- 2008-04-27 14:44:57 108,538 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 23:44:13 108,938 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-04-27 14:44:48 68,518 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-04-27 23:44:10 69,250 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\{FD8348AB-D74A-4C76-B2FE-926FF6D7CC40}]
@=MacDrive Volume Icons

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="C:\Program Files\Windows Sidebar\sidebar.exe" [2008-01-19 02:33 1233920]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-10 23:56 218032]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 02:33 125952]
"mRouterConfig"="C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterConfig.exe" [2006-03-02 11:54 290816]
"P2kAutostart"="" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-04-26 22:50 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundTray"="C:\Program Files\Analog Devices\SoundMAX\SoundTray.exe" [2007-04-01 12:44 49152]
"Ai Nap"="C:\Program Files\ASUS\Ai Suite\AiNap\AiNap.exe" [2007-04-09 14:49 1423360]
"Reclusa"="C:\Program Files\Razer\Reclusa\razerhid.exe" [2007-03-07 17:49 167936]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 15:32 56080 C:\Windows\KHALMNPR.Exe]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-01-12 20:48 275800]
"VX3000"="C:\Windows\vVX3000.exe" [2006-12-05 18:38 707360]
"{914C5BF8-EEDD-4F3A-A8BE-34EE71CF1B29}"="C:\Program Files\Mediafour\XPlay 3\XPlay.exe" [2008-01-31 16:02 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"{B179023B-6238-4499-8F26-CD73E9D90E0A}"="C:\Program Files\Mediafour\MacDrive 7\MacDrive.exe" [2007-07-12 11:57 179288]
"MDGetStarted.exe"="C:\Program Files\Mediafour\MacDrive 7\MDGetStarted.exe" [2007-06-13 14:23 139264]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2007-04-02 11:32 1261568]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-11-06 21:00 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-11-06 21:00 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-11-06 21:00 81920]
"Motorola PcSync"="C:\Program Files\Motorola\Motorola PcSync\Application Launcher\Application Launcher.exe" [2007-10-02 12:47 544768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2008-02-08 18:36 227856]

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-09 21:05:16 113664]
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2007-06-28 20:42:33 692224]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-08-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2008-04-26 22:50 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\r3hook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll
"msacm.divxa32"= divxa32.acm
"VIDC.FFDS"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{4916AE0E-A2DF-4A53-ADA9-E0DC6BA2B160}"= UDP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{863C54F9-86B5-4AB9-8013-13AF5799D281}"= TCP:C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:Yahoo! Messenger
"{7B25B8DA-6227-446A-99D8-DF6FB630F262}"= UDP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{E7A76F84-B061-4976-BE4B-DC844719D9BF}"= TCP:C:\Program Files\Yahoo!\Messenger\YServer.exe:Yahoo! FT Server
"{9CE75A46-CB32-4D58-9133-FCFC50FC0EE2}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{F59BED3A-5284-447F-B7BD-5BA453EB3C02}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"TCP Query User{78CE494B-7E78-4B0D-A34F-C6B280047DD9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{21DBC182-B3AD-4918-B145-92D5A9152361}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{7519BB5F-29E2-4BBE-ABC8-FEA2B577A7AE}C:\\program files\\best buy rhapsody\\rhapsody.exe"= UDP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"UDP Query User{55D8A642-8684-4BC8-87FB-B171E336B428}C:\\program files\\best buy rhapsody\\rhapsody.exe"= TCP:C:\program files\best buy rhapsody\rhapsody.exe:RealNetworks Rhapsody
"{403A5E2B-24B9-4E98-883A-3632AF922282}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{B93790AB-26AF-4BEF-907F-A2DD1543AABB}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{07539FE7-B541-48C7-ACE1-4DACA8A7817E}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{036BC00C-8C14-4BD6-931B-DCFAD56E13F5}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CFF4F6FC-EBEA-4ED2-9BD5-B4E5C54A7502}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1D21C00B-1763-45EF-93B7-E1EBCC616DA5}C:\\program files\\mozilla firefox\\firefox.exe"= UDP:C:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{9B7403CF-F936-4515-B55C-DBAB57C3EE8A}C:\\program files\\mozilla firefox\\firefox.exe"= TCP:C:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{B01776D2-9084-40EE-8DB3-C26D21741890}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= UDP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"UDP Query User{37A129D0-59C9-4A7D-81EF-586492841C99}C:\\program files\\yahoo!\\messenger\\yahoomessenger.exe"= TCP:C:\program files\yahoo!\messenger\yahoomessenger.exe:Yahoo! Messenger
"{1F404CB4-E5EE-4042-93E3-7552986DE61D}"= UDP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{DEAA83D6-92D5-4A5A-BFED-12E1416DBA10}"= TCP:C:\Program Files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{8CB5CF58-CCC5-497E-9337-4632F24F49C6}"= UDP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{F49F8B11-2125-461B-B008-2CB0C5B966AF}"= TCP:C:\Program Files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{2ED1E4E8-76B5-47DE-89A8-D4C3AE7A76F7}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= UDP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"UDP Query User{EA9E5B8E-DACD-4B46-91A9-5B7995B59AC9}C:\\users\\john doe\\desktop\\wow-burningcrusade-enus-installer-downloader.exe"= TCP:C:\users\john doe\desktop\wow-burningcrusade-enus-installer-downloader.exe:wow-burningcrusade-enus-installer-downloader.exe
"{D58F0834-4044-49C8-87F5-4E717D5CE98F}"= UDP:C:\Program Files\Steam\Steam.exe:Steam Client
"{D6A4A30D-2357-453B-91A0-C4C837FD5138}"= TCP:C:\Program Files\Steam\Steam.exe:Steam Client
"TCP Query User{988D5A89-D5F3-4603-A098-964677921D83}C:\\program files\\atari\\boiling point\\xenus.exe"= UDP:C:\program files\atari\boiling point\xenus.exe:Xenus
"UDP Query User{F3B4D19F-482D-4F6C-BEB1-6E33633AF284}C:\\program files\\atari\\boiling point\\xenus.exe"= TCP:C:\program files\atari\boiling point\xenus.exe:Xenus
"{FE03A966-FD75-4237-8F90-4B723D933B8F}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{5DFBD29B-52AF-40BF-8766-A8453FFDCBA7}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{CDEC1F12-76D6-417C-8A58-DB9CD614B140}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{4B2F9999-ADA9-462E-A986-22435D2D347F}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{01A090FF-AAE8-4A3D-83FA-2E61471AA574}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4690CEBC-67A6-459D-A9C3-753A47CF1115}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{371D09FA-BFE0-468E-99A3-1DEE8799C963}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{3F04110F-BBA6-4241-B5E3-75D63D230629}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{6C7F87AF-51B2-422D-B348-3342EB1BAA92}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{264F1859-9056-4171-90EB-553D189E5497}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{9F94BD8E-279F-48F7-A28B-1373872CD56A}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{F0569049-814F-46F8-BC28-DD07FA25541C}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DisabledInterfaces"= {A5B1F7C1-5288-46FE-AF95-9825D626F119}

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"= C:\Program Files\Logitech\Logitech Harmony Remote Software 7\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7

R0 MDFSYSNT;MacDrive file system driver;C:\Windows\system32\drivers\MDFSYSNT.sys [2008-01-29 22:35]
R0 MDPMGRNT;MDPMGRNT;C:\Windows\system32\drivers\MDPMGRNT.sys [2007-02-28 12:15]
R1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;C:\Windows\system32\DRIVERS\klim6.sys [2007-10-16 11:05]
R1 RtlProt;Realtke RtlProt WLAN Utility Protocol Driver;C:\Windows\system32\DRIVERS\rtlprot.sys [2007-04-02 10:57]
R2 AEADIFilters;Andrea ADI Filters Service;C:\Windows\system32\AEADISRV.EXE [2007-02-05 17:44]
R2 M4iPodWPDService;M4iPodWPDService;"C:\Program Files\Common Files\Mediafour\iPod\M4iPodWPDService.exe" [2008-01-23 13:31]
R2 MacDriveService;MacDriveService;"C:\Program Files\Mediafour\MacDrive 7\MacDriveService.exe" [2007-05-01 15:55]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-01-04 17:13]
R2 Stuffit Archive Name Service;Stuffit Archive Name Service;"C:\Program Files\Smith Micro\StuffIt11\ArcNameService.exe" [2007-07-18 15:26]
R3 CamdDriverV32;CamdDriverV32;C:\Windows\system32\drivers\CamdDriverV32.sys [2007-12-28 15:57]
R3 CamdVideo32;CamdVideo32;C:\Windows\system32\DRIVERS\CamdVideo32.sys [2007-12-28 15:57]
R3 RecFltr;Reclusa Keyboard;C:\Windows\system32\Drivers\RecFltr.sys [2007-01-18 09:21]
R3 RTL8187;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;C:\Windows\system32\DRIVERS\RTL8187.sys [2007-11-19 07:59]
R3 SndTDriverV32;SndTDriverV32;C:\Windows\system32\drivers\SndTDriverV32.sys [2007-09-28 13:17]
R3 WmaCDriverV32;WmaCDriverV32;C:\Windows\system32\drivers\WmaCDriverV32.sys [2007-12-06 15:44]
R3 WmaCVideo32;WmaCVideo32;C:\Windows\system32\DRIVERS\WmaCVideo32.sys [2007-12-06 15:44]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2007-12-06 10:51]
S3 MotDev;Motorola Inc. USB Device;C:\Windows\system32\DRIVERS\motodrv.sys [2007-05-07 15:11]
S3 motport;Motorola USB Diagnostic Port;C:\Windows\system32\DRIVERS\motport.sys [2007-06-18 15:18]
S3 SoundMovieServer;SoundMovieServer;"C:\Windows\system32\snmvtsvc.exe" [2007-09-28 13:14]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-26 14:09]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 00:53]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
GPSvcGroup REG_MULTI_SZ GPSvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b7050012-50fc-11dc-bf15-001bfc2d0d2e}]
\shell\AutoRun\command - G:\LaunchU3.exe -a


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration
.
Contents of the 'Scheduled Tasks' folder
"2007-11-11 04:04:17 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-04-27 23:42:33 C:\Windows\Tasks\RtlVistaStart.job"
- C:\Program Files\ASUS WiFi-AP Solo\RtWLan.exe
"2008-04-27 18:33:00 C:\Windows\Tasks\User_Feed_Synchronization-{52EA01DA-AC6C-4D26-8930-FB1C29CED8CA}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 18:42:59
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\Program Files\ASUS\AASP\1.00.28\aaCenter.exe
C:\Program Files\Razer\Reclusa\razertra.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Intuwave\Shared\mRouterRuntime\mRouterRuntime.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\wbem\unsecapp.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-04-27 18:49:06 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 23:48:52
ComboFix2.txt 2008-04-27 15:15:23
ComboFix3.txt 2008-04-27 14:51:40
ComboFix4.txt 2008-04-27 04:17:29

Pre-Run: 492,945,887,232 bytes free
Post-Run: 492,798,050,304 bytes free

415 --- E O F --- 2008-04-27 00:46:55


I ran MoveIt twice, once before running ComboFix and once after; it seems core.cache and swen are stubborn and aren't getting deleted.


File move failed. C:\Windows\System32\drivers\core.cache.dsk scheduled to be moved on reboot.
File/Folder C:\Windows\wintst32.tmp not found.
File move failed. C:\Windows\System32\drivers\swenumm.sys scheduled to be moved on reboot.
File/Folder C:\Windows\mainms.vpi not found.
File/Folder C:\Windows\muotr.so not found.
File/Folder C:\Windows\megavid.cdt not found.
C:\Temp\tn3 moved successfully.
File/Folder C:\Program Files\plasq not found.
File/Folder C:\Windows\System32\wTMP not found.
File/Folder C:\Windows\System32\pnVes06 not found.
File/Folder C:\Temp\kvebs14 not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04272008_185123

Files moved on Reboot...
File move failed. C:\Windows\System32\drivers\core.cache.dsk scheduled to be moved on reboot.
File move failed. C:\Windows\System32\drivers\swenumm.sys scheduled to be moved on reboot.

Edited by crazhorse, 27 April 2008 - 05:58 PM.


#6
crazhorse

    Member

  • Topic Starter
  • Member
  • 17 posts
I booted into safe mode and deleted both files; so far no IE popups after the deletion.

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good riddance... glad you got them removed.

Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.

#8
crazhorse

    Member

  • Topic Starter
  • Member
  • 17 posts
No popups, and the scans came up clean. Thank you for the help.

#9
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.