Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

zrizbi!rootkit [RESOLVED]


  • This topic is locked This topic is locked

#1
charliewykes

charliewykes

    Member

  • Member
  • PipPip
  • 84 posts
Hi, I have XP service pack 3 and McAfee security suite 8 with antivirus 12.1.

I have aquired the srizbi!rootkit and although McAfee detects it and apaers to remove it, on reboot it returns. It has turned the PC into a bot, my ISP has been on the 'phone so the PC is now in quarantine! On the point of infection the PC crashed then on reboott I had the message asking me to activate XP. Other oddities - my computer/windows explorer take an age to show drives and files and the desktop cleanup wizard appears at each reboot despite me disabling it each time.

I have run Malwarebytes with no joy so I'm posting my HijackThis log below and hoping for a solution. Many thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:50:48 PM, on 19/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_S5R3_4.26_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Documents and Settings\Charlie & Mandy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - .DEFAULT User Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.expertage...asp/ScriptX.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c...bt/yregucfg.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://libcitrix.lec...ca32/wficac.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1207428492798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1207428445220
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://rtc1.webresp...p/TLIEFlash.CAB
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.micro...jects/ocget.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - https://register.bti...bcontrol013.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 13730 bytes

Ad-Aware 2007
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player ActiveX
Adobe Photoshop Elements 3.0
Adobe Reader 8.1.2
Apple Mobile Device Support
Apple Software Update
ASUS Probe V2.23.06
Athens Toolbar
Avanquest update
BIONICLE Heroes
BioWare Premium Module: Neverwinter Nights - Kingmaker
BioWare Premium Module: Neverwinter Nights - ShadowGuard
BioWare Premium Module: Neverwinter Nights - Witch's Wake
BitDefender Total Security 2008
BOINC
Bonjour
Canon CanoScan Toolbox 4.1
Canon i965
Canon LBP3000
CanoScan LiDE20,30 Manual
CCleaner (remove only)
Chinese Simplified Fonts Support For Adobe Reader 8
Citrix ICA Web Client (Minimal Installation)
Clicker 4
Creative Audio Console
DECAdry Free Grids for Word XP
DH Driver Cleaner Professional Edition
Disc2Phone
Dorling Kindersley Application Database v1.4
DTS Neo:6 Settings
EA SPORTS online 2005
Easy-WebPrint
Eraser 5.82
Essential Tools 2
exPressit SX 3.0
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.4
Flying Colours
FUJIFILM USB Driver
Garmin Training Center v5
Garmin WebUpdater
Garmin WebUpdater
Garmin WebUpdater
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
iiyama Monitor Test 2.1
iPod for Windows 2005-09-06
iPod for Windows 2005-09-23
iPod for Windows 2005-11-17
iPod for Windows 2006-03-23
iTunes
Java 2 Runtime Environment, SE v1.4.2_01
LEGO MINDSTORMS NXT Driver
LEGO MINDSTORMS NXT Dynamic Block Update
LEGO® MINDSTORMS® NXT - English Language Pack
LEGO® MINDSTORMS® NXT Software v1.0
Logitech MouseWare 9.80
Macromedia Shockwave Player
Mafia Game
Malwarebytes' Anti-Malware
McAfee SecurityCenter
Mesh Online
Mesh Online (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft Money 5.0
Microsoft National Language Support Downlevel APIs
Microsoft Office Sounds
Microsoft Office Standard Edition 2003
Microsoft Office XP Media Content
Microsoft Office XP Professional
Microsoft Publisher 2000 SR-1
Microsoft Reader
Microsoft Reader Text-to-Speech for English
Microsoft Silverlight
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
Motorola Driver Installation
Motorola Phone Tools
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
NETGEAR WG311v3 PCI Adapter
Neverwinter Nights
NVIDIA Drivers
Olympus DSS Player
OmniPage SE
OpenMG Limited Patch 3.4-04-17-06-01
OpenMG Secure Module 3.4.01
OsaSync PRO
PCI SoftV92 Modem
Pivot Stickfigure Animator
Power2Go 4.0
QuickTime
RealPlayer
RTPatch Update
RunLog
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Softk56 Data Fax Voice Speakerphone CARP
SoftV92 SmartSpeakerphone Modem
Sony Ericsson PC Suite 1.20.224
SPSS 14.0 for Windows
SPSS Data Access Pack 4.0 for Windows
Star Wars Empire at War
The Sims Makin' Magic
Tiger Woods PGA TOUR 2005
TomTom HOME
Tunebite 4.1.0.21
Update for Windows XP (KB951978)
VC_MergeModuleToMSI
Viewpoint Manager (Remove Only)
Visual FoxPro 5.0 Runtime
WebDeployerSupport
WildTangent Web Driver
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player 9 Series TweakMP PowerToy
Windows Presentation Foundation
Windows Resource Kit Tools - SubInAcl.exe
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows XP Service Pack 3
WinRAR archiver
WinZip
Xfire (remove only)
  • 0

Advertisements


#2
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey charliewykes,

Welcome to GeekstoGo! I'm Ltangelic and I'll be helping you fix your computer problem.

Take note that I'm still in training, and my posts will have to be checked by an expert. This may cause delays in between my responses, I ask for your patience. Please stick with me until we get your computer cleaned up or it will be a wasted effort on both sides. :)

I'm looking at your log now, and I'll post back with a fix when I'm ready. Thanks for your patience.

PS. If I've not been responding, and you wonder why, feel free to PM me and I'll give an explanation.

LT
  • 0

#3
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey charliewykes,

Let's try removing the rootkit first. Please follow the instructions below carefully.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

  • 0

#4
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
Hi, thanks for your help. Don't worry about slow replies I'm just glad of the support! I have run SDFix folowed by Hijackthis and I post results below.


SDFix: Version 1.219
Run by Charlie

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-25 12:03:27
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ContentIndex\Catalogs\System]
"Location"="C:\System Volume Information"
"IsIndexingW3Svc"=dword:00000000
"IsIndexingNNTPSvc"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\MUILanguages\RCV2\tourp.exe]
"0"=hex:00,00,1e,00,00,00,05,00
"1"=hex:82,cf,0c,ea,25,a6,21,d5,c4,01,d6,18,b2,ce,f7,75,75,84,e8,41,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SWPRV\0000]
"Service"="SwPrv"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="MS Software Shadow Copy Provider"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Abiosdsk]
"ErrorControl"=dword:00000000
"Group"="Primary disk"
"Start"=dword:00000004
"Tag"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\abiosdsk]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\intelide]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\Ip6FwHlp]
"EventMessageFile"=str(2):"%SystemRoot%\System32\Ip6FwHlp.dll;%SystemRoot%\System32\xpob2res.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\napagent]
"EventMessageFile"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\PptpMiniport]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000004
"Tag"=dword:00000004
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent]
"DisplayName"="Network Access Protection Agent"
"Description"="Allows windows clients to participate in Network Access Protection"
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DependOnService"=str(7):"RpcSs\0"
"ObjectName"="localSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\LocalConfig]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Parameters]
"ServiceDll"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Qecs]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\Shas]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\napagent\SohCache]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"System32\DRIVERS\raspptp.sys"
"DisplayName"="WAN Miniport (PPTP)"
"Description"="WAN Miniport (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PptpMiniport\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TROMPSUV]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\TROMPSUV.sys"
"DisplayName"="TROMPSUV"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TROMPSUV\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ContentIndex\Catalogs\System]
"Location"="C:\System Volume Information"
"IsIndexingW3Svc"=dword:00000000
"IsIndexingNNTPSvc"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Nls\MUILanguages\RCV2\tourp.exe]
"0"=hex:00,00,1e,00,00,00,05,00
"1"=hex:82,cf,0c,ea,25,a6,21,d5,c4,01,d6,18,b2,ce,f7,75,75,84,e8,41,34,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV]
"NextInstance"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SWPRV\0000]
"Service"="SwPrv"
"Legacy"=dword:00000001
"ConfigFlags"=dword:00000000
"Class"="LegacyDriver"
"ClassGUID"="{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc"="MS Software Shadow Copy Provider"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Abiosdsk]
"ErrorControl"=dword:00000000
"Group"="Primary disk"
"Start"=dword:00000004
"Tag"=dword:00000003
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\abiosdsk]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\intelide]
"EventMessageFile"=str(2):"%SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\Drivers\IntelIde.sys"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\Ip6FwHlp]
"EventMessageFile"=str(2):"%SystemRoot%\System32\Ip6FwHlp.dll;%SystemRoot%\System32\xpob2res.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\napagent]
"EventMessageFile"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Eventlog\System\PptpMiniport]
"EventMessageFile"=str(2):"%SystemRoot%\System32\netevent.dll"
"TypesSupported"=dword:00000007
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\IntelIde]
"ErrorControl"=dword:00000001
"Group"="System Bus Extender"
"Start"=dword:00000004
"Tag"=dword:00000004
"Type"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent]
"DisplayName"="Network Access Protection Agent"
"Description"="Allows windows clients to participate in Network Access Protection"
"Type"=dword:00000020
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"%SystemRoot%\System32\svchost.exe -k netsvcs"
"DependOnService"=str(7):"RpcSs\0"
"ObjectName"="localSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent\LocalConfig]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent\Parameters]
"ServiceDll"=str(2):"%SystemRoot%\System32\qagentrt.dll"
"ServiceDllUnloadOnStop"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent\Qecs]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent\Shas]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\napagent\SohCache]
@=""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"System32\DRIVERS\raspptp.sys"
"DisplayName"="WAN Miniport (PPTP)"
"Description"="WAN Miniport (PPTP)"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\PptpMiniport\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TROMPSUV]
"Type"=dword:00000001
"Start"=dword:00000002
"ErrorControl"=dword:00000001
"ImagePath"=str(2):"\??\C:\WINDOWS\system32\drivers\TROMPSUV.sys"
"DisplayName"="TROMPSUV"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TROMPSUV\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\WinSock2]

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\DeluxeCD\Providers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\CSSFilters]
"oavredirect"="{999937BC-30FE-11D4-BA52-00C04F6843FA}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartMenu\StartMenuRun]
"Type"="checkbox"
"Text"="@shell32.dll,-30474"
"HKeyRoot"=dword:80000001
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="StartMenuRun"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000001
"HelpID"="windows.hlp#51142"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowPrinters]
"Type"="checkbox"
"Text"="@shell32.dll,-30493"
"HKeyRoot"=dword:80000001
"RegPath"="Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
"ValueName"="Start_ShowPrinters"
"CheckedValue"=dword:00000001
"UncheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\cj.com]
@=dword:00000005
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History\ssby.com]
@=dword:00000005
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\ACTIVEX_OPTIN\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="1208"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\ALLOW_DYNSRC_VIDEO\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="120A"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2201"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\ACTIVE_CONTENT\BBHVR\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2000"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOTNET\MANIFESTPERMISSIONS\DISABLE]
"DefaultValue"=dword:00010000
"CheckedValue"=dword:00000003
"ValueName"="2007"
"PlugUIText"="@mscorier.dll,-1003"
"Text"="Disable"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Type"="radio"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2200"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\JAVAPER\JAVA\DISABLE]
"HelpID"="iexplore.hlp#50241"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"PlugUIText"="@vmhelper.dll,-4005"
"Type"="radio"
"ValueName"="1C00"
"Text"="Disable Java"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORCE_ADDRESS_BAR\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA]
"Type"="group"
"Text"="Submit non-encrypted form data"
"PlugUIText"="@inetcpl.cpl,-4797"
"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\ALLOW]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Enable"
"PlugUIText"="@inetcpl.cpl,-4803"
"ValueName"="1601"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000003
"Mask"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\DENY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="1601"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"Mask"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\FORMDATA\QUERY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Prompt"
"PlugUIText"="@inetcpl.cpl,-4804"
"ValueName"="1601"
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000003
"Mask"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\INC_UPLOAD_FILEPATH\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="160A"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\MIME_SNIFFING\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2100"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\RESTRICTED_PROTOCOLS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2300"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\WINDOW_RESTRICTIONS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2102"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\MISC\ZONE_ELEVATION\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2101"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\LOOSE_XAML\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2402"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\WINDOWS_BROWSER_APPLICATIONS\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2400"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WINFX\XPS_DOCUMENTS\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2401"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SO\WinFXSetup\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2600"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\ACTIVEX_OPTIN\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="1208"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\ALLOW_DYNSRC_VIDEO\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="120A"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\AUTOMATIC_ACTIVEX_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2201"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\ACTIVE_CONTENT\BBHVR\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2000"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOTNET\MANIFESTPERMISSIONS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@mscorier.dll,-1003"
"ValueName"="2007"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00010000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\DOWNLOAD\AUTOMATIC_DOWNLOAD_UI\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2200"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\JAVAPER\JAVA\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable Java"
"PlugUIText"="@inetcpl.cpl,-4818"
"ValueName"="1C00"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000000
"HKeyRoot"=dword:80000002
"HelpID"="iexplore.hlp#50241"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORCE_ADDRESS_BAR\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2104"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA]
"Type"="group"
"Text"="Submit non-encrypted form data"
"PlugUIText"="@inetcpl.cpl,-4797"
"Bitmap"="C:\WINDOWS\system32\inetcpl.cpl,4443"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\ALLOW]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Enable"
"PlugUIText"="@inetcpl.cpl,-4803"
"ValueName"="1601"
"CheckedValue"=dword:00000000
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\DENY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="1601"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\FORMDATA\QUERY]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Prompt"
"PlugUIText"="@inetcpl.cpl,-4804"
"ValueName"="1601"
"CheckedValue"=dword:00000001
"DefaultValue"=dword:00000003
"HKeyRoot"=dword:80000002
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\MIME_SNIFFING\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2100"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\RESTRICTED_PROTOCOLS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2300"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\WINDOW_RESTRICTIONS\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2102"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\MISC\ZONE_ELEVATION\DISABLE]
"Type"="radio"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"PlugUIText"="@inetcpl.cpl,-4805"
"ValueName"="2101"
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\LOOSE_XAML\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2402"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\WINDOWS_BROWSER_APPLICATIONS\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2400"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WINFX\XPS_DOCUMENTS\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2401"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SOIEAK\WinFXSetup\DISABLE]
"CheckedValue"=dword:00000003
"DefaultValue"=dword:00000003
"PlugUIText"="@inetcpl.cpl,-4805"
"RegPath"="SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"RegPoliciesPath"="SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\%s"
"Text"="Disable"
"Type"="radio"
"ValueName"="2600"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\TemplatePolicies\MedHigh]
"1001"=dword:00000001
"1004"=dword:00000003
"1200"=dword:00000000
"1201"=dword:00000003
"1206"=dword:00000003
"1207"=dword:00000003
"1208"=dword:00000003
"1209"=dword:00000003
"120A"=dword:00000003
"1400"=dword:00000000
"1402"=dword:00000000
"1405"=dword:00000000
"1406"=dword:00000003
"1407"=dword:00000001
"1408"=dword:00000003
"1601"=dword:00000000
"1604"=dword:00000000
"1605"=dword:00000000
"1606"=dword:00000000
"1607"=dword:00000003
"1608"=dword:00000000
"1609"=dword:00000001
"160A"=dword:00000000
"1800"=dword:00000001
"1802"=dword:00000000
"1803"=dword:00000000
"1804"=dword:00000001
"1806"=dword:00000001
"1809"=dword:00000000
"1A00"=dword:00020000
"1A02"=dword:00000000
"1A03"=dword:00000000
"1A04"=dword:00000003
"1A05"=dword:00000001
"1A06"=dword:00000000
"1C00"=dword:00010000
"1E05"=dword:00020000
"2000"=dword:00000000
"2100"=dword:00000000
"2101"=dword:00000000
"2102"=dword:00000003
"2103"=dword:00000003
"2104"=dword:00000003
"2105"=dword:00000003
"2200"=dword:00000003
"2201"=dword:00000003
"2300"=dword:00000001
"2301"=dword:00000000
"2400"=dword:00000000
"2401"=dword:00000000
"2402"=dword:00000000
"2600"=dword:00000000
"Description"="Help prevent malware from accessing your computer."
"DisplayName"="Internet recommended safety (medium high security)"
"Icon"="wininet.dll#00001206"
"TemplateIndex"=dword:00011500
"2001"=dword:00000000
"2004"=dword:00000000
"2007"=dword:00010000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PropertySystem\PropertyHandlers]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\Migration]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName"=str(2):"stdout"
"Active"=dword:00000001
"ControlFlags"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Desktop\CleanupWiz]
"Days between clean up"=dword:0000003c
"NoRun"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\Canon Printer Uninstaller]
"Order"=hex:08,00,00,00,02,00,00,00,a8,00,00,00,01,00,00,00,01,00,00,00,9c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\iiyama]
"Order"=hex:08,00,00,00,02,00,00,00,40,01,00,00,01,00,00,00,02,00,00,00,90,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\Logitech]
"Order"=hex:08,00,00,00,02,00,00,00,7c,00,00,00,01,00,00,00,01,00,00,00,70,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\Micronet Wireless Network Utility]
"Order"=hex:08,00,00,00,02,00,00,00,b8,00,00,00,01,00,00,00,01,00,00,00,ac,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\Microsoft Keyboard]
"Order"=hex:08,00,00,00,02,00,00,00,d8,01,00,00,01,00,00,00,03,00,00,00,aa,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\NETGEAR WG311v3 Smart Wizard]
"Order"=hex:08,00,00,00,02,00,00,00,4c,01,00,00,01,00,00,00,02,00,00,00,92,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Hardware\SpeedTouch USB]
"Order"=hex:08,00,00,00,02,00,00,00,0c,00,00,00,01,00,00,00,00,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU]
"0"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"1"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"2"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"3"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"4"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"5"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"6"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"7"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"8"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"9"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"10"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"11"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"12"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"13"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"14"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"15"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"16"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"17"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"18"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"19"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"20"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"21"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"22"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"23"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"24"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"25"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"26"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"27"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"28"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"29"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"30"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"31"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"32"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"33"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"34"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"35"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"36"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"37"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"38"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"MRUListEx"=hex:c0,01,00,00,bf,01,00,00,be,01,00,00,bd,01,00,00,bc,01,00,00,bb,..
"39"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"40"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"41"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"42"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"43"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"44"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"45"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"46"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"47"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"48"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"49"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"50"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"51"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"52"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"54"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"55"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"56"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"57"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"58"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"59"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"60"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"61"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"62"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"63"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"64"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"65"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"66"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"67"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"68"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"69"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"70"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"71"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"75"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"76"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"77"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"78"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"79"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"80"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"81"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"82"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"83"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"84"=hex:43,00,3a,00,5c,00,57,00,49,00,4e,00,44,00,4f,00,57,00,53,00,5c,..
"85"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"86"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"87"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"88"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"89"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"90"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"91"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"92"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"93"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"94"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"95"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"96"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"97"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"98"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"99"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"100"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"101"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"102"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"103"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"104"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"105"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"106"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"107"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"108"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"109"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"110"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"111"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"112"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"113"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"114"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"115"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"117"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"118"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"119"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"120"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"121"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"122"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"123"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"124"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"125"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"126"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"127"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"128"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"129"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"130"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"131"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"132"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"133"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"134"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"135"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"136"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"137"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"138"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"139"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"140"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"141"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"142"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"143"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"150"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"151"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"154"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"155"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"160"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"161"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"162"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"163"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"164"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"165"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"166"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"167"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"168"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"169"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"170"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"171"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"172"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"173"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"174"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"175"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"176"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"177"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"178"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"179"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"180"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"181"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"182"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"183"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"184"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"185"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"186"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"187"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"188"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"189"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,74,..
"190"=hex:43,00,3a,00,5c,00,44,00,6f,00,63,00,75,00,6d,00,65,00,6e,00,7
  • 0

#5
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
Hi again, I don't think the post above has the complete reports so I have also atached them - hope that's OK

Attached Files


  • 0

#6
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Sure, it's completely alright, and thanks. :) I'll be getting back to you with a fix, but it may take a while. Thanks for your patience and please stay with me. :)
  • 0

#7
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey charliewykes,

Seems like SDFix didn't find much, and the zrizbi rootkit seems to have disappeared. Let's try a different tool to see what we can find.

Please follow my instructions in the order they were given, and print out a copy of it as you may not have access to the forums during the fix.

1) Upload a file for analysis

Please ensure you can view hidden files and folders by doing the following:

  • Go to Start>Control Panel and go under Appearances and Themes
  • Click on Folder Options and go under View tab
  • Ensure that "Show hidden files and folders" is selected and click Apply

NEXT

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:

    • C:\WINDOWS\system32\drivers\TROMPSUV.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.

2) Run ComboFix

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Next reply (please include):

Fresh HijackThis log
VirScan report
ComboFix.txt

  • 0

#8
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
Hi, as for TROMPSUV, it isn't running a service and I can't find it using windows explorer even allowing for hidden and system files and protected operating system files to be seen. Search doesn't find it either. VIRscan can't find it

BUT if I start> run> C:\WINDOWS\system32\drivers\TROMPSUV.sys I can open it using notepad!

Is there some way I can copy it to another location using start.. run... and scan it that way?

I'll do the ComboFix step shortly.

Thanks
  • 0

#9
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
Ok! Here's the combofix log anf hijakthis log as attachments

Attached Files


  • 0

#10
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey, no worries about Virscan. It doesn't matter. :) I'll get back with a fix when I'm ready.

By the way, could you paste the above logs instead of attaching them? If it is too long and got cut off, post it in multiple posts.

Sorry I need you to post them again in order for the expert to look at it. Thanks. :)

Edited by Ltangelic, 28 August 2008 - 07:59 AM.

  • 0

Advertisements


#11
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
ComboFix 08-08-26.03 - Charlie & Mandy 2008-08-27 20:57:35.1 - NTFSx86 Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.585 [GMT 1:00] Running from: C:\Documents and Settings\Charlie & Mandy\Desktop\ComboFix.exe . Error: Cfiles.dat ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Charlie & Mandy\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML C:\WINDOWS\system32\_000115_.tmp.dll C:\WINDOWS\system32\_003864_.tmp.dll C:\WINDOWS\system32\_003865_.tmp.dll C:\WINDOWS\system32\_003866_.tmp.dll C:\WINDOWS\system32\_003867_.tmp.dll C:\WINDOWS\system32\_003874_.tmp.dll C:\WINDOWS\system32\_003875_.tmp.dll C:\WINDOWS\system32\_003876_.tmp.dll C:\WINDOWS\system32\_003878_.tmp.dll C:\WINDOWS\system32\_003879_.tmp.dll C:\WINDOWS\system32\_003882_.tmp.dll C:\WINDOWS\system32\_003883_.tmp.dll C:\WINDOWS\system32\_003885_.tmp.dll C:\WINDOWS\system32\_003886_.tmp.dll C:\WINDOWS\system32\_003887_.tmp.dll C:\WINDOWS\system32\_003889_.tmp.dll C:\WINDOWS\system32\_003890_.tmp.dll C:\WINDOWS\system32\_003892_.tmp.dll C:\WINDOWS\system32\_003893_.tmp.dll C:\WINDOWS\system32\_003894_.tmp.dll C:\WINDOWS\system32\_003895_.tmp.dll C:\WINDOWS\system32\_003896_.tmp.dll C:\WINDOWS\system32\_003897_.tmp.dll C:\WINDOWS\system32\_003898_.tmp.dll C:\WINDOWS\system32\_003899_.tmp.dll C:\WINDOWS\system32\_003900_.tmp.dll C:\WINDOWS\system32\_003901_.tmp.dll C:\WINDOWS\system32\_003903_.tmp.dll C:\WINDOWS\system32\_003905_.tmp.dll C:\WINDOWS\system32\_003906_.tmp.dll C:\WINDOWS\system32\_003907_.tmp.dll C:\WINDOWS\system32\_003908_.tmp.dll C:\WINDOWS\system32\_003911_.tmp.dll C:\WINDOWS\system32\_003912_.tmp.dll C:\WINDOWS\system32\_003913_.tmp.dll C:\WINDOWS\system32\_003914_.tmp.dll C:\WINDOWS\system32\_003915_.tmp.dll C:\WINDOWS\system32\_003918_.tmp.dll C:\WINDOWS\system32\_003919_.tmp.dll C:\WINDOWS\system32\_003920_.tmp.dll C:\WINDOWS\system32\_003921_.tmp.dll C:\WINDOWS\system32\_003922_.tmp.dll C:\WINDOWS\system32\_003923_.tmp.dll C:\WINDOWS\system32\_003925_.tmp.dll C:\WINDOWS\system32\_003926_.tmp.dll C:\WINDOWS\system32\_003929_.tmp.dll C:\WINDOWS\system32\_003930_.tmp.dll C:\WINDOWS\system32\_003932_.tmp.dll C:\WINDOWS\system32\_003933_.tmp.dll C:\WINDOWS\system32\_003934_.tmp.dll C:\WINDOWS\system32\_003936_.tmp.dll C:\WINDOWS\system32\_003939_.tmp.dll C:\WINDOWS\system32\_003940_.tmp.dll C:\WINDOWS\system32\_003944_.tmp.dll C:\WINDOWS\system32\_003945_.tmp.dll C:\WINDOWS\system32\_003947_.tmp.dll C:\WINDOWS\system32\_003948_.tmp.dll C:\WINDOWS\system32\_003950_.tmp.dll C:\WINDOWS\system32\_003952_.tmp.dll C:\WINDOWS\system32\_003953_.tmp.dll C:\WINDOWS\system32\_003954_.tmp.dll C:\WINDOWS\system32\_003955_.tmp.dll C:\WINDOWS\system32\_003958_.tmp.dll C:\WINDOWS\system32\_003959_.tmp.dll C:\WINDOWS\system32\_003960_.tmp.dll C:\WINDOWS\system32\_003961_.tmp.dll C:\WINDOWS\system32\_003962_.tmp.dll C:\WINDOWS\system32\_003967_.tmp.dll C:\WINDOWS\system32\_003969_.tmp.dll C:\WINDOWS\system32\_003970_.tmp.dll . ((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 ))))))))))))))))))))))))))))))) . 2008-08-27 18:57 . 2008-05-01 15:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-25 20:25 . 2008-08-27 20:49 1,374 --a------ C:\WINDOWS\imsins.BAK 2008-08-25 20:20 . 2008-08-27 20:55 4,958,588 --a------ C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-20021102}.BAK 2008-08-25 17:25 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\msi.dll 2008-08-25 17:25 . 2008-04-13 21:09 884,736 --a------ C:\WINDOWS\system32\msimsg.dll 2008-08-25 17:25 . 2008-04-14 05:42 271,360 --a------ C:\WINDOWS\system32\msihnd.dll 2008-08-25 17:25 . 2008-04-14 05:42 78,848 --a------ C:\WINDOWS\system32\msiexec.exe 2008-08-25 17:25 . 2008-04-14 05:42 15,360 --a------ C:\WINDOWS\system32\msisip.dll 2008-08-25 15:54 . 2008-04-11 20:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll 2008-08-25 11:44 . 2008-08-25 11:44 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll 2008-08-25 11:41 . 2008-08-25 11:41
d-------- C:\WINDOWS\ERUNT 2008-08-25 10:28 . 2008-08-25 12:13
d-------- C:\SDFix 2008-08-25 10:09 . 2008-08-25 10:09 2,335,270 --a------ C:\WINDOWS\system32\36180.mht 2008-08-25 10:09 . 2008-04-14 05:41 706,048 --a------ C:\WINDOWS\system32\fe382.tmp 2008-08-25 10:09 . 2008-08-25 10:09 128,352 --a------ C:\WINDOWS\system32\bde81.dll 2008-08-25 10:09 . 2008-08-25 10:09 54,624 --a------ C:\WINDOWS\system32\bde81.sys 2008-08-20 18:40 . 2008-08-21 19:34 250 --a------ C:\WINDOWS\gmer.ini 2008-08-18 21:07 . 2008-08-18 21:07
d-------- C:\Program Files\Malwarebytes' Anti-Malware 2008-08-18 21:07 . 2008-08-18 21:07
d-------- C:\Documents and Settings\Charlie & Mandy\Application Data\Malwarebytes 2008-08-18 21:07 . 2008-08-18 21:07
d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-18 21:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys 2008-08-18 21:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys 2008-08-12 18:32 . 2008-08-12 18:32 29 --a------ C:\WINDOWS\system32\ggaittqf.tmp 2008-08-11 23:38 . 2008-08-11 23:38
d-------- C:\Program Files\iTunes . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-27 20:07 --------- d-----w C:\Program Files\BOINC 2008-08-25 14:40 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\SiteAdvisor 2008-08-25 09:16 --------- d-----w C:\Program Files\iiyama monitor test 2008-08-25 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\OsaSync 2008-08-25 08:32 --------- d-----w C:\Program Files\RunLog 2008-08-14 12:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor 2008-08-12 07:04 --------- d-----w C:\Program Files\Apple Software Update 2008-08-11 22:38 --------- d-----w C:\Program Files\iPod 2008-07-25 13:39 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\Canon 2008-07-13 18:00 --------- d-----w C:\Program Files\QuickTime 2008-07-13 18:00 --------- d-----w C:\Program Files\Bonjour 2008-06-29 19:01 --------- d-----w C:\Program Files\FinePixViewer 2008-06-29 19:01 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\FUJIFILM 2008-06-29 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information 2008-06-29 18:15 --------- d-----w C:\Program Files\REGSHAVE 2007-06-14 06:38 92,064 ------w C:\Documents and Settings\Charlie & Mandy\mqdmmdm.sys 2007-06-14 06:38 9,232 ------w C:\Documents and Settings\Charlie & Mandy\mqdmmdfl.sys 2007-06-14 06:38 79,328 ------w C:\Documents and Settings\Charlie & Mandy\mqdmserd.sys 2007-06-14 06:38 66,656 ------w C:\Documents and Settings\Charlie & Mandy\mqdmbus.sys 2007-06-14 06:38 6,208 ------w C:\Documents and Settings\Charlie & Mandy\mqdmcmnt.sys 2007-06-14 06:38 5,936 ------w C:\Documents and Settings\Charlie & Mandy\mqdmwhnt.sys 2007-06-14 06:38 4,048 ------w C:\Documents and Settings\Charlie & Mandy\mqdmcr.sys 2007-06-14 06:38 25,600 ------w C:\Documents and Settings\Charlie & Mandy\usbsermptxp.sys 2007-06-14 06:38 22,768 ------w C:\Documents and Settings\Charlie & Mandy\usbsermpt.sys 2007-05-24 13:58 249,856 ----a-w C:\WINDOWS\inf\WG311v3\InsDrv2k.exe 2006-12-04 10:38 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe 2005-12-29 17:07 282,624 ----a-r C:\WINDOWS\inf\WG311v3\WG311v3XP.sys 2005-10-27 07:44 96,560 ------w C:\Documents and Settings\Charlie & Mandy\Application Data\GDIPFONTCACHEV1.DAT 2005-09-25 21:02 5,872 ------w C:\Documents and Settings\All Users\Application Data\ypinfo.bin 2004-12-18 23:45 855 ------w C:\Documents and Settings\Charlie & Mandy\DMOrganizer.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 09:47 135168] "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 14:17 68856] "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 16:45 114688] "Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744] "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776] "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792] "mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992] "SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 22:57 36640] "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920] "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248] "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040] "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696] "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064] "PtiuPbmd"="ptipbm.dll" [2003-01-15 20:41 24576 C:\WINDOWS\system32\ptipbm.dll] "Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll] "Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE] "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe] "CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE] "CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\WINDOWS\system32\Ctxfihlp.exe] [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run] "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 05:42 15360] "NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2007-12-05 01:41 81920] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2006-08-03 01:26:30 1966080] Directrec Configuration Tool.lnk - C:\Program Files\Olympus\DSSPlayer\DirectrecConfig.exe [2006-12-08 22:11:27 122880] NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-11-21 17:51:20 1507328] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa] Notification Packages REG_MULTI_SZ scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders] SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services] "kavsvc"=2 (0x2) [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "C:\\Program Files\\Messenger\\msmsgs.exe"= "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"= "C:\\WINDOWS\\system32\\mmc.exe"= "C:\\NeverwinterNights\\NWN\\nwmain.exe"= "C:\\WINDOWS\\system32\\CNAB3RPK.EXE"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"= "C:\\Program Files\\MSN Messenger\\livecall.exe"= "C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"= "C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "C:\\Program Files\\Bonjour\\mDNSResponder.exe"= "C:\\Program Files\\iTunes\\iTunes.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP) "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015 "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016 "500:UDP"= 500:UDP:@xpsp2res.dll,-22017 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings] "AllowInboundEchoRequest"= 1 (0x1) R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2003-05-09 16:55] R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-09-05 11:25] R1 SSHDRV79;SSHDRV79;C:\WINDOWS\system32\drivers\SSHDRV79.sys [2005-08-29 19:27] R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2005-07-24 22:54] R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47] R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40] S2 TROMPSUV;TROMPSUV;C:\WINDOWS\system32\drivers\TROMPSUV.sys [] S3 bde81;bde81;C:\WINDOWS\system32\bde81.sys [2008-08-25 10:09] S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 15:55] S3 ids0004C;ids0004C;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0004C.sys [] S3 klstm;klstm;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys [] S3 ldiskl;ldiskl;C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp\ldiskl.sys [] S3 LtcyCfgWDM;PCI Latency Tool Driver Service;C:\WINDOWS\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 01:24] S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31] S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03] S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27] S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42] S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42] S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42] S3 PAC207;SoC [email protected];C:\WINDOWS\system32\DRIVERS\pfc027.sys [] S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42] S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57] S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-01-18 13:24] S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 15:49] S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 17:50] S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 17:50] S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 17:50] S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 17:50] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc bdx REG_MULTI_SZ scan [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89322030-086e-11db-bcb6-000e502476af}] \Shell\AutoRun\command - G:\Installer.exe . Contents of the 'Scheduled Tasks' folder 2008-08-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] 2008-05-01 C:\WINDOWS\Tasks\McQcTask.job - c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32] . - - - - ORPHANS REMOVED - - - - HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe HKCU-Run-Power2GoExpress - (no file) HKLM-Run-Cmaudio - cmicnfg.cpl MSConfigStartUp-Steam - c:\program files\valve\steam\steam.exe . ------- Supplementary Scan ------- . R0 -: HKCU-Main,Start Page = hxxp://www.bbc.co.uk/ R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8 R0 -: HKLM-Main,Search Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;*.local R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O16 -: DirectAnimation Java Classes O16 -: Microsoft XML Parser for Java - C:\WINDOWS\Downloaded Program Files\ScriptX.inf O16 -: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab C:\WINDOWS\Downloaded Program Files\yregucfg.dll . ************************************************************************** catchme 0.3.1361 W2K/XP/Vista -
No problem - Combofix first

rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2008-08-27 21:04:54 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************** . --------------------- DLLs Loaded Under Running Processes --------------------- PROCESS: C:\WINDOWS\Explorer.exe -> C:\Program Files\SiteAdvisor\6261\saHook.dll -> C:\WINDOWS\system32\nview.dll . ------------------------ Other Running Processes ------------------------ . C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\system32\CTSVCCDA.EXE C:\Program Files\Olympus\DeviceDetector\DM1Service.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe C:\Program Files\McAfee\VirusScan\Mcshield.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\CNAB3RPK.EXE C:\Program Files\McAfee\MPF\MpfSrv.exe C:\WINDOWS\system32\msiexec.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\tcpsvcs.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\system32\PAStiSvc.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE C:\Program Files\BOINC\boinc.exe C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_4.35_windows_intelx86.exe C:\Program Files\iPod\bin\iPodService.exe C:\PROGRA~1\McAfee\MSC\mcuimgr.exe . ************************************************************************** . Completion time: 2008-08-27 21:11:40 - machine was rebooted [Charlie & Mandy] ComboFix-quarantined-files.txt 2008-08-27 20:11:35 Pre-Run: 2,502,279,168 bytes free Post-Run: 2,420,330,496 bytes free 326 --- E O F --- 2008-08-25 19:25:39
  • 0

#12
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
and Hijakthis

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:48:14 PM, on 27/08/2008 Platform: Windows XP SP3 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16705) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\WINDOWS\System32\CTsvcCDA.exe C:\Program Files\Olympus\DeviceDetector\DM1Service.exe C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe C:\Program Files\McAfee\VirusScan\McShield.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\CNAB3RPK.EXE C:\Program Files\McAfee\MPF\MPFSrv.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe C:\WINDOWS\System32\tcpsvcs.exe C:\Program Files\SiteAdvisor\6261\SAService.exe C:\WINDOWS\System32\PAStiSvc.exe C:\WINDOWS\System32\svchost.exe c:\PROGRA~1\mcafee.com\agent\mcagent.exe C:\WINDOWS\system32\wscntfy.exe C:\Program Files\Microsoft IntelliType Pro\type32.exe C:\WINDOWS\system32\rundll32.exe C:\Program Files\Logitech\MouseWare\system\em_exec.exe C:\Program Files\SiteAdvisor\6261\SiteAdv.exe C:\WINDOWS\CTHELPER.EXE C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\BOINC\boincmgr.exe C:\Program Files\NETGEAR\WG311v3\WG311v3.exe C:\Program Files\BOINC\boinc.exe C:\WINDOWS\system32\wuauclt.exe C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_4.35_windows_intelx86.exe C:\Program Files\iPod\bin\iPodService.exe c:\PROGRA~1\mcafee\msc\mcuimgr.exe C:\WINDOWS\Explorer.exe C:\Documents and Settings\Charlie & Mandy\Desktop\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file) O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe" O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user') O4 - S-1-5-18 Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'SYSTEM') O4 - .DEFAULT Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user') O4 - .DEFAULT User Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user') O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe O4 - Global Startup: Directrec Configuration Tool.lnk = ? O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000 O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com O16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.micro...jects/ocget.dll O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.expertage...asp/ScriptX.cab O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c...bt/yregucfg.cab O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://libcitrix.lec...ca32/wficac.cab O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1207428492798 O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1207428445220 O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://rtc1.webresp...p/TLIEFlash.CAB O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.micro...jects/ocget.dll O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - https://register.bti...bcontrol013.cab O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe -- End of file - 12621 bytes
  • 0

#13
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Wow Charlie, what happened to the logs? :) Please post it again, it's really hard to read when the logs are messed up like this. Please double check after you post them. Thanks.
  • 0

#14
charliewykes

charliewykes

    Member

  • Topic Starter
  • Member
  • PipPip
  • 84 posts
Oops sorry - how's this

ComboFix 08-08-26.03 - Charlie & Mandy 2008-08-27 20:57:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.585 [GMT 1:00]
Running from: C:\Documents and Settings\Charlie & Mandy\Desktop\ComboFix.exe
.
Error: Cfiles.dat

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Charlie & Mandy\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\WINDOWS\system32\_000115_.tmp.dll
C:\WINDOWS\system32\_003864_.tmp.dll
C:\WINDOWS\system32\_003865_.tmp.dll
C:\WINDOWS\system32\_003866_.tmp.dll
C:\WINDOWS\system32\_003867_.tmp.dll
C:\WINDOWS\system32\_003874_.tmp.dll
C:\WINDOWS\system32\_003875_.tmp.dll
C:\WINDOWS\system32\_003876_.tmp.dll
C:\WINDOWS\system32\_003878_.tmp.dll
C:\WINDOWS\system32\_003879_.tmp.dll
C:\WINDOWS\system32\_003882_.tmp.dll
C:\WINDOWS\system32\_003883_.tmp.dll
C:\WINDOWS\system32\_003885_.tmp.dll
C:\WINDOWS\system32\_003886_.tmp.dll
C:\WINDOWS\system32\_003887_.tmp.dll
C:\WINDOWS\system32\_003889_.tmp.dll
C:\WINDOWS\system32\_003890_.tmp.dll
C:\WINDOWS\system32\_003892_.tmp.dll
C:\WINDOWS\system32\_003893_.tmp.dll
C:\WINDOWS\system32\_003894_.tmp.dll
C:\WINDOWS\system32\_003895_.tmp.dll
C:\WINDOWS\system32\_003896_.tmp.dll
C:\WINDOWS\system32\_003897_.tmp.dll
C:\WINDOWS\system32\_003898_.tmp.dll
C:\WINDOWS\system32\_003899_.tmp.dll
C:\WINDOWS\system32\_003900_.tmp.dll
C:\WINDOWS\system32\_003901_.tmp.dll
C:\WINDOWS\system32\_003903_.tmp.dll
C:\WINDOWS\system32\_003905_.tmp.dll
C:\WINDOWS\system32\_003906_.tmp.dll
C:\WINDOWS\system32\_003907_.tmp.dll
C:\WINDOWS\system32\_003908_.tmp.dll
C:\WINDOWS\system32\_003911_.tmp.dll
C:\WINDOWS\system32\_003912_.tmp.dll
C:\WINDOWS\system32\_003913_.tmp.dll
C:\WINDOWS\system32\_003914_.tmp.dll
C:\WINDOWS\system32\_003915_.tmp.dll
C:\WINDOWS\system32\_003918_.tmp.dll
C:\WINDOWS\system32\_003919_.tmp.dll
C:\WINDOWS\system32\_003920_.tmp.dll
C:\WINDOWS\system32\_003921_.tmp.dll
C:\WINDOWS\system32\_003922_.tmp.dll
C:\WINDOWS\system32\_003923_.tmp.dll
C:\WINDOWS\system32\_003925_.tmp.dll
C:\WINDOWS\system32\_003926_.tmp.dll
C:\WINDOWS\system32\_003929_.tmp.dll
C:\WINDOWS\system32\_003930_.tmp.dll
C:\WINDOWS\system32\_003932_.tmp.dll
C:\WINDOWS\system32\_003933_.tmp.dll
C:\WINDOWS\system32\_003934_.tmp.dll
C:\WINDOWS\system32\_003936_.tmp.dll
C:\WINDOWS\system32\_003939_.tmp.dll
C:\WINDOWS\system32\_003940_.tmp.dll
C:\WINDOWS\system32\_003944_.tmp.dll
C:\WINDOWS\system32\_003945_.tmp.dll
C:\WINDOWS\system32\_003947_.tmp.dll
C:\WINDOWS\system32\_003948_.tmp.dll
C:\WINDOWS\system32\_003950_.tmp.dll
C:\WINDOWS\system32\_003952_.tmp.dll
C:\WINDOWS\system32\_003953_.tmp.dll
C:\WINDOWS\system32\_003954_.tmp.dll
C:\WINDOWS\system32\_003955_.tmp.dll
C:\WINDOWS\system32\_003958_.tmp.dll
C:\WINDOWS\system32\_003959_.tmp.dll
C:\WINDOWS\system32\_003960_.tmp.dll
C:\WINDOWS\system32\_003961_.tmp.dll
C:\WINDOWS\system32\_003962_.tmp.dll
C:\WINDOWS\system32\_003967_.tmp.dll
C:\WINDOWS\system32\_003969_.tmp.dll
C:\WINDOWS\system32\_003970_.tmp.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-27 to 2008-08-27 )))))))))))))))))))))))))))))))
.

2008-08-27 18:57 . 2008-05-01 15:33 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll
2008-08-25 20:25 . 2008-08-27 20:49 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-08-25 20:20 . 2008-08-27 20:55 4,958,588 --a------ C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-20021102}.BAK
2008-08-25 17:25 . 2008-04-14 05:42 2,843,136 --a------ C:\WINDOWS\system32\msi.dll
2008-08-25 17:25 . 2008-04-13 21:09 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
2008-08-25 17:25 . 2008-04-14 05:42 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
2008-08-25 17:25 . 2008-04-14 05:42 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
2008-08-25 17:25 . 2008-04-14 05:42 15,360 --a------ C:\WINDOWS\system32\msisip.dll
2008-08-25 15:54 . 2008-04-11 20:04 691,712 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2008-08-25 11:44 . 2008-08-25 11:44 578,560 --a--c--- C:\WINDOWS\system32\dllcache\user32.dll
2008-08-25 11:41 . 2008-08-25 11:41 <DIR> d-------- C:\WINDOWS\ERUNT
2008-08-25 10:28 . 2008-08-25 12:13 <DIR> d-------- C:\SDFix
2008-08-25 10:09 . 2008-08-25 10:09 2,335,270 --a------ C:\WINDOWS\system32\36180.mht
2008-08-25 10:09 . 2008-04-14 05:41 706,048 --a------ C:\WINDOWS\system32\fe382.tmp
2008-08-25 10:09 . 2008-08-25 10:09 128,352 --a------ C:\WINDOWS\system32\bde81.dll
2008-08-25 10:09 . 2008-08-25 10:09 54,624 --a------ C:\WINDOWS\system32\bde81.sys
2008-08-20 18:40 . 2008-08-21 19:34 250 --a------ C:\WINDOWS\gmer.ini
2008-08-18 21:07 . 2008-08-18 21:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-18 21:07 . 2008-08-18 21:07 <DIR> d-------- C:\Documents and Settings\Charlie & Mandy\Application Data\Malwarebytes
2008-08-18 21:07 . 2008-08-18 21:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-18 21:07 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-18 21:07 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-12 18:32 . 2008-08-12 18:32 29 --a------ C:\WINDOWS\system32\ggaittqf.tmp
2008-08-11 23:38 . 2008-08-11 23:38 <DIR> d-------- C:\Program Files\iTunes

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-27 20:07 --------- d-----w C:\Program Files\BOINC
2008-08-25 14:40 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\SiteAdvisor
2008-08-25 09:16 --------- d-----w C:\Program Files\iiyama monitor test
2008-08-25 08:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\OsaSync
2008-08-25 08:32 --------- d-----w C:\Program Files\RunLog
2008-08-14 12:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-08-12 07:04 --------- d-----w C:\Program Files\Apple Software Update
2008-08-11 22:38 --------- d-----w C:\Program Files\iPod
2008-07-25 13:39 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\Canon
2008-07-13 18:00 --------- d-----w C:\Program Files\QuickTime
2008-07-13 18:00 --------- d-----w C:\Program Files\Bonjour
2008-06-29 19:01 --------- d-----w C:\Program Files\FinePixViewer
2008-06-29 19:01 --------- d-----w C:\Documents and Settings\Charlie & Mandy\Application Data\FUJIFILM
2008-06-29 18:18 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-29 18:15 --------- d-----w C:\Program Files\REGSHAVE
2007-06-14 06:38 92,064 ------w C:\Documents and Settings\Charlie & Mandy\mqdmmdm.sys
2007-06-14 06:38 9,232 ------w C:\Documents and Settings\Charlie & Mandy\mqdmmdfl.sys
2007-06-14 06:38 79,328 ------w C:\Documents and Settings\Charlie & Mandy\mqdmserd.sys
2007-06-14 06:38 66,656 ------w C:\Documents and Settings\Charlie & Mandy\mqdmbus.sys
2007-06-14 06:38 6,208 ------w C:\Documents and Settings\Charlie & Mandy\mqdmcmnt.sys
2007-06-14 06:38 5,936 ------w C:\Documents and Settings\Charlie & Mandy\mqdmwhnt.sys
2007-06-14 06:38 4,048 ------w C:\Documents and Settings\Charlie & Mandy\mqdmcr.sys
2007-06-14 06:38 25,600 ------w C:\Documents and Settings\Charlie & Mandy\usbsermptxp.sys
2007-06-14 06:38 22,768 ------w C:\Documents and Settings\Charlie & Mandy\usbsermpt.sys
2007-05-24 13:58 249,856 ----a-w C:\WINDOWS\inf\WG311v3\InsDrv2k.exe
2006-12-04 10:38 212,992 ----a-w C:\WINDOWS\inf\WG311v3\CopyWHQLDriver.exe
2005-12-29 17:07 282,624 ----a-r C:\WINDOWS\inf\WG311v3\WG311v3XP.sys
2005-10-27 07:44 96,560 ------w C:\Documents and Settings\Charlie & Mandy\Application Data\GDIPFONTCACHEV1.DAT
2005-09-25 21:02 5,872 ------w C:\Documents and Settings\All Users\Application Data\ypinfo.bin
2004-12-18 23:45 855 ------w C:\Documents and Settings\Charlie & Mandy\DMOrganizer.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteCenter"="C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE" [2003-06-12 09:47 135168]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 14:17 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 16:45 114688]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 18:17 159744]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-11-01 19:12 582992]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6261\SiteAdv.exe" [2007-08-24 22:57 36640]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 22:32 53248]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 10:47 289064]
"PtiuPbmd"="ptipbm.dll" [2003-01-15 20:41 24576 C:\WINDOWS\system32\ptipbm.dll]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"Logitech Utility"="Logi_MwX.Exe" [2003-12-11 09:50 20992 C:\WINDOWS\LOGI_MWX.EXE]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2007-04-09 12:32 19968 C:\WINDOWS\system32\Ctxfihlp.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 05:42 15360]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2007-12-05 01:41 81920]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BOINC Manager.lnk - C:\Program Files\BOINC\boincmgr.exe [2006-08-03 01:26:30 1966080]
Directrec Configuration Tool.lnk - C:\Program Files\Olympus\DSSPlayer\DirectrecConfig.exe [2006-12-08 22:11:27 122880]
NETGEAR WG311v3 Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311v3\WG311v3.exe [2007-11-21 17:51:20 1507328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"kavsvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\WINDOWS\\system32\\mmc.exe"=
"C:\\NeverwinterNights\\NWN\\nwmain.exe"=
"C:\\WINDOWS\\system32\\CNAB3RPK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2003-05-09 16:55]
R0 viasraid;viasraid;C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-09-05 11:25]
R1 SSHDRV79;SSHDRV79;C:\WINDOWS\system32\drivers\SSHDRV79.sys [2005-08-29 19:27]
R1 SSHDRV85;SSHDRV85;C:\WINDOWS\system32\drivers\SSHDRV85.sys [2005-07-24 22:54]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 04:47]
R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 03:40]
S2 TROMPSUV;TROMPSUV;C:\WINDOWS\system32\drivers\TROMPSUV.sys []
S3 bde81;bde81;C:\WINDOWS\system32\bde81.sys [2008-08-25 10:09]
S3 FANTOM;LEGO MINDSTORMS NXT Driver;C:\WINDOWS\system32\DRIVERS\fantom.sys [2006-03-10 15:55]
S3 ids0004C;ids0004C;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids0004C.sys []
S3 klstm;klstm;C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys []
S3 ldiskl;ldiskl;C:\DOCUME~1\CHARLI~1\LOCALS~1\Temp\ldiskl.sys []
S3 LtcyCfgWDM;PCI Latency Tool Driver Service;C:\WINDOWS\system32\DRIVERS\LtcyCfgWDM.sys [2005-12-26 01:24]
S3 motccgp;Motorola USB Composite Device Driver;C:\WINDOWS\system32\DRIVERS\motccgp.sys [2007-02-27 14:31]
S3 motccgpfl;MotCcgpFlService;C:\WINDOWS\system32\DRIVERS\motccgpfl.sys [2007-01-23 19:03]
S3 MotDev;Motorola Inc. USB Device;C:\WINDOWS\system32\DRIVERS\motodrv.sys [2006-12-14 10:27]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42]
S3 p2psvc;Peer Networking;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42]
S3 PAC207;SoC [email protected];C:\WINDOWS\system32\DRIVERS\pfc027.sys []
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\System32\svchost.exe [2008-04-14 05:42]
S3 SjyPkt;SjyPkt;C:\WINDOWS\System32\Drivers\SjyPkt.sys [2002-10-02 09:57]
S3 SndTDriverV32;SndTDriverV32;C:\WINDOWS\system32\drivers\SndTDriverV32.sys [2007-01-18 13:24]
S3 w300bus;Sony Ericsson W300 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\w300bus.sys [2006-03-13 15:49]
S3 w300mdfl;Sony Ericsson W300 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\w300mdfl.sys [2006-03-13 17:50]
S3 w300mdm;Sony Ericsson W300 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\w300mdm.sys [2006-03-13 17:50]
S3 w300mgmt;Sony Ericsson W300 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\w300mgmt.sys [2006-03-13 17:50]
S3 w300obex;Sony Ericsson W300 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\w300obex.sys [2006-03-13 17:50]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc
bdx REG_MULTI_SZ scan

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89322030-086e-11db-bcb6-000e502476af}]
\Shell\AutoRun\command - G:\Installer.exe
.
Contents of the 'Scheduled Tasks' folder

2008-08-27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2008-08-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2008-05-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKCU-Run-Power2GoExpress - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-Steam - c:\program files\valve\steam\steam.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.bbc.co.uk/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Search Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1;*.local
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 -: Easy-WebPrint Add To Print List - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 -: Easy-WebPrint High Speed Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 -: Easy-WebPrint Preview - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 -: Easy-WebPrint Print - C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html

O16 -: DirectAnimation Java Classes

O16 -: Microsoft XML Parser for Java

- C:\WINDOWS\Downloaded Program Files\ScriptX.inf

O16 -: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} - hxxp://us.dl1.yimg.com/download.yahoo.com/dl/installs/bt/yregucfg.cab
C:\WINDOWS\Downloaded Program Files\yregucfg.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-27 21:04:54
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.exe
-> C:\Program Files\SiteAdvisor\6261\saHook.dll
-> C:\WINDOWS\system32\nview.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\PROGRA~1\COMMON~1\McAfee\MNA\McNASvc.exe
C:\PROGRA~1\COMMON~1\McAfee\McProxy\McProxy.exe
C:\Program Files\McAfee\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\Program Files\McAfee\MPF\MpfSrv.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\system32\PAStiSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\BOINC\boinc.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_4.35_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-08-27 21:11:40 - machine was rebooted [Charlie & Mandy]
ComboFix-quarantined-files.txt 2008-08-27 20:11:35

Pre-Run: 2,502,279,168 bytes free
Post-Run: 2,420,330,496 bytes free

326 --- E O F --- 2008-08-25 19:25:39


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:14 PM, on 27/08/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\SiteAdvisor\6261\SAService.exe
C:\WINDOWS\System32\PAStiSvc.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\SiteAdvisor\6261\SiteAdv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\astropulse_4.35_windows_intelx86.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\Explorer.exe
C:\Documents and Settings\Charlie & Mandy\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Athens Toolbar - {2E560504-B9C8-48AA-982A-08B79C3FD40E} - C:\Program Files\Eduserv Technologies Limited\Athens Toolbar\AthensToolbar.dll
O3 - Toolbar: (no name) - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6261\SiteAdv.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [SiteAdvisor] "C:\Program Files\SiteAdvisor\6261\SiteAdv.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - .DEFAULT User Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe (User 'Default user')
O4 - Global Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Directrec Configuration Tool.lnk = ?
O4 - Global Startup: NETGEAR WG311v3 Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311v3\WG311v3.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {028518E1-9FA8-44FC-92D7-5C54244B5F36} - http://activex.micro...jects/ocget.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative....031/CTSUEng.cab
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://www.expertage...asp/ScriptX.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.c...bt/yregucfg.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - https://www-secure.s...sa/LSSupCtl.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://libcitrix.lec...ca32/wficac.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1207428492798
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1207428445220
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} - https://rtc1.webresp...p/TLIEFlash.CAB
O16 - DPF: {AAF15A90-F3EC-4FEE-9A00-F65B25B83D05} - http://activex.micro...jects/ocget.dll
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcaf...,23/mcgdmgr.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.s...sa/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EC5A4E7B-02EB-451D-B310-D5F2E0A4D8C3} - https://register.bti...bcontrol013.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15035/CTPID.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe Active File Monitor (AdobeActiveFileMonitor) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DM1Service - OLYMPUS Corporation - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan\McShield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6261\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe

--
End of file - 12621 bytes
  • 0

#15
Ltangelic

Ltangelic

    Angel Annihilator of Malware

  • Retired Staff
  • 2,008 posts
Hey charliewykes,

That's much better, thanks. :)

There are some strange files inside there, and it looks like you still have some rootkit on your computer.

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

http://www.geekstogo...s...t&p=1319018

Collect::
C:\WINDOWS\system32\bde81.dll
C:\WINDOWS\system32\bde81.sys
C:\WINDOWS\system32\drivers\TROMPSUV.sys

File::
C:\WINDOWS\{00000000-00000000-0000000D-00001102-00000004-20021102}.BAK
C:\WINDOWS\system32\36180.mht
C:\WINDOWS\system32\fe382.tmp
C:\WINDOWS\system32\ggaittqf.tmp
C:\Documents and Settings\Charlie & Mandy\Local Settings\Temp\ldiskl.sys
G:\Installer.exe

Driver::
TROMPSUV
bde81
ldiskl

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89322030-086e-11db-bcb6-000e502476af}]

Sysrst::


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. Additonally, ComboFix will generate the following files on your desktop
  • A zipped file on your desktop called Submit [Date Time].zip
  • And another file named - CF-Submit.htm
6. ComboFix may need to reboot to finish its work. Let it.

7. When CF has finished running, it will generate the ComboFix.log which will appear on your screen.

8. If CF-Submit.htm is detected, ComboFix will generate this message box:

Posted Image

Clicking OK will cause the machine's browser to load CF-Submit.htm

Posted Image

9. Click the "Browse" button and locate the Submit [Date Time].zip file on your desktop.
  • Click on the file to Select it.
  • Submit the file by clicking "OK"
10. Once the file has been submitted, please DELETE both files on your desktop.

11. Post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log (run after ComboFix has finished its work.)

Edited by Ltangelic, 30 August 2008 - 09:15 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP