It is booting my laptop over and over!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:19 PM, on 4/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support
Running processes:
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SpeedProject\SpeedCommander 12\SpeedCommander.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: EverProfitsAddOns - {1b08a88c-3083-4512-93dc-ce1321deb555} - C:\Program Files\Ever Profits Toolbar\adxloader.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ever Profits Toolbar - {4fe8e2eb-f905-45a9-8de9-9ad2f228ccc9} - C:\Program Files\Ever Profits Toolbar\adxloader.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\RunOnce: [Application Restart #0] C:\Program Files\Windows Media Player\wmpnscfg.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O4 - Global Startup: Update ESET's licence.lnk = C:\Program Files\Eset\MiNODLogin\MiNODLogin.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ArchVision Content Manager Service - Unknown owner - C:\Program Files\ArchVision\ArchVision Content Manager\rpcACMapp.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
--
End of file - 11249 bytes
-----------------------------------------------------------------------------------
ComboFix 09-04-30.01 - Eli 04/30/2009 16:07.4 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.548 [GMT -3:00]
Running from: F:\ComboFix.exe
FW: COMODO Firewall Pro *disabled*
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.
2009-04-30 16:49 . 2008-06-19 19:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-24 03:25 . 2009-04-30 16:49 -------- d-----w c:\program files\Panda Security
2009-04-24 00:52 . 2009-04-24 00:52 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-----w c:\programdata\Hewlett-Packard
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-----w c:\users\All Users\Hewlett-Packard
2009-04-23 21:10 . 2009-04-23 21:10 -------- d-sh--w c:\windows\system32\%APPDATA%
2009-04-23 16:01 . 2009-04-30 12:24 -------- d-----w c:\program files\Proxy Switcher Standard
2009-04-21 18:50 . 2009-04-21 18:50 -------- dc----w C:\Autodesk
2009-04-20 22:25 . 2009-04-20 22:26 -------- d-----w c:\program files\Vidalia Bundle
2009-04-20 20:29 . 2009-04-20 20:29 -------- d-----w c:\program files\ProxyShell
2009-04-16 21:11 . 2009-04-17 03:48 -------- d-----w c:\users\Eli\AppData\Local\PMB Files
2009-04-16 21:11 . 2009-04-16 21:15 -------- d-----w c:\programdata\PMB Files
2009-04-16 21:11 . 2009-04-16 21:15 -------- d-----w c:\users\All Users\PMB Files
2009-04-16 21:10 . 2009-04-16 21:10 -------- d-----w c:\program files\Pando Networks
2009-04-15 11:14 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-15 11:14 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-15 11:14 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-12 11:30 . 2009-04-12 11:30 -------- d-----w c:\programdata\HP
2009-04-12 11:30 . 2009-04-12 11:30 -------- d-----w c:\users\All Users\HP
2009-04-09 18:21 . 2009-04-09 18:21 38240 ----a-w c:\windows\system32\drivers\epfwwfp.sys
2009-04-09 18:21 . 2009-04-09 18:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 18:21 . 2009-04-09 18:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 18:18 . 2009-04-09 18:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 18:10 . 2009-04-09 18:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-04-09 17:49 . 2009-04-09 17:49 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-01 00:47 . 2008-04-07 07:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 19:11 . 2008-10-04 14:21 1356 ----a-w c:\users\Eli\AppData\Local\d3d9caps.dat
2009-04-30 19:11 . 2009-03-06 13:33 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-30 18:58 . 2007-11-14 09:53 12 ----a-w c:\windows\bthservsdp.dat
2009-04-30 18:53 . 2009-03-21 22:15 27649 ----a-w c:\users\All Users\nvModes.dat
2009-04-30 18:53 . 2009-03-21 22:15 27649 ----a-w c:\programdata\nvModes.dat
2009-04-30 15:52 . 2009-03-06 21:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 15:36 . 2009-03-09 21:40 -------- d-----w c:\program files\GSA Auto SoftSubmit
2009-04-29 13:45 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-27 20:53 . 2009-03-11 14:02 -------- d-----w c:\program files\NoteTab Pro 5
2009-04-26 12:11 . 2009-02-27 16:37 -------- d-----w c:\program files\RSS Submit
2009-04-24 23:45 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-24 23:45 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-24 23:45 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-24 23:42 . 2008-03-04 03:21 -------- d-----w c:\program files\Eset
2009-04-24 12:19 . 2009-03-02 17:06 -------- d-----w c:\program files\FriendBlasterPro
2009-04-24 12:09 . 2009-03-02 17:32 -------- d-----w c:\program files\TwitterBlasterPro
2009-04-22 22:53 . 2009-02-09 23:07 -------- d-----w c:\program files\SEO Directory Submitter
2009-04-22 11:59 . 2009-02-17 01:12 -------- d-----w c:\program files\SocialSpeed
2009-04-17 20:22 . 2007-08-05 01:49 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 20:22 . 2007-08-05 01:45 -------- d-----w c:\program files\Hewlett-Packard
2009-04-17 14:30 . 2009-02-09 16:54 -------- d-----w c:\program files\Replay Video Capture
2009-04-17 14:25 . 2009-02-25 18:51 -------- d-----w c:\program files\VideoPostRobot
2009-04-15 13:10 . 2008-03-03 14:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 17:53 . 2009-03-21 16:54 -------- d-----w c:\program files\SENuke
2009-04-09 18:01 . 2007-12-27 17:03 181088 ----a-w c:\users\Eli\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-09 17:54 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-08 22:47 . 2008-03-03 15:37 -------- d-----w c:\program files\IrfanView
2009-04-06 18:32 . 2009-03-06 21:53 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 18:32 . 2009-03-06 21:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 19:19 . 2008-07-09 14:45 891448 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-03-31 17:35 . 2009-04-23 21:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-31 00:37 . 2009-03-13 12:10 -------- d-----w c:\program files\CoreFTP
2009-03-30 19:30 . 2009-04-23 21:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-26 19:36 . 2009-03-26 19:36 257071 ----a-w c:\windows\XHeader Uninstaller.exe
2009-03-26 19:36 . 2009-03-26 19:36 -------- d-----w c:\program files\XHeader
2009-03-26 19:36 . 2009-03-26 19:36 -------- d-----w c:\program files\Common Files\Thraex Software
2009-03-25 22:36 . 2009-02-06 18:06 -------- d-----w c:\program files\PromoSoft
2009-03-25 21:33 . 2009-03-25 21:33 -------- d-----w c:\program files\Mythicsoft
2009-03-25 20:50 . 2009-03-25 20:49 -------- d-----w c:\program files\SmartFTP Client
2009-03-23 19:22 . 2008-03-04 02:17 -------- d-----w c:\program files\Avanquest
2009-03-22 15:48 . 2009-03-22 15:48 -------- d---a-w c:\program files\Neoretix
2009-03-19 19:11 . 2007-08-05 02:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-19 19:06 . 2008-03-04 19:06 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-19 16:41 . 2008-03-03 15:04 -------- d-----w c:\program files\Google
2009-03-19 16:34 . 2008-05-03 21:38 -------- d-----w c:\program files\Common Files\Autodesk Shared
2009-03-19 16:30 . 2008-11-20 18:05 -------- d-----w c:\program files\Ashampoo
2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Vstplugins
2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Sony
2009-03-18 21:52 . 2009-03-02 22:31 -------- d-----w c:\program files\RSS Wizard
2009-03-18 03:53 . 2009-03-18 03:53 -------- d-----w c:\program files\SocialSubmitterDemo
2009-03-18 02:54 . 2009-02-16 11:16 -------- d-----w c:\program files\Ever Profits Toolbar
2009-03-17 18:59 . 2009-01-03 20:16 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-03-17 15:09 . 2009-03-06 01:31 -------- d--h--w c:\program files\NiwradSoft
2009-03-17 03:38 . 2009-04-15 11:15 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 11:15 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 11:15 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-15 03:50 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-14 12:54 . 2009-03-14 00:25 -------- d-----w c:\program files\Free Link Cloaker
2009-03-14 00:46 . 2009-03-14 00:45 -------- d-----w c:\program files\Phantom Cloaker
2009-03-13 12:16 . 2008-09-01 00:22 -------- d-----w c:\program files\Siber Systems
2009-03-13 01:16 . 2009-02-06 17:41 -------- d-----w c:\program files\WebPosition 4
2009-03-12 23:57 . 2009-03-12 23:57 -------- d-----w c:\program files\The Internet Marketing Center
2009-03-12 13:32 . 2008-03-04 01:39 -------- d-----w c:\program files\FlashFXP
2009-03-11 10:16 . 2009-03-11 10:16 -------- d-----w c:\program files\PowerMenu
2009-03-10 21:53 . 2009-01-23 01:48 -------- d-----w c:\program files\Lavasoft
2009-03-09 19:01 . 2009-02-12 19:32 -------- d-----w c:\program files\Freeware PDF Unlocker
2009-03-09 01:12 . 2009-03-09 01:11 -------- d-----w c:\program files\RoboSoft 3
2009-03-07 17:59 . 2009-03-07 17:59 -------- d-----w c:\program files\NPUST
2009-03-07 17:56 . 2009-03-07 17:56 -------- d-----w c:\program files\Living Easy Software
2009-03-07 16:26 . 2009-03-07 16:26 -------- d-----w c:\program files\Common Files\SpeedProject
2009-03-07 16:26 . 2008-06-28 15:05 -------- d-----w c:\program files\SpeedProject
2009-03-07 15:39 . 2009-03-07 15:39 -------- d-----w c:\program files\IntelliAdmin
2009-03-06 22:22 . 2008-04-21 23:03 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 22:22 . 2008-04-22 00:40 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-06 20:12 . 2009-04-23 21:14 21256 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2009-03-06 13:16 . 2009-03-06 13:16 7852 ----a-w c:\windows\system32\mcdmsg7.dll
2009-03-06 12:13 . 2007-08-05 02:28 -------- d-----w c:\program files\Microsoft Works
2009-03-05 23:06 . 2009-03-05 23:06 -------- d-----w c:\program files\Object Desktop
2009-03-05 22:11 . 2008-08-30 13:39 -------- d-----w c:\program files\Vista Start Menu
2009-03-05 15:29 . 2009-03-26 21:16 16648 ----a-w c:\windows\Help\OEM\scripts\HC_ProtectSmartPatch.exe
2009-03-04 13:28 . 2009-03-04 13:28 -------- d-----w c:\program files\Common Files\SWF Studio
2009-03-03 23:17 . 2008-10-30 16:49 -------- d-----w c:\program files\Pegasys Inc
2009-03-03 23:06 . 2007-08-05 02:48 -------- d-----w c:\program files\HP Games
2009-03-03 04:46 . 2009-04-15 11:15 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 11:15 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 11:15 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 11:15 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 11:15 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 11:15 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 11:15 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-15 11:15 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-15 11:15 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 11:15 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-02 17:37 . 2009-03-02 17:37 -------- d-----w c:\program files\Nuclear Coffee
2009-03-02 17:02 . 2009-03-02 17:02 -------- d-----w c:\program files\NotePage
2009-02-24 01:46 . 2009-02-24 01:46 91 ----a-w c:\users\Eli\AppData\Local\fusioncache.dat
2009-02-18 20:37 . 2008-03-13 14:23 263184 ---ha-w c:\windows\system32\mlfcache.dat
2009-02-13 08:49 . 2009-04-15 11:15 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 11:15 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 10:10 2033152 ----a-w c:\windows\system32\win32k.sys
2007-01-06 13:19 . 2007-01-06 13:19 108 --sha-r c:\windows\neoqaz2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaStartMenu"="c:\program files\Vista Start Menu\VistaStartMenu.exe" [2008-07-09 1331200]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-18 159744]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Application Restart 0"="c:\program files\Windows Media Player\wmpnscfg.exe" [2008-01-19 202240]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update ESET's licence.lnk - c:\program files\Eset\MiNODLogin\MiNODLogin.exe [2009-4-19 125952]
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StartupFaster
Actualizar la licencia del NOD32.lnk - c:\program files\Eset\ESET Smart Security\MiNODLogin.exe [2008-9-25 125952]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Actualizar la licencia del NOD32.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Actualizar la licencia del NOD32.lnk
backup=c:\windows\pss\Actualizar la licencia del NOD32.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup
[HKLM\~\startupfolder\C:^Users^Eli^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\users\Eli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1491950412-2009852829-4049741679-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7528C9F9-5F63-4907-820E-5AE2980E0288}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{E9A2201F-0316-4990-9FF4-BD92ECD9F2EB}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{F86521EC-F013-4DEC-8ECF-394A3BA411AD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E7CD4B0-5C7B-4182-8E47-908AD1D3631A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1A96733B-1920-4D1A-AA0D-D0A748C5D4E6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A450AD95-B5EC-4B8A-85AA-A7AD5AA39F8A}"= UDP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{DC9868B6-AEFE-4FD3-9D87-57B842414B9A}"= TCP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{56CF2D5D-0AD4-46A5-AE06-8C88E678B150}"= UDP:c:\program files\7-Zip\7zFM.exe:7-Zip File Manager
"{822D0F7B-DDDE-4A27-8BFE-D54D5E4AE7AA}"= TCP:c:\program files\7-Zip\7zFM.exe:7-Zip File Manager
"TCP Query User{23E3BF57-ED59-4B64-9EBD-7E02B31ABC60}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AF381AFB-1262-42A2-8AD3-920F727FC333}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{682D23E8-E86C-4A43-9D5B-4CADCDCE90A6}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{055324B6-58F7-4A39-91B8-66BD74B849A0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{DF10F12C-AE82-4595-92DC-E6507E3DC8BD}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A1A36068-8F96-40B5-A57A-5345856D3C0F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2C1FDC35-E0E8-40AF-B24B-739D74A2F3DB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{CA010460-A2C6-4C89-BF07-72D5D94E85B6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6A88AD41-C0ED-4673-8C45-3932AA447E9E}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{05AE3CCB-9DAB-4229-834B-1EBD900FE709}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{38A29E48-8011-47F2-8F0E-40E372039479}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{DE26C65D-6DA1-499E-8050-787B63FA2FAA}"= UDP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{FDE37A47-7D36-40EE-AB3F-FC72A27D9319}"= TCP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{985F9086-523A-4742-889A-EEB3BF5B2C29}"= UDP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{14C015BF-CBC1-4AF7-8665-104AB307FD68}"= TCP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{C39DAB44-2C24-4060-8E30-5DDF6B64A3A1}"= UDP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{8BC0BA89-E93C-47E8-9E35-966118D36F36}"= TCP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{680A5CAF-1BE7-4B49-9FCD-820E182BAB67}"= UDP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{5D3633D7-1F1F-446C-81FE-53B2C8CF81C3}"= TCP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{31A1EEAB-800D-4F1E-9A9F-1D794FEEAA2B}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{683660CD-0B4C-4A0E-A651-7B8CAB551985}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{94256596-E725-409F-B954-A16801BB6543}"= UDP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMapp.exe:ArchVision Content Manager
"{645B27F5-24B9-4477-BC85-EB9C3433673F}"= TCP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMapp.exe:ArchVision Content Manager
"{5EDC0E58-0B88-471B-8ACE-6D38CF8F2F19}"= UDP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMftp.exe:ArchVision Download Processor
"{B5E941A1-61A0-4B99-884C-E746EAB9FD90}"= TCP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMftp.exe:ArchVision Download Processor
"{0165DBAD-6B2D-40C6-B3A2-A18FCEA5F0AB}"= TCP:2799:Altova License Metering Port (UDP)
"{C247AD69-1BFF-473B-992D-51541B0B610A}"= UDP:2799:Altova License Metering Port (TCP)
"{AB2A34A1-5CDF-4885-BA98-334E3BB6B1DB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B75A3332-B6B7-4302-B590-95EB2B72110F}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{75E9027A-E04D-4D46-B964-271E5A0FFF2F}"= UDP:5353:Adobe CSI CS4
"{3A160451-E083-40E6-A371-DAAC3E483DEF}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{697155E5-27AA-4A7A-8C28-86387B449C28}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{A82CFDF4-C6C7-4B84-8B29-C60702D32A55}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{1598EE94-3BAB-496D-9E02-7DD2A80F56D4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{5D6DFC7B-6D2C-49F8-AD69-BA4F38553498}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F9EC70F9-0D8E-4A9C-B1DF-5F9F64D702DE}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BDFBCE30-0D68-4090-A417-A18943D72B65}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB4CD9FC-4BE1-4341-B20D-D3CF51A322D6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F4AC6798-21B3-4E6A-BFA7-54B6BE4FC23B}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{7AB1DE7F-4400-40A9-8ED0-F580134D4D0C}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
"c:\\Program Files\\IBP 10\\IBP.exe"= c:\program files\IBP 10\IBP.exe:*:Enabled:Internet Business Promoter (IBP)
R0 Lbd;Lbd; [x]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 SASKUTIL;SASKUTIL; [x]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-04-09 731840]
R2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-04-09 38240]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 600912]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2008-12-04 226640]
R3 ArchVision Content Manager Service;ArchVision Content Manager Service; [x]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2008-12-08 55264]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
R3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-05 603904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8412efa7-e8fc-11dc-afb2-001e375ff685}]
\shell\Setup\command - setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8412efaa-e8fc-11dc-afb2-001e375ff685}]
\shell\AutoRun\command - F:\LaunchU3.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
2009-04-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 12:09]
2009-04-24 c:\windows\Tasks\HPCeeScheduleForEli.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-05 21:23]
.
- - - - ORPHANS REMOVED - - - -
HKLM-RunOnce-<NO NAME> - (no file)
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:9666
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.liv...m/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath -
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:13
Windows 6.0.6001 Service Pack 1 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
c:\windows\system32\drivers\ovfsthxpyeaoqhs.sys 83456 bytes executable
c:\windows\system32\ovfsthxcxeqcrob.dll 60928 bytes executable
c:\windows\system32\ovfsthxhkrdgvff.dll 18432 bytes executable
c:\windows\system32\ovfsthxijkwrrsw.dat 43 bytes
c:\windows\system32\ovfsthxmjninhoe.dll 18432 bytes executable
c:\windows\system32\ovfsthxrmjsbsft.dat 532550 bytes
scan completed successfully
hidden files: 6
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\default\Software\Microsoft\Windows\CurrentVersion\{80931a9f5e5146ffebc38bc8d3faec28}*jopa]
"00"="4bN5tp7prQGqlHHBOMtxM95Qd03gyb2veSgc9F6X/0o="
[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe"
[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx, 1"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx, 1"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
[HKEY_USERS\software\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"
[HKEY_USERS\software\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)
[HKEY_USERS\software\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"
[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_USERS\system\ControlSet002\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000
[HKEY_USERS\system\ControlSet003\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
[HKEY_USERS\system\ControlSet004\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000
[HKEY_USERS\system\ControlSet005\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
[HKEY_USERS\system\ControlSet006\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000
[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'Explorer.exe'(1052)
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-04-30 16:15
ComboFix-quarantined-files.txt 2009-04-30 19:15
Pre-Run: 81,834,311,680 bytes free
Post-Run: 81,795,493,888 bytes free
Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
505 --- E O F --- 2009-04-18 06:03
-------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1
4/30/2009 4:43:16 PM
mbam-log-2009-04-30 (16-43-16).txt
Scan type: Quick Scan
Objects scanned: 69120
Time elapsed: 3 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\Windows\System32\drivers\ovfsthxpyeaoqhs.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthxcxeqcrob.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxhkrdgvff.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxmjninhoe.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxijkwrrsw.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthxrmjsbsft.dat (Trojan.Agent) -> Quarantined and deleted successfully.