TR/Crypt.XPACK.Gen Trojan


#1 Attilla the Bun (Member, 35 posts)
Hi Geeks to Go,
Over the last week or so (after several years of trouble-free browsing) I suddenly had some problems with a couple of trojans (including Patched DO), but found your website and cleared my computer using your guides and advice from some of your threads. Yesterday I followed a lot of the recommendations on your 'preventing malware' guide, including substituting Avira for AVG. I also have had Malwarebytes for a while, and have added SUPERAntiSpyware and SpywareGuard instead of Adaware and Spybot.

Avira did its first scheduled scan this evening and found the trojan TR/Crypt.XPACK.Gen Trojan, which it dealt with, but when I scanned again, it was back. I have Googled for it, and it seems very scary, and I'm beginning to wonder if I have some other problems which are causing this sudden spate of attacks. Please could you help me?

Edited by Attilla the Bun, 09 May 2010 - 01:30 PM.



#2 RKinner (Malware Expert, MVP, 23,711 posts)
Do as much of

http://www.geekstogo...uide-t2852.html

as you can. If a step won't work, skip to the next one. Copy and paste your gmer, mbam, otl, & extras logs into a reply. Do not attach them.

If you lose internet access after running MBAM or if you are not able to get to the downloads:

In IE, Tools, Internet Options, Connections, LAN Settings, then uncheck all boxes and OK. Close IE and restart IE.

In Firefox, Tools, Options, Advanced, Settings, check No Proxy then OK. Close Firefox and restart Firefox.

In Chrome, Wrench, Options, Under the Hood, Change Proxy Settings, uncheck all boxes, OK.

Ron
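RKinner's post asks for the OTL log so that its entries can be checked line by line. As an added example (not the forum's or OldTimer's own code), the following Python script does a first triage pass over OTL-format lines and lists the entries a helper normally looks at first: orphaned "File not found" references, binaries with no company/version info, executables carrying hidden or system attributes, and auto-start targets in user-writable folders. The sample lines are taken from the OTL log posted further down, except the last one, which is constructed; a finding is a review item, not a verdict (TeaTimer's RHS attributes, for instance, are normal for Spybot).

```python
import re
from dataclasses import dataclass

# OTL prints a file-info block in front of most entries:
#   [yyyy/mm/dd hh:mm:ss | size | attrs | M]
# attrs has four columns, in the order R (read-only), H (hidden), S (system), D (directory).
INFO_RE = re.compile(
    r"\[\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \| [\d,]+ \| (?P<attrs>[RHSD-]{4}) \| [MC]\]"
)
# The company name from the file's version info is printed in parentheses; "()" means none.
COMPANY_RE = re.compile(r"\(([^()]*)\)")

# Entry types worth a second look: processes, modules, services, drivers,
# Run keys / Startup folder, Winlogon entries and ShellExecuteHooks.
TRACKED_KINDS = {"PRC", "MOD", "SRV", "DRV", "O4", "O20", "O28"}

# Locations an ordinary user account can write to on Windows XP. An auto-start
# binary living there is unusual for installed software and worth a closer look
# (OTL itself runs from Downloads, so known tools still have to be whitelisted).
USER_WRITABLE_MARKERS = ("\\documents and settings\\", "\\temp\\", "\\recycler\\")


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def extract_path(kind, line):
    """Return the on-disk path named by an OTL entry, or None if it has none."""
    if kind in {"PRC", "MOD", "SRV", "DRV"}:
        parts = line.split(" -- ")          # "... (Company) -- path -- (ServiceName)"
        return parts[1] if len(parts) > 1 and parts[1] else None
    # O4/O20/O28 look like "<key>: [name] path (Company)" or "<key>: link = path (Company)"
    body = line.split(": ", 1)[1] if ": " in line else line
    if body.startswith("[") and "] " in body:
        body = body.split("] ", 1)[1]
    if " = " in body:
        body = body.rsplit(" = ", 1)[1]
    return body.rpartition(" (")[0] if " (" in body else body


def extract_company(kind, line):
    """Company string from the version info; '' means the file carries none."""
    if kind in {"PRC", "MOD", "SRV", "DRV"}:
        info = INFO_RE.search(line)
        if not info:
            return None
        match = COMPANY_RE.search(line, info.end())   # first "(...)" after the info block
        return match.group(1).strip() if match else None
    matches = COMPANY_RE.findall(line)                # Run keys print the company last
    return matches[-1].strip() if matches else None


def triage_otl(log_text):
    """Scan OTL log text and return the entries an analyst should review first."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" - ", 1)[0]
        if "File not found" in line:
            findings.append(Finding(line, "orphaned entry: referenced file no longer exists"))
            continue
        if "Reg Error" in line:
            findings.append(Finding(line, "registry key missing or unreadable"))
            continue
        if kind not in TRACKED_KINDS:
            continue
        if extract_company(kind, line) == "":
            findings.append(Finding(line, "no company/version info in the binary"))
        info = INFO_RE.search(line)
        if info:
            attrs = info.group("attrs")
            # A hidden or system-attributed executable (not a directory) is unusual.
            if attrs[3] != "D" and (attrs[1] == "H" or attrs[2] == "S"):
                findings.append(Finding(line, f"executable carries hidden/system attributes ({attrs})"))
        path = extract_path(kind, line)
        if path and any(m in path.lower() for m in USER_WRITABLE_MARKERS):
            findings.append(Finding(line, "auto-start target lives in a user-writable directory"))
    return findings


def summarize(findings):
    """Count findings per reason so the analyst sees which class dominates."""
    counts = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


# Sample input: the first seven lines are copied from the OTL log posted in this
# thread; the last line is constructed to show an entry that would need follow-up.
SAMPLE_LOG = r"""
PRC - [2010/03/15 14:47:22 | 001,303,784 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2003/08/29 19:05:35 | 000,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
SRV - File not found [Auto | Stopped] -- -- (0155281273365123mcinstcleanup) McAfee Application Installer Cleanup (0155281273365123)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O4 - HKCU..\Run: [updater] C:\Documents and Settings\User\Local Settings\Temp\updater.exe ()
"""

if __name__ == "__main__":
    for f in triage_otl(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
    print(summarize(triage_otl(SAMPLE_LOG)))
```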

#3 Attilla the Bun (Topic Starter, Member, 35 posts)
Hi RKinner
I've been having trouble with GMER. When I tried to save the log (after 3 1/2 hours!), the window went blank and the computer froze completely, so that I had to turn it off at the plug in the end.

I should explain that after I posted this request, I stopped panicking and thought of trying Avira again in safe mode, and I switched off System restore too, as this was how I got rid of the other Trojans a few days ago. This time it did get rid of it, and I did a scan with Malwarebytes, and that also came up clean, and it's been two days now. Mind you, this happened with the Patched DO virus, and that came back a couple of days later.

I'm still not convinced that whatever caused my problems over the last 10 days isn't lurking - it seems odd to have no trouble for years, then suddenly a series of attacks in a few days. I no longer have the confidence to buy anything online, or send emails, just in case. Also something occasionally tries to open a website in a new tab (I use Firefox), although NoScript won't let it open, and that is despite having Malwarebytes, SUPERAntiSpyware, SpywareGuard, Spybot and Avira.

I know you are busy helping people who do still have more of a problem than me, but could you tell from the OTL log below (it only created one, OTL.txt) whether there is still something hiding in there? Before the GMER log disappeared, I noticed that it mentioned an irregularity in a system32/redbook file, and that was where one of the other Trojans was lurking.
Thanks very much,
A the B

OTL logfile created on: 11/05/2010 22:23:17 - Run 2
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 65.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 78.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 335.34 Gb Total Space | 275.56 Gb Free Space | 82.17% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-2D7097102E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/05/10 00:08:59 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL(2).exe
PRC - [2010/05/09 00:01:17 | 002,017,280 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
PRC - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2010/03/15 14:47:22 | 001,303,784 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
PRC - [2010/03/15 14:47:22 | 000,779,496 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
PRC - [2010/03/02 11:28:31 | 000,282,792 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2010/01/14 22:11:00 | 000,076,968 | ---- | M] (Avira GmbH) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe
PRC - [2009/11/22 16:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) -- C:\WINDOWS\system32\ZoneLabs\vsmon.exe
PRC - [2009/11/22 16:42:50 | 001,037,192 | ---- | M] (Check Point Software Technologies LTD) -- C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
PRC - [2009/10/14 14:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ISWSVC.exe
PRC - [2009/10/14 14:30:06 | 000,730,480 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\ForceField.exe
PRC - [2009/05/04 13:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe
PRC - [2009/04/17 13:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) -- C:\Program Files\Kodak\AiO\Center\KodakSvc.exe
PRC - [2009/03/05 16:07:20 | 002,260,480 | RHS- | M] (Safer-Networking Ltd.) -- C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
PRC - [2008/04/14 13:00:00 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/09/28 10:20:00 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
PRC - [2006/05/23 23:49:14 | 000,024,576 | ---- | M] (Syntek America Inc.) -- C:\WINDOWS\system32\StkASv2K.exe
PRC - [2003/08/29 19:05:35 | 000,360,448 | ---- | M] () -- C:\Program Files\SpywareGuard\sgmain.exe
PRC - [2003/08/29 11:14:56 | 000,233,472 | ---- | M] () -- C:\Program Files\SpywareGuard\sgbhp.exe
PRC - [2003/05/23 05:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) -- C:\WINDOWS\system32\DVDRAMSV.exe


========== Modules (SafeList) ==========

MOD - [2010/05/10 00:08:59 | 000,570,880 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\User\My Documents\Downloads\OTL(2).exe
MOD - [2010/02/10 20:12:08 | 000,496,872 | ---- | M] (Trusteer Ltd.) -- C:\Program Files\Trusteer\Rapport\bin\rooksbas.dll
MOD - [2009/10/14 14:30:36 | 000,628,080 | ---- | M] (Check Point Software Technologies) -- C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
MOD - [2008/07/25 12:17:20 | 000,635,904 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcr80.dll
MOD - [2008/07/25 12:17:20 | 000,558,080 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\msvcp80.dll
MOD - [2008/04/14 13:00:00 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\msscript.ocx


========== Win32 Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- -- (0155281273365123mcinstcleanup) McAfee Application Installer Cleanup (0155281273365123)
SRV - [2010/04/01 13:33:19 | 000,267,432 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2010/03/29 08:51:54 | 000,068,000 | ---- | M] (NOS Microsystems Ltd.) [On_Demand | Stopped] -- C:\Program Files\NOS\bin\getPlus_Helper.dll -- (getPlusHelper) getPlus®
SRV - [2010/03/15 14:47:22 | 000,779,496 | ---- | M] (Trusteer Ltd.) [Auto | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe -- (RapportMgmtService)
SRV - [2010/02/24 10:28:09 | 000,135,336 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2009/12/08 14:25:28 | 000,093,320 | ---- | M] (McAfee, Inc.) [Auto | Running] -- c:\Program Files\McAfee\SiteAdvisor\McSACore.exe -- (McAfee SiteAdvisor Service)
SRV - [2009/11/22 16:44:16 | 002,384,240 | ---- | M] (Check Point Software Technologies LTD) [Auto | Running] -- C:\WINDOWS\System32\ZoneLabs\vsmon.exe -- (vsmon)
SRV - [2009/10/14 14:30:26 | 000,476,528 | ---- | M] (Check Point Software Technologies) [Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe -- (IswSvc)
SRV - [2009/05/04 13:15:26 | 000,279,960 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\Center\EKDiscovery.exe -- (Kodak AiO Network Discovery Service)
SRV - [2009/04/17 13:08:26 | 000,032,768 | ---- | M] (Eastman Kodak Company) [Auto | Running] -- C:\Program Files\Kodak\AiO\center\KodakSvc.exe -- (KodakSvc)
SRV - [2006/09/28 10:20:00 | 000,049,152 | ---- | M] (Ulead Systems, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2006/05/23 23:49:14 | 000,024,576 | ---- | M] (Syntek America Inc.) [Auto | Running] -- C:\WINDOWS\system32\StkASv2K.exe -- (StkASSrv)
SRV - [2003/05/23 05:38:26 | 000,106,496 | ---- | M] (Matsushita Electric Industrial Co., Ltd.) [Auto | Running] -- C:\WINDOWS\system32\DVDRAMSV.exe -- (DVD-RAM_Service)


========== Driver Services (SafeList) ==========

DRV - [2010/05/09 00:01:16 | 000,068,168 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/03/15 14:47:30 | 000,116,328 | ---- | M] (Trusteer Ltd.) [Kernel | System | Running] -- C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys -- (RapportPG)
DRV - [2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\avipbb.sys -- (avipbb)
DRV - [2010/02/17 11:25:50 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2010/02/17 11:15:58 | 000,012,872 | R--- | M] ( SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | On_Demand | Stopped] -- C:\Program Files\SUPERAntiSpyware\SASENUM.SYS -- (SASENUM)
DRV - [2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\WINDOWS\system32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2009/11/22 16:42:54 | 000,486,280 | ---- | M] (Check Point Software Technologies LTD) [Kernel | System | Running] -- C:\WINDOWS\system32\vsdatant.sys -- (vsdatant)
DRV - [2009/10/14 14:30:02 | 000,025,208 | ---- | M] (Check Point Software Technologies) [Kernel | Auto | Running] -- C:\Program Files\CheckPoint\ZAForceField\ISWKL.sys -- (ISWKL)
DRV - [2009/05/11 12:49:19 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- (avgio)
DRV - [2009/05/11 10:12:49 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2009/05/09 01:14:20 | 000,014,736 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nuidfltr.sys -- (NuidFltr)
DRV - [2008/12/30 12:47:18 | 000,016,512 | ---- | M] (Windows ® 2000 DDK provider) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\gdrv.sys -- (gdrv)
DRV - [2008/04/14 13:00:00 | 000,144,384 | ---- | M] (Windows ® Server 2003 DDK provider) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\hdaudbus.sys -- (HDAudBus)
DRV - [2008/04/14 00:15:14 | 000,060,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\USBAUDIO.sys -- (usbaudio) USB Audio Driver (WDM)
DRV - [2007/11/10 04:20:02 | 000,029,728 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvhda32.sys -- (NVHDA)
DRV - [2007/10/04 09:14:00 | 006,854,464 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)
DRV - [2007/09/20 19:07:40 | 000,022,016 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nvnetbus.sys -- (nvnetbus)
DRV - [2007/09/20 19:07:38 | 000,053,632 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\NVENETFD.sys -- (NVENETFD)
DRV - [2007/09/19 10:16:32 | 004,617,728 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\RtkHDAud.sys -- (IntcAzAudAddService) Service for Realtek HD Audio (WDM)
DRV - [2006/11/15 17:32:44 | 000,242,139 | ---- | M] (Syntek America Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\StkAMini.sys -- (StkAMini)
DRV - [2006/06/27 18:27:18 | 000,004,772 | ---- | M] (Syntek America Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\StkScan.sys -- (StkScan)
DRV - [2004/10/08 12:58:32 | 000,585,824 | R--- | M] () [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\lvcm.sys -- (QCMerced)
DRV - [2004/10/08 12:57:48 | 000,022,016 | R--- | M] (Logitech Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\LVUSBSta.sys -- (LVUSBSta)
DRV - [2004/10/08 02:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/01/31 03:40:08 | 000,010,368 | ---- | M] (Padus, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\pfc.sys -- (pfc)
DRV - [2003/12/03 17:44:58 | 000,013,566 | ---- | M] (B.H.A Corporation) [Kernel | System | Running] -- C:\WINDOWS\system32\drivers\cdrbsvsd.sys -- (cdrbsvsd)
DRV - [2003/10/24 05:53:14 | 000,090,416 | ---- | M] (Matsushita Electric Industrial Co.,Ltd.) [File_System | System | Running] -- C:\WINDOWS\system32\drivers\meiudf.sys -- (meiudf)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.defaultenginename: "Secure Search"
FF - prefs.js..browser.search.selectedEngine: "Secure Search"
FF - prefs.js..browser.startup.homepage: "http://www.google.co.uk/"
FF - prefs.js..extensions.enabledItems: {4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}:0.6.7
FF - prefs.js..extensions.enabledItems: [email protected]:1.11.6a
FF - prefs.js..extensions.enabledItems: {B7082FAA-CB62-4872-9106-E42DD88EDE45}:3.0
FF - prefs.js..extensions.enabledItems: {73a6fe31-595d-460b-a920-fcc0f8843232}:1.9.9.74
FF - prefs.js..keyword.URL: "http://uk.search.yah...h?fr=mcafee&p="

FF - HKLM\software\mozilla\Firefox\extensions\\{FFB96CC1-7EB3-449D-B827-DB661701C6BB}: C:\Program Files\CheckPoint\ZAForceField\TrustChecker [2010/03/18 01:55:45 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\extensions\\{1DA0528B-1DD8-4167-BFAF-E0EF94939F93}: C:\Program Files\Comodo\HopSurfToolbar\hopsurfext_ff3_5
FF - HKLM\software\mozilla\Firefox\extensions\\{B7082FAA-CB62-4872-9106-E42DD88EDE45}: C:\Program Files\McAfee\SiteAdvisor [2010/05/10 19:27:37 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2010/05/09 21:42:43 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.9\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2010/05/09 02:06:56 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2010/03/17 19:34:24 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.24\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2010/05/09 02:06:56 | 000,000,000 | ---D | M]

[2009/01/05 00:11:29 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Extensions
[2010/05/11 18:34:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions
[2010/03/30 00:36:02 | 000,000,000 | ---D | M] (Ad blocker) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\{4DC70064-89E2-4a55-8FC6-E8CDEAE3612C}
[2010/05/09 01:44:51 | 000,000,000 | ---D | M] (NoScript) -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\{73a6fe31-595d-460b-a920-fcc0f8843232}
[2010/01/03 21:35:34 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]
[2010/01/03 21:35:35 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]
[2010/05/11 18:34:54 | 000,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007/02/04 23:02:56 | 001,642,496 | ---- | M] (LizardTech) -- C:\Program Files\Mozilla Firefox\plugins\npdjvu.dll
[2010/05/09 02:05:59 | 000,075,208 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2009/12/02 09:11:44 | 000,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/12/02 09:11:44 | 000,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/12/02 09:11:44 | 000,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2010/05/09 01:45:07 | 000,002,027 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\McSiteAdvisor.xml
[2009/12/02 09:11:44 | 000,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2010/05/09 23:50:52 | 000,393,128 | R--- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 13578 more lines...
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (SpywareGuardDLBLOCK.CBrowserHelper) - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll ()
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (ZoneAlarm Toolbar Registrar) - {8A4A36C2-0535-4D2C-BD3D-496CB7EED6E3} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O2 - BHO: (McAfee SiteAdvisor BHO) - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (McAfee SiteAdvisor Toolbar) - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O3 - HKLM\..\Toolbar: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O3 - HKCU\..\Toolbar\WebBrowser: (ZoneAlarm Toolbar) - {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - C:\Program Files\CheckPoint\ZAForceField\Trustchecker\bin\TrustCheckerIEPlugin.dll (Check Point Software Technologies)
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH)
O4 - HKLM..\Run: [CleanIt] C:\Program Files\CleanIt\CleanIt.exe (Silmaril Software)
O4 - HKLM..\Run: [ISW] C:\Program Files\CheckPoint\ZAForceField\ForceField.exe (Check Point Software Technologies)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (Check Point Software Technologies LTD)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\User\Start Menu\Programs\Startup\SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe ()
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {31435657-9980-0010-8000-00AA00389B71} http://download.micr...78f/wvc1dmo.cab (Reg Error: Key error.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_11)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.254
O18 - Protocol\Handler\dssrequest {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.14.0.8064.0206.dll (Microsoft Corporation)
O18 - Protocol\Handler\sacore {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\Program Files\McAfee\SiteAdvisor\McIEPlg.dll (McAfee, Inc.)
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll (SUPERAntiSpyware.com)
O24 - Desktop WallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O28 - HKLM ShellExecuteHooks: {81559C35-8464-49F7-BB0E-07A383BEF910} - C:\Program Files\SpywareGuard\spywareguard.dll ()
O30 - LSA: Authentication Packages - (OWS\S) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/12/30 12:40:11 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\system32\ias [2008/12/30 12:39:53 | 000,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\system32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (77419173512216576)

========== Files/Folders - Created Within 90 Days ==========

[2010/05/11 18:24:05 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\User\Recent
[2010/05/09 19:10:44 | 000,000,000 | ---D | C] -- C:\WINDOWS\System32\NtmsData
[2010/05/09 02:33:11 | 000,000,000 | ---D | C] -- C:\Program Files\SpywareGuard
[2010/05/09 02:06:55 | 000,000,000 | ---D | C] -- C:\Program Files\Foxit Software
[2010/05/09 01:32:03 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\McAfee
[2010/05/09 01:31:46 | 000,000,000 | ---D | C] -- C:\Program Files\McAfee
[2010/05/09 01:31:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2010/05/09 01:25:41 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/05/09 00:12:00 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Local Settings\Application Data\Temp
[2010/05/09 00:04:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Avira
[2010/05/09 00:02:28 | 000,028,520 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\ssmdrv.sys
[2010/05/09 00:02:27 | 000,124,784 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/05/09 00:02:27 | 000,060,936 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/05/09 00:02:27 | 000,045,416 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntdd.sys
[2010/05/09 00:02:27 | 000,022,360 | ---- | C] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntmgr.sys
[2010/05/09 00:02:27 | 000,000,000 | ---D | C] -- C:\Program Files\Avira
[2010/05/09 00:02:27 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Avira
[2010/05/07 13:08:50 | 000,000,000 | ---D | C] -- C:\Program Files\Alwil Software
[2010/05/07 13:08:50 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2010/05/07 11:48:39 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/05/07 11:47:58 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/05/06 01:03:36 | 000,000,000 | ---D | C] -- C:\Program Files\CleanIt
[2010/04/27 21:39:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2010/04/23 23:14:28 | 000,000,000 | ---D | C] -- C:\Program Files\Comodo
[2010/04/23 23:14:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Comodo
[2010/04/23 23:14:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Comodo Downloader
[2010/04/22 18:26:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2010/04/22 18:26:40 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
[2010/04/22 18:26:40 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2010/04/22 18:26:15 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Wise Installation Wizard
[2010/04/22 16:37:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/04/22 16:37:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/04/22 13:57:43 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/04/21 23:47:02 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Documents\Settings
[2010/04/21 23:24:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/04/19 21:19:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\freezer
[2010/03/31 10:07:20 | 000,000,000 | ---D | C] -- C:\Program Files\PureSync
[2010/03/31 10:07:20 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Jumping Bytes
[2010/03/31 10:06:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Jumping Bytes
[2010/03/18 01:35:35 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\My Documents\ForceField Shared Files
[2010/03/18 01:35:32 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\CheckPoint
[2010/03/18 01:35:23 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2010/03/18 01:35:02 | 000,000,000 | ---D | C] -- C:\Program Files\Zone Labs
[2010/03/18 00:46:52 | 000,095,024 | ---- | C] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/03/18 00:44:59 | 000,000,000 | -H-D | C] -- C:\Documents and Settings\All Users\Application Data\~0
[2010/03/15 22:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Stonehenge
[2010/03/15 22:07:37 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\AVG8
[2010/02/18 18:59:39 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Trusteer
[2010/02/16 20:09:32 | 000,000,000 | ---D | C] -- C:\Program Files\SopCast
[2010/02/14 22:11:57 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Trusteer
[2010/02/14 16:28:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Application Data\Trusteer
[2010/02/14 16:28:10 | 000,000,000 | ---D | C] -- C:\Program Files\Trusteer
[2010/02/14 16:27:25 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2010/02/12 19:38:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\User\Desktop\Hotels Abersoch, Egryn Guest House Abersoch Wales, Hotel accommodation self-catering holiday in Abersoch, bed and breakfast, weekend breaks Abersoch, Gwynedd, Cottage to rent in Abersoch_files

========== Files - Modified Within 90 Days ==========

[2010/05/11 22:23:07 | 000,000,069 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2010/05/11 22:21:30 | 000,002,473 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft Word.lnk
[2010/05/11 22:02:24 | 000,004,212 | -H-- | M] () -- C:\WINDOWS\System32\zllictbl.dat
[2010/05/11 21:51:44 | 000,508,956 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2010/05/11 21:51:44 | 000,433,130 | ---- | M] () -- C:\WINDOWS\System32\perfh009.dat
[2010/05/11 21:51:44 | 000,067,768 | ---- | M] () -- C:\WINDOWS\System32\perfc009.dat
[2010/05/11 21:46:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/05/11 21:46:40 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/05/09 23:50:52 | 000,393,128 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\HOSTS
[2010/05/09 23:43:13 | 012,320,768 | ---- | M] () -- C:\Documents and Settings\User\NTUSER.DAT
[2010/05/09 22:46:28 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\User\ntuser.ini
[2010/05/09 17:53:01 | 000,000,394 | ---- | M] () -- C:\WINDOWS\tasks\Kodak AiO Scheduled Maintenance.job
[2010/05/09 14:36:55 | 000,302,634 | ---- | M] () -- C:\Documents and Settings\User\My Documents\Backup of registry b4 runningt cc cleaner 9.05.reg
[2010/05/09 14:24:09 | 012,320,768 | ---- | M] () -- C:\Documents and Settings\User\NTUSER.bak
[2010/05/09 02:33:12 | 000,000,650 | ---- | M] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\SpywareGuard.lnk
[2010/05/09 02:20:44 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/05/09 02:06:58 | 000,000,883 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010/05/09 01:59:34 | 000,064,000 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
[2010/05/09 01:53:06 | 000,239,144 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/05/09 01:08:25 | 000,393,128 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100509-235052.backup
[2010/05/08 23:41:44 | 000,002,577 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2010/05/08 23:24:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job
[2010/05/07 11:28:45 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\User\Desktop\URGENT.doc
[2010/05/01 09:19:56 | 000,000,593 | ---- | M] () -- C:\WINDOWS\win.ini
[2010/05/01 09:19:56 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/05/01 09:19:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/28 23:07:59 | 000,000,151 | ---- | M] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2010/04/24 11:20:03 | 000,000,664 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/23 23:40:02 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/04/23 23:32:35 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/04/22 13:58:35 | 000,000,552 | ---- | M] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/21 18:28:39 | 000,010,584 | ---- | M] () -- C:\Documents and Settings\User\Application Data\docXConverter (3).ini
[2010/04/21 18:28:39 | 000,000,140 | -H-- | M] () -- C:\Documents and Settings\User\Application Data\lakerda1967.sys
[2010/04/21 18:26:24 | 000,026,112 | ---- | M] () -- C:\Documents and Settings\User\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2010/04/15 20:10:35 | 000,824,424 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Wallander 10.mp3
[2010/04/15 20:09:54 | 001,026,299 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Wallander 09.mp3
[2010/04/05 22:20:48 | 000,038,400 | ---- | M] () -- C:\Documents and Settings\User\Desktop\april.doc
[2010/03/31 10:07:20 | 000,000,684 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\PureSync.lnk
[2010/03/18 01:52:25 | 000,380,770 | R--- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20100509-010825.backup
[2010/03/18 01:35:49 | 000,422,437 | ---- | M] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/03/18 00:46:51 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\System32\drivers\SBREDrv.sys
[2010/03/10 23:59:11 | 000,002,459 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Microsoft PowerPoint.lnk
[2010/03/10 11:20:17 | 000,003,622 | ---- | M] () -- C:\Documents and Settings\User\Desktop\Isembard.gif
[2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avipbb.sys
[2010/02/16 20:09:33 | 000,000,666 | ---- | M] () -- C:\Documents and Settings\User\Desktop\SopCast.lnk
[2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\WINDOWS\System32\drivers\avgntflt.sys
[2010/02/13 13:26:31 | 000,040,448 | ---- | M] () -- C:\tim emails re coffin, dairy well, maps etc.doc

========== Files Created - No Company Name ==========

[2010/05/09 14:35:47 | 000,302,634 | ---- | C] () -- C:\Documents and Settings\User\My Documents\Backup of registry b4 runningt cc cleaner 9.05.reg
[2010/05/09 02:33:12 | 000,000,650 | ---- | C] () -- C:\Documents and Settings\User\Start Menu\Programs\Startup\SpywareGuard.lnk
[2010/05/09 02:06:58 | 000,000,883 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Foxit Reader.lnk
[2010/05/08 22:46:07 | 000,000,000 | -H-- | C] () -- C:\Documents and Settings\User\NTUSER.tmp.LOG
[2010/05/07 11:28:45 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\User\Desktop\URGENT.doc
[2010/05/05 19:58:19 | 000,002,426 | ---- | C] () -- C:\Documents and Settings\User\avgrep.txt
[2010/04/23 23:32:35 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\User\Local Settings\Application Data\housecall.guid.cache
[2010/04/22 13:58:35 | 000,000,552 | ---- | C] () -- C:\WINDOWS\System32\d3d8caps.dat
[2010/04/22 11:28:21 | 000,000,664 | ---- | C] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/04/15 20:10:25 | 000,824,424 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Wallander 10.mp3
[2010/04/15 20:09:41 | 001,026,299 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Wallander 09.mp3
[2010/04/05 22:20:47 | 000,038,400 | ---- | C] () -- C:\Documents and Settings\User\Desktop\april.doc
[2010/03/31 10:07:20 | 000,000,684 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\PureSync.lnk
[2010/03/18 01:35:03 | 000,422,437 | ---- | C] () -- C:\WINDOWS\System32\vsconfig.xml
[2010/03/10 11:17:10 | 000,003,622 | ---- | C] () -- C:\Documents and Settings\User\Desktop\Isembard.gif
[2010/02/16 20:09:33 | 000,000,666 | ---- | C] () -- C:\Documents and Settings\User\Desktop\SopCast.lnk
[2010/02/13 13:26:31 | 000,040,448 | ---- | C] () -- C:\tim emails re coffin, dairy well, maps etc.doc
[2010/01/24 18:52:33 | 000,012,800 | ---- | C] () -- C:\WINDOWS\System32\EKDeviceServices.dll
[2009/06/02 23:31:31 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\Lffpx7.dll
[2009/06/02 23:31:31 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\Lfkodak.dll
[2009/04/17 21:12:14 | 000,006,812 | R--- | C] () -- C:\WINDOWS\System32\lvcoinst.ini
[2009/04/17 21:12:04 | 000,585,824 | R--- | C] () -- C:\WINDOWS\System32\drivers\lvcm.sys
[2009/03/31 01:10:05 | 000,000,022 | ---- | C] () -- C:\WINDOWS\kodakpcd.User.ini
[2009/01/21 02:01:16 | 000,000,279 | ---- | C] () -- C:\WINDOWS\hpqcopy.INI
[2009/01/08 18:13:20 | 000,000,151 | ---- | C] () -- C:\WINDOWS\PhotoSnapViewer.INI
[2009/01/05 01:57:38 | 000,000,099 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2008/12/31 19:22:15 | 000,000,069 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2008/12/30 18:47:47 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2007/10/04 09:14:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2007/10/04 09:14:00 | 001,478,656 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2007/10/04 09:14:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2007/10/04 09:14:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2007/10/04 09:14:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2003/03/24 14:50:28 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1999/01/27 13:39:06 | 000,065,024 | ---- | C] () -- C:\WINDOWS\System32\indounin.dll
[1997/06/13 07:56:08 | 000,056,832 | ---- | C] () -- C:\WINDOWS\System32\Iyvu9_32.dll

========== LOP Check ==========

[2010/05/08 22:52:20 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alwil Software
[2009/05/04 23:36:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Citrix
[2010/01/24 18:52:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Eastman Kodak Company
[2010/05/09 01:25:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\F-Secure
[2010/01/24 18:55:59 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\kds_kodak
[2009/01/05 20:40:05 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\MailFrontier
[2010/01/30 01:27:15 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Tarma Installer
[2010/05/09 01:09:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2010/02/14 16:27:25 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Trusteer
[2009/01/05 01:59:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\UDL
[2009/05/16 22:49:39 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Ulead Systems
[2009/01/31 23:50:41 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\WinZip
[2009/03/13 12:32:23 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{00D89592-F643-4D8D-8F0F-AFAE0F14D4C3}
[2009/09/09 18:08:37 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
[2010/02/06 19:56:24 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
[2010/05/09 02:17:52 | 000,000,000 | -H-D | M] -- C:\Documents and Settings\All Users\Application Data\~0
[2010/03/18 01:35:32 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\CheckPoint
[2010/03/31 10:06:58 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Jumping Bytes
[2010/02/06 01:03:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Serif
[2010/05/03 16:30:43 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Spotify
[2010/04/29 23:39:56 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Temp
[2009/01/10 21:39:07 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Thunderbird
[2010/02/14 16:28:18 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Trusteer
[2009/05/16 22:57:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\User\Application Data\Ulead Systems
[2010/05/08 23:24:45 | 000,000,472 | ---- | M] () -- C:\WINDOWS\Tasks\Ad-Aware Update (Weekly).job

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.* >
[2010/05/09 01:53:03 | 000,139,100 | ---- | M] () -- C:\aaw7boot.log
[2008/12/30 12:40:11 | 000,000,000 | ---- | M] () -- C:\AUTOEXEC.BAT
[2010/05/01 09:19:56 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2008/12/30 12:40:11 | 000,000,000 | ---- | M] () -- C:\CONFIG.SYS
[2009/06/10 21:47:52 | 000,207,524 | ---- | M] () -- C:\coreuninstall.log
[2008/12/30 12:52:06 | 000,000,086 | ---- | M] () -- C:\CSB.LOG
[2009/01/12 16:04:44 | 000,000,164 | ---- | M] () -- C:\install.dat
[2008/12/30 12:40:11 | 000,000,000 | RHS- | M] () -- C:\IO.SYS
[2010/01/30 01:29:45 | 000,000,617 | ---- | M] () -- C:\kds.log
[2009/04/17 21:04:35 | 000,000,183 | ---- | M] () -- C:\LogiSetup.log
[2010/05/06 01:22:06 | 000,000,109 | ---- | M] () -- C:\mbam-error.txt
[2008/12/30 12:40:11 | 000,000,000 | RHS- | M] () -- C:\MSDOS.SYS
[2008/04/14 13:00:00 | 000,047,564 | RHS- | M] () -- C:\NTDETECT.COM
[2008/04/14 13:00:00 | 000,250,048 | RHS- | M] () -- C:\ntldr
[2009/10/03 19:27:16 | 000,022,851 | ---- | M] () -- C:\output.log
[2010/05/11 21:46:37 | 1409,286,144 | -HS- | M] () -- C:\pagefile.sys
[2009/12/15 02:05:16 | 000,030,720 | ---- | M] () -- C:\printing Christams Card envelopes.doc
[2008/12/30 12:51:57 | 000,000,429 | ---- | M] () -- C:\RHDSetup.log
[2010/02/13 13:26:31 | 000,040,448 | ---- | M] () -- C:\tim emails re coffin, dairy well, maps etc.doc

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
[2009/03/08 04:31:38 | 000,216,064 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtrans.dll

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2008/12/30 11:39:06 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2008/12/30 11:39:06 | 001,064,960 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2008/12/30 11:39:05 | 000,909,312 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

< %systemroot%\system32\drivers\*.sys /90 >
[2010/02/16 14:24:01 | 000,060,936 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avgntflt.sys
[2010/03/01 10:05:24 | 000,124,784 | ---- | M] (Avira GmbH) -- C:\WINDOWS\system32\drivers\avipbb.sys
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbam.sys
[2010/04/29 15:39:38 | 000,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
[2010/02/24 14:11:07 | 000,455,680 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\mrxsmb.sys
[2010/05/09 12:58:32 | 000,057,600 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\redbook.sys
[2010/03/18 00:46:51 | 000,095,024 | ---- | M] (Sunbelt Software) -- C:\WINDOWS\system32\drivers\SBREDrv.sys
[2010/02/11 13:02:15 | 000,226,880 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\drivers\tcpip6.sys

========== Alternate Data Streams ==========

@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
< End of report >
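As an added example that is not part of the thread or of the OTL tool itself: a small Python parser for OTL file-listing lines in the format shown in the log above, with a few review heuristics of my own (the sample lines are excerpted from the log; the triage rules are assumptions about what deserves a second look, not OTL's logic or a verdict on the files). On the sample it surfaces the hidden .sys file under Application Data, a kernel driver listed with an empty company name, a locked system DLL whose hash could not be read, and the alternate data stream.

```python
"""Parse OTL-style file listing lines and apply simple defensive triage rules."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One OTL file or directory line. Directories carry no "(company)" field, files
# carry "()" when the vendor string is empty, locked files add "Unable to obtain MD5".
OTL_LINE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[-A-Z]{4}) \| (?P<kind>[CM])\] "
    r"(?:\((?P<company>[^)]*)\) )?"
    r"(?P<locked>Unable to obtain MD5 )?-- (?P<path>.+)$"
)
ADS_LINE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+)$")


@dataclass
class Entry:
    timestamp: str
    size: int
    attrs: str            # four flags, e.g. "-H-D": R read-only, H hidden, S system, D directory
    kind: str             # "C" created, "M" modified, "A" alternate data stream
    company: Optional[str]  # None for directories, "" when OTL printed "()"
    path: str
    locked: bool = False

    @property
    def is_dir(self) -> bool:
        return self.attrs.endswith("D")

    @property
    def hidden(self) -> bool:
        return "H" in self.attrs


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an OTL file, directory or ADS line; None for anything else."""
    m = OTL_LINE.match(line.strip())
    if m:
        return Entry(timestamp=m["ts"], size=int(m["size"].replace(",", "")),
                     attrs=m["attrs"], kind=m["kind"], company=m["company"],
                     path=m["path"], locked=m["locked"] is not None)
    m = ADS_LINE.match(line.strip())
    if m:
        return Entry(timestamp="", size=int(m["size"]), attrs="----",
                     kind="A", company=None, path=m["path"])
    return None


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in text.splitlines()) if e]


def triage(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Assumed review heuristics; returns (path, reason) pairs worth a second look."""
    findings = []
    for e in entries:
        p = e.path.lower()
        if e.kind == "A":
            findings.append((e.path, "alternate data stream"))
            continue
        if e.is_dir:
            continue
        if p.endswith(".sys") and "\\documents and settings\\" in p:
            findings.append((e.path, ".sys file inside a user profile"))
        elif e.hidden and "\\application data\\" in p:
            findings.append((e.path, "hidden file under Application Data"))
        if "\\system32\\drivers\\" in p and p.endswith(".sys") and e.company == "":
            findings.append((e.path, "kernel driver with empty company name"))
        if e.locked:
            findings.append((e.path, "locked file, hash not obtainable"))
    return findings


# Sample input: lines excerpted from the OTL log posted in the thread.
SAMPLE_LOG = r"""
[2010/04/29 15:39:26 | 000,020,952 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/04/21 18:28:39 | 000,000,140 | -H-- | M] () -- C:\Documents and Settings\User\Application Data\lakerda1967.sys
[2009/04/17 21:12:04 | 000,585,824 | R--- | C] () -- C:\WINDOWS\System32\drivers\lvcm.sys
[2010/03/18 01:35:23 | 000,000,000 | ---D | C] -- C:\Program Files\CheckPoint
[2009/03/08 04:31:44 | 000,348,160 | ---- | M] (Microsoft Corporation) Unable to obtain MD5 -- C:\WINDOWS\system32\dxtmsft.dll
@Alternate Data Stream - 118 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5C321E34
"""

if __name__ == "__main__":
    for path, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:40s} {path}")
```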

#4
RKinner
    Malware Expert
  • Expert
  • 23,711 posts
  • MVP
I hope you have turned System Restore back on. There is no need to turn it off regardless of what Symantec and McAfee recommend. It's a simple matter to purge it once you have removed the bugs from the active system. Just follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

It's not like things in System Restore will jump out and bite you. They only become active if you ask for a System Restore point that includes them. It's a safety net and working without the safety net is dumb.


Don't see anything in OTL. Did you not get an Extras log too?


Download but do not yet run ComboFix
If you have a previous version of Combofix.exe, delete it and download a fresh copy.

It must be saved to your desktop; do not run it yet.

Disable your antivirus software when downloading or running Combofix. If it has script-blocking features, please disable these as well. See: http://www.bleepingc...opic114351.html


Download this file to your Desktop and rename it (call it george.exe), from either of these two sources:
http://download.blee...Bs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Right click on george and Run As Administrator to start the program.



* Important: Have no other programs running. Your Task Bar should be clear of any program entries, including your browser.


* A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix. Allow it to install the Recovery Console, then click Continue. When the scan completes, Notepad will open with your results log. Do a File, Exit and answer 'Yes' to save changes.


A caution: Do not run Combofix more than once. Do not touch your mouse or keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your drive light. If it is flashing, Combofix is still at work.

A file will be created at => C:\Combofix.txt. I'll need to see that in your reply.

Re-activate your protection programs at this time.

#5
Attilla the Bun
    Member
  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I had System Restore back on; I only switched it off because I read on several websites that you couldn't clean off some viruses unless you temporarily turned it off.

Combofix said it found a rootkit something or other and rebooted. Here is the log:
ComboFix 10-05-11.06 - User 12/05/2010 22:15:20.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1917.1406 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\George.exe.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
PEV Error: UserFile
PEV Error: UserFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\User\GoToAssistDownloadHelper.exe
c:\windows\eSellerateEngine.dll

Infected copy of c:\windows\system32\drivers\redbook.sys was found and disinfected
Restored copy from - Kitty had a snack :)
.
((((((((((((((((((((((((( Files Created from 2010-04-12 to 2010-05-12 )))))))))))))))))))))))))))))))
.

2010-05-09 20:42 . 2010-05-09 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-09 18:10 . 2010-05-10 19:10 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 01:33 . 2010-05-10 22:43 -------- d-----w- c:\program files\SpywareGuard
2010-05-09 01:06 . 2010-05-09 01:06 -------- d-----w- c:\program files\Foxit Software
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Identities
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Ahead
2010-05-09 00:32 . 2010-05-09 00:32 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\program files\McAfee
2010-05-09 00:25 . 2010-05-09 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-05-08 23:12 . 2010-05-08 23:12 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2010-05-08 23:04 . 2010-05-08 23:04 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\program files\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-08 23:02 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-08 23:02 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-08 23:02 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-05-08 23:02 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-05-08 22:41 . 2010-05-08 22:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-07 12:08 . 2010-05-08 22:41 -------- d-----w- c:\program files\Alwil Software
2010-05-07 12:08 . 2010-05-08 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-07 10:47 . 2010-05-07 10:51 -------- d-----w- c:\program files\ERUNT
2010-05-06 00:03 . 2010-05-06 00:03 -------- d-----w- c:\program files\CleanIt
2010-05-05 18:04 . 2010-05-10 22:41 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-04-24 10:20 . 2008-04-14 12:00 26112 ----a-w- c:\windows\system32\stu2.exe
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\program files\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\User\Application Data\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-22 17:27 . 2010-04-22 17:27 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 17:27 . 2010-05-10 22:41 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-05-08 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-22 15:37 . 2010-04-22 15:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-22 12:58 . 2010-04-22 12:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 10:28 . 2010-04-24 10:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-22 09:01 . 2010-04-22 09:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-21 21:43 . 2010-04-21 21:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 21:04 . 2009-03-22 22:22 2308791 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-12 18:16 . 2008-12-30 10:44 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-05-12 18:05 . 2009-01-05 01:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-12 17:51 . 2009-01-10 20:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-10 22:35 . 2009-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-09 22:43 . 2009-01-17 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-09 19:32 . 2009-08-23 13:44 -------- d-----w- c:\program files\LiveOnlineFooty.com
2010-05-09 01:21 . 2009-03-20 09:51 -------- d-----w- c:\program files\Lavasoft
2010-05-09 01:17 . 2010-03-17 23:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-09 01:16 . 2009-01-10 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 01:04 . 2008-12-30 14:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 00:59 . 2009-01-04 23:00 64000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 00:53 . 2010-05-09 00:53 -------- d-----w- c:\documents and settings\User_2\Application Data\CheckPoint
2010-05-09 00:12 . 2009-05-09 12:09 -------- d-----w- c:\program files\Google
2010-05-09 00:09 . 2009-01-17 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-09 00:09 . 2009-01-17 21:16 -------- d-----w- c:\program files\SpywareBlaster
2010-05-08 22:24 . 2010-05-08 22:59 385024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-05-08 22:24 . 2010-05-08 22:59 1762304 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-05-07 12:03 . 2008-12-30 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-06 00:22 . 2009-01-10 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 00:19 . 2009-04-17 20:04 -------- d-----w- c:\program files\Logitech
2010-05-03 15:30 . 2009-08-23 18:12 -------- d-----w- c:\documents and settings\User\Application Data\Spotify
2010-04-29 22:39 . 2010-01-24 17:49 -------- d-----w- c:\documents and settings\User\Application Data\Temp
2010-04-29 14:39 . 2009-01-10 22:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-01-10 22:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 20:10 . 2009-01-05 00:53 -------- d-----w- c:\program files\EPSON
2010-04-25 22:06 . 2010-04-27 20:28 56832 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-25 22:06 . 2010-04-27 20:28 1722880 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-24 11:00 . 2010-04-25 18:06 1719808 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-24 11:00 . 2010-04-25 18:06 1531392 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-24 10:43 . 2008-12-30 11:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 22:41 . 2009-09-10 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 -------- d-----w- c:\program files\docXConverter3
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\PureSync
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\Common Files\Jumping Bytes
2010-03-31 09:06 . 2010-03-31 09:06 -------- d-----w- c:\documents and settings\User\Application Data\Jumping Bytes
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\documents and settings\User\Application Data\CheckPoint
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\program files\CheckPoint
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\program files\Zone Labs
2010-03-17 23:46 . 2010-03-17 23:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-15 21:07 . 2010-03-15 21:07 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 22:50 . 2010-03-05 22:49 20887024 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-05 22:49 . 2010-03-05 22:49 8405312 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 22:49 . 2010-03-05 22:49 149000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 22:49 . 2010-03-05 22:48 10309448 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 283280 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 181768 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 22:48 . 2010-03-05 22:48 79368 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 22:47 . 2010-03-05 22:47 64000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 22:47 . 2010-03-05 22:47 52288 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 50688 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 49152 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 22:47 . 2010-03-05 22:47 118784 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-04 18:33 . 2010-03-04 18:33 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 10:03 . 2010-04-01 11:41 293376 ------w- c:\windows\system32\browserchoice.exe
2010-02-12 04:33 . 2008-04-14 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-01-10 19:08 . 2009-01-10 19:05 23804784 ----a-w- c:\program files\aaw2008.exe
2003-12-19 19:36 . 2009-06-02 22:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-08 2017280]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"CleanIt"="c:\program files\CleanIt\cleanit.exe" [2001-08-13 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\User\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 10:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 12:00 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-04-07 17:27 1511424 ----a-w- c:\program files\Kodak\AiO\PrinterDriver\i386\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-10-04 08:14 8491008 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-10-04 08:14 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-10-04 08:14 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2004-01-08 15:07 86016 ------w- c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PureSync]
2010-03-25 10:16 771744 ----a-w- c:\program files\PureSync\PureSyncTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 16:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-09-19 10:14 16844800 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 14:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-08-03 05:22 1826816 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-03 19:00 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-03 12:50 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ------w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
"9322:TCP"= 9322:TCP:EKDiscovery

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/05/2010 00:02 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 14:30 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 14:30 476528]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [04/05/2009 13:15 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [17/04/2009 13:08 32768]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [09/05/2010 01:31 93320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [10/11/2007 04:20 29728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0155281273365123mcinstcleanup;McAfee Application Installer Cleanup (0155281273365123);c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-05-09 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2009-05-04 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-EPSON Stylus D68 Series - c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATIAAE.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-12 22:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
.
Completion time: 2010-05-12 22:23:02
ComboFix-quarantined-files.txt 2010-05-12 21:23

Pre-Run: 295,801,049,088 bytes free
Post-Run: 295,762,391,040 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - E95E18F3AF3BB88679D3E2E7A00D04D8

I tried OTL again, and it still only produced the Txt file. I did run it a couple of days ago and got two files, but didn't post them because I didn't have time to let the GMER scan finish; here is the other file it produced then:

OTL Extras logfile created on: 10/05/2010 00:09:27 - Run 1
OTL by OldTimer - Version 3.2.4.1 Folder = C:\Documents and Settings\User\My Documents\Downloads
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 53.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 70.00% Paging File free
Paging file location(s): C:\pagefile.sys 1344 2688 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 335.34 Gb Total Space | 275.63 Gb Free Space | 82.19% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 944.69 Mb Total Space | 791.19 Mb Free Space | 83.75% Space Free | Partition Type: FAT
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: USER-2D7097102E
Current User Name: User
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 90 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office\msohtmed.exe" %1 (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Winamp.Bookmark] -- "C:\Program Files\Winamp\winamp.exe" /BOOKMARK "%1" (Nullsoft)
Directory [Winamp.Enqueue] -- "C:\Program Files\Winamp\winamp.exe" /ADD "%1" (Nullsoft)
Directory [Winamp.Play] -- "C:\Program Files\Winamp\winamp.exe" "%1" (Nullsoft)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"UpdatesDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"135:TCP" = 135:TCP:*:Enabled:DCOM(135)
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"9322:TCP" = 9322:TCP:*:Enabled:EKDiscovery

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\AVG\AVG8\avgemc.exe" = C:\Program Files\AVG\AVG8\avgemc.exe:*:Enabled:avgemc.exe -- File not found
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe" = C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call -- (Microsoft Corporation)
"C:\Program Files\Spotify\spotify.exe" = C:\Program Files\Spotify\spotify.exe:*:Enabled:Spotify -- (Spotify AB)
"C:\Program Files\iTunes\iTunes.exe" = C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe" = C:\Program Files\Kodak\AiO\Center\Kodak.Statistics.exe:*:Enabled:Kodak AiO Scheduled Maintenance -- (Eastman Kodak Company)
"C:\Program Files\SopCast\SopCast.exe" = C:\Program Files\SopCast\SopCast.exe:*:Enabled:SopCast Main Application -- (www.sopcast.com)
"C:\Program Files\SopCast\adv\SopAdver.exe" = C:\Program Files\SopCast\adv\SopAdver.exe:*:Enabled:SopCast Adver -- (www.sopcast.com)
"C:\Program Files\Java\jre6\bin\java.exe" = C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java™ Platform SE binary -- (Sun Microsystems, Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00000409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 Premium
"{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}" = Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
"{02E89EFC-7B07-4D5A-AA03-9EC0902914EE}" = VC 9.0 Runtime
"{07287123-B8AC-41CE-8346-3D777245C35B}" = Bonjour
"{074AED0D-DD1C-432A-B38D-F8733604033F}" = aioscnnr
"{0AAA9C97-74D4-47CE-B089-0B147EF3553C}" = Windows Live Messenger
"{105CFC7C-6992-11D5-BD9D-000102C10FD8}" = Lizardtech DjVu Control
"{108A39BF-4ED1-4293-B11A-06BD521FB8F7}" = FreeOCR 3.0
"{10934A28-0CC6-4B98-A14F-76B3546003AF}" = ksDIP
"{13F3917B56CD4C25848BDC69916971BB}" = DivX Converter
"{18D10072035C4515918F7E37EAFAACFC}" = AutoUpdate
"{1DD81E7D-0D28-4CEB-87B2-C041A4FCB215}" = Rapport
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}" = Multimedia Launcher
"{205C6BDD-7B73-42DE-8505-9A093F35A238}" = Windows Live Upload Tool
"{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}" = MSVCRT
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11
"{27CC6AB1-E72B-4179-AF1A-EAE507EBAF51}_is1" = ConvertHelper 2.2
"{345112D9-0930-4A68-AB71-A831BA5DE7AA}" = Microsoft IntelliType Pro 6.2
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35ED3F83-4BDC-4c44-8EC6-6A8301C7413A}" = McAfee SiteAdvisor
"{36D00AE6-69DE-4087-A1A9-84ADD10E5530}" = BHA B's Recorder GOLD BASIC 7.13
"{3B4E636E-9D65-4D67-BA61-189800823F52}" = Windows Live Communications Platform
"{3FC7CBBC4C1E11DCA1A752EA55D89593}" = DivX Version Checker
"{45338B07-A236-4270-9A77-EBB4115517B5}" = Windows Live Sign-in Assistant
"{541DEAC0-5F3D-45E6-B7CB-94ECF3B96748}" = Skype web features
"{56BA241F-580C-43D2-8403-947241AAE633}" = center
"{56C049BE-79E9-4502-BEA7-9754A3E60F9B}" = neroxml
"{59B73DDC-593A-4D02-B9CA-1D8C9F912324}" = aioprnt
"{66EBD70F-A42C-475F-AEDF-277378151033}" = Nero 7 Essentials
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{767CC44C-9BBC-438D-BAD3-FD4595DD148B}" = VC80CRTRedist - 8.0.50727.762
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8C5FAD77-F678-4758-A296-C12F08D179E0}" = Microsoft IntelliPoint 6.2
"{8F8D9297-FDD2-405A-97E7-E52C7B2F97B3}" = Ulead VideoStudio SE DVD
"{8FFC5648-FAF8-43A3-BC8F-42BA1E275C4E}" = Choice Guard
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{99ECF41F-5CCA-42BD-B8B8-A8333E2E2944}" = iTunes
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D765FA6-F2BC-40AF-8145-50808F9BDF4E}" = DVD-RAM Driver
"{A040AC77-C1AA-4CC9-8931-9F648AF178F6}" = VC 9.0 Runtime
"{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}" = Segoe UI
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A8C3083C-A1C1-4248-B0E2-14A7D9F2E9EF}" = BCL easyConverter SDK 1.0.0 Module
"{A96E97134CA649888820BCDE5E300BBD}" = H.264 Decoder
"{AAC389499AEF40428987B3D30CFC76C9}" = MKV Splitter
"{AEF9DC35ADDF4825B049ACBFD1C6EB37}" = AAC Decoder
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B4092C6D-E886-4CB2-BA68-FE5A88D31DE6}_is1" = Spybot - Search & Destroy
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B8E952E3-A823-443A-8493-39A0CCE0E3EB}" = HP Photo and Imaging 1.0 - Scanjet 3500c Series
"{B97CF5C3-0487-11D8-A36E-0050BAE317E1}" = DVD Solution
"{BCA541B4-00B4-4D20-B38D-6623BF2F68BF}" = Serif PagePlus 9.0
"{BDC83FD3-1A0F-46FB-8852-5E9A94294143}" = Serif PagePlus 8.0 PDF Edition
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C337BDAF-CB4E-47E2-BE1A-CB31BB7DD0E3}" = Apple Mobile Device Support
"{C43048A9-742C-4DAD-90D2-E3B53C9DB825}" = Logitech QuickCam Software
"{C6CA8874-5F22-4AF0-9BE3-016BF299C536}" = Windows Live Essentials
"{C78EAC6F-7A73-452E-8134-DBB2165C5A68}" = QuickTime
"{C7EDC953-DACF-4FD1-B73F-2608EEF9C4F3}" = PureSync
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{CECB5CA0-6908-45EA-B18E-64C61B11DA99}" = Family Tree Maker 2008
"{D103C4BA-F905-437A-8049-DB24763BBE36}" = Skype™ 4.1
"{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}" = Microsoft Primary Interoperability Assemblies 2005
"{DA5BDB2A-12F0-4343-8351-21AAEB293990}" = PreReq
"{DC888258-F37C-11D2-9594-00A0C9CD527E}" = PhotoAlbum Add-In
"{DE6B7599-D3EF-4436-8836-BAA0B0D7768D}" = aiofw
"{E0F274B7-592B-4669-8FB8-8D9825A09858}" = KODAK AiO Home Centre
"{E2883E8F-472F-4fb0-9522-AC9BF37916A7}" = Adobe Download Manager
"{E337B156-DF81-48D8-8977-B1574EE87BCF}" = USB2.0 Capture Device
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{EDEA8AB7-7683-4ED2-AA19-E6C078064C0D}" = Microsoft WSE 3.0
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}" = Visual C++ 2008 x86 Runtime - (v9.0.30729)
"{F333A33D-125C-32A2-8DCE-5C5D14231E27}.vc_x86runtime_30729_01" = Visual C++ 2008 x86 Runtime - v9.0.30729.01
"{F6BD194C-4190-4D73-B1B1-C48C99921BFE}" = Windows Live Call
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player 11.5
"Avira AntiVir Desktop" = Avira AntiVir Personal - Free Antivirus
"CCleaner" = CCleaner (remove only)
"CleanIt! v.2.0_is1" = CleanIt!
"DivX Plus DirectShow Filters" = DivX Plus DirectShow Filters
"docXConverter3_is1" = docXConverter 3.1.2
"ERUNT_is1" = ERUNT 1.1j
"Family Historian" = Family Historian
"Foxit Reader" = Foxit Reader
"ie8" = Windows Internet Explorer 8
"InstallShield_{CECB5CA0-6908-45EA-B18E-64C61B11DA99}" = Family Tree Maker 2008
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.9)" = Mozilla Firefox (3.5.9)
"Mozilla Thunderbird (2.0.0.24)" = Mozilla Thunderbird (2.0.0.24)
"NVIDIA Drivers" = NVIDIA Drivers
"QcDrv" = Logitech® Camera Driver
"Rapport_msi" = Rapport
"RealPlayer 12.0" = RealPlayer
"SopCast" = SopCast 3.2.4
"Spotify" = Spotify
"SpywareBlaster_is1" = SpywareBlaster 4.3
"SpywareGuard_is1" = SpywareGuard v2.2
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"Winamp" = Winamp
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format Runtime
"WinLiveSuite_Wave3" = Windows Live Essentials
"ZoneAlarm" = ZoneAlarm
"ZoneAlarm Toolbar" = ZoneAlarm Toolbar

========== HKEY_CURRENT_USER Uninstall List ==========

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]

========== Last 10 Event Log Errors ==========

[ Application Events ]
Error - 27/04/2010 18:55:47 | Computer Name = USER-2D7097102E | Source = ESENT | ID = 473
Description = Catalog Database (1176) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 01/05/2010 03:55:00 | Computer Name = USER-2D7097102E | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x00009584.

Error - 07/05/2010 03:49:33 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 03:49:40 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 03:49:46 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 06:40:23 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 06:40:36 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:22:50 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:22:57 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:23:04 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

[ Application Events ]
Error - 27/04/2010 18:55:47 | Computer Name = USER-2D7097102E | Source = ESENT | ID = 473
Description = Catalog Database (1176) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb
was partially detached. Error -1032 encountered updating database headers.

Error - 01/05/2010 03:55:00 | Computer Name = USER-2D7097102E | Source = Application Error | ID = 1000
Description = Faulting application svchost.exe, version 5.1.2600.5512, faulting
module shlwapi.dll, version 6.0.2900.5912, fault address 0x00009584.

Error - 07/05/2010 03:49:33 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 03:49:40 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 03:49:46 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 06:40:23 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 07/05/2010 06:40:36 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:22:50 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:22:57 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

Error - 09/05/2010 08:23:04 | Computer Name = USER-2D7097102E | Source = MsiInstaller | ID = 11706
Description = Product: Microsoft Office 2000 Premium -- Error 1706. No valid source
could be found for product Microsoft Office 2000 Premium. The Windows installer
cannot continue.

[ System Events ]
Error - 09/05/2010 17:48:13 | Computer Name = USER-2D7097102E | Source = Service Control Manager | ID = 7023
Description = The HID Input Service service terminated with the following error:
%%126

Error - 09/05/2010 17:48:18 | Computer Name = USER-2D7097102E | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Lbd

Error - 09/05/2010 17:54:55 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 17:54:59 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 17:58:04 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 17:58:09 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 18:00:43 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 18:00:44 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 18:34:05 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.

Error - 09/05/2010 18:34:06 | Computer Name = USER-2D7097102E | Source = Removable Storage Service | ID = 262255
Description = RSM could not load media in drive Drive 0 of library Generic USB SD
Reader USB Device.


< End of report >

Edited by Attilla the Bun, 12 May 2010 - 04:16 PM.


#6
RKinner (Malware Expert, Expert, 23,711 posts, MVP)
You only get an Extras log the first time you run OTL.

I think your antivirus came on after the reboot and ate one of Combofix's files. Delete the current george.exe, pause your antivirus and download a new one and call it george2.exe then run george2 and post the log.

I think we need to check your disk to make sure it is healthy.

Open My Computer and right click on C:\ and select Properties then Tools. Where it says Error Check, click on Check Now. Check both boxes then Start. It will tell you it can't do it now and ask to schedule it for the next reboot. Allow it to do that then reboot.

It will take about 30 minutes to check your drive to make sure it is healthy.

Then get Dial-A-Fix from

http://wiki.lunarsof...wiki/Dial-a-fix

Your log is showing some problems with install and update files, so run Dial-A-Fix and check the boxes for MSI and WU/WUAU, then Go.

After a reboot:

1. Please download the Event Viewer Tool by Vino Rosso
http://images.malwar...om/vino/VEW.exe
and save it to your Desktop.
2. Double-click VEW.exe
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'
Type 20 in the 1 to 20 box
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply, then repeat but select Application.

Ron

#7
Attilla the Bun (Topic Starter, Member, 35 posts)
Hi Ron,
I had a couple of problems. :)
I ran Combofix OK (much quicker this time!). At the beginning, when it asked Zonealarm for Internet access, a programme called nircmd.cfxxe also asked, I wasn't sure what it was, but it happened yesterday too when I ran Combofix, so I thought it must be to do with the programme and said yes. Soon after that a window came up saying my IE homepage had been changed, did I want to change it back. I don't use IE, but I thought I'd better say yes, and had to do it twice. The Combofix log is below.

It took three goes to get the disc check to work, then it took hours but completed it, but then I had trouble with Dial a Fix. It started working, and the two boxes you had me tick were unticked one by one, but then it hung on 'Stopping CRYPTSVC' for hours, with no activity showing, so I stopped it and tried it again, with the same result. Whilst it was stuck, Avira came up with another virus warning: Trojan PatchedGen, in C:\System Volume Information\_restore, which it was able to quarantine. This was one of the ones that turned up last week as well.

I didn't do the last step, as Dial a Fix hadn't been completed, and I thought it all worked sequentially (does it?).
Sorry to be a nuisance, I hope it isn't me getting it wrong! I have done everything you said and been very careful, at least I think I have.
Louise

Combofix log:
ComboFix 10-05-13.01 - User 13/05/2010 19:11:15.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1917.1137 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\Georege2.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2010-04-13 to 2010-05-13 )))))))))))))))))))))))))))))))
.

2010-05-12 21:06 . 2010-05-12 21:23 -------- d-----w- C:\George.exe
2010-05-09 20:42 . 2010-05-09 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-09 18:10 . 2010-05-10 19:10 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 01:33 . 2010-05-10 22:43 -------- d-----w- c:\program files\SpywareGuard
2010-05-09 01:06 . 2010-05-09 01:06 -------- d-----w- c:\program files\Foxit Software
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Identities
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Ahead
2010-05-09 00:32 . 2010-05-09 00:32 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\program files\McAfee
2010-05-09 00:25 . 2010-05-09 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-05-08 23:12 . 2010-05-08 23:12 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2010-05-08 23:04 . 2010-05-08 23:04 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\program files\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-08 23:02 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-08 23:02 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-08 23:02 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-05-08 23:02 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-05-08 22:41 . 2010-05-08 22:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-07 12:08 . 2010-05-08 22:41 -------- d-----w- c:\program files\Alwil Software
2010-05-07 12:08 . 2010-05-08 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-07 10:47 . 2010-05-07 10:51 -------- d-----w- c:\program files\ERUNT
2010-05-06 00:03 . 2010-05-06 00:03 -------- d-----w- c:\program files\CleanIt
2010-05-05 18:04 . 2010-05-10 22:41 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-04-24 10:20 . 2008-04-14 12:00 26112 ----a-w- c:\windows\system32\stu2.exe
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\program files\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\User\Application Data\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-22 17:27 . 2010-04-22 17:27 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 17:27 . 2010-05-10 22:41 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-05-08 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-22 15:37 . 2010-04-22 15:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-22 12:58 . 2010-04-22 12:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 10:28 . 2010-04-24 10:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-22 09:01 . 2010-04-22 09:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-21 21:43 . 2010-04-21 21:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-12 21:04 . 2009-03-22 22:22 2308791 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-05-12 18:16 . 2008-12-30 10:44 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-05-12 18:05 . 2009-01-05 01:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-12 17:51 . 2009-01-10 20:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-10 22:35 . 2009-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-09 22:43 . 2009-01-17 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-09 19:32 . 2009-08-23 13:44 -------- d-----w- c:\program files\LiveOnlineFooty.com
2010-05-09 01:21 . 2009-03-20 09:51 -------- d-----w- c:\program files\Lavasoft
2010-05-09 01:17 . 2010-03-17 23:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-09 01:16 . 2009-01-10 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 01:04 . 2008-12-30 14:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 00:59 . 2009-01-04 23:00 64000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 00:53 . 2010-05-09 00:53 -------- d-----w- c:\documents and settings\User_2\Application Data\CheckPoint
2010-05-09 00:12 . 2009-05-09 12:09 -------- d-----w- c:\program files\Google
2010-05-09 00:09 . 2009-01-17 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-09 00:09 . 2009-01-17 21:16 -------- d-----w- c:\program files\SpywareBlaster
2010-05-08 22:24 . 2010-05-08 22:59 385024 ----a-w- c:\windows\Internet Logs\xDB8.tmp
2010-05-08 22:24 . 2010-05-08 22:59 1762304 ----a-w- c:\windows\Internet Logs\xDB9.tmp
2010-05-07 12:03 . 2008-12-30 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-06 00:22 . 2009-01-10 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 00:19 . 2009-04-17 20:04 -------- d-----w- c:\program files\Logitech
2010-05-03 15:30 . 2009-08-23 18:12 -------- d-----w- c:\documents and settings\User\Application Data\Spotify
2010-04-29 22:39 . 2010-01-24 17:49 -------- d-----w- c:\documents and settings\User\Application Data\Temp
2010-04-29 14:39 . 2009-01-10 22:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-01-10 22:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 20:10 . 2009-01-05 00:53 -------- d-----w- c:\program files\EPSON
2010-04-25 22:06 . 2010-04-27 20:28 56832 ----a-w- c:\windows\Internet Logs\xDB10.tmp
2010-04-25 22:06 . 2010-04-27 20:28 1722880 ----a-w- c:\windows\Internet Logs\xDB11.tmp
2010-04-24 11:00 . 2010-04-25 18:06 1719808 ----a-w- c:\windows\Internet Logs\xDB6.tmp
2010-04-24 11:00 . 2010-04-25 18:06 1531392 ----a-w- c:\windows\Internet Logs\xDB5.tmp
2010-04-24 10:43 . 2008-12-30 11:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 22:41 . 2009-09-10 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 -------- d-----w- c:\program files\docXConverter3
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\PureSync
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\Common Files\Jumping Bytes
2010-03-31 09:06 . 2010-03-31 09:06 -------- d-----w- c:\documents and settings\User\Application Data\Jumping Bytes
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\documents and settings\User\Application Data\CheckPoint
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\program files\CheckPoint
2010-03-18 00:35 . 2010-03-18 00:35 -------- d-----w- c:\program files\Zone Labs
2010-03-17 23:46 . 2010-03-17 23:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-15 21:07 . 2010-03-15 21:07 -------- d-----w- c:\documents and settings\User\Application Data\AVG8
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 22:50 . 2010-03-05 22:49 20887024 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-05 22:49 . 2010-03-05 22:49 8405312 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 22:49 . 2010-03-05 22:49 149000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 22:49 . 2010-03-05 22:48 10309448 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 283280 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 181768 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 22:48 . 2010-03-05 22:48 79368 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 22:47 . 2010-03-05 22:47 64000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 22:47 . 2010-03-05 22:47 52288 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 50688 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 49152 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 22:47 . 2010-03-05 22:47 118784 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-04 18:33 . 2010-03-04 18:33 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-10 19:08 . 2009-01-10 19:05 23804784 ----a-w- c:\program files\aaw2008.exe
2003-12-19 19:36 . 2009-06-02 22:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [email protected]_21.21.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-13 18:00 . 2010-05-13 18:00 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
- 2008-04-14 12:00 . 2010-05-12 21:18 67768 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-13 18:04 67768 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-13 18:04 433130 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-05-12 21:18 433130 c:\windows\system32\perfh009.dat
+ 2008-12-30 11:38 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-12-30 11:38 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
- 2008-12-30 11:38 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-30 11:38 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-30 11:38 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
- 2008-12-30 11:38 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-01-05 19:42 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-08 2017280]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-11-22 1037192]
"ISW"="c:\program files\CheckPoint\ZAForceField\ForceField.exe" [2009-10-14 730480]
"CleanIt"="c:\program files\CleanIt\cleanit.exe" [2001-08-13 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\User\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 10:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 12:00 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-04-07 17:27 1511424 ----a-w- c:\program files\Kodak\AiO\PrinterDriver\i386\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-10-04 08:14 8491008 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-10-04 08:14 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-10-04 08:14 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2004-01-08 15:07 86016 ------w- c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PureSync]
2010-03-25 10:16 771744 ----a-w- c:\program files\PureSync\PureSyncTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 16:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-09-19 10:14 16844800 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 14:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-08-03 05:22 1826816 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-03 19:00 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-03 12:50 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ------w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
"9322:TCP"= 9322:TCP:EKDiscovery

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/05/2010 00:02 135336]
R2 ISWKL;ZoneAlarm Toolbar ISWKL;c:\program files\CheckPoint\ZAForceField\ISWKL.sys [14/10/2009 14:30 25208]
R2 IswSvc;ZoneAlarm Toolbar IswSvc;c:\program files\CheckPoint\ZAForceField\ISWSVC.exe [14/10/2009 14:30 476528]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [04/05/2009 13:15 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [17/04/2009 13:08 32768]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [09/05/2010 01:31 93320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [10/11/2007 04:20 29728]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0155281273365123mcinstcleanup;McAfee Application Installer Cleanup (0155281273365123);c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-05-09 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2009-05-04 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-13 19:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(696)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

- - - - - - - > 'lsass.exe'(752)
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

- - - - - - - > 'explorer.exe'(13648)
c:\windows\system32\WININET.dll
c:\program files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-05-13 19:16:25
ComboFix-quarantined-files.txt 2010-05-13 18:16
ComboFix2.txt 2010-05-12 21:23

Pre-Run: 295,574,372,352 bytes free
Post-Run: 295,521,214,464 bytes free

- - End Of File - - BC2D1FD1841EA2C9BA1004C683186002

Edited by Attilla the Bun, 13 May 2010 - 05:44 PM.

  • 0

#8
RKinner
    Malware Expert
  • Expert
  • 23,711 posts
  • MVP
Go ahead and run the Event Viewer Tool and let's see if the logs tell us anything about what happened.

Ron
  • 0

#9
Attilla the Bun
    Member
  • Topic Starter
  • Member
  • 35 posts
That was quick! I'll be in bed early tonight!

Vino's Event Viewer v01c run on Windows XP in English
Report run at 14/05/2010 19:04:25

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 14/05/2010 19:01:13
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 14/05/2010 19:00:43
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 14/05/2010 00:23:43
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 14/05/2010 00:23:25
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 14/05/2010 00:23:25
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 14/05/2010 00:23:25
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Log: 'System' Date/Time: 14/05/2010 00:22:38
Type: error Category: 0
Event: 877 Source: Application Popup
There was error [DATABASE OPEN FAILED] processing the driver database.

Log: 'System' Date/Time: 13/05/2010 19:30:20
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 13/05/2010 19:30:12
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 13/05/2010 19:01:20
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 13/05/2010 19:01:02
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 12/05/2010 23:09:37
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 12/05/2010 23:09:27
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 12/05/2010 22:14:41
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 12/05/2010 22:14:34
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 12/05/2010 22:02:43
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 12/05/2010 22:02:32
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'System' Date/Time: 12/05/2010 22:02:32
Type: error Category: 0
Event: 7000 Source: Service Control Manager
The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.

Log: 'System' Date/Time: 12/05/2010 22:02:32
Type: error Category: 0
Event: 7009 Source: Service Control Manager
Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.

Log: 'System' Date/Time: 12/05/2010 22:01:46
Type: error Category: 0
Event: 49 Source: Ftdisk
Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 11/05/2010 21:45:48
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:45:18
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:44:40
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:44:06
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<firefox.exe> C:\...vw.default\prefs-1.js

Log: 'System' Date/Time: 11/05/2010 21:43:38
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:43:06
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:42:35
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:42:07
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:41:28
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<firefox.exe> C:\...fault\sessionstore.js

Log: 'System' Date/Time: 11/05/2010 21:40:56
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:40:24
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:39:56
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:39:29
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:38:58
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:38:25
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:37:56
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:37:30
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:37:04
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:36:33
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<RapportService.>

Log: 'System' Date/Time: 11/05/2010 21:36:02
Type: warning Category: 0
Event: 18 Source: avgntflt
TIMEOUT<firefox.exe>

Vino's Event Viewer v01c run on Windows XP in English
Report run at 14/05/2010 19:05:38

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 09/05/2010 13:23:04
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 09/05/2010 13:22:57
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 09/05/2010 13:22:50
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 07/05/2010 11:40:36
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 07/05/2010 11:40:23
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 07/05/2010 08:49:46
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 07/05/2010 08:49:40
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 07/05/2010 08:49:33
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 01/05/2010 08:55:00
Type: error Category: 100
Event: 1000 Source: Application Error
Faulting application svchost.exe, version 5.1.2600.5512, faulting module shlwapi.dll, version 6.0.2900.5912, fault address 0x00009584.

Log: 'Application' Date/Time: 27/04/2010 23:55:47
Type: error Category: 12
Event: 473 Source: ESENT
Catalog Database (1176) Database C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb was partially detached. Error -1032 encountered updating database headers.

Log: 'Application' Date/Time: 27/04/2010 23:55:47
Type: error Category: 1
Event: 489 Source: ESENT
svchost (1176) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read only access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Log: 'Application' Date/Time: 27/04/2010 23:55:46
Type: error Category: 3
Event: 439 Source: ESENT
Catalog Database (1176) Unable to write a shadowed header for file C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb. Error -1032.

Log: 'Application' Date/Time: 27/04/2010 23:55:46
Type: error Category: 1
Event: 490 Source: ESENT
svchost (1176) An attempt to open the file "C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb" for read / write access failed with system error 32 (0x00000020): "The process cannot access the file because it is being used by another process. ". The open file operation will fail with error -1032 (0xfffffbf8).

Log: 'Application' Date/Time: 23/04/2010 23:32:06
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application spybotsd.exe, version 1.6.2.46, faulting module spybotsd.exe, version 1.6.2.46, fault address 0x00001941.

Log: 'Application' Date/Time: 22/04/2010 09:55:20
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 22/04/2010 09:54:58
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 22/04/2010 09:54:32
Type: error Category: 0
Event: 11706 Source: MsiInstaller
Product: Microsoft Office 2000 Premium -- Error 1706. No valid source could be found for product Microsoft Office 2000 Premium. The Windows installer cannot continue.

Log: 'Application' Date/Time: 21/04/2010 06:37:57
Type: error Category: 0
Event: 1000 Source: Application Error
Faulting application cawxsonmer.tmp, version 0.0.0.0, faulting module msvcrt.dll, version 7.0.2600.5512, fault address 0x000370dc.

Log: 'Application' Date/Time: 16/04/2010 06:56:54
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: The specified server cannot perform the requested operation.

Log: 'Application' Date/Time: 16/04/2010 06:56:54
Type: error Category: 0
Event: 8 Source: crypt32
Failed auto update retrieval of third-party root list sequence number from: <http://www.download....uthrootseq.txt> with error: This operation returned because the timeout period expired.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'Application' Date/Time: 13/05/2010 21:34:40
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\System Volume Information\_restore{7CB3854A-A0B4-44C2-A07D-D4D4DC292982}\RP4\A0004216.sys

Log: 'Application' Date/Time: 13/05/2010 20:33:35
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\System Volume Information\_restore{7CB3854A-A0B4-44C2-A07D-D4D4DC292982}\RP4\A0004216.sys

Log: 'Application' Date/Time: 13/05/2010 20:04:44
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\System Volume Information\_restore{7CB3854A-A0B4-44C2-A07D-D4D4DC292982}\RP4\A0004216.sys

Log: 'Application' Date/Time: 12/05/2010 22:15:23
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir

Log: 'Application' Date/Time: 12/05/2010 22:15:17
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\redbook.sys.vir

Log: 'Application' Date/Time: 12/05/2010 22:15:17
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\Qoobox\32788R22FWJFW\redbook.sys

Log: 'Application' Date/Time: 12/05/2010 22:15:16
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\Qoobox\32788R22FWJFW\redbook.sys

Log: 'Application' Date/Time: 09/05/2010 18:53:55
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Crypt.XPACK.Gen' in the file C:\Documents and Settings\User\Application Data\Microsoft\Windows\olemgr.exe

Log: 'Application' Date/Time: 09/05/2010 13:22:58
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'

Log: 'Application' Date/Time: 09/05/2010 13:22:58
Type: warning Category: 0
Event: 1004 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Log: 'Application' Date/Time: 09/05/2010 13:22:50
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'

Log: 'Application' Date/Time: 09/05/2010 13:22:50
Type: warning Category: 0
Event: 1004 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Log: 'Application' Date/Time: 09/05/2010 13:22:39
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles' failed during request for component '{7AB02DE0-B463-11D1-96C4-0080C728108A}'

Log: 'Application' Date/Time: 09/05/2010 13:22:39
Type: warning Category: 0
Event: 1004 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'ProductNonBootFiles', component '{4A31E933-6F67-11D2-AAA2-00A0C90F57B0}' failed. The resource 'HKEY_CURRENT_USER\Software\ODBC\ODBC.INI\MS Access Database\' does not exist.

Log: 'Application' Date/Time: 09/05/2010 01:56:05
Type: warning Category: 0
Event: 1517 Source: Userenv
Windows saved user USER-2D7097102E\User_2 registry while an application or service was still using the registry during log off. The memory used by the user's registry has not been freed. The registry will be unloaded when it is no longer in use. This is often caused by services running as a user account, try configuring the services to run in either the LocalService or NetworkService account.

Log: 'Application' Date/Time: 08/05/2010 23:27:55
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x8007043C

Log: 'Application' Date/Time: 07/05/2010 14:28:26
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x8007043C

Log: 'Application' Date/Time: 07/05/2010 13:44:28
Type: warning Category: 0
Event: 1015 Source: MsiInstaller
Failed to connect to server. Error: 0x8007043C

Log: 'Application' Date/Time: 07/05/2010 11:40:23
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Log: 'Application' Date/Time: 07/05/2010 11:39:56
Type: warning Category: 0
Event: 1001 Source: MsiInstaller
Detection of product '{00000409-78E1-11D2-B60F-006097C998E7}', feature 'HTMLSourceEditing' failed during request for component '{9E0B2BE1-DEDA-11D1-A17E-00A0C90AB50F}'

Thanks, Ron.

Think I'll switch the darned thing off now before anything else happens!

Louise
  • 0
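Reading reports like the two above by hand is slow once they run to dozens of records. The script below is an added example, not part of Vino's Event Viewer or of any post in this thread: it parses the report layout (the "Log:", "Type:", "Event:" lines and the message that follows) and pulls out the items Ron acts on next, namely the boot driver that fails to load, the service that dies at start, and the Avira detections, flagging which of those sit inside a System Restore point rather than on the live system. The sample report is constructed from records posted above.

```python
"""Parse a Vino's Event Viewer report (the layout of the logs posted in this thread)
and triage its records. Added example for this thread; not Vino's or any poster's code."""
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample: four records copied from the reports posted above.
SAMPLE_REPORT = r"""
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 14/05/2010 19:01:13
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

Log: 'System' Date/Time: 14/05/2010 19:00:43
Type: error Category: 0
Event: 7023 Source: Service Control Manager
The HID Input Service service terminated with the following error: The specified module could not be found.

Log: 'Application' Date/Time: 13/05/2010 21:34:40
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Patched.Gen' in the file C:\System Volume Information\_restore{7CB3854A-A0B4-44C2-A07D-D4D4DC292982}\RP4\A0004216.sys

Log: 'Application' Date/Time: 09/05/2010 18:53:55
Type: warning Category: 2
Event: 4113 Source: Avira AntiVir
AntiVir has detected 'TR/Crypt.XPACK.Gen' in the file C:\Documents and Settings\User\Application Data\Microsoft\Windows\olemgr.exe
"""

LOG_RE = re.compile(r"^Log: '(?P<log>[^']+)' Date/Time: (?P<when>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)$")
TYPE_RE = re.compile(r"^Type: (?P<level>\w+) Category: (?P<category>\d+)$")
EVENT_RE = re.compile(r"^Event: (?P<event_id>\d+) Source: (?P<source>.+)$")
DRIVER_RE = re.compile(r"failed to load: (?P<drivers>.+)$")
SERVICE_RE = re.compile(r"^The (?P<name>.+?) service terminated")
DETECT_RE = re.compile(r"has detected '(?P<name>[^']+)' in the file (?P<path>.+)$")


@dataclass
class Event:
    log: str
    when: datetime
    level: str
    category: int
    event_id: int
    source: str
    message: str


def parse_report(text):
    """Return the Event records in a report; banner and section-header lines are skipped."""
    lines = text.splitlines()
    events, i = [], 0
    while i < len(lines):
        head = LOG_RE.match(lines[i])
        if not head:  # banner, "~~~" rule, section title or blank line
            i += 1
            continue
        rest = lines[i + 1:i + 3]
        if len(rest) < 2 or not (typ := TYPE_RE.match(rest[0])) or not (evt := EVENT_RE.match(rest[1])):
            raise ValueError(f"malformed record at line {i + 1}")
        # The message runs until a blank line, the next record or a section rule.
        j, body = i + 3, []
        while j < len(lines) and lines[j].strip() and not lines[j].startswith(("~~~", "Log: '")):
            body.append(lines[j].strip())
            j += 1
        events.append(Event(head["log"], datetime.strptime(head["when"], "%d/%m/%Y %H:%M:%S"),
                            typ["level"], int(typ["category"]), int(evt["event_id"]),
                            evt["source"].strip(), " ".join(body)))
        i = j
    return events


def triage(events):
    """Pull out what a helper reads first: boot drivers that fail to load (SCM 7026), services
    dying at start (SCM 7023) and Avira detections (4113), flagging hits inside System Restore."""
    summary = {"by_source_event": Counter((ev.source, ev.event_id) for ev in events),
               "failed_drivers": Counter(), "failed_services": Counter(), "detections": []}
    for ev in events:
        if ev.source == "Service Control Manager" and ev.event_id == 7026:
            if m := DRIVER_RE.search(ev.message):
                summary["failed_drivers"].update(m["drivers"].split())
        elif ev.source == "Service Control Manager" and ev.event_id == 7023:
            if m := SERVICE_RE.match(ev.message):
                summary["failed_services"][m["name"]] += 1
        elif ev.source == "Avira AntiVir" and ev.event_id == 4113:
            if m := DETECT_RE.search(ev.message):
                summary["detections"].append({
                    "when": ev.when, "name": m["name"], "path": m["path"],
                    "in_restore_point": "\\system volume information\\" in m["path"].lower()})
    return summary


if __name__ == "__main__":
    print(triage(parse_report(SAMPLE_REPORT)))
```

A detection inside `System Volume Information\_restore{...}` is a copy held by System Restore, which is why the next step in the thread is to clean up restore points rather than hunt for a live file.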

#10
RKinner
    Malware Expert
  • Expert
  • 23,711 posts
  • MVP
We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

I would uninstall Zone Alarm. Getting too many events from it. Doesn't really look like it is working at all.

Ad Aware did not install properly and left a driver entry. We'll get it on our next Combofix run.

You did disable Spybot's Tea Timer I hope.


HID Input Service is not working. Missing a file. Let's just turn it off for now.

Start, Run, services.msc, OK then click on Standard and scroll down in the right pane and find HID Input Service. Right click on it and select Properties then change the Startup type to Disabled. OK.


You have an installer problem:

http://support.microsoft.com/kb/555175

Do Methods one and three. With Three the failed installation is Microsoft Office 2000 Premium which has ID {00000409-78E1-11D2-B60F-006097C998E7}

Start, Run, eventvwr.msc, OK

Right click on System and Clear All. No, we don't want to make a copy first.

Right click on Applications and Clear All. No, we don't want to make a copy first.

Now reboot and run Vino's Event Viewer again and post the new logs.

Ron
  • 0

#11
Attilla the Bun
    Member
  • Topic Starter
  • Member
  • 35 posts
Hi Ron,
I did everything except Method three, as I couldn't find Microsoft Office Premium or the ID number in the Installer Cleanup utility.

Here are the Eventviewer logs:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 14/05/2010 21:46:16

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vino's Event Viewer v01c run on Windows XP in English
Report run at 14/05/2010 21:47:11

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'Application' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  • 0

#12
RKinner
    Malware Expert
  • Expert
  • 23,711 posts
  • MVP
Assuming you rebooted after clearing the logs, things are really looking good.

In Internet Explorer 8, Safety, Windows Update.

See if they have any updates for you. They will also tell you if your auto update service is not turned on. (You want it on. Also Schedule a time like 3AM for them to be installed.)

Hopefully they have an update and you are able to install it.

Copy the text between the lines of stars by highlighting and Ctrl + c.

******************************************

Killall::

File::
c:\windows\system32\DRIVERS\Lbd.sys
c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE
c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini

Driver::
Lbd
0155281273365123mcinstcleanup


******************************************

Now open notepad (Start, Run, notepad, OK) and Ctrl + V to paste the text into Notepad. Make sure you got it all then File, SAVE AS, (to your Desktop), CFScript, OK. Close notepad. (Overwrite the old one if it's still there.) You should see a file CFScript.txt on your desktop.

Drag it over to george and let it start as before.

Post the new log.

We need to clean up System Restore. Follow Jim's procedure here:
http://forum.aumha.o...581099691bf108f

You can uninstall or delete any tools we had you download and their logs.
To uninstall combofix, copy the next line:

"%userprofile%\Desktop\george.exe" /Uninstall

Start, Run, cmd, OK then right click, Paste, then hit Enter.

To hide hidden files again:

# Close all programs so that you are at your desktop.
# Double-click on the My Computer icon.
# Select the Tools menu and click Folder Options.
# After the new window appears select the View tab.
# Uncheck the checkbox labeled Display the contents of system folders.
# Under the Hidden files and folders section select the 'Hide protected operating system files (recommended)' option.
# Check the checkbox labeled Hide protected operating system files.
# Press the Apply button and then the OK button and shutdown My Computer.

You do not have the latest Java. Get the latest at:

http://www.java.com/...nload/index.jsp


Once you install it, go into Control Panel, Add/Remove Software and remove any old versions (which may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE).
I see:
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 11


Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat. Adobe is fond of foisting GetPlus on you. You can let them install it and then afterwards, go into Control Panel, Add/Remove Software and remove it. It probably doesn't hurt to leave it but I don't see the need for it and it has caused problems in the past.

Whether you use Adobe Reader, Acrobat or Foxit to read PDF files you need to disable JavaScript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, click on JavaScript in the left column and uncheck Enable Acrobat JavaScript. OK. Close program. It's the same for Foxit Reader except you uncheck Enable JavaScript Actions.

I recommend you install the free WinPatrol 2010 from http://www.winpatrol.com/download.html

It's a small program that will sit in your systray and warn you if something tries to make changes to your system.

If you use USB drives you might want to install Autorun Eater v2.4.
http://oldmcdonald.w...orun-eater-v24/
Another small program which will stay resident and prevent an infected USB drive from infecting your PC.

If you use Firefox then get the AdBlock Plus Add-on.

Ron
  • 0

#13
Attilla the Bun
    Member
  • Topic Starter
  • Member
  • 35 posts
Hi Ron,
I had a Senior Moment, and got confused about ComboFix - I thought I had to copy and paste the text, like some of the other things you've had me do, so it ran without it. I hope it didn't mess things up. Then I got my head together and did exactly what you asked, and here is the log:
ComboFix 10-05-14.06 - User 15/05/2010 10:53:58.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.1917.1222 [GMT 1:00]
Running from: c:\documents and settings\User\Desktop\George.exe
Command switches used :: c:\documents and settings\User\Desktop\CFSCRIPT.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

FILE ::
"c:\docume~1\User\LOCALS~1\Temp\015528~1.EXE"
"c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini"
"c:\windows\system32\DRIVERS\Lbd.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0155281273365123MCINSTCLEANUP
-------\Legacy_LBD
-------\Service_0155281273365123mcinstcleanup
-------\Service_Lbd


((((((((((((((((((((((((( Files Created from 2010-04-15 to 2010-05-15 )))))))))))))))))))))))))))))))
.

2010-05-14 20:34 . 2010-05-14 20:34 3584 ----a-r- c:\documents and settings\User\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2010-05-14 20:34 . 2010-05-14 20:34 -------- d-----w- c:\program files\Windows Installer Clean Up
2010-05-14 20:33 . 2010-05-14 20:33 -------- d-----w- c:\program files\MSECACHE
2010-05-14 20:06 . 2010-05-14 20:06 -------- d-----w- c:\windows\Internet Logs
2010-05-13 18:08 . 2010-05-13 18:16 -------- d-----w- C:\Georege2
2010-05-12 21:06 . 2010-05-12 21:23 -------- d-----w- C:\George.exe
2010-05-09 20:42 . 2010-05-09 20:42 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-05-09 18:10 . 2010-05-10 19:10 -------- d-----w- c:\windows\system32\NtmsData
2010-05-09 01:33 . 2010-05-10 22:43 -------- d-----w- c:\program files\SpywareGuard
2010-05-09 01:06 . 2010-05-09 01:06 -------- d-----w- c:\program files\Foxit Software
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Identities
2010-05-09 00:55 . 2010-05-09 00:55 -------- d-----w- c:\documents and settings\User_2\Local Settings\Application Data\Ahead
2010-05-09 00:32 . 2010-05-09 00:32 -------- d-----w- c:\program files\Common Files\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-05-09 00:31 . 2010-05-09 00:31 -------- d-----w- c:\program files\McAfee
2010-05-09 00:25 . 2010-05-09 00:25 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-05-08 23:12 . 2010-05-08 23:12 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Temp
2010-05-08 23:04 . 2010-05-08 23:04 -------- d-----w- c:\documents and settings\User\Application Data\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\program files\Avira
2010-05-08 23:02 . 2010-05-08 23:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-05-08 23:02 . 2010-03-01 09:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-05-08 23:02 . 2010-02-16 13:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-05-08 23:02 . 2009-05-11 11:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-05-08 23:02 . 2009-05-11 11:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-05-08 22:41 . 2010-05-08 22:41 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-05-07 12:08 . 2010-05-08 22:41 -------- d-----w- c:\program files\Alwil Software
2010-05-07 12:08 . 2010-05-08 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-05-07 10:47 . 2010-05-07 10:51 -------- d-----w- c:\program files\ERUNT
2010-05-06 00:03 . 2010-05-06 00:03 -------- d-----w- c:\program files\CleanIt
2010-05-05 18:04 . 2010-05-10 22:41 63488 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-04-24 10:20 . 2008-04-14 12:00 26112 ----a-w- c:\windows\system32\stu2.exe
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\program files\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\User\Application Data\Comodo
2010-04-23 22:14 . 2010-04-28 23:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-22 17:27 . 2010-04-22 17:27 52224 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 17:27 . 2010-05-10 22:41 117760 ----a-w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-05-08 23:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\documents and settings\User\Application Data\SUPERAntiSpyware.com
2010-04-22 17:26 . 2010-04-22 17:26 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-22 15:37 . 2010-04-22 15:38 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-22 12:58 . 2010-04-22 12:58 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-22 10:28 . 2010-04-24 10:20 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-22 09:01 . 2010-04-22 09:01 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-21 21:43 . 2010-04-21 21:43 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
1601-01-01 00:00 . 1601-01-01 00:00 -------- d-----w- c:\windows\LastGood.Tmp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-14 20:18 . 2009-01-10 20:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2010-05-14 20:05 . 2010-03-18 00:35 -------- d-----w- c:\program files\CheckPoint
2010-05-14 20:05 . 2010-03-18 00:35 -------- d-----w- c:\documents and settings\User\Application Data\CheckPoint
2010-05-14 18:15 . 2009-01-05 01:43 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-05-12 18:16 . 2008-12-30 10:44 57600 ----a-w- c:\windows\system32\drivers\redbook.sys
2010-05-10 22:35 . 2009-01-17 21:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-05-09 22:43 . 2009-01-17 21:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-05-09 19:32 . 2009-08-23 13:44 -------- d-----w- c:\program files\LiveOnlineFooty.com
2010-05-09 01:21 . 2009-03-20 09:51 -------- d-----w- c:\program files\Lavasoft
2010-05-09 01:17 . 2010-03-17 23:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\~0
2010-05-09 01:16 . 2009-01-10 19:15 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-05-09 01:04 . 2008-12-30 14:02 -------- d-----w- c:\program files\Common Files\Adobe
2010-05-09 00:59 . 2009-01-04 23:00 64000 ----a-w- c:\documents and settings\User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-09 00:53 . 2010-05-09 00:53 -------- d-----w- c:\documents and settings\User_2\Application Data\CheckPoint
2010-05-09 00:12 . 2009-05-09 12:09 -------- d-----w- c:\program files\Google
2010-05-09 00:09 . 2009-01-17 21:17 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-09 00:09 . 2009-01-17 21:16 -------- d-----w- c:\program files\SpywareBlaster
2010-05-07 12:03 . 2008-12-30 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-05-06 00:22 . 2009-01-10 22:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-06 00:19 . 2009-04-17 20:04 -------- d-----w- c:\program files\Logitech
2010-05-03 15:30 . 2009-08-23 18:12 -------- d-----w- c:\documents and settings\User\Application Data\Spotify
2010-04-29 22:39 . 2010-01-24 17:49 -------- d-----w- c:\documents and settings\User\Application Data\Temp
2010-04-29 14:39 . 2009-01-10 22:41 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 14:39 . 2009-01-10 22:41 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-28 20:10 . 2009-01-05 00:53 -------- d-----w- c:\program files\EPSON
2010-04-24 10:43 . 2008-12-30 11:51 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 22:41 . 2009-09-10 22:37 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 140 ---ha-w- c:\documents and settings\User\Application Data\lakerda1967.sys
2010-04-21 17:28 . 2009-02-20 13:37 -------- d-----w- c:\program files\docXConverter3
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\PureSync
2010-03-31 09:07 . 2010-03-31 09:07 -------- d-----w- c:\program files\Common Files\Jumping Bytes
2010-03-31 09:06 . 2010-03-31 09:06 -------- d-----w- c:\documents and settings\User\Application Data\Jumping Bytes
2010-03-17 23:46 . 2010-03-17 23:46 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-03-10 06:15 . 2008-04-14 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-05 22:50 . 2010-03-05 22:49 20887024 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\rp\RealPlayerSPGold.exe
2010-03-05 22:49 . 2010-03-05 22:49 8405312 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\gtb\GOOGLE_TOOLBAR\GoogleToolbarInstaller.exe
2010-03-05 22:49 . 2010-03-05 22:49 149000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr_helper\LaunchHelper.exe
2010-03-05 22:49 . 2010-03-05 22:48 10309448 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\chr\ChromeInstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 283280 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\CarboniteSetupLiteRealPreinstaller.exe
2010-03-05 22:48 . 2010-03-05 22:48 181768 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\carb\LaunchHelper.exe
2010-03-05 22:48 . 2010-03-05 22:48 79368 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\vista.exe
2010-03-05 22:47 . 2010-03-05 22:47 64000 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gcapi_dll.dll
2010-03-05 22:47 . 2010-03-05 22:47 52288 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\gtapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 50688 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\fftbapi.dll
2010-03-05 22:47 . 2010-03-05 22:47 49152 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\CarboniteCompatibility.dll
2010-03-05 22:47 . 2010-03-05 22:47 118784 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\RUP\inst_config\compat.dll
2010-03-04 18:33 . 2010-03-04 18:33 439816 ----a-w- c:\documents and settings\User\Application Data\Real\Update\setup3.10\setup.exe
2010-02-25 06:24 . 2008-04-14 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2008-04-14 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2008-04-14 12:00 2146304 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2008-04-14 00:01 2024448 ----a-w- c:\windows\system32\ntkrnlpa.exe
2009-01-10 19:08 . 2009-01-10 19:05 23804784 ----a-w- c:\program files\aaw2008.exe
2003-12-19 19:36 . 2009-06-02 22:28 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2009-05-13 21:55 . 2009-05-13 21:55 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-05-13 21:55 . 2009-05-13 21:55 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((( [email protected]_21.21.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-05-15 09:58 . 2010-05-15 09:58 16384 c:\windows\temp\Perflib_Perfdata_fec.dat
+ 2010-05-15 09:57 . 2010-05-15 09:57 16384 c:\windows\temp\Perflib_Perfdata_244.dat
- 2008-04-14 12:00 . 2010-05-12 21:18 67768 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-15 09:28 67768 c:\windows\system32\perfc009.dat
+ 2008-04-14 12:00 . 2010-05-15 09:28 433130 c:\windows\system32\perfh009.dat
- 2008-04-14 12:00 . 2010-05-12 21:18 433130 c:\windows\system32\perfh009.dat
+ 2008-12-30 11:38 . 2010-01-29 15:01 691712 c:\windows\system32\inetcomm.dll
- 2008-12-30 11:38 . 2008-04-11 19:04 691712 c:\windows\system32\inetcomm.dll
- 2008-12-30 11:38 . 2008-04-11 19:04 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2008-12-30 11:38 . 2010-01-29 15:01 691712 c:\windows\system32\dllcache\inetcomm.dll
+ 2010-05-14 20:34 . 2010-05-14 20:34 472064 c:\windows\Installer\d1d30.msi
+ 2008-03-20 17:06 . 2008-03-20 17:06 1480232 c:\windows\system32\LegitCheckControl.dll
- 2008-12-30 11:38 . 2009-07-10 13:27 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2008-12-30 11:38 . 2010-01-29 15:01 1315328 c:\windows\system32\dllcache\msoe.dll
+ 2009-01-05 19:42 . 2010-04-30 18:51 32058312 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-08 2017280]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]
"CleanIt"="c:\program files\CleanIt\cleanit.exe" [2001-08-13 61440]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

c:\documents and settings\User\Start Menu\Programs\Startup\
SpywareGuard.lnk - c:\program files\SpywareGuard\sgmain.exe [2003-8-29 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 14:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk
backup=c:\windows\pss\RAMASST.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 10:43 69632 ------r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-01 10:21 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Conime]
2008-04-14 12:00 27648 ----a-w- c:\windows\system32\conime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EKIJ5000StatusMonitor]
2009-04-07 17:27 1511424 ----a-w- c:\program files\Kodak\AiO\PrinterDriver\i386\EKIJ5000MUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2007-08-31 19:01 1037736 ----a-w- c:\program files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-07-13 13:03 292128 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2007-08-31 19:13 988584 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechSoftwareUpdate]
2004-10-08 11:06 196608 ----a-w- c:\program files\Logitech\Video\ManifestEngine.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoRepair]
2004-10-08 11:31 458752 ----a-w- c:\program files\Logitech\Video\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideoTray]
2004-10-08 11:24 217088 ----a-w- c:\program files\Logitech\Video\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMSX]
2004-10-08 10:52 221184 ----a-w- c:\windows\system32\LVCOMSX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 15:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-10-04 08:14 8491008 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-10-04 08:14 81920 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-10-04 08:14 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
2004-01-08 15:07 86016 ------w- c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PureSync]
2010-03-25 10:16 771744 ----a-w- c:\program files\PureSync\PureSyncTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 16:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-12-08 16:35 32768 ----a-w- c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-09-19 10:14 16844800 ------r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-11 04:19 69632 ----a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-09-02 14:27 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-08-03 05:22 1826816 ------r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 15:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-02-03 19:00 136600 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2009-10-03 12:50 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
2006-08-09 13:27 36864 ------w- c:\program files\Ulead Systems\Ulead VideoStudio SE DVD\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
2008-08-03 23:02 36352 ----a-w- c:\program files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Kodak\\AiO\\Center\\Kodak.Statistics.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"135:TCP"= 135:TCP:DCOM(135)
"9322:TCP"= 9322:TCP:EKDiscovery

R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [17/02/2010 11:25 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [17/02/2010 11:15 68168]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [09/05/2010 00:02 135336]
R2 Kodak AiO Network Discovery Service;Kodak AiO Network Discovery Service;c:\program files\Kodak\AiO\Center\EKDiscovery.exe [04/05/2009 13:15 279960]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [17/04/2009 13:08 32768]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\progra~1\mcafee\SITEAD~1\mcsacore.exe [09/05/2010 01:31 93320]
R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [15/03/2010 14:47 779496]
R3 NVHDA;Service for NVIDIA HDMI Audio Driver;c:\windows\system32\drivers\nvhda32.sys [10/11/2007 04:20 29728]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2010-05-09 c:\windows\Tasks\Kodak AiO Scheduled Maintenance.job
- c:\program files\Kodak\AiO\Center\Kodak.Statistics.exe [2009-05-04 12:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\
FF - prefs.js: browser.search.selectedEngine - Secure Search
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.search.yahoo.com/search?fr=mcafee&p=
FF - component: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\components\coolirisstub.dll
FF - component: c:\program files\McAfee\SiteAdvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\5aga9evw.default\extensions\[email protected]\plugins\npcoolirisplugin.dll
FF - plugin: c:\documents and settings\User\Application Data\Mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-15 10:58
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(5836)
c:\windows\system32\WININET.dll
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\windows\system32\nvsvc32.exe
c:\program files\SpywareGuard\sgbhp.exe
c:\windows\System32\StkASv2K.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\system32\wdfmgr.exe
c:\\?\c:\windows\system32\WBEM\WMIADAP.EXE
.
**************************************************************************
.
Completion time: 2010-05-15 11:01:14 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-15 10:01
ComboFix2.txt 2010-05-15 09:49
ComboFix3.txt 2010-05-13 18:16
ComboFix4.txt 2010-05-12 21:23

Pre-Run: 295,982,469,120 bytes free
Post-Run: 295,875,723,264 bytes free

- - End Of File - - 78D8A59A38701BB53459612C9DBABF7E
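The "Reg Loading Points", firewall and service sections of the ComboFix log above are what a helper reads first: where each autostart binary lives and what the firewall exposes to the network. The Python below is an added example (not from the post, and not part of ComboFix or of the forum's tools) that parses those line formats and applies the editor's own triage rules: a binary launched from a user profile or temp directory is flagged high, one outside Windows/Program Files medium, a kernel driver outside system32\drivers informational, and every globally open firewall port is reported, with 135/TCP (the RPC endpoint mapper, which the log labels DCOM) rated high. The regular expressions are assumptions about ComboFix's formatting inferred from the posted log, and the sample input copies lines from that log plus one clearly marked hypothetical Run entry so the location check has something to hit.

```python
"""Triage of ComboFix 'Reg Loading Points' output. Added example, not part of
the post or of ComboFix; the trust rules below are the editor's assumptions."""
import re
from dataclasses import dataclass

# Constructed sample in the line formats ComboFix uses for Run keys, the
# firewall GloballyOpenPorts list and service/driver entries. All but the
# marked line are copied from the log posted above.
SAMPLE_LINES = [
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8491008]',
    r'"CleanIt"="c:\program files\CleanIt\cleanit.exe" [2001-08-13 61440]',
    r'"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]',
    # Hypothetical entry, NOT from the posted log: included only so the location check has a hit.
    r'"Updater"="c:\documents and settings\User\Application Data\upd\svchost.exe" [2010-05-01 40960]',
    r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]",
    r'"135:TCP"= 135:TCP:DCOM(135)',
    r'"9322:TCP"= 9322:TCP:EKDiscovery',
    r"R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [15/03/2010 14:47 116328]",
    r"R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\AiO\Center\KodakSvc.exe [17/04/2009 13:08 32768]",
    r"S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [17/02/2010 11:15 12872]",
]

SEVERITY_RANK = {"high": 0, "medium": 1, "info": 2}

@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info"
    subject: str    # Run value name, service name or port/proto
    detail: str     # binary path, or the firewall label for a port
    reason: str

# Line shapes assumed from the posted log.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"=\s*"(?P<path>[^"]+)"\s*\[[^\]]*\]')
SVC_RE = re.compile(r'^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.+?)\s*\[[^\]]*\]$')
PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<label>.*)$')

# Trust rules (editor's assumptions, not ComboFix logic).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\recycler\\")
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def _location_finding(subject, path, kind):
    """Flag autostart binaries that live where a limited user (or malware) can write."""
    p = path.lower()
    if any(frag in p for frag in USER_WRITABLE):
        return Finding("high", subject, path, kind + " runs from a user-writable profile/temp directory")
    if not p.startswith(TRUSTED_PREFIXES):
        return Finding("medium", subject, path, kind + " runs from outside Windows/Program Files")
    return None

def triage(lines):
    """Walk the section and return findings, most severe first."""
    findings, section = [], ""
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            section = m.group("key").lower()
            continue
        m = PORT_RE.match(line)
        if m and "globallyopenports" in section:
            port, proto, label = m.group("port", "proto", "label")
            # 135/TCP is the RPC endpoint mapper (DCOM); opening it to every remote host is rarely intended on a home PC.
            sev = "high" if (port, proto) == ("135", "TCP") else "medium"
            findings.append(Finding(sev, port + "/" + proto, label, "port opened to all remote hosts in the Windows Firewall"))
            continue
        m = SVC_RE.match(line)
        if m:
            name, path = m.group("name"), m.group("path")
            f = _location_finding(name, path, m.group("start") + " service")
            if f:
                findings.append(f)
            if path.lower().endswith(".sys") and not path.lower().startswith(DRIVER_DIR):
                findings.append(Finding("info", name, path, "kernel driver loaded from outside system32\\drivers; confirm the vendor"))
            continue
        m = RUN_RE.match(line)
        if m and "firewallpolicy" not in section:
            f = _location_finding(m.group("name"), m.group("path"), "autostart entry")
            if f:
                findings.append(f)
    findings.sort(key=lambda f: SEVERITY_RANK[f.severity])
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.severity:6}] {f.subject}: {f.reason} ({f.detail})")
```

Run against the complete log posted above, these rules would report only the 135/TCP and 9322/TCP firewall exposures and four informational hits for the Trusteer Rapport and SUPERAntiSpyware kernel drivers (both known security products); every Run-key binary sits under Windows or Program Files. That matches the clean catchme result in the same log. The msconfig "startupreg" entries use a different line format (they are disabled items) and are deliberately not parsed here.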

#14 Attilla the Bun (Topic Starter, Member, 35 posts)
I need to spellcheck my typing as well! Excuse the previous gibberish...
I had a question about the Windows Update - it had me install ActiveX, and something in my memory from the last two weeks suggested that ActiveX is a security risk, and I had disabled it? Do I need to disable it again? I already had automatic update, so there wasn't much

I did all the other things; all the system files and folders were already checked/unchecked as you suggested, and I already had the add-on blocker in Firefox.
I added WinPatrol (woof!) and Autorun blocker (baa!) :)). Does the latter need to be in the Startup menu? I usually have as little as I can in that.

When you asked if I had rebooted before I ran Event Viewer, I immediately wondered if I had (I followed all your instructions, but you know how it is when someone raises a doubt...) and rebooted and ran it yet again. The Applications log still had nothing in it, but the System log had the following:

Vino's Event Viewer v01c run on Windows XP in English
Report run at 15/05/2010 11:33:56

Note: All dates below are in the format dd/mm/yyyy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/05/2010 11:18:02
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Kodak AiO Device Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Ulead Burning Helper service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The McAfee SiteAdvisor Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Windows User Mode Driver Framework service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Syntek STK1160 Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The DVD-RAM_Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:24:41
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - warning Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: warning Category: 0
Event: 263 Source: PlugPlayManager
The service "SPOOLER" may not have unregistered for device event notifications before it was stopped.

Hope there's nothing significant, after all this.
Thanks again, Ron
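Reading the System log the poster supplied: thirteen services "terminated unexpectedly" in the same second (10:53:57). A burst like that is best read as one incident (everything running was stopped at once, as happens on a forced shutdown or when a tool kills processes) rather than thirteen separate faults. The entries worth looking at on their own are the isolated Java Quick Starter termination at 11:18:02 and the 7026 for the Lbd driver failing to load at boot, which typically points to a driver entry left behind by an uninstalled product. The Python below is an added example (not part of the post, and not code from the Vino's Event Viewer tool) that parses that report format and applies this grouping; the record layout is inferred from the posted report, and the sample is a constructed excerpt of it.

```python
"""Triage of a 'Vino's Event Viewer' report: tell one mass-termination burst
apart from isolated service crashes. Added example, not code from the post."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed excerpt in the report format shown in the post (dd/mm/yyyy dates).
SAMPLE_REPORT = """\
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'System' Log - error Type
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Log: 'System' Date/Time: 15/05/2010 11:18:02
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Print Spooler service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7034 Source: Service Control Manager
The Kodak AiO Network Discovery Service service terminated unexpectedly. It has done this 1 time(s).

Log: 'System' Date/Time: 15/05/2010 10:53:57
Type: error Category: 0
Event: 7031 Source: Service Control Manager
The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.

Log: 'System' Date/Time: 15/05/2010 10:24:41
Type: error Category: 0
Event: 7026 Source: Service Control Manager
The following boot-start or system-start driver(s) failed to load: Lbd
"""

@dataclass(frozen=True)
class Event:
    when: datetime
    kind: str        # error / warning / information
    event_id: int
    source: str
    message: str

HEADER_RE = re.compile(r"^Log: '[^']+' Date/Time: (\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})$")
TYPE_RE = re.compile(r"^Type: (\S+) Category: \d+$")
EVENT_RE = re.compile(r"^Event: (\d+) Source: (.+)$")
SERVICE_RE = re.compile(r"^The (.+?) service terminated unexpectedly")
DRIVER_RE = re.compile(r"failed to load: (.+)$")

def _build(block):
    """One record = header, Type, Event, then message line(s); None if malformed."""
    if len(block) < 4:
        return None
    h, t, e = HEADER_RE.match(block[0]), TYPE_RE.match(block[1]), EVENT_RE.match(block[2])
    if not (h and t and e):
        return None
    when = datetime.strptime(h.group(1), "%d/%m/%Y %H:%M:%S")
    return Event(when, t.group(1), int(e.group(1)), e.group(2), " ".join(block[3:]))

def parse_events(text):
    """A record starts at a 'Log:' line and ends at a blank line or the next
    'Log:' line; banner and separator lines outside records are ignored."""
    events, current = [], None
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        is_header = bool(HEADER_RE.match(line))
        if is_header or not line:
            if current is not None and (ev := _build(current)):
                events.append(ev)
            current = [line] if is_header else None
        elif current is not None:
            current.append(line)
    return events

def summarize(events, min_services=3):
    """bursts: SCM 7031/7034 terminations grouped by second with at least
    min_services victims (one incident, typically a forced shutdown or process
    kill, not N crashes). isolated: terminations outside any burst, which are
    the ones worth looking at individually. drivers: 7026 boot-start failures."""
    by_second = defaultdict(list)
    for ev in events:
        m = SERVICE_RE.match(ev.message) if ev.event_id in (7031, 7034) else None
        if m:
            by_second[ev.when].append(m.group(1))
    bursts = {t: s for t, s in sorted(by_second.items()) if len(s) >= min_services}
    isolated = [(t, svc) for t, s in by_second.items() if t not in bursts for svc in s]
    drivers = []
    for ev in events:
        m = DRIVER_RE.search(ev.message) if ev.event_id == 7026 else None
        if m:
            drivers.extend(m.group(1).split())
    return {"bursts": bursts, "isolated": isolated, "drivers": drivers}

if __name__ == "__main__":
    report = summarize(parse_events(SAMPLE_REPORT))
    for t, s in report["bursts"].items():
        print(f"{t}: {len(s)} services stopped in one second (single incident): {', '.join(s)}")
    for t, svc in report["isolated"]:
        print(f"{t}: isolated termination of '{svc}'")
    print("drivers failing at boot:", report["drivers"])
```

The threshold is deliberately low (three services in one second) because a legitimate crash takes down one service at a time; tune it upward on servers where dependent services restart in groups. The 7026 check only names the driver, so the next step is manual: look up the service entry for that driver name and confirm which product installed it before removing the entry.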