Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Please check my Hijackthislog [RESOLVED]

Started by martinzx13 , May 22 2008 09:16 AM

  • This topic is locked This topic is locked

#16
Mike
Posted 02 June 2008 - 06:22 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
So the log is no longer there?

The log that had this in it?

SDFix: Version 1.187
Run by Bossman on Mon 06/02/2008 at 01:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File


It was cut off. Could you check once more?

If not please restart your computer, Run MalwareBytes' Anti-Malware again and post back if it found anything.

Edited by Mike, 02 June 2008 - 06:23 AM.

  • 0

Advertisements

#17
martinzx13
Posted 02 June 2008 - 06:44 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Done all you asked no document, sorry
  • 0

#18
Mike
Posted 02 June 2008 - 06:56 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
OK then your logs look clean to me, and since you aren't reporting any issues, I think we can wrap this up :)

Step 1. Removing ComboFix

Click START then RUN
Now type Combofix /u in the runbox and click OK
Posted Image
Notice the space between the x and / -- That needs to be there.

Now please download OTCleanIt.
  • Save it to your desktop.
  • Double Click on OTCleanIt.exe, a window will appear.
  • Please press the CleanUp! Button.
This will remove the tools we used during the process of cleaning your computer.


Step 2. Configuring Automatic Updates

Click the Automatic Updates tab. Choose the update option that best suits your needs, but be sure that Automatic Updates is not turned off. Windows XP will now notify you and download important updates and security patches as they become available.
Click "OK" to save your new settings and close the System Properties dialogue.

Step 3. Preventing future infection

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems.

In order to protect yourself against spyware, you should consider installing and running the following free programs:

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
http://www.spywarewa...uc/resource.htm

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.o...oducts/firefox/

Also make sure to run your antivirus software regularly, and to keep it up-to-date.

There are many programs that can be used for your protection, most falling within the three main categories of anti-virus, anti-spyware and firewall. Please be careful to never run more than one program of the same category in resident mode, as conflicts between the different programs can actually decrease your protection.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

Hopefully this should take care of your problems! Good luck. :)

Please post back and tell me if everything is OK, so that I may mark this thread as Resolved.
  • 0

#19
martinzx13
Posted 02 June 2008 - 07:28 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thank-you Mike your a diamond !!

I will follow your recommendations , i already use firefox, i found out my Trojan came through an old version of IE, i have updated to IE7 & disabled it.

I became infected also by downloading, is there any way i can download in a safe area/layer/ quarantined zone or file because until i unzip i dont know if there is any malicious codes etc

Is there a safe way to do this i hope im making sence
  • 0

#20
Mike
Posted 02 June 2008 - 07:55 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
You can always scan it with your anti-virus program before opening up the file, or with a standalone scanner such as MalwareBytes' Anti-Malware, if you don't double-click on the .exe file it won't run, so if you scan it before and it comes back bad, just delete the file, no harm will be done to your PC.

I'm glad to hear everything is running smoothly, any more questions?
  • 0

#21
martinzx13
Posted 02 June 2008 - 09:04 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
No thank-you Mike ,

resolved

Many thanks martin
  • 0

#22
Mike
Posted 02 June 2008 - 09:10 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
you're very welcome :)

Have a good day,

Mike
  • 0

#23
Mike
Posted 02 June 2008 - 09:10 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0

#24
Mike
Posted 02 June 2008 - 02:04 PM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi martinzx13,

Please go here to install the recovery console and for a guide on using combofix.
Please note: Installing the Recovery Console plays a vital part in making this process of cleaning your computer safe, please don't overlook this!

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#25
martinzx13
Posted 02 June 2008 - 02:30 PM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Thanks Mike

done as you says below are logs

ComboFix 08-06-01.6 - Bossman 2008-06-02 22:19:33.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.560 [GMT 2:00]
Running from: C:\Documents and Settings\Bossman\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-05-02 to 2008-06-02 )))))))))))))))))))))))))))))))
.

2008-06-02 15:37 . 2008-06-02 17:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-02 15:37 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-06-02 15:36 . 2008-06-02 15:38 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-06-02 13:09 . 2008-06-02 13:09 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-01 14:13 . 2008-06-01 14:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 14:13 . 2008-06-01 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 21:10 . 2008-05-31 21:10 <DIR> d-------- C:\New Folder
2008-05-31 19:10 . 2008-05-31 19:10 <DIR> d-------- C:\Program Files\Alex Feinman
2008-05-30 21:52 . 2008-05-30 21:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 21:52 . 2008-05-30 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 21:08 . 2008-05-30 21:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 15:00 . 2008-05-30 15:00 359 ---h----- C:\Documents and Settings\Martin\Application Data\hpothb07.dat
2008-05-30 14:54 . 2008-06-02 17:49 161 --ah----- C:\Documents and Settings\Martin\hpothb07.dat
2008-05-29 15:20 . 2008-05-29 15:20 1,374 --------- C:\WINDOWS\imsins.BAK
2008-05-28 19:14 . 2008-06-02 21:57 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-05-28 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-04-15 02:51 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-05-28 19:14 . 2008-04-15 02:51 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-05-28 19:14 . 2008-04-15 02:51 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-05-27 16:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 16:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-24 20:37 . 2008-04-14 00:15 26,368 -----c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-24 20:34 . 2008-05-24 20:34 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-24 11:38 . 2008-05-24 11:49 <DIR> d-------- C:\Combo-Fix
2008-05-23 21:54 . 2008-05-23 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-05-23 15:53 . 2008-04-14 05:42 116,224 -----c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-23 15:53 . 2001-08-17 22:37 99,865 -----c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-23 15:53 . 2001-08-17 22:37 27,648 -----c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-23 15:53 . 2001-08-17 22:36 23,040 -----c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-23 15:53 . 2008-04-14 05:42 18,944 -----c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-23 15:53 . 2001-08-17 22:37 4,608 -----c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-23 15:51 . 2001-08-17 13:28 765,884 -----c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-23 15:50 . 2001-08-17 13:28 794,654 -----c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-23 15:49 . 2001-08-17 22:36 525,568 -----c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-23 15:48 . 2001-08-17 14:01 241,664 -----c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-23 15:47 . 2001-08-17 12:18 285,760 -----c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-23 15:46 . 2001-08-17 22:36 114,688 -----c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-05-23 15:46 . 2001-08-17 22:36 106,584 -----c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-05-23 15:46 . 2001-08-17 13:51 61,824 -----c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-05-23 15:46 . 2001-08-17 12:51 37,040 -----c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-05-23 15:46 . 2001-08-17 22:36 24,660 -----c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-05-23 15:46 . 2001-08-17 12:51 20,752 -----c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-05-23 15:46 . 2001-08-17 14:07 19,072 -----c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-05-23 15:46 . 2001-08-17 13:53 9,600 -----c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-05-23 15:46 . 2001-08-17 13:56 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-23 15:46 . 2008-04-14 00:10 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-05-23 15:46 . 2001-08-17 13:53 7,040 -----c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-05-23 15:44 . 2001-08-17 22:36 386,560 -----c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-23 15:43 . 2001-08-17 22:36 495,616 -----c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-05-23 15:42 . 2001-08-17 14:56 210,496 -----c--- C:\WINDOWS\system32\dllcache\s3mvirge.dll
2008-05-23 15:41 . 2001-08-17 13:28 899,146 -----c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-05-23 15:40 . 2008-04-14 05:42 363,520 -----c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-05-23 15:39 . 2001-08-17 14:05 351,616 -----c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-05-23 15:38 . 2008-04-14 00:01 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-05-23 15:37 . 2008-04-13 22:05 132,695 -----c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-23 15:36 . 2001-08-17 12:50 103,296 -----c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-05-23 15:35 . 2001-08-17 12:50 320,384 -----c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-05-23 15:34 . 2001-08-17 13:28 802,683 -----c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-23 15:33 . 2008-04-14 05:41 253,952 -----c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-05-23 15:32 . 2001-08-17 22:36 372,824 -----c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-05-23 15:31 . 2008-04-14 05:41 702,845 -----c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-23 15:30 . 2001-08-17 22:36 324,608 -----c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-05-23 15:29 . 2001-08-17 14:56 1,733,120 -----c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-23 15:28 . 2001-08-17 12:17 629,952 -----c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-23 15:27 . 2001-08-17 12:14 952,007 -----c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-23 15:26 . 2001-08-17 22:36 614,429 -----c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-05-23 15:25 . 2001-08-17 12:13 980,034 -----c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-23 15:24 . 2001-08-17 13:28 871,388 -----c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-05-23 15:23 . 2001-08-17 13:28 762,780 -----c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-05-23 15:22 . 2008-04-14 00:54 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 17:10 . 2008-05-22 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 16:51 . 2008-05-22 16:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-31 12:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 14:00 . 2008-05-22 14:00 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\skypePM
2008-05-22 13:59 . 2008-05-23 15:01 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\Skype
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 15:51 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-18 15:51 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-18 15:51 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-18 15:51 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-18 15:51 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-18 15:51 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-18 15:51 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-18 15:51 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-18 15:51 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-17 12:55 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-17 12:39 . 2008-05-23 15:00 <DIR> d--hs---- C:\Documents and Settings\Martin\UserData
2008-05-17 12:39 . 2008-05-17 12:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Hewlett-Packard
2008-05-16 21:32 . 2008-05-30 01:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-16 21:19 . 2008-05-16 21:19 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-16 21:19 . 2008-05-16 21:19 940,794 --------- C:\WINDOWS\system32\LoopyMusic.wav
2008-05-16 21:19 . 2008-05-16 21:19 146,650 --------- C:\WINDOWS\system32\BuzzingBee.wav
2008-05-16 20:23 . 2008-04-14 00:09 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-05-16 20:23 . 2008-04-14 00:09 7,552 -----c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 -----c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 -----c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2008-05-16 20:20 . 2008-05-16 20:20 <DIR> d-------- C:\Program Files\Realtek
2008-05-16 20:20 . 2007-04-10 09:28 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-05-16 20:20 . 2007-03-23 13:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-05-16 20:20 . 2007-04-10 13:04 4,397,568 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 20:20 . 2006-05-04 10:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-05-16 20:20 . 2006-10-11 11:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-05-16 20:20 . 2007-01-12 10:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-16 20:20 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-05-16 20:20 . 2006-07-21 10:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-05-16 20:20 . 2006-08-01 09:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-05-16 20:05 . 2008-02-22 20:26 53,248 --------- C:\WINDOWS\system32\CSVer.dll
2008-05-16 20:01 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Zip Files Opener
2008-05-16 17:55 . 2008-05-29 14:59 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\OnlineArmor
2008-05-16 17:55 . 2008-05-23 23:29 <DIR> d-------- C:\Documents and Settings\Maja
2008-05-16 17:46 . 2008-06-02 09:36 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\skypePM
2008-05-16 17:45 . 2008-06-02 12:01 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Skype
2008-05-16 17:43 . 2008-05-16 17:43 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\skypePM
2008-05-16 17:43 . 2008-05-16 17:43 56 ---h----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Skype
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 17:41 . 2008-05-16 20:14 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 15:11 5,236 ------w C:\Program Files\hijackthisnew.txt
2008-04-14 03:55 1,804 ------w C:\WINDOWS\system32\dcache.bin
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 03:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 22:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 22:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 22:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 22:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 22:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 22:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 22:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 22:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 22:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 22:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 22:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 22:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 22:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 22:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 22:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 22:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 22:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 22:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 22:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 22:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 22:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 22:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 22:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 22:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 22:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 22:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 22:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-13 22:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 22:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 22:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 22:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 22:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 22:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 22:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-13 22:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-15 02:51 5545024]
"SDFix"="C:\SDFix\RunThis.bat /second" [ ]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-07-11 06:03:34 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-04-15 02:51 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-15 02:51]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-15 02:51]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-15 02:51]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-04-15 02:51]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-02 22:25:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-06-02 22:28:05
ComboFix-quarantined-files.txt 2008-06-02 20:27:52

Pre-Run: 41,811,562,496 bytes free
Post-Run: 41,806,966,784 bytes free

288 --- E O F --- 2008-05-29 23:03:27

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:29:21 PM, on 6/2/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [SDFix] C:\SDFix\RunThis.bat /second
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1708537768-1292428093-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Martin')
O4 - S-1-5-21-1708537768-1292428093-839522115-1003 Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Martin')
O4 - S-1-5-21-1708537768-1292428093-839522115-1003 User Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe (User 'Martin')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{035449FE-DDB5-451D-A8B9-ADE636E2B0A4}: NameServer = 62.162.32.6 62.162.32.5
O17 - HKLM\System\CS1\Services\Tcpip\..\{035449FE-DDB5-451D-A8B9-ADE636E2B0A4}: NameServer = 62.162.32.6 62.162.32.5
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 5985 bytes


Thnks martin
  • 0

Advertisements

#26
Mike
Posted 03 June 2008 - 06:11 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi again,

My apologies for not getting you clean the first time around, beep.sys just eluded the scanners :)

Anyways, Combofix isn't detecting an infected beep.sys, is MBAM still detecting it?

I would like you to run SDFix again following my instructions below, try not to change user accounts and just post the log straight back here and let's see if we can get some information on it.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

So please post Report.txt (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Also tell me if anything is detecting beep.sys still.
  • 0

#27
martinzx13
Posted 03 June 2008 - 07:22 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Its ok Mike i appreciate your time & expertise,

I have done what you say & i have nt switched accounts through out, but it does not produce a report file on start up, well it did but also many other empty files

SDFix: Version 1.187
Run by Bossman on Tue 06/03/2008 at 02:51 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File


I have rescanned & now there is nothing found ??

please advise , many thanks martin
  • 0

#28
Mike
Posted 03 June 2008 - 08:11 AM

Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there martinzx13,

That is odd.

Do this for me please.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan"box on the top of the page:

    • C:\WINDOWS\system32\dllcache\beep.sys
  • Click on the submit button
  • Please post the results in your next reply.

That it reappeared doesn't make me feel to good so let's get a deep scan and see if anything is there.

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.

  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      File - Additional Folder Scans
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. Make sure that the first line is code with brackets around it [] and that the last line is /code with brackets around it [].

Important: If, after posting, the last line is not <End of Report> then the log is too big to fit into a single post and you will need to split it into multiple posts or attach it as a file.
  • 0

#29
martinzx13
Posted 03 June 2008 - 09:16 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Jotti s scan, all clear

ATF cleaner done

OTscan log below many thanks

[code=auto:0]OTScanIt logfile created on: 6/3/2008 5:02:21 PM
OTScanIt by OldTimer - Version 1.0.15.10 Folder = C:\Documents and Settings\Bossman\Desktop\OTScanIt
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1022.42 Mb Total Physical Memory | 698.30 Mb Available Physical Memory | 68.30% Memory free
2.40 Gb Paging File | 2.12 Gb Available in Paging File | 88.13% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 48.83 Gb Total Space | 38.94 Gb Free Space | 79.74% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 100.22 Gb Total Space | 100.15 Gb Free Space | 99.93% Space Free | Partition Type: NTFS
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HOME-3365BC916D
Current User Name: Bossman
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user

[Processes - Non-Microsoft Only]
oasrv.exe -> %ProgramFiles%\Tall Emu\Online Armor\oasrv.exe -> Tall Emu [Ver = 2.1.0.130 | Size = 5433920 bytes | Modified Date = 4/15/2008 2:51:08 AM | Attr = ]
aawservice.exe -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,7 | Size = 607576 bytes | Modified Date = 3/19/2008 5:08:58 PM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 17272 bytes | Modified Date = 5/16/2008 1:06:57 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 144760 bytes | Modified Date = 5/16/2008 1:19:24 AM | Attr = ]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 79224 bytes | Modified Date = 5/16/2008 1:19:31 AM | Attr = ]
rthdcpl.exe -> %SystemRoot%\RTHDCPL.exe -> Realtek Semiconductor Corp. [Ver = 2.1.3.0 | Size = 16126464 bytes | Modified Date = 4/10/2007 9:28:44 AM | Attr = R ]
oaui.exe -> %ProgramFiles%\Tall Emu\Online Armor\oaui.exe -> Tall Emu [Ver = 2.1.0.130 | Size = 5545024 bytes | Modified Date = 4/15/2008 2:51:08 AM | Attr = ]
hpohmr08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 147456 bytes | Modified Date = 4/6/2003 1:17:18 AM | Attr = ]
hpotdd01.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 28672 bytes | Modified Date = 4/6/2003 1:06:58 AM | Attr = ]
hpoevm08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 286720 bytes | Modified Date = 4/6/2003 12:45:10 AM | Attr = ]
nvsvc32.exe -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.7516 | Size = 159812 bytes | Modified Date = 5/2/2008 10:46:00 PM | Attr = ]
ashmaisv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 247160 bytes | Modified Date = 5/16/2008 1:19:00 AM | Attr = ]
ashwebsv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 349560 bytes | Modified Date = 5/16/2008 1:16:59 AM | Attr = ]
hpzipm12.exe -> %SystemRoot%\system32\HPZipm12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Modified Date = 4/7/2003 7:32:06 AM | Attr = ]
hposts08.exe -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hposts08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 311296 bytes | Modified Date = 4/6/2003 12:55:04 AM | Attr = ]
otscanit.exe -> %UserProfile%\Desktop\OTScanIt\OTScanIt.exe -> OldTimer Tools [Ver = 1.0.15.10 | Size = 373760 bytes | Modified Date = 6/2/2008 12:37:14 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aawservice) Ad-Aware 2007 Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Lavasoft\Ad-Aware 2007\aawservice.exe -> Lavasoft [Ver = 7,0,2,7 | Size = 607576 bytes | Modified Date = 3/19/2008 5:08:58 PM | Attr = ]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 17272 bytes | Modified Date = 5/16/2008 1:06:57 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 144760 bytes | Modified Date = 5/16/2008 1:19:24 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 247160 bytes | Modified Date = 5/16/2008 1:19:00 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 349560 bytes | Modified Date = 5/16/2008 1:16:59 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %SystemRoot%\system32\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 224768 bytes | Modified Date = 4/14/2008 5:42:18 AM | Attr = ]
(Imapi Helper) Imapi Helper [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alex Feinman\ISO Recorder\ImapiHelper.exe -> Alex Feinman [Ver = 1.0.0.0 | Size = 163840 bytes | Modified Date = 1/5/2006 12:06:02 AM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %SystemRoot%\system32\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.7516 | Size = 159812 bytes | Modified Date = 5/2/2008 10:46:00 PM | Attr = ]
(Pml Driver HPZ12) Pml Driver HPZ12 [Win32_Own | On_Demand | Running] -> %SystemRoot%\system32\HPZipm12.exe -> HP [Ver = 6, 0, 0, 0 | Size = 65795 bytes | Modified Date = 4/7/2003 7:32:06 AM | Attr = ]
(SvcOnlineArmor) Online Armor [Win32_Own | Auto | Running] -> %ProgramFiles%\Tall Emu\Online Armor\oasrv.exe -> Tall Emu [Ver = 2.1.0.130 | Size = 5433920 bytes | Modified Date = 4/15/2008 2:51:08 AM | Attr = ]

[Driver Services - Non-Microsoft Only]
(Aavmker4) avast! Asynchronous Virus Monitor [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 26944 bytes | Modified Date = 5/16/2008 1:13:26 AM | Attr = ]
(AFS2K) AFS2K [Kernel | System | Running] -> %SystemRoot%\System32\drivers\AFS2K.SYS -> Oak Technology Inc. [Ver = 3.1.21.1103 | Size = 35840 bytes | Modified Date = 10/8/2004 3:16:04 AM | Attr = ]
(aswFsBlk) aswFsBlk [File_System | Auto | Running] -> %SystemRoot%\system32\drivers\aswFsBlk.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 20560 bytes | Modified Date = 5/16/2008 1:16:06 AM | Attr = ]
(aswMon2) avast! Standard Shield Support [File_System | Auto | Running] -> %SystemRoot%\System32\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 94416 bytes | Modified Date = 5/16/2008 1:18:33 AM | Attr = ]
(aswRdr) aswRdr [Kernel | On_Demand | Running] -> %SystemRoot%\System32\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 23152 bytes | Modified Date = 5/16/2008 1:15:29 AM | Attr = ]
(aswSP) avast! Self Protection [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswSP.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 78416 bytes | Modified Date = 5/16/2008 1:20:32 AM | Attr = ]
(aswTdi) avast! Network Shield Support [Kernel | System | Running] -> %SystemRoot%\System32\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.8.1201.0 | Size = 42912 bytes | Modified Date = 5/16/2008 1:14:11 AM | Attr = ]
(catchme) catchme [Kernel | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\Bossman\LOCALS~1\Temp\catchme.sys -> File not found
(dmboot) dmboot [Kernel | Disabled | Stopped] -> %SystemRoot%\system32\drivers\dmboot.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 799744 bytes | Modified Date = 4/14/2008 12:14:50 AM | Attr = ]
(dmio) Logical Disk Manager Driver [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmio.sys -> Microsoft Corp., Veritas Software [Ver = 2600.5512.503.0 | Size = 153344 bytes | Modified Date = 4/14/2008 12:14:48 AM | Attr = ]
(dmload) dmload [Kernel | Boot | Running] -> %SystemRoot%\system32\drivers\dmload.sys -> Microsoft Corp., Veritas Software. [Ver = 2600.0.503.0 | Size = 5888 bytes | Modified Date = 8/4/2004 2:00:00 PM | Attr = ]
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hdaudbus.sys -> Windows (R) Server 2003 DDK provider [Ver = 5.10.01.5013 built by: WinDDK | Size = 144384 bytes | Modified Date = 4/13/2008 10:06:06 PM | Attr = ]
(HPZid412) IEEE-1284.4 Driver HPZid412 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\hpzid412.sys -> HP [Ver = 6, 0, 0, 0 | Size = 51024 bytes | Modified Date = 4/7/2003 7:32:04 AM | Attr = ]
(HPZipr12) Print Class Driver for IEEE-1284.4 HPZipr12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HPZipr12.sys -> HP [Ver = 6, 0, 0, 0 | Size = 16080 bytes | Modified Date = 4/7/2003 7:32:06 AM | Attr = ]
(HPZius12) USB to IEEE-1284.4 Translation Driver HPZius12 [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\HPZius12.sys -> HP [Ver = 6, 0, 0, 0 | Size = 21456 bytes | Modified Date = 4/7/2003 7:32:08 AM | Attr = ]
(IntcAzAudAddService) Service for Realtek HD Audio (WDM) [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RtkHDAud.sys -> Realtek Semiconductor Corp. [Ver = 5.10.0.5397 built by: WinDDK | Size = 4397568 bytes | Modified Date = 4/10/2007 1:04:40 PM | Attr = R ]
(nv) nv [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\nv4_mini.sys -> NVIDIA Corporation [Ver = 6.14.11.7516 | Size = 6554496 bytes | Modified Date = 5/2/2008 10:46:00 PM | Attr = ]
(OADevice) OADriver [Kernel | System | Running] -> %SystemRoot%\system32\drivers\OADriver.sys -> [Ver = | Size = 80584 bytes | Modified Date = 4/15/2008 2:51:14 AM | Attr = ]
(OAmon) OAmon [Kernel | System | Running] -> %SystemRoot%\system32\drivers\OAmon.sys -> [Ver = | Size = 32456 bytes | Modified Date = 4/15/2008 2:51:24 AM | Attr = ]
(OAnet) OAnet [Kernel | System | Running] -> %SystemRoot%\system32\drivers\oanet.sys -> [Ver = | Size = 28872 bytes | Modified Date = 4/15/2008 2:51:18 AM | Attr = ]
(Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\ptilink.sys -> Parallel Technologies, Inc. [Ver = 1.10 (XPClient.010817-1148) | Size = 17792 bytes | Modified Date = 8/4/2004 2:00:00 PM | Attr = ]
(rtl8139) Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver [Kernel | On_Demand | Running] -> %SystemRoot%\system32\drivers\RTL8139.sys -> Realtek Semiconductor Corporation [Ver = 5.398.613.2003 built by: WinDDK | Size = 20992 bytes | Modified Date = 8/4/2004 12:31:34 AM | Attr = ]
(Secdrv) Secdrv [Kernel | On_Demand | Stopped] -> %SystemRoot%\system32\drivers\secdrv.sys -> Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K. [Ver = 4.03.086 | Size = 20480 bytes | Modified Date = 4/13/2008 10:09:16 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe [C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe] -> ALWIL Software [Ver = 4, 8, 1201, 0 | Size = 79224 bytes | Modified Date = 5/16/2008 1:19:31 AM | Attr = ]
NvCplDaemon -> %SystemRoot%\system32\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.11.7516 | Size = 13529088 bytes | Modified Date = 5/2/2008 10:46:00 PM | Attr = ]
NvMediaCenter -> %SystemRoot%\system32\nvmctray.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit] -> NVIDIA Corporation [Ver = 6.14.11.7516 | Size = 86016 bytes | Modified Date = 5/2/2008 10:46:00 PM | Attr = ]
OnlineArmor GUI -> %ProgramFiles%\Tall Emu\Online Armor\oaui.exe ["C:\Program Files\Tall Emu\Online Armor\oaui.exe"] -> Tall Emu [Ver = 2.1.0.130 | Size = 5545024 bytes | Modified Date = 4/15/2008 2:51:08 AM | Attr = ]
RTHDCPL -> %SystemRoot%\RTHDCPL.exe [RTHDCPL.EXE] -> Realtek Semiconductor Corp. [Ver = 2.1.3.0 | Size = 16126464 bytes | Modified Date = 4/10/2007 9:28:44 AM | Attr = R ]
SDFix -> %SystemDrive%\SDFix\RunThis.bat [C:\SDFix\RunThis.bat /second] -> [Ver = | Size = 703276 bytes | Modified Date = 6/1/2008 7:12:45 PM | Attr = ]
< OptionalComponents [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL-> Installed = 1 ->
MAPI-> Installed = 1 ->
MSFS-> Installed = 1 ->
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup ->
%AllUsersProfile%\Start Menu\Programs\Startup\hp psc 1000 series.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe -> Hewlett-Packard Co. [Ver = 4.2.0.020 | Size = 147456 bytes | Modified Date = 4/6/2003 1:17:18 AM | Attr = ]
%AllUsersProfile%\Start Menu\Programs\Startup\hpoddt01.exe.lnk -> %ProgramFiles%\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe -> Hewlett-Packard [Ver = 1, 0, 0, 1 | Size = 28672 bytes | Modified Date = 4/6/2003 1:06:58 AM | Attr = ]
< Bossman Startup Folder > -> C:\Documents and Settings\Bossman\Start Menu\Programs\Startup ->
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{4F07DA45-8170-4859-9B5F-037EF2970034} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Tall Emu\Online Armor\oaevent.dll [OA Shell Helper] -> Tall Emu [Ver = 2.1.0.130 | Size = 671432 bytes | Modified Date = 4/15/2008 2:51:28 AM | Attr = ]
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLegacyLogonScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideLogoffScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunLogonScriptSync -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\RunStartupScriptSync -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\HideStartupScripts -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLegacyLogonScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideLogoffScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunLogonScriptSync -> 1 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\RunStartupScriptSync -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\HideStartupScripts -> 0 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CDROM Autorun Settings > [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\ -> ->
*DependOnGroup* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DependOnGroup ->
SCSI miniport -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Group -> SCSI CDROM Class ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Start -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Tag -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\Type -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\DisplayName -> CD-ROM Driver ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\ImagePath -> %SystemRoot%\system32\drivers\cdrom.sys [system32\DRIVERS\cdrom.sys] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2108) | Size = 62976 bytes | Modified Date = 4/14/2008 12:10:48 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRun -> 1 ->
*AutoRunAlwaysDisable* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\\AutoRunAlwaysDisable ->
NEC MBR-7 -> -> File not found
NEC MBR-7.4 -> -> File not found
PIONEER CHANGR DRM-1804X -> -> File not found
PIONEER CD-ROM DRM-6324X -> -> File not found
PIONEER CD-ROM DRM-624X -> -> File not found
TORiSAN CD-ROM CDR_C36 -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\0 -> IDE\CdRomHL-DT-ST_DVD-RAM_GSA-H58N_______________1.01____\5&2084e8&0&0.0.0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom\Enum\\NextInstance -> 1 ->
< Drives - Autoruns > -> ->
AUTOEXEC.BAT [] -> %SystemDrive%\AUTOEXEC.BAT [ NTFS ] -> [Ver = | Size = 0 bytes | Modified Date = 5/15/2008 10:01:50 PM | Attr = ]
< HOSTS File > (686 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> ->
HKEY_LOCAL_MACHINE\: Main\\Default_Page_URL -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Main\\Default_Search_URL -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Local Page -> %SystemRoot%\system32\blank.htm ->
HKEY_LOCAL_MACHINE\: Main\\Search Page -> http://go.microsoft.com/fwlink/?LinkId=54896 ->
HKEY_LOCAL_MACHINE\: Main\\Start Page -> http://go.microsoft.com/fwlink/?LinkId=69157 ->
HKEY_LOCAL_MACHINE\: Search\\CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKEY_LOCAL_MACHINE\: Search\\SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> ->
HKEY_CURRENT_USER\: Main\\Local Page -> C:\WINDOWS\system32\blank.htm ->
HKEY_CURRENT_USER\: Main\\Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKEY_CURRENT_USER\: Main\\Start Page -> ->
HKEY_CURRENT_USER\: ProxyEnable -> 0 ->
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 1 domain(s) found. ->
1 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Trusted Sites Domains [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 3323 domain(s) found. ->
26 domain(s) and sub-domain(s) not assigned to a zone.
< Trusted Sites Ranges [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. ->
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}:{53707962-6F74-2D53-2644-206D7942484F} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot - Search && Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 11 | Size = 1554256 bytes | Modified Date = 1/28/2008 11:43:28 AM | Attr = ]
< Internet Explorer Extensions [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\ ->
CmdMapping\\{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKEY_LOCAL_MACHINE] -> [Reg Error: Key does not exist or could not be opened.] -> File not found
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ ->
PluginsPageFriendlyName -> Microsoft ActiveX Gallery ->
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s ->
< DNS Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{FD67EA75-BEF7-4237-AB2C-C456B0140467} -> (Realtek RTL8139 Family PCI Fast Ethernet NIC) ->
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
msdaipp: [HKEY_LOCAL_MACHINE] -> No CLSID value
skype4com:{FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} [HKEY_LOCAL_MACHINE] -> %CommonProgramFiles%\Skype\Skype4COM.dll[IEProtocolHandler Class] -> Skype Technologies [Ver = 1, 0, 29, 0 | Size = 1942864 bytes | Modified Date = 4/23/2008 5:45:34 PM | Attr = R ]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}[HKEY_LOCAL_MACHINE] -> http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab[CKAVWebScan Object] ->
< Module Usage Keys [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\ not found. -> ->


[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\DefaultLaunchPermission -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineLaunchRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\MachineAccessRestriction -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\\EnableDCOM -> Y ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{A50398B8-9075-4FBF-A7A1-456BF21937AD} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{AD65A69D-3831-40D7-9629-9B0B50A93843} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{0040D221-54A1-11D1-9DE0-006097042D69} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\AppCompat\ActivationSecurityCheckExemptionList\\{2A6D72F1-6E7E-4702-B99C-E40D3DED33C3} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirstRunDisabled -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ not found. -> ->
Reg Error: Key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ not found. -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\ -> ->
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages ->
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 4/14/2008 5:42:02 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Bounds -> 0 [binary data] ->
*Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages ->
kerberos -> %SystemRoot%\system32\kerberos.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 299520 bytes | Modified Date = 4/14/2008 5:41:58 AM | Attr = ]
msv1_0 -> %SystemRoot%\system32\msv1_0.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 132608 bytes | Modified Date = 4/14/2008 5:42:02 AM | Attr = ]
schannel -> %SystemRoot%\system32\schannel.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 144384 bytes | Modified Date = 4/14/2008 5:42:06 AM | Attr = ]
wdigest -> %SystemRoot%\system32\wdigest.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 49152 bytes | Modified Date = 4/14/2008 5:42:10 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\ImpersonatePrivilegeUpgradeToolHasRun -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\LsaPid -> 672 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\SecureBoot -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\auditbaseobjects -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\crashonauditfail -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\disabledomaincreds -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\everyoneincludesanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fipsalgorithmpolicy -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\forceguest -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\fullprivilegeauditing -> [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\limitblankpassworduse -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\lmcompatibilitylevel -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nodefaultadminowner -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\nolmhash -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymous -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\restrictanonymoussam -> 1 ->
*Notification Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Notification Packages ->
scecli -> %SystemRoot%\system32\scecli.dll -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 181248 bytes | Modified Date = 4/14/2008 5:42:06 AM | Attr = ]
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\enabledcom -> y ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\ -> ->
*ProviderOrder* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\\ProviderOrder ->
Windows NT Access Provider -> -> File not found
*MultiFile Done* -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\AccessProviders\Windows NT Access Provider\\ProviderPath -> %SystemRoot%\system32\ntmarta.dll [%SystemRoot%\system32\ntmarta.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2113) | Size = 118784 bytes | Modified Date = 4/14/2008 5:42:04 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Data\\Pattern -> F8 EC FE 47 9F 47 1C B2 9B 4D 4E F8 7A FE 6E C8 35 64 33 33 34 33 34 65 00 FD 07 00 9E 3A 00 00 34 FA 07 00 56 82 7C 75 20 FA 07 00 40 FD 07 00 4C FD 07 00 1A 19 A7 50 30 70 33 67 EB AA 74 5D [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\GBG\\GrafBlumGroup -> 53 99 2F 05 30 A6 B7 47 AD [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\JD\\Lookup -> 29 DC 86 E2 54 4D [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Domains\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\SidCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\Auth132 -> %SystemRoot%\system32\iissuba.dll [IISSUBA] -> Microsoft Corporation [Ver = 6.0.2600.0 (xpclient.010817-1148) | Size = 9216 bytes | Modified Date = 8/4/2004 2:00:00 PM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminclientsec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\\ntlmminserversec -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Skew1\\SkewMatrix -> B9 28 51 17 EB F5 67 EB E0 92 89 53 0E 51 D9 1C [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SSO\Passport1.4\\SSOURL -> http://www.passport.com ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\\Time -> 3C D9 8A E0 34 B7 C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Name -> Digest ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Comment -> Digest SSPI Authentication Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Capabilities -> 16464 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\RpcId -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\TokenSize -> 65535 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Time -> 00 ED 2F 7B E1 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\digest.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Name -> DPA ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Comment -> DPA Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\RpcId -> 17 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Time -> 00 74 C3 7E E1 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msapsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Name -> MSN ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Comment -> MSN Security Package ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Capabilities -> 55 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\RpcId -> 18 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Version -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\TokenSize -> 768 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Time -> 00 A1 F4 7F E1 9D C8 01 [binary data] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SspiCache\msnsspc.dll\\Type -> 49 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\system32\svchost.exe [%SystemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 4/14/2008 5:42:38 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 12064 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\system32\ipnathlp.dll [%SystemRoot%\System32\ipnathlp.dll] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 331264 bytes | Modified Date = 4/14/2008 5:41:56 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 4/14/2008 5:42:36 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 4/14/2008 12:23:34 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\system32\sessmgr.exe -> %SystemRoot%\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 141312 bytes | Modified Date = 4/14/2008 5:42:36 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\%windir%\Network Diagnostic\xpnetdiag.exe -> %SystemRoot%\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-0852) | Size = 558080 bytes | Modified Date = 4/14/2008 12:23:34 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\Skype\Phone\Skype.exe -> %ProgramFiles%\Skype\Phone\Skype.exe [C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype] -> Skype Technologies S.A. [Ver = 3.8.0.115 | Size = 22058792 bytes | Modified Date = 4/23/2008 5:45:34 PM | Attr = R ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %SystemRoot%\system32\svchost.exe [%systemRoot%\System32\svchost.exe -k netsvcs] -> Microsoft Corporation [Ver = 5.1.2600.5512 (xpsp.080413-2111) | Size = 14336 bytes | Modified Date = 4/14/2008 5:42:38 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> %SystemRoot%\system32\wuauserv.dll [C:\WINDOWS\system32\wuauserv.dll] -> Microsoft Corporation [Ver = 5.4.3790.5512 (xpsp.080413-0852) | Size = 6656 bytes | Modified Date = 4/14/2008 5:42:12 AM | Attr = ]
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security -> [Binary data over 100 bytes] ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry\\Description -> Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service
  • 0

#30
martinzx13
Posted 03 June 2008 - 09:50 AM

martinzx13

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Mike

Sorry about the log, i did do what you say, but the log is 97pages long ! sorry mate

I re-did in case i checked the wrong box but came out same!! :)

So i hope i did nt mess up please advise, thanks martin
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP