Bagle infection - please help! [RESOLVED]

#16 teacup (Topic Starter, Member, 17 posts)
It blue screened again, exactly the same as before when trying to run a script through combofix.
#17 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Ok, post a new HijackThis log there.

#18 teacup (Topic Starter, Member, 17 posts)
Here it is.

Should I try just manually deleting those registry keys myself, or do they need to be 'killed' with combofix?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25:32, on 30/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\System32\mobsync.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\WTablet\TabUserW.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Users\Teacup\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MyScreenCam] C:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://fasthelp.dns....oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--
End of file - 13176 bytes

#19 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



Reboot and post a new HijackThis log.

#20 teacup (Topic Starter, Member, 17 posts)
Cool, that's stopped the 'open with...' dialog for realmon from opening now, thanks.

Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:08:41, on 30/05/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\WTablet\TabUserW.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
C:\Windows\vVX6000.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Windows\RtHDVCpl.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Microsoft Office Communicator\communicator.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\Teacup\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: ContributeBHO Class - {074C1DC5-9320-4A9A-947D-C042949C6216} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Contribute Toolbar - {517BDDE4-E3A7-4570-B21E-2B52B6139FC7} - C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
O4 - HKLM\..\Run: [JMB36X IDE Setup] C:\Windows\JM\JMInsIDE.exe
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [XboxStat] "C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX6000] C:\Windows\vVX6000.exe
O4 - HKLM\..\Run: [MyScreenCam] C:\Program Files\My Screen Cam\scrcam.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Mobile Device Center] %windir%\WindowsMobile\wmdc.exe
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKLM\..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: hueyTray.lnk = C:\Program Files\Pantone\huey\hueyTray.exe
O4 - Global Startup: MozyHome Status.lnk = C:\Program Files\MozyHome\mozystat.exe
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Locate Spot on Map by GPS - C:\Program Files\Opanda\IExif 2.3\IExifMap.htm
O8 - Extra context menu item: View Exif/GPS/IPTC with IExif - C:\Program Files\Opanda\IExif 2.3\IExifCom.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: @C:\Windows\WindowsMobile\INetRepl.dll,-222 - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra 'Tools' menuitem: @C:\Windows\WindowsMobile\INetRepl.dll,-223 - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Windows\WindowsMobile\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O13 - Gopher Prefix:
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://fasthelp.dns....oad/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O22 - SharedTaskScheduler: Windows DreamScene - {E31004D1-A431-41B8-826F-E902F9D95C81} - C:\Windows\System32\DreamScene.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: Maya 7.0 Documentation Server (maya70docserver) - Unknown owner - C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
O23 - Service: MozyHome Backup Service (mozybackup) - Unknown owner - C:\Program Files\MozyHome\mozybackup.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\Windows\system32\Tablet.exe

--
End of file - 13049 bytes

#21 Rorschach112 (Ralphie, Retired Staff, 47,710 posts)
Ok, nearly done.

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::
Boonty Games
Kwari.xLoader


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript.txt onto ComboFix.exe.

When finished, it shall produce a log for you at "C:\ComboFix.txt".

Note:
Do not mouse-click ComboFix's window whilst it's running; that may cause it to stall.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web Cureit.

Please download and unzip IceSword to its own folder on your desktop.

If you get a lot of "red entries" in an IceSword log, don't panic.

Step 1: Close all windows and run IceSword. Click the Processes tab and watch for processes displayed in red. A red-coloured process in this list indicates that it is hidden. Write down the PathName of any processes in red. Then click on LOG at the top left. It will prompt you to save the log; call this Processes and save it to your desktop.


Step 2: Click the Win32 Services tab and look out for red-coloured entries in the services list. Write down the Module name of any services in red; you will need to expand the Module column to see the full name. Then click on LOG. It will prompt you to save the log; call this Services and save it to your desktop.


Step 3: Click the Startup tab and look out for red-coloured entries in the startup list. Write down the Path of any startup entries in red. Then click on LOG. It will prompt you to save the log; call this Startup and save it to your desktop.


Step 4: Click the SSDT tab and check for red-coloured entries. If there are any, write down the KModule name.


Step 5: Click the Message Hooks tab and check for any entries that are labelled WH_KEYBOARD under Type. Write down the Process Path of these entries if present.



Now post all of the data collected under the headings for:

Processes
Win32 Services
Startup
SSDT
Message Hooks

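The triage Rorschach112 did by eye across the two logs (the two "(file missing)" O23 services ended up under Driver:: in the CFScript above), as an added example that is not part of the original thread, of HijackThis or of ComboFix: a Python script that parses the O4 (Run key) and O23 (service) lines of a HijackThis 2.x log, flags services whose binary is gone, services of unknown owner whose image sits in a user-writable location, and autoruns started from a user profile, then drafts the CFScript skeleton the helper used. The sample log lines are a constructed subset modelled on the posted log, and the heuristics are the example's own assumptions; a flag is a prompt for a human to look, not a verdict (EntaTool trips the user-profile rule here and was left alone in the thread).

```python
"""Triage a HijackThis 2.x log and draft a ComboFix CFScript Driver:: section.

Added example for this thread, not code from HijackThis, ComboFix or the
original posters. Heuristics are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample modelled on the log format in the thread: a handful of
# O4/O23 lines, not the full log the poster pasted.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [EntaTool] "C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" /hide
O4 - HKCU\..\Run: [Realtime Monitor] C:\Program Files\CA\eTrust Antivirus\realmon.exe -s
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Boonty Games - Unknown owner - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe (file missing)
O23 - Service: Kwari.xLoader - Unknown owner - C:\Users\Teacup\AppData\Local\Micro.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
"""

# O4 - <hive>\..\Run: [<name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# O23 - Service: <name> - <owner> - <path>[ (file missing)]
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# First token of a command line that looks like an executable image, quoted or not.
IMAGE_RE = re.compile(r'^"?(?P<img>.+?\.(?:exe|dll|com|bat|cmd|scr|pif))"?', re.IGNORECASE)
# Directories an unprivileged user can write to (heuristic list, an assumption).
USER_WRITABLE_RE = re.compile(r"\\(users|documents and settings|appdata|temp|programdata)\\", re.IGNORECASE)

FILE_MISSING = "(file missing)"
REASON_MISSING = "service binary missing (orphaned registration)"
REASON_UNKNOWN_USERPATH = "unknown owner and image under a user-writable path"
REASON_AUTORUN_PROFILE = "autorun image under a user profile path"


@dataclass
class Finding:
    kind: str                 # "service" (O23) or "autorun" (O4)
    name: str                 # service name or Run value name
    image: str                # image path with quotes and "(file missing)" stripped
    reasons: List[str] = field(default_factory=list)


def _image_of(cmd: str) -> str:
    """Pull the executable path out of a Run-key command line."""
    m = IMAGE_RE.match(cmd)
    return m.group("img") if m else cmd


def triage(log_text: str) -> List[Finding]:
    """Return every O4/O23 entry that trips at least one review heuristic."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O23_RE.match(line):
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            reasons = []
            if path.endswith(FILE_MISSING):
                path = path[: -len(FILE_MISSING)].rstrip()
                reasons.append(REASON_MISSING)
            if owner == "Unknown owner" and USER_WRITABLE_RE.search(path):
                reasons.append(REASON_UNKNOWN_USERPATH)
            if reasons:
                findings.append(Finding("service", name, path, reasons))
        elif m := O4_RE.match(line):
            image = _image_of(m.group("cmd"))
            if USER_WRITABLE_RE.search(image):
                findings.append(Finding("autorun", m.group("name"), image, [REASON_AUTORUN_PROFILE]))
    return findings


def build_cfscript(findings: List[Finding]) -> str:
    """Draft CFScript.txt in the layout used in the thread: empty File::,
    Folder:: and Registry:: sections, then one service name per line under
    Driver::. Only services whose binary is missing are listed; a service that
    still has a file on disk should be examined, not removed on a heuristic."""
    drivers = [f.name for f in findings if f.kind == "service" and REASON_MISSING in f.reasons]
    return "File::\n\nFolder::\n\nRegistry::\n\nDriver::\n" + "\n".join(drivers) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:8} {f.name:15} {f.image}  <- {'; '.join(f.reasons)}")
    print(build_cfscript(found))
```

Run against the constructed sample it flags EntaTool (autorun from a user profile), Boonty Games (binary missing) and Kwari.xLoader (binary missing and an unknown-owner image under AppData), and the drafted Driver:: section carries exactly the two service names the helper wrote into CFScript.txt.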

#22 teacup (Topic Starter, Member, 17 posts)
Ok, the ComboFix log and Dr.Web CureIt worked, but IceSword just gives the error 'Initialize Failed[1]!' when I try to run it. I tried renaming it, and right-clicking on 'Run as Admin', but still had the same error.

ComboFix 08-05-29.1 - Teacup 2008-05-30 20:19:20.3 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2446 [GMT 1:00]
Running from: C:\Users\Teacup\Desktop\wooyt.exe
Command switches used :: C:\Users\Teacup\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_BOONTY_GAMES
-------\Legacy_KWARI.XLOADER
-------\Service_Boonty Games
-------\Service_Kwari.xLoader


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 19:14 . 2008-05-30 20:04 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-30 19:14 . 2008-05-30 19:14 1,409 --a------ C:\Windows\QTFont.for
2008-05-30 00:44 . 2008-05-30 00:44 <DIR> d-------- C:\Combo-Fix
2008-05-29 20:32 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-29 20:32 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-05-29 20:32 . 2007-10-12 15:14 1,374,232 --a------ C:\Windows\System32\D3DCompiler_36.dll
2008-05-29 20:32 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-05-29 20:32 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-05-29 20:32 . 2007-10-02 09:56 444,776 --a------ C:\Windows\System32\d3dx10_36.dll
2008-05-29 20:32 . 2007-10-22 03:39 267,272 --a------ C:\Windows\System32\xactengine2_10.dll
2008-05-29 20:32 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-05-29 20:32 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-05-29 20:32 . 2007-10-22 03:37 17,928 --a------ C:\Windows\System32\X3DAudio1_2.dll
2008-05-27 23:47 . 2008-03-08 03:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 23:47 . 2008-03-08 05:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Deckard
2008-05-27 18:57 . 2008-05-27 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- C:\fsaua.data
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 18:01 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-27 18:01 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-27 01:55 . 2008-05-27 01:55 <DIR> d-------- C:\kav
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 20:17 . 2008-05-25 20:17 249,856 --------- C:\Windows\Setup1.exe
2008-05-25 20:17 . 2008-05-25 20:17 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-05-25 18:24 . 2008-05-25 18:25 <DIR> d-------- C:\Program Files\Easy Duplicate Finder
2008-05-25 16:20 . 2008-05-25 18:06 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-05-22 23:47 . 2007-04-23 13:12 343,216 --a------ C:\Windows\System32\KeyHelp.ocx
2008-05-18 23:53 . 2008-05-18 23:53 <DIR> d-------- C:\Program Files\MozyHome
2008-05-18 23:53 . 2008-05-15 20:08 53,752 --a------ C:\Windows\System32\drivers\mozy.sys
2008-05-18 23:53 . 2008-05-26 22:01 6,466 --a------ C:\Windows\mozy.blk
2008-05-18 23:53 . 2008-05-26 22:01 68 --a------ C:\Windows\mozy.flt
2008-05-17 00:37 . 2008-05-17 00:37 <DIR> d-------- C:\Program Files\Trials 2 Second Edition
2008-05-17 00:37 . 2007-10-12 15:14 3,734,536 --a------ C:\Windows\System32\d3dx9_36.dll
2008-05-11 11:55 . 2007-02-16 11:55 302 --a------ C:\Windows\System32\gmsblist.dll
2008-05-11 11:54 . 2008-05-11 18:30 <DIR> d-------- C:\gsak
2008-05-11 11:54 . 2000-01-24 06:01 111,104 --a------ C:\Windows\System32\midas.dll
2008-05-11 11:54 . 2005-11-22 22:20 7,348 --a------ C:\Windows\SDENSX.UDF
2008-05-08 18:43 . 2008-05-08 18:43 <DIR> d-------- C:\logs3
2008-05-07 00:32 . 2008-05-07 00:32 <DIR> d-------- C:\Program Files\GeoSetter
2008-05-02 18:05 . 2008-05-25 15:23 <DIR> d-------- C:\Program Files\Flock
2008-04-14 23:33 . 2008-04-14 23:33 <DIR> d-------- C:\Program Files\Memory-Map
2008-04-14 23:17 . 2008-05-30 20:24 12 --a------ C:\Windows\bthservsdp.dat
2008-04-14 23:15 . 2008-04-14 23:15 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-04-14 23:06 . 2008-04-14 23:06 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-04-14 22:23 . 2008-04-14 22:49 1,663 --a------ C:\printersettings
2008-04-13 13:48 . 2008-04-13 13:48 <DIR> d-------- C:\Program Files\iPod
2008-04-09 00:41 . 2008-04-09 00:46 6,213,632 --a------ C:\Windows\System32\microdem.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 20:46 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-05-29 19:55 --------- d-----w C:\Program Files\FlashGet
2008-05-29 19:54 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-05-26 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 17:07 395,744 ----a-w C:\Windows\system32\drivers\timntr.sys
2008-05-25 17:07 39,264 ----a-w C:\Windows\system32\drivers\tifsfilt.sys
2008-05-25 17:06 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-05-25 14:28 --------- d-----w C:\Program Files\P.H.L.O.P
2008-05-25 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 14:27 --------- d-----w C:\Program Files\NFR
2008-05-25 14:27 --------- d-----w C:\Program Files\MPDemo
2008-05-25 14:23 --------- d-----w C:\Program Files\eMusic Download Manager
2008-05-25 14:19 --------- d-----w C:\Program Files\Steam
2008-05-25 14:17 --------- d-----w C:\Program Files\Azureus
2008-05-21 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-13 23:54 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 21:05 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-08 17:43 --------- d-----w C:\Program Files\Kontiki
2008-05-02 17:05 --------- d-----w C:\Program Files\Opera
2008-04-21 17:45 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 22:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 12:48 --------- d-----w C:\Program Files\iTunes
2008-04-13 12:47 --------- d-----w C:\Program Files\QuickTime
2008-03-29 16:18 --------- d-----w C:\Program Files\Google
2008-03-29 13:19 --------- d-----w C:\Program Files\Pantone
2008-03-23 23:17 174 --sha-w C:\Program Files\desktop.ini
2008-03-23 22:34 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-03-23 22:34 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-03-23 16:14 37,888 ----a-w C:\Windows\System32\rar.exe
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
2007-11-24 18:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112620071203\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120320071204\index.dat
2007-12-04 17:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120420071205\index.dat
2007-12-06 23:50 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120620071207\index.dat
2007-12-07 14:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120720071208\index.dat
2007-12-09 13:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120920071210\index.dat
2007-12-24 12:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007121720071224\index.dat
2008-01-07 20:12 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122420071231\index.dat
2008-01-14 20:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080115\index.dat
2008-01-15 18:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011520080116\index.dat
2008-01-16 18:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011620080117\index.dat
2008-01-17 18:14 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 18:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011820080119\index.dat
2008-01-19 12:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011920080120\index.dat
2008-01-20 22:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012020080121\index.dat
2008-01-28 21:43 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012820080129\index.dat
2008-01-29 17:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
2008-01-30 17:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013020080131\index.dat
2008-01-31 17:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013120080201\index.dat
2008-02-01 17:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020120080202\index.dat
2008-02-02 12:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020220080203\index.dat
2008-02-03 12:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020320080204\index.dat
2008-02-25 10:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021820080225\index.dat
2008-02-25 18:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022520080226\index.dat
2008-02-26 10:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022620080227\index.dat
2008-02-27 17:55 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022720080228\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot_2008-05-30_18.18.33.88 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 16:59:12 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-30 19:26:22 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-30 16:59:12 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-30 16:59:12 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-30 16:59:38 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-30 19:29:04 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-30 19:29:04 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-30 17:02:49 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-30 19:29:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2008-05-30 16:59:24 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-30 19:26:32 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 16:59:24 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-30 19:26:32 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 16:59:24 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-30 19:26:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 16:44:58 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
+ 2008-05-30 19:26:35 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
- 2008-05-30 17:01:39 25,146 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
+ 2008-05-30 19:04:53 25,186 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
- 2008-05-30 17:01:38 110,278 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-30 19:04:52 110,386 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-30 16:46:51 101,188 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-30 19:04:42 101,188 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 10:33 5803368]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-30 20:44 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"VX6000"="C:\Windows\vVX6000.exe" [2007-04-10 15:46 996712]
"MyScreenCam"="C:\Program Files\My Screen Cam\scrcam.exe" [ ]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 19:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 20:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 20:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 20:55 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"EntaTool"="C:\Users\Teacup\Desktop\Desktop\EntaToolv0-6d\EntaTool.exe" [2007-07-20 23:06 303104]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12 1164912]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.iv32"= C:\Windows\system32\ir32_32.dll
"vidc.iv31"= C:\Windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1000]
"EnableNotificationsRef"=dword:00000006

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1006]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{18BDF8B2-297B-41ED-B785-4456C4C35F0E}"= UDP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{7F191103-DA52-4A8B-994F-CF3B20D80ED9}"= TCP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{8ED78554-DAF7-4C6A-A489-5A660ED02118}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{9B02CA99-573B-4871-A8C8-A12BF8B1ED6A}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{63B0B5A3-97FD-4933-8888-5EC7A29994C3}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{3C60C82B-AF6A-44CB-8975-8C9D5C1A0493}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{CCB576D5-DBF5-40C6-92A2-537AA5093BCA}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{69477381-72CD-46D4-BEC0-B513DA95BC75}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{54DE8F49-6021-4A93-8616-E8A5FCB76F6E}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{48EE45D7-D6A6-48AF-9E0F-46D4A48BD469}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{7E6E8870-7F18-45CE-8224-3A87D5DD0839}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4785F4DB-55D4-494A-A9D9-E925E5F9097E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA010D46-165A-4454-BDB2-2D7900DBED48}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BB9C8FB1-4E73-4567-A68A-D3112724C75E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA7CBF35-A07A-47E0-A9D7-50C20535E862}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{461787F7-1521-4122-B621-1BC60DAA28C8}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{07F74CBF-B916-460D-8BAD-D7416A5BD19D}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{5FE214F2-AC23-4207-86B9-525F0494BEB6}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{3F95654F-1281-489A-B008-2C1322E4FFCC}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{9193A6E3-7CBB-42DC-873D-9ABE4D39CC24}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9841163A-2F93-44BE-82DB-F4B99B5EF1A7}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{5B7A00E7-2B54-451B-B366-5A378F41A311}"= UDP:23486:az
"TCP Query User{8DEFD4B0-634E-4A79-8A5A-0005FFF2CA67}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{4ED61228-C7A0-4357-A2E6-B3E774AB461D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{1867AF51-F149-4540-B0F6-AF33971442D0}"= Disabled:UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{7360D78F-4FAF-4346-8E47-334F006198F0}"= Disabled:TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{06E6C814-219F-4963-9F3C-AA6D4B7233B4}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= UDP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"UDP Query User{1C5CB88E-34AF-4FC8-B982-6499E1C5E4FD}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= TCP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"TCP Query User{B1A3F406-5339-47F7-A78F-FA812145B7A4}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"UDP Query User{5BE0DE14-55D0-4897-AE8D-21AF7E7EFA03}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"TCP Query User{B81AB4F5-686E-4BB5-B9E5-073F43D01F0F}C:\\ut2003\\system\\ut2003.exe"= UDP:C:\ut2003\system\ut2003.exe:UT2003
"UDP Query User{DE240339-6278-42D1-AF37-AF8F5C428B3A}C:\\ut2003\\system\\ut2003.exe"= TCP:C:\ut2003\system\ut2003.exe:UT2003
"{92046C7E-6146-4F4E-90B0-FFC7C1B7D9EA}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{93FD8633-9D90-4A50-9D4E-1A448F3197E6}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{6B560FD2-6288-4D9D-86BE-FF4964D42598}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{3B03B7E4-23F2-4B26-B38E-535441EBFA2F}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{BEA3D129-6890-4FA7-9E15-FD33D3393768}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{45287821-1A28-445E-8E9C-2CE6B836B2A3}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{8BE4C0CB-59FA-4D70-9969-932C4A0D8BAD}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{8EFBEB31-9C73-4F7C-87D8-6BD4E2702788}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{1928BBA8-81FD-4279-BF3F-212C6D3617CE}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"{4E8311DB-5FD0-4DD2-9D09-E84A693C104F}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"TCP Query User{325BF7F9-9721-49BC-B66D-23B8E2D210BA}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{0DB2E8C9-5D60-4E6F-8626-DCE802447E5C}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{75EC61A2-4ECF-476B-B316-EA0B4BB547F2}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= UDP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"UDP Query User{38E6771D-3F5C-4A86-A1D7-4BDC9F0E792C}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= TCP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"TCP Query User{132E4993-E899-47F9-8EF3-DCD104D6D78F}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{8D708B08-C9B0-43D1-BCBF-8858DBA0D016}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{1D761CD4-4DA7-416F-B17F-58DB06FB6454}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{531ADF73-460D-4668-A1C4-294D6EF1B1B3}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"TCP Query User{3B7688ED-AB6B-42BF-9D32-EF345E512F52}C:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:C:\program files\thq\dawn of war\w40k.exe:W40K
"UDP Query User{0DC3396F-9179-44A8-ABF0-47D556B73ED5}C:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:C:\program files\thq\dawn of war\w40k.exe:W40K
"TCP Query User{3E51C875-37E3-4026-B4B3-272023FA5451}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= UDP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"UDP Query User{C598DB01-F87B-46BC-86CD-B60C90228541}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= TCP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"TCP Query User{6266E821-F617-4C95-886C-B78495226262}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{81C97655-3250-4F94-914F-B56A2601080E}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{8C3442FA-6D2A-4408-B15D-82E03938181B}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{06D9E3D7-F7A3-456E-A69A-1BD3D241427C}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{6F0D7DB8-352D-49A9-BF15-079D552C11EF}C:\\aeriagames\\12sky\\twelvesky.exe"= UDP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"UDP Query User{0D4E321B-AD2F-4B75-A8D5-559D25CDDA29}C:\\aeriagames\\12sky\\twelvesky.exe"= TCP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"TCP Query User{34943C87-20FF-40B7-AAA2-FB25C81F5B73}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"UDP Query User{4F415124-4E46-4832-947C-7595970C364D}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"TCP Query User{E7400F46-DA85-431F-9A76-E296F770D10E}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"UDP Query User{F4859058-E9DC-4CE7-8CE0-ACD64B6D42A7}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"{021A1887-AE38-4F27-8002-4EDAA85D32F4}"= UDP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{F107FA13-EF2E-4B03-9A9A-A3FA40ABD27F}"= TCP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{97BF3F98-879C-4ED0-B6E2-3DA19181E87A}"= UDP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{DBCED2A4-1A49-470C-B63F-00C2754ACB33}"= TCP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{1EC83135-3718-474D-8A58-4D2DC96B1062}"= UDP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A4622FAC-8136-41A5-B57A-24F7D58C77E4}"= TCP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F91A78E6-505F-44F9-9645-E6C186C2A7DA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B304E257-54AA-47D6-92EE-85F78C87BFAC}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{FA7D5919-060F-480E-AD40-75057B806D6E}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8B8FB35A-DD4F-427C-9AA9-C12AC3D0514D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{BDDAD19D-5E05-4FC4-B372-4B7522035589}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{559CE9BE-22D9-4AE2-969A-F6FDBE64AC71}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{752CD407-5B6B-4863-A1B5-27F19710C13A}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{9E8E19E6-4F55-4616-9C0E-A11C2B6E17AD}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{D9668FE8-8086-4BBB-B985-C9F57F1BC9A2}"= UDP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"{588267D2-93E7-4C78-895D-71F8F5F36ABC}"= TCP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{50C85E55-2007-46B3-A4C5-3EDE00B3D6C7}C:\\program files\\microsoft lifecam\\lifeexp.exe"= UDP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"UDP Query User{872F0BEB-A94B-46FE-A8EE-5109C2A7075E}C:\\program files\\microsoft lifecam\\lifeexp.exe"= TCP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"{D8327333-C35E-416E-93A6-B721770351DE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4DF67023-04D2-45F8-AED9-09EACD2D9608}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{49124406-D4CB-4BD4-A4C1-8358B0080874}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{D29180BD-1320-43B0-8D17-21841F8EF4D4}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{DB0E8B5B-798E-48FF-8F40-0F271FFF0117}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{4F115BED-BB21-46DA-92EF-11EEE06030DB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E064BF92-C93B-4366-89EC-523B3C363AB0}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EEC3B38E-7133-43AC-925B-6F2334DFFCB2}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{AA69FF85-8860-46E3-AD09-5B0D1CD32BD2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B4786107-6B46-4F54-9503-ABE76A0CF4FF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B9876473-803E-4CE4-9605-63D4EA7512F4}Q:\\tmunitedforever\\tmforever.exe"= UDP:Q:\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{FDCA6782-2962-478A-9829-A2A1B5802B30}Q:\\tmunitedforever\\tmforever.exe"= TCP:Q:\tmunitedforever\tmforever.exe:TmForever
"TCP Query User{00EE6AEF-21C2-4998-AC96-36338F0B8B37}Q:\\trackmania united\\tmunited.exe"= UDP:Q:\trackmania united\tmunited.exe:TmUnited
"UDP Query User{45AC8227-399B-4C8C-A1F6-4CF47EBB3A2D}Q:\\trackmania united\\tmunited.exe"= TCP:Q:\trackmania united\tmunited.exe:TmUnited

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\Windows\system32\drivers\sfsync03.sys [2005-12-06 16:11]
R1 mozyFilter;mozyFilter;C:\Windows\system32\DRIVERS\mozy.sys [2008-05-15 20:08]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R2 SRUserService;IT Connection Manager;"C:\Program Files\IT Connection Manager\SRUserService.exe" [2007-04-06 14:44]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R3 HabuFltr;Habu Mouse;C:\Windows\system32\drivers\habu.sys [2006-10-23 12:09]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2006-11-15 11:55]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 Alpham1;Ideazon Fang USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Fang MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 GEMPC430;GEMPC430;C:\Windows\system32\Drivers\gemusb.sys [2001-12-04 10:03]
S3 MBAMCatchMe;MBAMCatchMe;C:\Windows\system32\drivers\mbamcatchme.sys [2008-05-05 20:46]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-24 18:24]
S3 uisp;Freescale USB JW32 driver;C:\Windows\system32\Drivers\usbicp.sys [2005-12-21 11:23]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 06:53]
S3 VX6000;Microsoft LifeCam VX-6000;C:\Windows\system32\DRIVERS\VX6000Xp.sys [2007-04-10 15:46]
S3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2006-02-14 13:18]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
\shell\AutoRun\command - L:\CaptureNXSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d12eb66d-08ac-11dc-8713-806e6f6e6963}]
\shell\AutoRun\command - D:\setup.exe /autorun

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 20:30:17
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\MozyHome\mozyshell.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\Tablet.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\WTablet\TabUserW.exe
C:\Windows\System32\Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DigiGuide TV Guide\DigiGuide.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-30 20:48:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-30 19:48:06
ComboFix2.txt 2008-05-30 17:19:07
ComboFix3.txt 2008-05-27 22:55:47

Pre-Run: 57,872,293,888 bytes free
Post-Run: 57,811,808,256 bytes free

437 --- E O F --- 2008-05-28 02:01:41





entatool.exe;c:\users\teacup\desktop\desktop\entatoolv0-6d;Probably BACKDOOR.Trojan;Deleted.;
FIND3M.bat;C:\Combo-Fix;Probably SCRIPT.Virus;;
psexec.cfexe;C:\Combo-Fix;Program.PsExec.171;;
EntaTool.exe;C:\Downloads\EntaToolv0-6d;Probably BACKDOOR.Trojan;Deleted.;
realmon.exe -s;C:\Program Files\CA\eTrust Antivirus;Win32.HLLM.Beagle.219;Deleted.;
data.oct.vir;C:\QooBox\Quarantine\C\Users\Teacup\AppData\Roaming\m;Win32.HLLM.Beagle.223;Deleted.;
1263108.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
14893290.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
14897315.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
15122175.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
15154919.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
266465.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
29430259.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
29435797.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
29456654.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
321206.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
371485.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
392248.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
44054853.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
44057661.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
44084088.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
467706.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
58805232.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
6629122.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
6631914.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Win32.HLLM.Beagle;Deleted.;
73292420.exe.vir;C:\QooBox\Quarantine\C\Windows\System32\drivers\downld;Trojan.PWS.Kone.2;Deleted.;
crazygame.exe;F:\archive\backup\Desktop;Win32.HLLW.Gavir.75;Deleted.;
PATCH.EXE;F:\Program Files\DVD Clone Factory;Tool.DVTPatch;Deleted.;
mirc.exe;F:\Program Files\mIRC;Program.mIRC.603;;
vncviewer.exe;F:\Program Files\RealVNC;Program.RemoteAdmin;;
GameMon.des;F:\Program Files\softnyx\GunboundWC\GameGuard;Probably BACKDOOR.Trojan;Deleted.;
A0091232.exe;F:\System Volume Information\_restore{00AA6B87-EA8D-47A5-B13B-3590C0E3209D}\RP790;Adware.Ezula;Deleted.;
sysinfo.dll;F:\work files\websites\phpdev\www\id42\public_html\sysinfo_v1;Tool.Moo;;
sysinfo.dll;Q:\work files\websites\phpdev\www\id42\public_html\sysinfo_v1;Tool.Moo;;

#23
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Try this

Download NIAP to your desktop and unzip it to its own folder

Close all windows and run NIAP_XRay_FileMgr
  • Click the Log tab at the top and click Create System log. Check the boxes beside Autorun.inf file and System Critical Files and click OK. Save the log to your desktop and let the program run.
  • Exit out of NIAP_XRay_FileMgr


Next run NIAP_XRay_Regedit
  • Click the Log tab then click on Get log. Once it is finished scanning, click Save and call the log NiapReg, then save it to your desktop
  • Exit out of NIAP_XRay_Regedit


Finally run NIAP_XRay_System
  • Click the Log tab and click Create log. Check all the boxes and click Log, save it to your desktop. Let the program run.
  • Once it is done close the program and post the log back here along with the other two logs.


Also tell me how your PC is running

#24
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
PC's running well now, I've not had any crashes other than those caused by ComboFix, and I've not had any other strange behaviour at all. Seems good! :)




# NIAP_XRay_FileMgr.exe 0.0.0.4
# 2008-05-31 15:01:46
# ------------------------------------------------------------------------
# Scan Autorun.inf in: Q:\
# Not Found.

# Scan Autorun.inf in: O:\
# Scan Autorun.inf in: N:\
# Not Found.

# Scan Autorun.inf in: L:\
# Not Found.

# Scan Autorun.inf in: K:\
# Scan Autorun.inf in: J:\
# Scan Autorun.inf in: I:\
# Scan Autorun.inf in: G:\
# Scan Autorun.inf in: F:\
# Not Found.

# Scan Autorun.inf in: D:\
# Scan Autorun.inf in: C:\
# Not Found.

# Verify System Critical File
C:\Windows\explorer.exe;OK
C:\Windows\system32\win32k.sys;OK
C:\Windows\system32\watchdog.sys;Not found.
C:\Windows\system32\hal.dll;OK
C:\Windows\system32\ntkrnlpa.exe;OK
C:\Windows\system32\ntoskrnl.exe;OK
C:\Windows\system32\smss.exe;OK
C:\Windows\system32\csrss.exe;OK
C:\Windows\system32\winlogon.exe;OK
C:\Windows\system32\lsass.exe;OK
C:\Windows\system32\services.exe;OK
C:\Windows\system32\svchost.exe;OK
C:\Windows\system32\userinit.exe;OK
C:\Windows\system32\drivers\acpi.sys;OK
C:\Windows\system32\drivers\atapi.sys;OK
C:\Windows\system32\drivers\beep.sys;OK
C:\Windows\system32\drivers\cdfs.sys;OK
C:\Windows\system32\drivers\cdrom.sys;OK
C:\Windows\system32\drivers\disk.sys;OK
C:\Windows\system32\drivers\fastfat.sys;OK
C:\Windows\system32\drivers\fs_rec.sys;OK
C:\Windows\system32\drivers\ftdisk.sys;Not found.
C:\Windows\system32\drivers\i8042prt.sys;OK
C:\Windows\system32\drivers\kbdclass.sys;OK
C:\Windows\system32\drivers\mouclass.sys;OK
C:\Windows\system32\drivers\ndis.sys;OK
C:\Windows\system32\drivers\ntfs.sys;OK
C:\Windows\system32\drivers\null.sys;OK
C:\Windows\system32\drivers\partmgr.sys;OK
C:\Windows\system32\drivers\pci.sys;OK
C:\Windows\system32\drivers\pciidex.sys;OK
C:\Windows\system32\drivers\redbook.sys;Not found.
C:\Windows\system32\drivers\scsiport.sys;OK
C:\Windows\system32\drivers\sr.sys;Not found.
C:\Windows\system32\drivers\termdd.sys;OK
C:\Windows\system32\drivers\usbhub.sys;OK
C:\Windows\system32\drivers\usbport.sys;OK
C:\Windows\system32\drivers\volsnap.sys;OK
C:\Windows\system32\drivers\tcpip.sys;OK
C:\Windows\system32\drivers\tdi.sys;OK

eof





Report:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:JMB36X IDE Setup , Path:C:\Windows\JM\JMInsIDE.exe
Name:IAAnotif , Path:"C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
Name:Sony Ericsson PC Suite , Path:"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
Name:XboxStat , Path:"C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" silentrun
Name:LifeCam , Path:"C:\Program Files\Microsoft LifeCam\LifeExp.exe"
Name:VX6000 , Path:C:\Windows\vVX6000.exe
Name:GrooveMonitor , Path:"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
Name:Adobe Photo Downloader , Path:"C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
Name:4oD , Path:"C:\Program Files\Kontiki\KHost.exe" -all
Name:RtHDVCpl , Path:RtHDVCpl.exe
Name:NvSvc , Path:RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
Name:NvCplDaemon , Path:RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
Name:NvMediaCenter , Path:RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
Name:QuickTime Task , Path:"C:\Program Files\QuickTime\QTTask.exe" -atboottime
Name:iTunesHelper , Path:"C:\Program Files\iTunes\iTunesHelper.exe"
Name:Windows Mobile Device Center , Path:%windir%\WindowsMobile\wmdc.exe
Name:TrueImageMonitor.exe , Path:C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
Name:AcronisTimounterMonitor , Path:C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
Name:Acronis Scheduler2 Service , Path:"C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\:
Name:msnmsgr , Path:"C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
Name:ehTray.exe , Path:C:\Windows\ehome\ehTray.exe
Name:COMMUNICATOR , Path:"C:\Program Files\Microsoft Office Communicator\Communicator.exe" /silentRetrials /background
Name:kdx , Path:C:\Program Files\Kontiki\KHost.exe -all
Name:WMPNSCFG , Path:C:\Program Files\Windows Media Player\WMPNSCFG.exe


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\:


HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\:


HKCC\Software\Microsoft\Windows NT\CurrentVersion\Windows\[Load]:
Value: None

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Userinit]:
Value: C:\Windows\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\[Shell]:
Value: Explorer.exe

HKLM\SYSTEM\ControlSet001\Control\Session Manager\[BootExecute]:
Value: autocheck autochk *



BHO Items List:
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
InprocServer32:None
ThreadingModel:None
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{074C1DC5-9320-4A9A-947D-C042949C6216}
InprocServer32:C:\Program Files\Adobe\/Adobe Contribute CS3/contributeieplugin.dll
ThreadingModel:Apartment
ProgID:Adobe.Contribute.ContributeBHO.1
Programmable:
TypeLib:{AB60D8C6-305C-4D9A-9CE0-DAE05B0D6FA1}
VersionIndependentProgID:Adobe.Contribute.ContributeBHO
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
InprocServer32:C:\Program Files\FlashGet\jccatch.dll
ThreadingModel:Apartment
ProgID:FGCatchUrl.IECatch.1
Programmable:None
TypeLib:{79DE8D41-161C-11D3-8B9B-DF77640BA112}
VersionIndependentProgID:FGCatchUrl.IECatch
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}
InprocServer32:C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
InprocServer32:C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
ThreadingModel:Apartment
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{9030D464-4C02-4ABF-8ECC-5164760863C6}
InprocServer32:C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
ThreadingModel:Apartment
ProgID:IDBHO.IDBrowserExtension.1
Programmable:None
TypeLib:{FD609BF1-0E01-403F-8F20-EA238F5CDCC3}
VersionIndependentProgID:IDBHO.IDBrowserExtension
{AE7CD045-E861-484f-8273-0445EE161910}
InprocServer32:None
ThreadingModel:None
ProgID:None
Programmable:None
TypeLib:None
VersionIndependentProgID:None
{F156768E-81EF-470C-9057-481BA8380DBA}
InprocServer32:C:\Program Files\FlashGet\getflash.dll
ThreadingModel:Apartment
ProgID:Getflash.gFlash.1
Programmable:None
TypeLib:{16136F72-5845-4CD4-825E-56C3BF44B598}
VersionIndependentProgID:Getflash.gFlash

File Links List:
.txt: %SystemRoot%\system32\NOTEPAD.EXE %1
.exe: "%1" %*
.com: "%1" %*
.pif: "%1" %*
.bat: "%1" %*
.reg: regedit.exe "%1"
.chm: None
.hlp: %SystemRoot%\winhlp32.exe %1
.ini: %SystemRoot%\system32\NOTEPAD.EXE %1
.inf: %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs: "%SystemRoot%\System32\WScript.exe" "%1" %*
.js: %SystemRoot%\System32\WScript.exe "%1" %*
.lnk: CLSID: {00021401-0000-0000-C000-000000000046} shell32.dll

Image File Execution Options:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\[AppInit_DLLs]:
Value:


ShellExecuteHooks:
{B5A7F190-DDA6-4420-B3BA-52453494E6CD} : Groove GFS Stub Execution Hook
InProcServer32:C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\[Debugger]:
Value: "C:\Windows\system32\vsjitdebugger.exe" -p %ld -e %ld

Kernel Drivers:
ATITool
DisplayName:ATITool Overclocking Utility
Description:None
ImagePath:system32\DRIVERS\ATITool.sys
ObjectName:None
Start:SERVICE_SYSTEM_START(1)
Type:SERVICE_KERNEL_DRIVER(1)
Bcim
DisplayName:Bandwidth Controller kernel component
Description:None
ImagePath:system32\DRIVERS\bcim.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
blbdrive
DisplayName:None
Description:None
ImagePath:\SystemRoot\system32\drivers\blbdrive.sys [File not found]
ObjectName:None
Start:SERVICE_DISABLED(4)
Type:SERVICE_KERNEL_DRIVER(1)
catchme
DisplayName:None
Description:None
ImagePath:\??\C:\Combo-Fix\catchme.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
DS1410D
DisplayName:DS1410D
Description:None
ImagePath:SYSTEM32\drivers\DS1410D.SYS
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
ENTECH
DisplayName:ENTECH
Description:None
ImagePath:\??\C:\Windows\system32\DRIVERS\ENTECH.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
GEMPC430
DisplayName:None
Description:None
ImagePath:System32\Drivers\gemusb.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
giveio
DisplayName:giveio
Description:None
ImagePath:system32\giveio.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
grmnusb
DisplayName:None
Description:None
ImagePath:system32\drivers\grmnusb.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Haspnt
DisplayName:Haspnt
Description:None
ImagePath:\??\C:\Windows\system32\drivers\Haspnt.sys
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
IpInIp
DisplayName:IP in IP Tunnel Driver
Description:IP in IP Tunnel Driver
ImagePath:system32\DRIVERS\ipinip.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
mdxgthkn
DisplayName:mdxgthkn
Description:None
ImagePath:\??\C:\Users\Teacup\AppData\Local\Temp\mdxgthkn.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NCHSSVAD
DisplayName:SoundTap Recorder
Description:None
ImagePath:system32\drivers\nchssvad.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NIAPSafe
DisplayName:NIAPSafe
Description:None
ImagePath:\??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys
ObjectName:None
Start:SERVICE_DISABLED(4)
Type:SERVICE_KERNEL_DRIVER(1)
nvlddmkm
DisplayName:None
Description:None
ImagePath:system32\DRIVERS\nvlddmkm.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NwlnkFlt
DisplayName:IPX Traffic Filter Driver
Description:IPX Traffic Filter Driver
ImagePath:system32\DRIVERS\nwlnkflt.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
NwlnkFwd
DisplayName:IPX Traffic Forwarder Driver
Description:IPX Traffic Forwarder Driver
ImagePath:system32\DRIVERS\nwlnkfwd.sys [File not found]
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
Sentinel
DisplayName:Sentinel
Description:None
ImagePath:\SystemRoot\System32\Drivers\SENTINEL.SYS
ObjectName:None
Start:SERVICE_AUTO_START(2)
Type:SERVICE_KERNEL_DRIVER(1)
sfsync03
DisplayName:StarForce Protection Synchronization Driver (version 3.x)
Description:None
ImagePath:System32\drivers\sfsync03.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
Sntnlusb
DisplayName:Rainbow USB SuperPro
Description:None
ImagePath:system32\DRIVERS\SNTNLUSB.SYS
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
speedfan
DisplayName:speedfan
Description:None
ImagePath:system32\speedfan.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
sptd
DisplayName:None
Description:None
ImagePath:System32\Drivers\sptd.sys
ObjectName:None
Start:SERVICE_BOOT_START(0)
Type:SERVICE_KERNEL_DRIVER(1)
uisp
DisplayName:Freescale USB JW32 driver
Description:None
ImagePath:System32\Drivers\usbicp.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)
wacommousefilter
DisplayName:Wacom Mouse Filter Driver
Description:None
ImagePath:system32\DRIVERS\wacommousefilter.sys
ObjectName:None
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_KERNEL_DRIVER(1)

Services:
Apple Mobile Device
DisplayName:Apple Mobile Device
Description:Provides the interface to Apple mobile devices.
ImagePath:"C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
Bonjour Service
DisplayName:Bonjour Service
Description:Enables hardware devices and software services to automatically configure themselves on the network and advertise their presence, so that users can discover and use those services without any unnecessary manual setup or administration.
ImagePath:"C:\Program Files\Bonjour\mDNSResponder.exe"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
FLEXnet Licensing Service
DisplayName:FLEXnet Licensing Service
Description:This service performs licensing functions on behalf of FLEXnet enabled products.
ImagePath:"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
IDriverT
DisplayName:InstallDriver Table Manager
Description:Provides support for the Running Object Table for InstallShield Drivers
ImagePath:"C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)
InoRPC
DisplayName:eTrust Antivirus RPC Server
Description:Listens for Admin Server discovery and policy requests
ImagePath:"C:\Program Files\CA\eTrust Antivirus\InoRpc.exe"
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_OWN_PROCESS(16)
InoRT
DisplayName:eTrust Antivirus Realtime Server
Description:Provides real-time on-access virus protection
ImagePath:"C:\Program Files\CA\eTrust Antivirus\InoRT.exe"
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_OWN_PROCESS(16)
InoTask
DisplayName:eTrust Antivirus Job Server
Description:Schedules background task such as scan jobs and signature downloads
ImagePath:"C:\Program Files\CA\eTrust Antivirus\InoTask.exe"
ObjectName:LocalSystem
Start:SERVICE_DISABLED(4)
Type:SERVICE_WIN32_OWN_PROCESS(16)
maya70docserver
DisplayName:Maya 7.0 Documentation Server
Description:Searchable online docs for Alias software
ImagePath:"C:\Program Files\Alias\Maya7.0\docs\wrapper.exe" -s "C:\Program Files\Alias\Maya7.0\docs\Wrapper.conf"
ObjectName:LocalSystem
Start:SERVICE_AUTO_START(2)
Type:SERVICE_WIN32_OWN_PROCESS(16)
WinHttpAutoProxySvc
DisplayName:@%SystemRoot%\system32\winhttp.dll,-100
Description:@%SystemRoot%\system32\winhttp.dll,-101
ImagePath:%SystemRoot%\system32\svchost.exe -k LocalService
ServiceDll:winhttp.dll [File not found]
ObjectName:NT AUTHORITY\LocalService
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_SHARE_PROCESS(32)
WLSetupSvc
DisplayName:Windows Live Setup Service
Description:Windows Live Setup Service
ImagePath:"C:\Program Files\Windows Live\installer\WLSetupSvc.exe"
ObjectName:LocalSystem
Start:SERVICE_DEMAND_START(3)
Type:SERVICE_WIN32_OWN_PROCESS(16)

eof

Edited by teacup, 31 May 2008 - 08:16 AM.


#25
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
NIAP_XRay_System Version 0.0.0.5 System log

Process:
PID | EPROCESS | Process Name | Module Path
00000004 850D3D90 System
000002D0 87849B70 smss.exe \SystemRoot\System32\smss.exe
0000034C 8B0D1478 csrss.exe C:\Windows\system32\csrss.exe
00000380 87D94458 wininit.exe C:\Windows\system32\wininit.exe
0000038C 87DB15D0 csrss.exe C:\Windows\system32\csrss.exe
000003AC 87DC1020 services.exe C:\Windows\system32\services.exe
000003C8 87DBB020 lsass.exe C:\Windows\system32\lsass.exe
000003D0 87DBC020 lsm.exe C:\Windows\system32\lsm.exe
0000041C 87DFC348 winlogon.exe C:\Windows\system32\winlogon.exe
0000047C 882A6D90 schedul2.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
00000484 87DF7868 svchost.exe C:\Windows\system32\svchost.exe
000004C8 87E78D90 svchost.exe C:\Windows\system32\svchost.exe
00000508 87E98580 svchost.exe C:\Windows\System32\svchost.exe
00000520 87EB5D90 svchost.exe C:\Windows\System32\svchost.exe
00000530 8813CD90 svchost.exe C:\Windows\system32\svchost.exe
0000057C 85C5C020 dwm.exe C:\Windows\system32\Dwm.exe
0000058C 8815B2F8 audiodg.exe C:\Windows\system32\AUDIODG.EXE
000005B4 882B3D90 AppleMobileDevi C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
000005C8 8816F020 SLsvc.exe C:\Windows\system32\SLsvc.exe
000005E8 88177D90 svchost.exe C:\Windows\system32\svchost.exe
00000630 882A57C8 mDNSResponder.e C:\Program Files\Bonjour\mDNSResponder.exe
00000680 858C9820 TabTip.exe C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
00000688 88206618 wisptis.exe C:\Windows\SYSTEM32\WISPTIS.EXE
0000069C 8820DC78 TabTip.exe C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
000006A4 88503D90 svchost.exe C:\Windows\system32\svchost.exe
000006EC 88241D90 svchost.exe C:\Windows\system32\svchost.exe
000006F8 882104D0 svchost.exe C:\Windows\system32\svchost.exe
000007C4 881A1D90 spoolsv.exe C:\Windows\System32\spoolsv.exe
000007DC 88232D90 svchost.exe C:\Windows\system32\svchost.exe
00000850 882E7D90 IAANTmon.exe C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
00000864 882EACE8 KService.exe C:\Program Files\Kontiki\KService.exe
00000898 8823BD90 wrapper.exe C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
000008A4 882FA830 mozybackup.exe C:\Program Files\MozyHome\mozybackup.exe
000008B0 88311AD8 MSCamS32.exe C:\Program Files\Microsoft LifeCam\MSCamS32.exe
000008C0 8830ED90 sqlservr.exe C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
000008FC 88341020 java.exe C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
00000908 8839DD90 PnkBstrA.exe C:\Windows\system32\PnkBstrA.exe
00000928 8833EAF0 sqlbrowser.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
00000950 88339A00 mozybackup.exe C:\Program Files\MozyHome\mozybackup.exe
0000098C 8838B020 sqlwriter.exe C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
000009B0 865F1900 usnsvc.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe
000009B8 88368D90 SRUserService.e C:\Program Files\IT Connection Manager\SRUserService.exe
000009C0 885A5D90 wisptis.exe C:\Windows\SYSTEM32\WISPTIS.EXE
000009D4 8839FB80 svchost.exe C:\Windows\system32\svchost.exe
000009E8 88386020 Tablet.exe C:\Windows\system32\Tablet.exe
00000A0C 8836B610 svchost.exe C:\Windows\System32\svchost.exe
00000A90 883912D8 SearchIndexer.e C:\Windows\system32\SearchIndexer.exe
00000B3C 88435950 WUDFHost.exe C:\Windows\system32\WUDFHost.exe
00000D24 85C31020 mozybackup.exe C:\Program Files\MozyHome\mozybackup.exe
00000D80 866E5BE0 SearchProtocolH C:\Windows\system32\SearchProtocolHost.exe
00000D98 85C2FAD8 taskeng.exe C:\Windows\system32\taskeng.exe
00000ED0 857CC020 wmpnetwk.exe C:\Program Files\Windows Media Player\wmpnetwk.exe
00000FD0 856A9330 taskeng.exe C:\Windows\system32\taskeng.exe
00000FF4 866F69B8 SearchFilterHos C:\Windows\system32\SearchFilterHost.exe
00001068 85C9D020 explorer.exe C:\Windows\Explorer.EXE
000010C8 85CE15B0 TabUserW.exe C:\Windows\system32\WTablet\TabUserW.exe
000010D8 85D31230 Tablet.exe C:\Windows\system32\Tablet.exe
00001128 85E12D90 epmworker.exe C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
0000119C 85D63020 IAAnotif.exe C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
000011A4 85D47020 Application Lau C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
000011B4 85BD7AD8 XBoxStat.exe C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
00001228 85D76568 vVX6000.exe C:\Windows\vVX6000.exe
00001244 85CF19C0 GrooveMonitor.e C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
00001258 85D43D90 apdproxy.exe C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
0000126C 878D0D90 KHost.exe C:\Program Files\Kontiki\KHost.exe
00001274 85D718B0 RtHDVCpl.exe C:\Windows\RtHDVCpl.exe
000012A0 85D93AD8 rundll32.exe C:\Windows\System32\rundll32.exe
000012B8 85D8BD90 iTunesHelper.ex C:\Program Files\iTunes\iTunesHelper.exe
000012D0 87E7A020 wmdc.exe C:\Windows\WindowsMobile\wmdc.exe
00001310 85D44AD8 TrueImageMonito C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
00001318 85D45570 TimounterMonito C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
00001334 85D507E0 msnmsgr.exe C:\Program Files\Windows Live\Messenger\msnmsgr.exe
00001340 85DE8D90 ehtray.exe C:\Windows\ehome\ehtray.exe
00001348 85D86D90 communicator.ex C:\Program Files\Microsoft Office Communicator\communicator.exe
00001358 85D32020 wmpnscfg.exe C:\Program Files\Windows Media Player\wmpnscfg.exe
0000136C 85CD5020 hueyTray.exe C:\Program Files\Pantone\huey\hueyTray.exe
00001378 85D5F768 schedhlp.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
00001398 85D85458 mozystat.exe C:\Program Files\MozyHome\mozystat.exe
000013B4 85DC69B0 ehmsas.exe C:\Windows\ehome\ehmsas.exe
000013BC 881CABB0 ONENOTEM.EXE C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
00001460 86552B10 TrustedInstalle C:\Windows\servicing\TrustedInstaller.exe
000014A0 85DE5820 rundll32.exe C:\Windows\System32\rundll32.exe
0000154C 882E6D90 InputPersonaliz C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
00001680 85DD2828 NIAP_XRay_Syste C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
00001684 86592D90 DigiGuide.exe C:\Program Files\DigiGuide TV Guide\digiguide.exe
00001704 867017B0 Generic.exe C:\Program Files\Common Files\Teleca Shared\Generic.exe
00001728 85A3AAE8 WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe
000017C4 865EAD90 iPodService.exe C:\Program Files\iPod\bin\iPodService.exe

Kernel Module:
EntryPoint | Module Base | Image Size | Module Path
8230A4B0 8221E000 003B9000 ntoskrnl.exe \SystemRoot\system32\ntkrnlpa.exe
825D7000 825D7000 00033000 hal.dll \SystemRoot\system32\hal.dll
80608000 80608000 00008000 kdcom.dll \SystemRoot\system32\kdcom.dll
8066D005 80610000 00060000 mcupdate.dll \SystemRoot\system32\mcupdate_GenuineIntel.dll
80670000 80670000 00011000 PSHED.dll \SystemRoot\system32\PSHED.dll
80681000 80681000 00008000 BOOTVID.dll \SystemRoot\system32\BOOTVID.dll
806C4005 80689000 00041000 CLFS.SYS \SystemRoot\system32\CLFS.SYS
806CA000 806CA000 000E0000 CI.dll \SystemRoot\system32\CI.dll
82C78005 82C07000 0007C000 Wdf01000.sys \SystemRoot\system32\drivers\Wdf01000.sys
82C8D005 82C83000 0000D000 WDFLDR.SYS \SystemRoot\system32\drivers\WDFLDR.SYS
82D1B266 82C90000 000EA000 sptd.sys \SystemRoot\System32\Drivers\sptd.sys
82D80010 82D7A000 00009000 WMILIB.SYS \SystemRoot\System32\Drivers\WMILIB.SYS
82DA400F 82D83000 00026000 SCSIPORT.SYS \SystemRoot\System32\Drivers\SCSIPORT.SYS
82DE6490 82DA9000 00046000 acpi.sys \SystemRoot\system32\drivers\acpi.sys
82DF0070 82DEF000 00008000 msisadrv.sys \SystemRoot\system32\drivers\msisadrv.sys
807CBCEB 807AA000 00027000 pci.sys \SystemRoot\system32\drivers\pci.sys
807DD22D 807D1000 0000F000 partmgr.sys \SystemRoot\System32\drivers\partmgr.sys
807EC39B 807E0000 0000F000 volmgr.sys \SystemRoot\system32\drivers\volmgr.sys
82E4866E 82E05000 0004A000 volmgrx.sys \SystemRoot\System32\drivers\volmgrx.sys
82E53005 82E4F000 00007000 intelide.sys \SystemRoot\system32\drivers\intelide.sys
82E61010 82E56000 0000E000 PCIIDEX.SYS \SystemRoot\system32\drivers\PCIIDEX.SYS
82E68005 82E64000 00007000 pciide.sys \SystemRoot\system32\drivers\pciide.sys
82E78255 82E6B000 00010000 mountmgr.sys \SystemRoot\System32\drivers\mountmgr.sys
82E846B0 82E7B000 0000E000 sfsync03.sys \SystemRoot\System32\drivers\sfsync03.sys
82F4C005 82E89000 000C7000 iaStor.sys \SystemRoot\system32\DRIVERS\iaStor.sys
82F55005 82F50000 00008000 atapi.sys \SystemRoot\system32\drivers\atapi.sys
82F72010 82F58000 0001E000 ataport.SYS \SystemRoot\system32\drivers\ataport.SYS
82F7985C 82F76000 0000B000 jraid.sys \SystemRoot\system32\DRIVERS\jraid.sys
82F87005 82F81000 00009000 msahci.sys \SystemRoot\system32\DRIVERS\msahci.sys
82FB59A7 82F8A000 00032000 fltmgr.sys \SystemRoot\system32\drivers\fltmgr.sys
82FC84C8 82FBC000 00010000 fileinfo.sys \SystemRoot\system32\drivers\fileinfo.sys
82FD01BC 82FCC000 00006000 ino_flpy.sys \SystemRoot\system32\Drivers\ino_flpy.sys
82FD791D 82FD2000 00009000 PxHelp20.sys \SystemRoot\System32\Drivers\PxHelp20.sys
8BC7A2A5 8BC0F000 00071000 ksecdd.sys \SystemRoot\System32\Drivers\ksecdd.sys
8BD811ED 8BC80000 0010B000 ndis.sys \SystemRoot\system32\drivers\ndis.sys
8BDB3032 8BD8B000 0002B000 msrpc.sys \SystemRoot\system32\drivers\msrpc.sys
8BDEB112 8BDB6000 0003A000 NETIO.SYS \SystemRoot\system32\drivers\NETIO.SYS
8BEDF1B9 8BE04000 000E7000 tcpip.sys \SystemRoot\System32\drivers\tcpip.sys
8BF03005 8BEEB000 0001B000 fwpkclnt.sys \SystemRoot\System32\drivers\fwpkclnt.sys
8BF1EB80 8BF06000 0005F000 timntr.sys \SystemRoot\system32\DRIVERS\timntr.sys
8C0F4B75 8C002000 0010F000 Ntfs.sys \SystemRoot\System32\Drivers\Ntfs.sys
8C13F640 8C111000 00039000 volsnap.sys \SystemRoot\system32\drivers\volsnap.sys
8C14F331 8C14A000 00008000 spldr.sys \SystemRoot\System32\Drivers\spldr.sys
8C152E85 8C152000 00002000 speedfan.sys \SystemRoot\system32\speedfan.sys
8C167CB0 8C154000 0001B000 snapman.sys \SystemRoot\system32\DRIVERS\snapman.sys
8C1817D6 8C16F000 00017000 sfvfs02.sys \SystemRoot\System32\drivers\sfvfs02.sys
8C18B300 8C186000 00008000 sfhlp02.sys \SystemRoot\System32\drivers\sfhlp02.sys
8C19D350 8C18E000 00013000 sfdrv01.sys \SystemRoot\System32\drivers\sfdrv01.sys
8C1AD048 8C1A1000 0000F000 mup.sys \SystemRoot\System32\Drivers\mup.sys
8C1B0C9C 8C1B0000 00002000 JGOGO.sys \SystemRoot\system32\DRIVERS\JGOGO.sys
8C1B22E5 8C1B2000 00001000 giveio.sys \SystemRoot\system32\giveio.sys
8C1D51CE 8C1B3000 00027000 ecache.sys \SystemRoot\System32\drivers\ecache.sys
8C1F80E5 8C1DA000 00024000 fvevol.sys \SystemRoot\System32\DRIVERS\fvevol.sys
8BF72BBC 8BF65000 00011000 disk.sys \SystemRoot\system32\drivers\disk.sys
8BF9300F 8BF76000 00021000 CLASSPNP.SYS \SystemRoot\system32\drivers\CLASSPNP.SYS
8BF9D065 8BF97000 00009000 crcdisk.sys \SystemRoot\system32\drivers\crcdisk.sys
8BFD9005 8BFD1000 0000B000 tunnel.sys \SystemRoot\system32\DRIVERS\tunnel.sys
8BFE2005 8BFDC000 00009000 tunmp.sys \SystemRoot\system32\DRIVERS\tunmp.sys
8BFE62E2 8BFE5000 0000F000 intelppm.sys \SystemRoot\system32\DRIVERS\intelppm.sys
8FC119B0 8FC0D000 007DC000 nvlddmkm.sys \SystemRoot\system32\DRIVERS\nvlddmkm.sys
9069B005 90606000 0009F000 dxgkrnl.sys \SystemRoot\System32\drivers\dxgkrnl.sys
906AF005 906A5000 0000D000 watchdog.sys \SystemRoot\System32\drivers\watchdog.sys
906BA005 906B2000 0000B000 usbuhci.sys \SystemRoot\system32\DRIVERS\usbuhci.sys
906F6005 906BD000 0003E000 USBPORT.SYS \SystemRoot\system32\DRIVERS\USBPORT.SYS
90707005 906FB000 0000F000 usbehci.sys \SystemRoot\system32\DRIVERS\usbehci.sys
9070FBDA 9070A000 00012000 HDAudBus.sys \SystemRoot\system32\DRIVERS\HDAudBus.sys
9074A005 9071C000 00033000 yk60x86.sys \SystemRoot\system32\DRIVERS\yk60x86.sys
9075A785 9074F000 00010000 ohci1394.sys \SystemRoot\system32\DRIVERS\ohci1394.sys
9076AD05 9075F000 0000E000 1394BUS.SYS \SystemRoot\system32\DRIVERS\1394BUS.SYS
90780408 9076D000 0001A000 serial.sys \SystemRoot\system32\DRIVERS\serial.sys
9078E069 90787000 0000A000 serenum.sys \SystemRoot\system32\DRIVERS\serenum.sys
907A6005 90791000 00018000 parport.sys \SystemRoot\system32\DRIVERS\parport.sys
907BE005 907A9000 00018000 cdrom.sys \SystemRoot\system32\DRIVERS\cdrom.sys
907C2C89 907C1000 00003000 GEARAspiWDM.sys \SystemRoot\System32\Drivers\GEARAspiWDM.sys
90A3E3F4 90A0D000 00066000 a937g0ff.SYS \SystemRoot\System32\Drivers\a937g0ff.SYS
90A74106 90A73000 00002000 wacomvhid.sys \SystemRoot\system32\DRIVERS\wacomvhid.sys
90A82005 90A75000 00010000 HIDCLASS.SYS \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
90A8AD85 90A85000 00007000 HIDPARSE.SYS \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
90AB6005 90A8C000 0002E000 msiscsi.sys \SystemRoot\system32\DRIVERS\msiscsi.sys
90AF7005 90ABA000 00041000 storport.sys \SystemRoot\system32\DRIVERS\storport.sys
90B03005 90AFB000 0000B000 TDI.SYS \SystemRoot\system32\DRIVERS\TDI.SYS
90B1A005 90B06000 00017000 rasl2tp.sys \SystemRoot\system32\DRIVERS\rasl2tp.sys
90B251B5 90B1D000 0000B000 ndistapi.sys \SystemRoot\system32\DRIVERS\ndistapi.sys
90B45590 90B28000 00023000 ndiswan.sys \SystemRoot\system32\DRIVERS\ndiswan.sys
90B5707E 90B4B000 0000F000 raspppoe.sys \SystemRoot\system32\DRIVERS\raspppoe.sys
90B6B005 90B5A000 00014000 raspptp.sys \SystemRoot\system32\DRIVERS\raspptp.sys
90B80005 90B6E000 00015000 rassstp.sys \SystemRoot\system32\DRIVERS\rassstp.sys
90C8F0AE 90C0D000 00089000 rdpdr.sys \SystemRoot\system32\DRIVERS\rdpdr.sys
90CA3272 90C96000 00010000 termdd.sys \SystemRoot\system32\DRIVERS\termdd.sys
90CAD802 90CA6000 0000B000 kbdclass.sys \SystemRoot\system32\DRIVERS\kbdclass.sys
90CB87DD 90CB1000 0000B000 mouclass.sys \SystemRoot\system32\DRIVERS\mouclass.sys
90CBCB5D 90CBC000 00002000 swenum.sys \SystemRoot\system32\DRIVERS\swenum.sys
90CE3035 90CBE000 0002A000 ks.sys \SystemRoot\system32\DRIVERS\ks.sys
90CEF12A 90CE8000 0000A000 mssmbios.sys \SystemRoot\system32\DRIVERS\mssmbios.sys
90CF37C5 90CF2000 0000D000 umbus.sys \SystemRoot\system32\DRIVERS\umbus.sys
90D2F005 90CFF000 00034000 usbhub.sys \SystemRoot\system32\DRIVERS\usbhub.sys
90D3827D 90D33000 00008000 mouhid.sys \SystemRoot\system32\DRIVERS\mouhid.sys
90D49293 90D3B000 00011000 NDProxy.SYS \SystemRoot\System32\Drivers\NDProxy.SYS
911A8DC5 91006000 001AD000 RTKVHDA.sys \SystemRoot\system32\drivers\RTKVHDA.sys
911DB005 911B3000 0002D000 portcls.sys \SystemRoot\system32\drivers\portcls.sys
90D6D03E 90D4C000 00025000 drmk.sys \SystemRoot\system32\drivers\drmk.sys
911EE878 911E0000 00012000 mozy.sys \SystemRoot\system32\DRIVERS\mozy.sys
911F8256 911F2000 00009000 Fs_Rec.SYS \SystemRoot\System32\Drivers\Fs_Rec.SYS
90D75083 90D71000 00007000 Null.SYS \SystemRoot\System32\Drivers\Null.SYS
90D7C005 90D78000 00007000 Beep.SYS \SystemRoot\System32\Drivers\Beep.SYS
90DA40C2 90D9B000 0000C000 vga.sys \SystemRoot\System32\drivers\vga.sys
90DC2E0A 90DA7000 00021000 VIDEOPRT.SYS \SystemRoot\System32\drivers\VIDEOPRT.SYS
90DCE005 90DC8000 00009000 hidusb.sys \SystemRoot\system32\DRIVERS\hidusb.sys
911FC105 911FB000 00002000 USBD.SYS \SystemRoot\system32\DRIVERS\USBD.SYS
90DD71DD 90DD1000 00009000 kbdhid.sys \SystemRoot\system32\DRIVERS\kbdhid.sys
90DDF005 90DDA000 00008000 RDPCDD.sys \SystemRoot\System32\DRIVERS\RDPCDD.sys
90DE7005 90DE2000 00008000 rdpencdd.sys \SystemRoot\system32\drivers\rdpencdd.sys
90DF229A 90DEA000 0000B000 Msfs.SYS \SystemRoot\System32\Drivers\Msfs.SYS
90D8A58A 90D7F000 0000E000 Npfs.SYS \SystemRoot\System32\Drivers\Npfs.SYS
90D932B8 90D8D000 00009000 rasacd.sys \SystemRoot\System32\DRIVERS\rasacd.sys
90B96005 90B83000 00016000 tdx.sys \SystemRoot\system32\DRIVERS\tdx.sys
90BA94FB 90B99000 00014000 smb.sys \SystemRoot\system32\DRIVERS\smb.sys
90BE8504 90BAD000 00048000 afd.sys \SystemRoot\system32\drivers\afd.sys
907F00B1 907C4000 00032000 netbt.sys \SystemRoot\System32\DRIVERS\netbt.sys
903F8005 903E9000 00016000 pacer.sys \SystemRoot\system32\DRIVERS\pacer.sys
8BDFB278 8BDF0000 0000E000 netbios.sys \SystemRoot\system32\DRIVERS\netbios.sys
82FEA005 82FDB000 00012000 USBSTOR.SYS \SystemRoot\system32\DRIVERS\USBSTOR.SYS
82FFC4E1 82FED000 00013000 wanarp.sys \SystemRoot\system32\DRIVERS\wanarp.sys
9143C1CE 91406000 0003C000 rdbss.sys \SystemRoot\system32\DRIVERS\rdbss.sys
91449038 91442000 0000A000 nsiproxy.sys \SystemRoot\system32\drivers\nsiproxy.sys
9149E443 9144C000 0005A000 csc.sys \SystemRoot\system32\drivers\csc.sys
914B93E1 914A6000 00017000 dfsc.sys \SystemRoot\System32\Drivers\dfsc.sys
914DB040 914C9000 00016000 cdfs.sys \SystemRoot\system32\DRIVERS\cdfs.sys
914F3005 914DF000 00017000 usbccgp.sys \SystemRoot\system32\DRIVERS\usbccgp.sys
914FBDF0 914F6000 00007000 habu.sys \SystemRoot\system32\drivers\habu.sys
91507005 914FD000 0000D000 crashdmp.sys \SystemRoot\System32\Drivers\crashdmp.sys
91512005 9150A000 0000B000 dump_ataport.sys \SystemRoot\System32\Drivers\dump_dumpata.sys
9151A005 91515000 00008000 dump_atapi.sys \SystemRoot\System32\Drivers\dump_atapi.sys
9152B005 9151D000 00011000 dump_dumpfve.sys \SystemRoot\System32\Drivers\dump_dumpfve.sys
9A9E906B 9A800000 00201000 win32k.sys \SystemRoot\System32\win32k.sys
91535005 9152E000 0000A000 Dxapi.sys \SystemRoot\System32\drivers\Dxapi.sys
9153AB02 91538000 0000F000 monitor.sys \SystemRoot\system32\DRIVERS\monitor.sys
9AA22145 9AA20000 00009000 TSDDD.dll \SystemRoot\System32\TSDDD.dll
9AA47B7A 9AA40000 0000E000 cdd.dll \SystemRoot\System32\cdd.dll
9AA64A82 9AA50000 0004C000 ATMFD.DLL \SystemRoot\System32\ATMFD.DLL
9155A2CD 91547000 0001B000 luafv.sys \SystemRoot\system32\drivers\luafv.sys
91589CFA 91562000 0002C000 ino_fltr.sys \??\C:\Windows\system32\Drivers\ino_fltr.sys
9158FCE0 9158E000 00008000 tifsfilt.sys \SystemRoot\system32\DRIVERS\tifsfilt.sys
A02B31EB A020B000 000AF000 spsys.sys \SystemRoot\system32\drivers\spsys.sys
A02C69E7 A02BA000 00010000 lltdio.sys \SystemRoot\system32\DRIVERS\lltdio.sys
A02D941B A02CA000 00013000 rspndr.sys \SystemRoot\system32\DRIVERS\rspndr.sys
A02E3005 A02DD000 00009000 asyncmac.sys \SystemRoot\system32\DRIVERS\asyncmac.sys
A033848F A02E6000 0006B000 HTTP.sys \SystemRoot\system32\drivers\HTTP.sys
A0369040 A0351000 0001D000 srvnet.sys \SystemRoot\System32\DRIVERS\srvnet.sys
A03831E5 A036E000 00019000 bowser.sys \SystemRoot\system32\DRIVERS\bowser.sys
A03A2005 A0387000 00020000 mrxdav.sys \SystemRoot\system32\drivers\mrxdav.sys
A03C1005 A03A7000 0001F000 mrxsmb.sys \SystemRoot\system32\DRIVERS\mrxsmb.sys
A03F9005 A03C6000 00039000 mrxsmb10.sys \SystemRoot\system32\DRIVERS\mrxsmb10.sys
915B2005 9159E000 00018000 mrxsmb20.sys \SystemRoot\system32\DRIVERS\mrxsmb20.sys
915D8005 915B6000 00027000 srv2.sys \SystemRoot\System32\DRIVERS\srv2.sys
A1248005 A1204000 0004C000 srv.sys \SystemRoot\System32\DRIVERS\srv.sys
A1251520 A1250000 0000C000 Haspnt.sys \??\C:\Windows\system32\drivers\Haspnt.sys
A125C2D5 A125C000 00002000 DS1410D.SYS \SystemRoot\SYSTEM32\drivers\DS1410D.SYS
A12624BE A125E000 00007000 parvdm.sys \SystemRoot\system32\DRIVERS\parvdm.sys
A1267770 A1265000 00012000 SENTINEL.SYS \SystemRoot\System32\Drivers\SENTINEL.SYS
A12B7446 A1277000 00043000 atksgt.sys \SystemRoot\system32\DRIVERS\atksgt.sys
A135E620 A12BA000 000AA000 hardlock.sys \SystemRoot\system32\drivers\hardlock.sys
A1386734 A1364000 00028000 fastfat.SYS \SystemRoot\System32\Drivers\fastfat.SYS
A138FE46 A138C000 00005000 lirsgt.sys \SystemRoot\system32\DRIVERS\lirsgt.sys
A28DA183 A2801000 000DE000 peauth.sys \SystemRoot\system32\drivers\peauth.sys
A28E605F A28DF000 0000A000 secdrv.SYS \SystemRoot\System32\Drivers\secdrv.SYS
A28F2005 A28E9000 0000C000 tcpipreg.sys \SystemRoot\System32\drivers\tcpipreg.sys
A29072A2 A28F5000 00015000 WUDFRd.sys \SystemRoot\system32\DRIVERS\WUDFRd.sys
A291901A A290A000 00012000 WUDFPf.sys \SystemRoot\system32\DRIVERS\WUDFPf.sys
A2924005 A291C000 0000B000 tdtcp.sys \SystemRoot\system32\drivers\tdtcp.sys
A2930005 A2927000 0000C000 tssecsrv.sys \SystemRoot\System32\DRIVERS\tssecsrv.sys
A2963005 A2933000 00033000 RDPWD.SYS \SystemRoot\System32\Drivers\RDPWD.SYS
A2968F50 A2966000 0000E000 NIAPMirrorSystem.sys \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys
A2978B50 A2974000 0001A000 NIAPRkDetect.sys \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPRkDetect.sys

SSDT:
ID | Current Function Address | Module Path | Source Function Address | Function Name
HOOK 00000187 A2968530 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 81E1E187 -----
HOOK 00000188 A2968590 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys AE0E0018 -----
HOOK 00000189 A29685E0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys C6220C40 -----
HOOK 0000018A A2968630 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 99E9E80C -----
HOOK 0000018B A2968680 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 85E5E818 -----
HOOK 0000018C A29686D0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys A5F9F00C -----
HOOK 0000018D A2968710 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 99EE0C0C -----
HOOK 0000018E A2968750 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8DEDEC10 -----
HOOK 0000018F A29687A0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 89EDEC0C -----
HOOK 00000190 A29687F0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 95F9F80C -----
HOOK 00000191 A2968850 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 9201EC18 -----
HOOK 00000192 A29688A0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8DE9E808 -----
HOOK 00000193 A29688F0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 85E9E804 -----
HOOK 00000194 A2968940 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8DE9EC04 -----
HOOK 00000195 A2968980 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8A01E404 -----
HOOK 00000196 A29689E0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8DF5EC10 -----
HOOK 00000197 A2968A30 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 8DEDF02C -----
HOOK 00000198 A2968A80 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 9202001C -----
HOOK 00000199 A2968AC0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 95F1F038 -----
HOOK 0000019A A2968B00 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 9E060420 -----
HOOK 0000019B A2968B40 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 9201F014 -----
HOOK 0000019C A2968BB0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 95F60834 -----
HOOK 0000019D A2968C00 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 89E9E814 -----
HOOK 0000019E A2968C40 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 89E9E808 -----
HOOK 0000019F A2968C80 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 89E9E808 -----
HOOK 000001A0 A2968CF0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 91F1F008 -----
HOOK 000001A1 A2968D40 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 89E9F818 -----
HOOK 000001A2 A2968D90 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 9DE5E408 -----
HOOK 000001A3 A2968DF0 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys A1F5FC14 -----
HOOK 000001A4 A2968E50 \??\C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAPMirrorSystem.sys 95F5F014 -----

Shadow Table:
ID | Current Function Address | Module Path | Source Function Address | Function Name

System Callback:
Notify type | Address | Module Name | Module Path
Process Create/Terminate 82244A78 ntoskrnl.exe \SystemRoot\system32\ntkrnlpa.exe
Process Create/Terminate 82CA9472 sptd.sys \SystemRoot\System32\Drivers\sptd.sys
Process Create/Terminate 8BC47F8E ksecdd.sys \SystemRoot\System32\Drivers\ksecdd.sys
Process Create/Terminate 8BE583E9 tcpip.sys \SystemRoot\System32\drivers\tcpip.sys
Process Create/Terminate 8079BB2D CI.dll \SystemRoot\system32\CI.dll
Process Create/Terminate 91563B8C ino_fltr.sys \??\C:\Windows\system32\Drivers\ino_fltr.sys
Process Create/Terminate A12E343E hardlock.sys \SystemRoot\system32\drivers\hardlock.sys
Process Create/Terminate A28C5C4A peauth.sys \SystemRoot\system32\drivers\peauth.sys
Thread Create/Terminate 8C18A234 sfhlp02.sys \SystemRoot\System32\drivers\sfhlp02.sys
LoadImage 82450847 ntoskrnl.exe \SystemRoot\system32\ntkrnlpa.exe
LoadImage 854E6ED6 
LoadImage 82E8188E sfsync03.sys \SystemRoot\System32\drivers\sfsync03.sys

FSD Dispatch hook:
Driver Name | Major Function | Address | Module Path
HOOK \FileSystem\Ntfs IRP_MJ_CREATE 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_CLOSE 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_READ 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_WRITE 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_QUERY_INFORMATION 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SET_INFORMATION 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_QUERY_EA 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SET_EA 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_FLUSH_BUFFERS 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SET_VOLUME_INFORMATION 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_DIRECTORY_CONTROL 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_FILE_SYSTEM_CONTROL 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_DEVICE_CONTROL 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SHUTDOWN 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_LOCK_CONTROL 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_CLEANUP 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_QUERY_SECURITY 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SET_SECURITY 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_QUERY_QUOTA 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_SET_QUOTA 82CAE67E \SystemRoot\System32\Drivers\sptd.sys
HOOK \FileSystem\Ntfs IRP_MJ_PNP 82CAE67E \SystemRoot\System32\Drivers\sptd.sys

Kernel Mode Hook:
Module Name | Address | Hook Type | Memo
HOOK C:\Windows\system32\drivers\USBPORT.SYS DllUnload+00000000 jmp xxxxxxxx [906ED46F] jmp to --> [873621BE]

Windows Hook:
Process Name | IsGlobal | Function Address | Hook Type | Module Path
Generic.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Common Files\Teleca Shared\Generic.exe
Generic.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Common Files\Teleca Shared\Generic.exe
Generic.exe Global 000021A3 WH_SHELL C:\Program Files\Common Files\Teleca Shared\Generic.exe
DigiGuide.exe Global 00001493 WH_GETMESSAGE C:\Program Files\DigiGuide TV Guide\digiguide.exe
DigiGuide.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\DigiGuide TV Guide\digiguide.exe
DigiGuide.exe Global 000021A3 WH_SHELL C:\Program Files\DigiGuide TV Guide\digiguide.exe
NIAP_XRay_Syste Global 0000149B WH_GETMESSAGE C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 000014FB WH_CALLWNDPROC C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Global 000021AB WH_SHELL C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 00431453 WH_MSGFILTER C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
NIAP_XRay_Syste Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
NIAP_XRay_Syste Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
NIAP_XRay_Syste Local 0041EB20 WH_CBT C:\Users\Teacup\Desktop\niap-05\NIAP 0.5\NIAP_XRay_System.exe
InputPersonaliz Global 00001493 WH_GETMESSAGE C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
InputPersonaliz Global 000014F3 WH_CALLWNDPROC C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
InputPersonaliz Global 000021A3 WH_SHELL C:\Program Files\Common Files\Microsoft Shared\Ink\InputPersonalization.exe
rundll32.exe Global 00001493 WH_GETMESSAGE C:\Windows\System32\rundll32.exe
rundll32.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\System32\rundll32.exe
rundll32.exe Global 000021A3 WH_SHELL C:\Windows\System32\rundll32.exe
ehmsas.exe Global 00001493 WH_GETMESSAGE C:\Windows\ehome\ehmsas.exe
ehmsas.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\ehome\ehmsas.exe
ehmsas.exe Global 000021A3 WH_SHELL C:\Windows\ehome\ehmsas.exe
mozystat.exe Local 004B7F10 WH_KEYBOARD C:\Program Files\MozyHome\mozystat.exe
mozystat.exe Local 004B81C0 WH_GETMESSAGE C:\Program Files\MozyHome\mozystat.exe
mozystat.exe Global 00001493 WH_GETMESSAGE C:\Program Files\MozyHome\mozystat.exe
mozystat.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\MozyHome\mozystat.exe
mozystat.exe Global 000021A3 WH_SHELL C:\Program Files\MozyHome\mozystat.exe
schedhlp.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
schedhlp.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
schedhlp.exe Global 000021A3 WH_SHELL C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
hueyTray.exe Local 6C3748A5 WH_MSGFILTER C:\Program Files\Pantone\huey\MFC42.DLL
hueyTray.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
hueyTray.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Pantone\huey\hueyTray.exe
hueyTray.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
hueyTray.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Pantone\huey\hueyTray.exe
hueyTray.exe Local 6C3742D8 WH_CBT C:\Program Files\Pantone\huey\MFC42.DLL
hueyTray.exe Global 000021A3 WH_SHELL C:\Program Files\Pantone\huey\hueyTray.exe
wmpnscfg.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Windows Media Player\wmpnscfg.exe
wmpnscfg.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Windows Media Player\wmpnscfg.exe
wmpnscfg.exe Global 000021A3 WH_SHELL C:\Program Files\Windows Media Player\wmpnscfg.exe
communicator.ex Local 010F7706 WH_GETMESSAGE C:\Program Files\Microsoft Office Communicator\communicator.exe
communicator.ex Global 00001493 WH_GETMESSAGE C:\Program Files\Microsoft Office Communicator\communicator.exe
communicator.ex Global 000014F3 WH_CALLWNDPROC C:\Program Files\Microsoft Office Communicator\communicator.exe
communicator.ex Global 000021A3 WH_SHELL C:\Program Files\Microsoft Office Communicator\communicator.exe
ehtray.exe Global 00001493 WH_GETMESSAGE C:\Windows\ehome\ehtray.exe
ehtray.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\ehome\ehtray.exe
ehtray.exe Global 000021A3 WH_SHELL C:\Windows\ehome\ehtray.exe
msnmsgr.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
msnmsgr.exe Local 004058C1 WH_GETMESSAGE C:\Program Files\Windows Live\Messenger\msnmsgr.exe
msnmsgr.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Windows Live\Messenger\msnmsgr.exe
msnmsgr.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
msnmsgr.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Windows Live\Messenger\msnmsgr.exe
msnmsgr.exe Global 000021A3 WH_SHELL C:\Program Files\Windows Live\Messenger\msnmsgr.exe
TimounterMonito Global 00001493 WH_GETMESSAGE C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
TimounterMonito Global 000014F3 WH_CALLWNDPROC C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
TimounterMonito Global 000021A3 WH_SHELL C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
TrueImageMonito Global 00001493 WH_GETMESSAGE C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
TrueImageMonito Global 000014F3 WH_CALLWNDPROC C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
TrueImageMonito Global 000021A3 WH_SHELL C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
dllhost.exe Global 00001493 WH_GETMESSAGE C:\Windows\system32\DllHost.exe
dllhost.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\system32\DllHost.exe
dllhost.exe Global 000021A3 WH_SHELL C:\Windows\system32\DllHost.exe
wmdc.exe Global 00001493 WH_GETMESSAGE C:\Windows\WindowsMobile\wmdc.exe
wmdc.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\WindowsMobile\wmdc.exe
wmdc.exe Global 000021A3 WH_SHELL C:\Windows\WindowsMobile\wmdc.exe
iTunesHelper.ex Global 00001493 WH_GETMESSAGE C:\Program Files\iTunes\iTunesHelper.exe
iTunesHelper.ex Global 000014F3 WH_CALLWNDPROC C:\Program Files\iTunes\iTunesHelper.exe
iTunesHelper.ex Global 000021A3 WH_SHELL C:\Program Files\iTunes\iTunesHelper.exe
rundll32.exe Global 00001493 WH_GETMESSAGE C:\Windows\System32\rundll32.exe
rundll32.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\System32\rundll32.exe
rundll32.exe Global 000021A3 WH_SHELL C:\Windows\System32\rundll32.exe
RtHDVCpl.exe Global 00001493 WH_GETMESSAGE C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Global 000021A3 WH_SHELL C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Local 0045B95B WH_MSGFILTER C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Local 00456D48 WH_CBT C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Local 0045B95B WH_MSGFILTER C:\Windows\RtHDVCpl.exe
RtHDVCpl.exe Local 0045B95B WH_MSGFILTER C:\Windows\RtHDVCpl.exe
KHost.exe Local 6ADAF656 WH_KEYBOARD C:\Windows\system32\ieframe.dll
KHost.exe Local 00404A5D WH_GETMESSAGE C:\Program Files\Kontiki\KHost.exe
KHost.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Kontiki\KHost.exe
KHost.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Kontiki\KHost.exe
KHost.exe Local 6AD28933 WH_MOUSE C:\Windows\system32\ieframe.dll
KHost.exe Global 000021A3 WH_SHELL C:\Program Files\Kontiki\KHost.exe
apdproxy.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
apdproxy.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
apdproxy.exe Global 000021A3 WH_SHELL C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
GrooveMonitor.e Global 00001493 WH_GETMESSAGE C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
GrooveMonitor.e Global 000014F3 WH_CALLWNDPROC C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
GrooveMonitor.e Global 000021A3 WH_SHELL C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
vVX6000.exe Local 00425011 WH_MSGFILTER C:\Windows\vVX6000.exe
vVX6000.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
vVX6000.exe Global 00001493 WH_GETMESSAGE C:\Windows\vVX6000.exe
vVX6000.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
vVX6000.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\vVX6000.exe
vVX6000.exe Local 0041D9F0 WH_CBT C:\Windows\vVX6000.exe
vVX6000.exe Global 000021A3 WH_SHELL C:\Windows\vVX6000.exe
vVX6000.exe Local 00425011 WH_MSGFILTER C:\Windows\vVX6000.exe
XBoxStat.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
XBoxStat.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
XBoxStat.exe Global 000021A3 WH_SHELL C:\Program Files\Microsoft Xbox 360 Accessories\XBoxStat.exe
Application Lau Global 00001493 WH_GETMESSAGE C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
Application Lau Global 000014F3 WH_CALLWNDPROC C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
Application Lau Global 000021A3 WH_SHELL C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
Application Lau Local 7C284C22 WH_MSGFILTER C:\Windows\system32\MFC71U.DLL
Application Lau Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
Application Lau Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
Application Lau Local 7C27AA0B WH_CBT C:\Windows\system32\MFC71U.DLL
IAAnotif.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
IAAnotif.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
IAAnotif.exe Global 000021A3 WH_SHELL C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
epmworker.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
epmworker.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
epmworker.exe Global 000021A3 WH_SHELL C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
Tablet.exe Global 00001491 WH_GETMESSAGE C:\Windows\system32\Tablet.exe
Tablet.exe Global 000014F1 WH_CALLWNDPROC C:\Windows\system32\Tablet.exe
Tablet.exe Global 000021A1 WH_SHELL C:\Windows\system32\Tablet.exe
TabUserW.exe Global 00001493 WH_GETMESSAGE C:\Windows\system32\WTablet\TabUserW.exe
TabUserW.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\system32\WTablet\TabUserW.exe
TabUserW.exe Global 000021A3 WH_SHELL C:\Windows\system32\WTablet\TabUserW.exe
explorer.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
explorer.exe Global 00001497 WH_GETMESSAGE C:\Windows\Explorer.EXE
explorer.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
explorer.exe Global 000014F7 WH_CALLWNDPROC C:\Windows\Explorer.EXE
explorer.exe Global 000021A7 WH_SHELL C:\Windows\Explorer.EXE
explorer.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
explorer.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
explorer.exe Local 02D607E0 WH_CALLWNDPROC C:\Windows\Explorer.EXE
explorer.exe Local 72CC1AF5 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
explorer.exe Local 72CC2011 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\tiptsf.dll
taskeng.exe Global 00001493 WH_GETMESSAGE C:\Windows\system32\taskeng.exe
taskeng.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\system32\taskeng.exe
taskeng.exe Global 000021A3 WH_SHELL C:\Windows\system32\taskeng.exe
wisptis.exe Global 00001493 WH_GETMESSAGE C:\Windows\SYSTEM32\WISPTIS.EXE
wisptis.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\SYSTEM32\WISPTIS.EXE
wisptis.exe Global 000021A3 WH_SHELL C:\Windows\SYSTEM32\WISPTIS.EXE
spoolsv.exe Global 00001160 WH_CALLWNDPROC C:\Windows\System32\spoolsv.exe
TabTip.exe Global 00001493 WH_GETMESSAGE C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
TabTip.exe Global 000014F3 WH_CALLWNDPROC C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
TabTip.exe Global 000021A3 WH_SHELL C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
TabTip.exe Local 72A33570 WH_CALLWNDPROC C:\Program Files\Common Files\Microsoft Shared\Ink\InkObj.dll
dwm.exe Global 00001493 WH_GETMESSAGE C:\Windows\system32\Dwm.exe
dwm.exe Global 000014F3 WH_CALLWNDPROC C:\Windows\system32\Dwm.exe
dwm.exe Global 000021A3 WH_SHELL C:\Windows\system32\Dwm.exe
svchost.exe Global 00001497 WH_GETMESSAGE C:\Windows\system32\svchost.exe
svchost.exe Global 000014F7 WH_CALLWNDPROC C:\Windows\system32\svchost.exe
svchost.exe Global 000021A7 WH_SHELL C:\Windows\system32\svchost.exe
schedul2.exe Global 00001160 WH_CALLWNDPROC C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
wininit.exe Global 00001160 WH_CALLWNDPROC C:\Windows\system32\wininit.exe
  • 0


#26
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::

Driver::
mdxgthkn


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.





Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right-clicking and selecting Send to Zip file.

Then upload that as an attachment in your next post.
  • 0

#27
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Combofix log below, runscanner log and .run file attached in zip.




ComboFix 08-05-29.1 - Teacup 2008-05-31 17:23:03.4 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2373 [GMT 1:00]
Running from: C:\Users\Teacup\Desktop\wooyt.exe
Command switches used :: C:\Users\Teacup\Desktop\CFScript.txt
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MDXGTHKN
-------\Service_mdxgthkn


((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:14 . 2008-05-31 17:30 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-30 19:14 . 2008-05-30 19:14 1,409 --a------ C:\Windows\QTFont.for
2008-05-30 00:44 . 2008-05-30 00:44 <DIR> d-------- C:\Combo-Fix
2008-05-29 20:32 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-29 20:32 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-05-29 20:32 . 2007-10-12 15:14 1,374,232 --a------ C:\Windows\System32\D3DCompiler_36.dll
2008-05-29 20:32 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-05-29 20:32 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-05-29 20:32 . 2007-10-02 09:56 444,776 --a------ C:\Windows\System32\d3dx10_36.dll
2008-05-29 20:32 . 2007-10-22 03:39 267,272 --a------ C:\Windows\System32\xactengine2_10.dll
2008-05-29 20:32 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-05-29 20:32 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-05-29 20:32 . 2007-10-22 03:37 17,928 --a------ C:\Windows\System32\X3DAudio1_2.dll
2008-05-27 23:47 . 2008-03-08 03:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 23:47 . 2008-03-08 05:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Deckard
2008-05-27 18:57 . 2008-05-27 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- C:\fsaua.data
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 18:01 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-27 18:01 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-27 01:55 . 2008-05-27 01:55 <DIR> d-------- C:\kav
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 20:17 . 2008-05-25 20:17 249,856 --------- C:\Windows\Setup1.exe
2008-05-25 20:17 . 2008-05-25 20:17 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-05-25 18:24 . 2008-05-25 18:25 <DIR> d-------- C:\Program Files\Easy Duplicate Finder
2008-05-25 16:20 . 2008-05-25 18:06 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-05-22 23:47 . 2007-04-23 13:12 343,216 --a------ C:\Windows\System32\KeyHelp.ocx
2008-05-18 23:53 . 2008-05-18 23:53 <DIR> d-------- C:\Program Files\MozyHome
2008-05-18 23:53 . 2008-05-15 20:08 53,752 --a------ C:\Windows\System32\drivers\mozy.sys
2008-05-18 23:53 . 2008-05-26 22:01 6,466 --a------ C:\Windows\mozy.blk
2008-05-18 23:53 . 2008-05-26 22:01 68 --a------ C:\Windows\mozy.flt
2008-05-17 00:37 . 2008-05-17 00:37 <DIR> d-------- C:\Program Files\Trials 2 Second Edition
2008-05-17 00:37 . 2007-10-12 15:14 3,734,536 --a------ C:\Windows\System32\d3dx9_36.dll
2008-05-11 11:55 . 2007-02-16 11:55 302 --a------ C:\Windows\System32\gmsblist.dll
2008-05-11 11:54 . 2008-05-11 18:30 <DIR> d-------- C:\gsak
2008-05-11 11:54 . 2000-01-24 06:01 111,104 --a------ C:\Windows\System32\midas.dll
2008-05-11 11:54 . 2005-11-22 22:20 7,348 --a------ C:\Windows\SDENSX.UDF
2008-05-08 18:43 . 2008-05-08 18:43 <DIR> d-------- C:\logs3
2008-05-07 00:32 . 2008-05-07 00:32 <DIR> d-------- C:\Program Files\GeoSetter
2008-05-02 18:05 . 2008-05-25 15:23 <DIR> d-------- C:\Program Files\Flock
2008-04-14 23:33 . 2008-04-14 23:33 <DIR> d-------- C:\Program Files\Memory-Map
2008-04-14 23:17 . 2008-05-31 17:26 12 --a------ C:\Windows\bthservsdp.dat
2008-04-14 23:15 . 2008-04-14 23:15 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-04-14 23:06 . 2008-04-14 23:06 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-04-14 22:23 . 2008-04-14 22:49 1,663 --a------ C:\printersettings
2008-04-13 13:48 . 2008-04-13 13:48 <DIR> d-------- C:\Program Files\iPod
2008-04-09 00:41 . 2008-04-09 00:46 6,213,632 --a------ C:\Windows\System32\microdem.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 20:46 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-05-29 19:55 --------- d-----w C:\Program Files\FlashGet
2008-05-29 19:54 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-05-26 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 17:07 395,744 ----a-w C:\Windows\system32\drivers\timntr.sys
2008-05-25 17:07 39,264 ----a-w C:\Windows\system32\drivers\tifsfilt.sys
2008-05-25 17:06 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-05-25 14:28 --------- d-----w C:\Program Files\P.H.L.O.P
2008-05-25 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 14:27 --------- d-----w C:\Program Files\NFR
2008-05-25 14:27 --------- d-----w C:\Program Files\MPDemo
2008-05-25 14:23 --------- d-----w C:\Program Files\eMusic Download Manager
2008-05-25 14:19 --------- d-----w C:\Program Files\Steam
2008-05-25 14:17 --------- d-----w C:\Program Files\Azureus
2008-05-21 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-13 23:54 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 21:05 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-08 17:43 --------- d-----w C:\Program Files\Kontiki
2008-05-02 17:05 --------- d-----w C:\Program Files\Opera
2008-04-21 17:45 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 22:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 12:48 --------- d-----w C:\Program Files\iTunes
2008-04-13 12:47 --------- d-----w C:\Program Files\QuickTime
2008-03-29 16:18 --------- d-----w C:\Program Files\Google
2008-03-29 13:19 --------- d-----w C:\Program Files\Pantone
2008-03-23 23:17 174 --sha-w C:\Program Files\desktop.ini
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-11-24 18:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112620071203\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120320071204\index.dat
2007-12-04 17:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120420071205\index.dat
2007-12-06 23:50 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120620071207\index.dat
2007-12-07 14:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120720071208\index.dat
2007-12-09 13:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120920071210\index.dat
2007-12-24 12:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007121720071224\index.dat
2008-01-07 20:12 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122420071231\index.dat
2008-01-14 20:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080115\index.dat
2008-01-15 18:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011520080116\index.dat
2008-01-16 18:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011620080117\index.dat
2008-01-17 18:14 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 18:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011820080119\index.dat
2008-01-19 12:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011920080120\index.dat
2008-01-20 22:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012020080121\index.dat
2008-01-28 21:43 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012820080129\index.dat
2008-01-29 17:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
2008-01-30 17:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013020080131\index.dat
2008-01-31 17:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013120080201\index.dat
2008-02-01 17:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020120080202\index.dat
2008-02-02 12:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020220080203\index.dat
2008-02-03 12:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020320080204\index.dat
2008-02-25 10:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021820080225\index.dat
2008-02-25 18:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022520080226\index.dat
2008-02-26 10:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022620080227\index.dat
2008-02-27 17:55 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022720080228\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot_2008-05-30_20.47.22.49 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 19:26:22 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-31 16:28:17 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-31 16:28:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-31 16:28:18 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-30 19:29:04 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-31 16:28:44 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-31 16:28:44 262,144 ---ha-w C:\Windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-05-30 19:29:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-31 16:28:44 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-31 16:28:44 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-05-30 19:26:32 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-31 16:28:27 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 19:26:32 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-31 16:28:27 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 19:26:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-31 16:28:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 19:26:35 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
+ 2008-05-31 16:28:30 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
- 2008-05-30 19:04:53 25,186 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
+ 2008-05-31 16:30:28 25,322 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
- 2008-05-30 19:04:52 110,386 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 16:30:27 110,676 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-30 19:04:42 101,188 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 10:05:57 101,196 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 10:33 5803368]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-30 20:44 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"VX6000"="C:\Windows\vVX6000.exe" [2007-04-10 15:46 996712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 19:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 20:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 20:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 20:55 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12 1164912]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.iv32"= C:\Windows\system32\ir32_32.dll
"vidc.iv31"= C:\Windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1000]
"EnableNotificationsRef"=dword:00000006

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1006]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{18BDF8B2-297B-41ED-B785-4456C4C35F0E}"= UDP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{7F191103-DA52-4A8B-994F-CF3B20D80ED9}"= TCP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{8ED78554-DAF7-4C6A-A489-5A660ED02118}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{9B02CA99-573B-4871-A8C8-A12BF8B1ED6A}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{63B0B5A3-97FD-4933-8888-5EC7A29994C3}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{3C60C82B-AF6A-44CB-8975-8C9D5C1A0493}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{CCB576D5-DBF5-40C6-92A2-537AA5093BCA}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{69477381-72CD-46D4-BEC0-B513DA95BC75}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{54DE8F49-6021-4A93-8616-E8A5FCB76F6E}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{48EE45D7-D6A6-48AF-9E0F-46D4A48BD469}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{7E6E8870-7F18-45CE-8224-3A87D5DD0839}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4785F4DB-55D4-494A-A9D9-E925E5F9097E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA010D46-165A-4454-BDB2-2D7900DBED48}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BB9C8FB1-4E73-4567-A68A-D3112724C75E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA7CBF35-A07A-47E0-A9D7-50C20535E862}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{461787F7-1521-4122-B621-1BC60DAA28C8}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{07F74CBF-B916-460D-8BAD-D7416A5BD19D}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{5FE214F2-AC23-4207-86B9-525F0494BEB6}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{3F95654F-1281-489A-B008-2C1322E4FFCC}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{9193A6E3-7CBB-42DC-873D-9ABE4D39CC24}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9841163A-2F93-44BE-82DB-F4B99B5EF1A7}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{5B7A00E7-2B54-451B-B366-5A378F41A311}"= UDP:23486:az
"TCP Query User{8DEFD4B0-634E-4A79-8A5A-0005FFF2CA67}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{4ED61228-C7A0-4357-A2E6-B3E774AB461D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{1867AF51-F149-4540-B0F6-AF33971442D0}"= Disabled:UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{7360D78F-4FAF-4346-8E47-334F006198F0}"= Disabled:TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{06E6C814-219F-4963-9F3C-AA6D4B7233B4}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= UDP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"UDP Query User{1C5CB88E-34AF-4FC8-B982-6499E1C5E4FD}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= TCP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"TCP Query User{B1A3F406-5339-47F7-A78F-FA812145B7A4}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"UDP Query User{5BE0DE14-55D0-4897-AE8D-21AF7E7EFA03}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"TCP Query User{B81AB4F5-686E-4BB5-B9E5-073F43D01F0F}C:\\ut2003\\system\\ut2003.exe"= UDP:C:\ut2003\system\ut2003.exe:UT2003
"UDP Query User{DE240339-6278-42D1-AF37-AF8F5C428B3A}C:\\ut2003\\system\\ut2003.exe"= TCP:C:\ut2003\system\ut2003.exe:UT2003
"{92046C7E-6146-4F4E-90B0-FFC7C1B7D9EA}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{93FD8633-9D90-4A50-9D4E-1A448F3197E6}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{6B560FD2-6288-4D9D-86BE-FF4964D42598}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{3B03B7E4-23F2-4B26-B38E-535441EBFA2F}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{BEA3D129-6890-4FA7-9E15-FD33D3393768}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{45287821-1A28-445E-8E9C-2CE6B836B2A3}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{8BE4C0CB-59FA-4D70-9969-932C4A0D8BAD}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{8EFBEB31-9C73-4F7C-87D8-6BD4E2702788}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{1928BBA8-81FD-4279-BF3F-212C6D3617CE}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"{4E8311DB-5FD0-4DD2-9D09-E84A693C104F}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"TCP Query User{325BF7F9-9721-49BC-B66D-23B8E2D210BA}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{0DB2E8C9-5D60-4E6F-8626-DCE802447E5C}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{75EC61A2-4ECF-476B-B316-EA0B4BB547F2}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= UDP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"UDP Query User{38E6771D-3F5C-4A86-A1D7-4BDC9F0E792C}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= TCP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"TCP Query User{132E4993-E899-47F9-8EF3-DCD104D6D78F}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{8D708B08-C9B0-43D1-BCBF-8858DBA0D016}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{1D761CD4-4DA7-416F-B17F-58DB06FB6454}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{531ADF73-460D-4668-A1C4-294D6EF1B1B3}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"TCP Query User{3B7688ED-AB6B-42BF-9D32-EF345E512F52}C:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:C:\program files\thq\dawn of war\w40k.exe:W40K
"UDP Query User{0DC3396F-9179-44A8-ABF0-47D556B73ED5}C:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:C:\program files\thq\dawn of war\w40k.exe:W40K
"TCP Query User{3E51C875-37E3-4026-B4B3-272023FA5451}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= UDP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"UDP Query User{C598DB01-F87B-46BC-86CD-B60C90228541}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= TCP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"TCP Query User{6266E821-F617-4C95-886C-B78495226262}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{81C97655-3250-4F94-914F-B56A2601080E}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{8C3442FA-6D2A-4408-B15D-82E03938181B}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{06D9E3D7-F7A3-456E-A69A-1BD3D241427C}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{6F0D7DB8-352D-49A9-BF15-079D552C11EF}C:\\aeriagames\\12sky\\twelvesky.exe"= UDP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"UDP Query User{0D4E321B-AD2F-4B75-A8D5-559D25CDDA29}C:\\aeriagames\\12sky\\twelvesky.exe"= TCP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"TCP Query User{34943C87-20FF-40B7-AAA2-FB25C81F5B73}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"UDP Query User{4F415124-4E46-4832-947C-7595970C364D}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"TCP Query User{E7400F46-DA85-431F-9A76-E296F770D10E}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"UDP Query User{F4859058-E9DC-4CE7-8CE0-ACD64B6D42A7}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"{021A1887-AE38-4F27-8002-4EDAA85D32F4}"= UDP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{F107FA13-EF2E-4B03-9A9A-A3FA40ABD27F}"= TCP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{97BF3F98-879C-4ED0-B6E2-3DA19181E87A}"= UDP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{DBCED2A4-1A49-470C-B63F-00C2754ACB33}"= TCP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{1EC83135-3718-474D-8A58-4D2DC96B1062}"= UDP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A4622FAC-8136-41A5-B57A-24F7D58C77E4}"= TCP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F91A78E6-505F-44F9-9645-E6C186C2A7DA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B304E257-54AA-47D6-92EE-85F78C87BFAC}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{FA7D5919-060F-480E-AD40-75057B806D6E}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8B8FB35A-DD4F-427C-9AA9-C12AC3D0514D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{BDDAD19D-5E05-4FC4-B372-4B7522035589}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{559CE9BE-22D9-4AE2-969A-F6FDBE64AC71}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{752CD407-5B6B-4863-A1B5-27F19710C13A}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{9E8E19E6-4F55-4616-9C0E-A11C2B6E17AD}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{D9668FE8-8086-4BBB-B985-C9F57F1BC9A2}"= UDP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"{588267D2-93E7-4C78-895D-71F8F5F36ABC}"= TCP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{50C85E55-2007-46B3-A4C5-3EDE00B3D6C7}C:\\program files\\microsoft lifecam\\lifeexp.exe"= UDP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"UDP Query User{872F0BEB-A94B-46FE-A8EE-5109C2A7075E}C:\\program files\\microsoft lifecam\\lifeexp.exe"= TCP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"{D8327333-C35E-416E-93A6-B721770351DE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4DF67023-04D2-45F8-AED9-09EACD2D9608}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{49124406-D4CB-4BD4-A4C1-8358B0080874}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{D29180BD-1320-43B0-8D17-21841F8EF4D4}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{DB0E8B5B-798E-48FF-8F40-0F271FFF0117}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{4F115BED-BB21-46DA-92EF-11EEE06030DB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E064BF92-C93B-4366-89EC-523B3C363AB0}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EEC3B38E-7133-43AC-925B-6F2334DFFCB2}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{AA69FF85-8860-46E3-AD09-5B0D1CD32BD2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B4786107-6B46-4F54-9503-ABE76A0CF4FF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B9876473-803E-4CE4-9605-63D4EA7512F4}Q:\\tmunitedforever\\tmforever.exe"= UDP:Q:\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{FDCA6782-2962-478A-9829-A2A1B5802B30}Q:\\tmunitedforever\\tmforever.exe"= TCP:Q:\tmunitedforever\tmforever.exe:TmForever
"TCP Query User{00EE6AEF-21C2-4998-AC96-36338F0B8B37}Q:\\trackmania united\\tmunited.exe"= UDP:Q:\trackmania united\tmunited.exe:TmUnited
"UDP Query User{45AC8227-399B-4C8C-A1F6-4CF47EBB3A2D}Q:\\trackmania united\\tmunited.exe"= TCP:Q:\trackmania united\tmunited.exe:TmUnited

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\Windows\system32\drivers\sfsync03.sys [2005-12-06 16:11]
R1 mozyFilter;mozyFilter;C:\Windows\system32\DRIVERS\mozy.sys [2008-05-15 20:08]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R2 SRUserService;IT Connection Manager;"C:\Program Files\IT Connection Manager\SRUserService.exe" [2007-04-06 14:44]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R3 HabuFltr;Habu Mouse;C:\Windows\system32\drivers\habu.sys [2006-10-23 12:09]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2006-11-15 11:55]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 Alpham1;Ideazon Fang USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Fang MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 GEMPC430;GEMPC430;C:\Windows\system32\Drivers\gemusb.sys [2001-12-04 10:03]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-24 18:24]
S3 uisp;Freescale USB JW32 driver;C:\Windows\system32\Drivers\usbicp.sys [2005-12-21 11:23]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 06:53]
S3 VX6000;Microsoft LifeCam VX-6000;C:\Windows\system32\DRIVERS\VX6000Xp.sys [2007-04-10 15:46]
S3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2006-02-14 13:18]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
\shell\AutoRun\command - L:\CaptureNXSetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0a16974-5b07-11dc-b854-001a4d40a1fa}]
\shell\AutoRun\command - H:\LaunchU3.exe -a

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 17:28:50
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\Tablet.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\WTablet\TabUserW.exe
C:\Windows\System32\Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\ehome\ehmsas.exe
C:\Program Files\DigiGuide TV Guide\DigiGuide.exe
C:\Windows\hh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2008-05-31 17:47:44 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 16:47:39
ComboFix2.txt 2008-05-30 19:48:43
ComboFix3.txt 2008-05-30 17:19:07
ComboFix4.txt 2008-05-27 22:55:47

Pre-Run: 57,595,449,344 bytes free
Post-Run: 57,539,026,944 bytes free

411 --- E O F --- 2008-05-28 02:01:41

  • 0

#28
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok nearly there :)

Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me)

  • Unzip it to your desktop, then double-click the runscanner icon; this will run the program.
  • Click on the "Item Fixer" tab
  • You will notice several entries with a tick in red, click Fix checked.
  • Accept the warning then repeat until they are all gone.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

SysRst::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

  • 0
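The kind of check a helper runs over a ComboFix log before deciding what goes into a fix script, added here as an example and not part of this thread, of runscanner or of ComboFix itself: it parses the "Reg Loading Points" and firewall-rule sections (the sample lines are constructed after the format of the logs posted above) and lists the settings worth a second look, such as EnableLUA=0, disabled Security Center monitoring, AutoRun handlers on mounted volumes, and firewall rules that open a port to any program. The finding labels and the section-matching strings are my own.

```python
"""Review the 'Reg Loading Points' and FirewallRules sections of a ComboFix-style log.

Added example (not from the thread). SAMPLE_LOG is constructed after the
log format shown in the thread; the finding labels are this script's own.
"""
import re

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{974d5f1f-0b87-11dc-aaeb-001a4d40a1fa}]
\shell\AutoRun\command - L:\CaptureNXSetup.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{5B7A00E7-2B54-451B-B366-5A378F41A311}"= UDP:23486:az
"{CCB576D5-DBF5-40C6-92A2-537AA5093BCA}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"TCP Query User{8DEFD4B0-634E-4A79-8A5A-0005FFF2CA67}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')
DWORD_RE = re.compile(r"dword:([0-9a-fA-F]{8})")
# value = [Disabled:][TCP|UDP:]<port | port|path | path>:<label>; labels carry no colon
FW_RE = re.compile(r"^(?P<disabled>Disabled:)?(?:(?P<proto>TCP|UDP):)?(?P<target>.*?):(?P<label>[^:]*)$")
AUTORUN_RE = re.compile(r"^\\shell\\AutoRun\\command - (.+)$", re.IGNORECASE)


def parse_sections(text):
    """Map each [registry key] header to the non-empty lines under it (order kept)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_firewall_rule(line):
    """Split one FirewallRules value into name/enabled/proto/port/path/label, or None."""
    vm = VALUE_RE.match(line)
    fm = FW_RE.match(vm.group(2)) if vm else None
    if not fm:
        return None
    target, port, path = fm.group("target"), None, None
    if target.isdigit():                      # port-only rule: any program may listen
        port = int(target)
    elif "|" in target and target.split("|", 1)[0].isdigit():   # port|path form
        port_s, path = target.split("|", 1)
        port = int(port_s)
    else:
        path = target                         # program rule
    return {"name": vm.group(1), "enabled": fm.group("disabled") is None,
            "proto": fm.group("proto"), "port": port, "path": path,
            "label": fm.group("label")}


def review(text):
    """Return (category, detail) findings a helper would want to look at."""
    findings = []
    for key, lines in parse_sections(text).items():
        low = key.lower()
        if low.endswith("\\currentversion\\policies\\system"):
            for line in lines:
                vm = VALUE_RE.match(line)
                if vm and vm.group(1) == "EnableLUA" and vm.group(2).split()[0] == "0":
                    findings.append(("uac_disabled", key))
        elif "\\security center\\monitoring\\" in low:
            for line in lines:
                vm = VALUE_RE.match(line)
                dm = DWORD_RE.search(vm.group(2)) if vm else None
                if vm and vm.group(1) == "DisableMonitoring" and dm and int(dm.group(1), 16):
                    findings.append(("av_monitoring_disabled", key.rsplit("\\", 1)[1]))
        elif "\\explorer\\mountpoints2\\" in low:
            for line in lines:
                am = AUTORUN_RE.match(line)
                if am:
                    findings.append(("autorun_mountpoint",
                                     key.rsplit("\\", 1)[1] + ": " + am.group(1)))
        elif low.endswith("firewallpolicy\\firewallrules"):
            for line in lines:
                rule = parse_firewall_rule(line)
                if rule and rule["enabled"] and rule["port"] is not None and rule["path"] is None:
                    findings.append(("port_rule_any_program",
                                     f"{rule['proto']} port {rule['port']} ({rule['label']})"))
    return findings


if __name__ == "__main__":
    for category, detail in review(SAMPLE_LOG):
        print(f"{category:24} {detail}")
```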

#29
teacup

teacup

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Combofix log.


ComboFix 08-05-29.1 - Teacup 2008-05-31 19:32:30.5 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.2297 [GMT 1:00]
Running from: C:\Users\Teacup\Desktop\wooyt.exe
Command switches used :: C:\Users\Teacup\Desktop\CFScript.txt
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 19:14 . 2008-05-31 17:30 54,156 --ah----- C:\Windows\QTFont.qfn
2008-05-30 19:14 . 2008-05-30 19:14 1,409 --a------ C:\Windows\QTFont.for
2008-05-30 00:44 . 2008-05-30 00:44 <DIR> d-------- C:\Combo-Fix
2008-05-29 20:32 . 2008-03-05 15:56 3,786,760 --a------ C:\Windows\System32\D3DX9_37.dll
2008-05-29 20:32 . 2008-03-05 15:56 1,420,824 --a------ C:\Windows\System32\D3DCompiler_37.dll
2008-05-29 20:32 . 2007-10-12 15:14 1,374,232 --a------ C:\Windows\System32\D3DCompiler_36.dll
2008-05-29 20:32 . 2008-03-05 16:03 479,752 --a------ C:\Windows\System32\XAudio2_0.dll
2008-05-29 20:32 . 2008-02-05 23:07 462,864 --a------ C:\Windows\System32\d3dx10_37.dll
2008-05-29 20:32 . 2007-10-02 09:56 444,776 --a------ C:\Windows\System32\d3dx10_36.dll
2008-05-29 20:32 . 2007-10-22 03:39 267,272 --a------ C:\Windows\System32\xactengine2_10.dll
2008-05-29 20:32 . 2008-03-05 16:03 238,088 --a------ C:\Windows\System32\xactengine3_0.dll
2008-05-29 20:32 . 2008-03-05 16:00 25,608 --a------ C:\Windows\System32\X3DAudio1_3.dll
2008-05-29 20:32 . 2007-10-22 03:37 17,928 --a------ C:\Windows\System32\X3DAudio1_2.dll
2008-05-27 23:47 . 2008-03-08 03:08 4,240,384 --a------ C:\Windows\System32\GameUXLegacyGDFs.dll
2008-05-27 23:47 . 2008-03-08 05:21 1,695,744 --a------ C:\Windows\System32\gameux.dll
2008-05-27 19:01 . 2008-05-27 19:01 <DIR> d-------- C:\Deckard
2008-05-27 18:57 . 2008-05-27 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-27 18:56 . 2008-05-27 18:56 <DIR> d-------- C:\fsaua.data
2008-05-27 18:01 . 2008-05-27 18:01 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-27 18:01 . 2008-05-05 20:46 27,048 --a------ C:\Windows\System32\drivers\mbamcatchme.sys
2008-05-27 18:01 . 2008-05-05 20:46 15,864 --a------ C:\Windows\System32\drivers\mbam.sys
2008-05-27 01:55 . 2008-05-27 01:55 <DIR> d-------- C:\kav
2008-05-27 00:50 . 2008-05-27 00:50 <DIR> d-------- C:\Windows\System32\Kaspersky Lab
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\DVDVideoSoft
2008-05-26 01:07 . 2008-05-26 01:07 <DIR> d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\Red Kawa
2008-05-26 00:41 . 2008-05-26 00:41 <DIR> d-------- C:\Program Files\AviSynth 2.5
2008-05-25 20:17 . 2008-05-25 20:17 249,856 --------- C:\Windows\Setup1.exe
2008-05-25 20:17 . 2008-05-25 20:17 73,216 --a------ C:\Windows\ST6UNST.EXE
2008-05-25 18:24 . 2008-05-25 18:25 <DIR> d-------- C:\Program Files\Easy Duplicate Finder
2008-05-25 16:20 . 2008-05-25 18:06 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-05-22 23:47 . 2007-04-23 13:12 343,216 --a------ C:\Windows\System32\KeyHelp.ocx
2008-05-18 23:53 . 2008-05-18 23:53 <DIR> d-------- C:\Program Files\MozyHome
2008-05-18 23:53 . 2008-05-15 20:08 53,752 --a------ C:\Windows\System32\drivers\mozy.sys
2008-05-18 23:53 . 2008-05-26 22:01 6,466 --a------ C:\Windows\mozy.blk
2008-05-18 23:53 . 2008-05-26 22:01 68 --a------ C:\Windows\mozy.flt
2008-05-17 00:37 . 2008-05-17 00:37 <DIR> d-------- C:\Program Files\Trials 2 Second Edition
2008-05-17 00:37 . 2007-10-12 15:14 3,734,536 --a------ C:\Windows\System32\d3dx9_36.dll
2008-05-11 11:55 . 2007-02-16 11:55 302 --a------ C:\Windows\System32\gmsblist.dll
2008-05-11 11:54 . 2008-05-11 18:30 <DIR> d-------- C:\gsak
2008-05-11 11:54 . 2000-01-24 06:01 111,104 --a------ C:\Windows\System32\midas.dll
2008-05-11 11:54 . 2005-11-22 22:20 7,348 --a------ C:\Windows\SDENSX.UDF
2008-05-08 18:43 . 2008-05-08 18:43 <DIR> d-------- C:\logs3
2008-05-07 00:32 . 2008-05-07 00:32 <DIR> d-------- C:\Program Files\GeoSetter
2008-05-02 18:05 . 2008-05-25 15:23 <DIR> d-------- C:\Program Files\Flock
2008-04-14 23:33 . 2008-04-14 23:33 <DIR> d-------- C:\Program Files\Memory-Map
2008-04-14 23:17 . 2008-05-31 19:35 12 --a------ C:\Windows\bthservsdp.dat
2008-04-14 23:15 . 2008-04-14 23:15 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi2_01_00_00.Wdf
2008-04-14 23:06 . 2008-04-14 23:06 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdRapi_01_00_00.Wdf
2008-04-14 22:23 . 2008-04-14 22:49 1,663 --a------ C:\printersettings
2008-04-13 13:48 . 2008-04-13 13:48 <DIR> d-------- C:\Program Files\iPod
2008-04-09 00:41 . 2008-04-09 00:46 6,213,632 --a------ C:\Windows\System32\microdem.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-30 20:46 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-05-29 19:55 --------- d-----w C:\Program Files\FlashGet
2008-05-29 19:54 --------- d-----w C:\Program Files\SystemRequirementsLab
2008-05-26 18:35 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 17:07 395,744 ----a-w C:\Windows\system32\drivers\timntr.sys
2008-05-25 17:07 39,264 ----a-w C:\Windows\system32\drivers\tifsfilt.sys
2008-05-25 17:06 114,048 ----a-w C:\Windows\system32\drivers\snapman.sys
2008-05-25 14:28 --------- d-----w C:\Program Files\P.H.L.O.P
2008-05-25 14:28 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-05-25 14:27 --------- d-----w C:\Program Files\NFR
2008-05-25 14:27 --------- d-----w C:\Program Files\MPDemo
2008-05-25 14:23 --------- d-----w C:\Program Files\eMusic Download Manager
2008-05-25 14:19 --------- d-----w C:\Program Files\Steam
2008-05-25 14:17 --------- d-----w C:\Program Files\Azureus
2008-05-21 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-13 23:54 --------- d-----w C:\Program Files\Windows Mail
2008-05-12 21:05 --------- d-----w C:\Program Files\Flickr Uploadr
2008-05-08 17:43 --------- d-----w C:\Program Files\Kontiki
2008-05-02 17:05 --------- d-----w C:\Program Files\Opera
2008-04-21 17:45 --------- d-----w C:\Program Files\Apple Software Update
2008-04-19 22:13 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-13 12:48 --------- d-----w C:\Program Files\iTunes
2008-04-13 12:47 --------- d-----w C:\Program Files\QuickTime
2008-03-29 16:18 --------- d-----w C:\Program Files\Google
2008-03-29 13:19 --------- d-----w C:\Program Files\Pantone
2008-03-23 23:17 174 --sha-w C:\Program Files\desktop.ini
2008-03-08 04:19 540,672 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-03-08 04:19 458,752 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-03-08 04:19 2,153,984 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-03-08 04:19 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-03-08 01:58 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2007-11-24 18:09 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112420071125\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007112620071203\index.dat
2007-12-03 18:08 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120320071204\index.dat
2007-12-04 17:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120420071205\index.dat
2007-12-06 23:50 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120620071207\index.dat
2007-12-07 14:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120720071208\index.dat
2007-12-09 13:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007120920071210\index.dat
2007-12-24 12:46 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007121720071224\index.dat
2008-01-07 20:12 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012007122420071231\index.dat
2008-01-14 20:33 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011420080115\index.dat
2008-01-15 18:15 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011520080116\index.dat
2008-01-16 18:19 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011620080117\index.dat
2008-01-17 18:14 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011720080118\index.dat
2008-01-18 18:29 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011820080119\index.dat
2008-01-19 12:25 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008011920080120\index.dat
2008-01-20 22:42 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012020080121\index.dat
2008-01-28 21:43 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012820080129\index.dat
2008-01-29 17:48 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008012920080130\index.dat
2008-01-30 17:35 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013020080131\index.dat
2008-01-31 17:34 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008013120080201\index.dat
2008-02-01 17:38 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020120080202\index.dat
2008-02-02 12:04 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020220080203\index.dat
2008-02-03 12:39 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008020320080204\index.dat
2008-02-25 10:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008021820080225\index.dat
2008-02-25 18:17 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022520080226\index.dat
2008-02-26 10:59 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022620080227\index.dat
2008-02-27 17:55 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012008022720080228\index.dat
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot_2008-05-30_20.47.22.49 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-30 19:26:22 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-31 18:37:23 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-31 18:37:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
- 2008-05-30 19:26:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
+ 2008-05-31 18:37:23 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-30 19:29:04 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-31 18:38:51 262,144 --sha-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-05-30 19:29:56 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-31 18:38:50 262,144 --sha-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-31 18:38:50 262,144 ---ha-w C:\Windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2008-05-30 19:26:32 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-31 18:37:32 65,536 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-30 19:26:32 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-31 18:37:32 475,136 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-30 19:26:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-31 18:37:32 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-05-30 19:26:35 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
+ 2008-05-31 18:37:35 14,822 ----a-w C:\Windows\System32\config\systemprofile\AppData\Roaming\WTablet\tablet.dat
- 2008-05-30 19:04:53 25,186 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
+ 2008-05-31 18:40:24 25,322 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-3018700875-756917214-4125846603-1000_UserData.bin
- 2008-05-30 19:04:52 110,386 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 18:40:23 110,746 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-30 19:04:42 101,188 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-31 10:05:57 101,196 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@={747E722C-CB46-4A9D-BDFE-192AAD5099B1}

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@={EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}

[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4A9D-BDFE-192AAD5099B1}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40F7-AB77-51FF9D6DEB20}]
2008-05-15 20:09 2393392 --a------ C:\Program Files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 08:33 125952]
"COMMUNICATOR"="C:\Program Files\Microsoft Office Communicator\Communicator.exe" [2007-07-23 10:33 5803368]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 08:33 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"JMB36X IDE Setup"="C:\Windows\JM\JMInsIDE.exe" [2006-10-30 20:44 36864]
"IAAnotif"="C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 13:00 174872]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2007-05-28 10:14 528384]
"XboxStat"="C:\Program Files\Microsoft Xbox 360 Accessories\XboxStat.exe" [2007-09-26 18:05 734264]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 15:45 279912]
"VX6000"="C:\Windows\vVX6000.exe" [2007-04-10 15:46 996712]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 08:00 33648]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2007-12-04 03:07 61440]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"RtHDVCpl"="RtHDVCpl.exe" [2007-03-23 19:04 4423680 C:\Windows\RtHDVCpl.exe]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-12-18 20:55 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-12-18 20:55 8530464]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-12-18 20:55 81920]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"Windows Mobile Device Center"="%windir%\WindowsMobile\wmdc.exe" [ ]
"TrueImageMonitor.exe"="C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2006-10-16 21:12 1164912]
"AcronisTimounterMonitor"="C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe" [2006-10-16 21:17 1941784]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2006-10-16 21:13 87584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"SENTINEL"= snti386.dll
"vidc.iv32"= C:\Windows\system32\ir32_32.dll
"vidc.iv31"= C:\Windows\system32\ir32_32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\Windows\pss\Adobe Acrobat Speed Launcher.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Acrobat Synchronizer.lnk]
path=C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Acrobat Synchronizer.lnk
backup=C:\Windows\pss\Adobe Acrobat Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1000]
"EnableNotificationsRef"=dword:00000006

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1003]
"EnableNotificationsRef"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-3018700875-756917214-4125846603-1006]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{18BDF8B2-297B-41ED-B785-4456C4C35F0E}"= UDP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{7F191103-DA52-4A8B-994F-CF3B20D80ED9}"= TCP:C:\Program Files\THQ\Gas Powered Games\Supreme Commander\bin\SupremeCommander.exe:Supreme Commander
"{8ED78554-DAF7-4C6A-A489-5A660ED02118}"= UDP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{9B02CA99-573B-4871-A8C8-A12BF8B1ED6A}"= TCP:C:\Program Files\THQ\Gas Powered Games\GPGNet\GPG.Multiplayer.Client.exe:GPGNet - Supreme Commander
"{63B0B5A3-97FD-4933-8888-5EC7A29994C3}"= UDP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{3C60C82B-AF6A-44CB-8975-8C9D5C1A0493}"= TCP:C:\Program Files\Electronic Arts\Battlefield 2142\BF2142.exe:Battlefield 2
"{CCB576D5-DBF5-40C6-92A2-537AA5093BCA}"= Disabled:UDP:3703:Adobe Version Cue CS3 Server
"{69477381-72CD-46D4-BEC0-B513DA95BC75}"= Disabled:UDP:3704:Adobe Version Cue CS3 Server
"{54DE8F49-6021-4A93-8616-E8A5FCB76F6E}"= Disabled:UDP:50900:Adobe Version Cue CS3 Server
"{48EE45D7-D6A6-48AF-9E0F-46D4A48BD469}"= Disabled:UDP:50901:Adobe Version Cue CS3 Server
"{7E6E8870-7F18-45CE-8224-3A87D5DD0839}"= TCP:6004|C:\Program Files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{4785F4DB-55D4-494A-A9D9-E925E5F9097E}"= UDP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FA010D46-165A-4454-BDB2-2D7900DBED48}"= TCP:C:\Program Files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BB9C8FB1-4E73-4567-A68A-D3112724C75E}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{FA7CBF35-A07A-47E0-A9D7-50C20535E862}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{461787F7-1521-4122-B621-1BC60DAA28C8}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{07F74CBF-B916-460D-8BAD-D7416A5BD19D}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{5FE214F2-AC23-4207-86B9-525F0494BEB6}C:\\program files\\world of warcraft\\repair.exe"= UDP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"UDP Query User{3F95654F-1281-489A-B008-2C1322E4FFCC}C:\\program files\\world of warcraft\\repair.exe"= TCP:C:\program files\world of warcraft\repair.exe:Blizzard Repair Utility
"TCP Query User{9193A6E3-7CBB-42DC-873D-9ABE4D39CC24}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{9841163A-2F93-44BE-82DB-F4B99B5EF1A7}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"{5B7A00E7-2B54-451B-B366-5A378F41A311}"= UDP:23486:az
"TCP Query User{8DEFD4B0-634E-4A79-8A5A-0005FFF2CA67}C:\\program files\\emule\\emule.exe"= UDP:C:\program files\emule\emule.exe:eMule
"UDP Query User{4ED61228-C7A0-4357-A2E6-B3E774AB461D}C:\\program files\\emule\\emule.exe"= TCP:C:\program files\emule\emule.exe:eMule
"{1867AF51-F149-4540-B0F6-AF33971442D0}"= Disabled:UDP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"{7360D78F-4FAF-4346-8E47-334F006198F0}"= Disabled:TCP:C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe:Adobe Version Cue CS3 Server
"TCP Query User{06E6C814-219F-4963-9F3C-AA6D4B7233B4}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= UDP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"UDP Query User{1C5CB88E-34AF-4FC8-B982-6499E1C5E4FD}C:\\program files\\trackmania nations eswc\\tmnationseswc.exe"= TCP:C:\program files\trackmania nations eswc\tmnationseswc.exe:TmNationsESWC
"TCP Query User{B1A3F406-5339-47F7-A78F-FA812145B7A4}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"UDP Query User{5BE0DE14-55D0-4897-AE8D-21AF7E7EFA03}C:\\program files\\steam\\steamapps\\[email protected]\\counter-strike source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\counter-strike source\hl2.exe:hl2
"TCP Query User{B81AB4F5-686E-4BB5-B9E5-073F43D01F0F}C:\\ut2003\\system\\ut2003.exe"= UDP:C:\ut2003\system\ut2003.exe:UT2003
"UDP Query User{DE240339-6278-42D1-AF37-AF8F5C428B3A}C:\\ut2003\\system\\ut2003.exe"= TCP:C:\ut2003\system\ut2003.exe:UT2003
"{92046C7E-6146-4F4E-90B0-FFC7C1B7D9EA}"= UDP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{93FD8633-9D90-4A50-9D4E-1A448F3197E6}"= TCP:C:\Program Files\Microsoft Games\Halo 2\halo2.exe:Halo 2
"{6B560FD2-6288-4D9D-86BE-FF4964D42598}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{3B03B7E4-23F2-4B26-B38E-535441EBFA2F}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{BEA3D129-6890-4FA7-9E15-FD33D3393768}"= UDP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{45287821-1A28-445E-8E9C-2CE6B836B2A3}"= TCP:C:\Program Files\Microsoft Office\Live Meeting 8\Console\PWConsole.exe:Microsoft Office Live Meeting 2007
"{8BE4C0CB-59FA-4D70-9969-932C4A0D8BAD}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{8EFBEB31-9C73-4F7C-87D8-6BD4E2702788}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Microsoft Office Communicator 2007
"{1928BBA8-81FD-4279-BF3F-212C6D3617CE}"= UDP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"{4E8311DB-5FD0-4DD2-9D09-E84A693C104F}"= TCP:C:\Program Files\Microsoft Office Communicator\communicator.exe:Communicator
"TCP Query User{325BF7F9-9721-49BC-B66D-23B8E2D210BA}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= UDP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"UDP Query User{0DB2E8C9-5D60-4E6F-8626-DCE802447E5C}C:\\users\\teacup\\appdata\\local\\temp\\electronicarts_patcher_000.exe"= TCP:C:\users\teacup\appdata\local\temp\electronicarts_patcher_000.exe:electronicarts_patcher_000.exe
"TCP Query User{75EC61A2-4ECF-476B-B316-EA0B4BB547F2}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= UDP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"UDP Query User{38E6771D-3F5C-4A86-A1D7-4BDC9F0E792C}C:\\program files\\autodesk\\maya2008\\bin\\maya.exe"= TCP:C:\program files\autodesk\maya2008\bin\maya.exe:Maya
"TCP Query User{132E4993-E899-47F9-8EF3-DCD104D6D78F}C:\\program files\\flashget\\flashget.exe"= UDP:C:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{8D708B08-C9B0-43D1-BCBF-8858DBA0D016}C:\\program files\\flashget\\flashget.exe"= TCP:C:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{1D761CD4-4DA7-416F-B17F-58DB06FB6454}C:\\program files\\steam\\steam.exe"= UDP:C:\program files\steam\steam.exe:Steam
"UDP Query User{531ADF73-460D-4668-A1C4-294D6EF1B1B3}C:\\program files\\steam\\steam.exe"= TCP:C:\program files\steam\steam.exe:Steam
"TCP Query User{3B7688ED-AB6B-42BF-9D32-EF345E512F52}C:\\program files\\thq\\dawn of war\\w40k.exe"= UDP:C:\program files\thq\dawn of war\w40k.exe:W40K
"UDP Query User{0DC3396F-9179-44A8-ABF0-47D556B73ED5}C:\\program files\\thq\\dawn of war\\w40k.exe"= TCP:C:\program files\thq\dawn of war\w40k.exe:W40K
"TCP Query User{3E51C875-37E3-4026-B4B3-272023FA5451}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= UDP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"UDP Query User{C598DB01-F87B-46BC-86CD-B60C90228541}C:\\users\\teacup\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= TCP:C:\users\teacup\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"TCP Query User{6266E821-F617-4C95-886C-B78495226262}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{81C97655-3250-4F94-914F-B56A2601080E}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{8C3442FA-6D2A-4408-B15D-82E03938181B}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{06D9E3D7-F7A3-456E-A69A-1BD3D241427C}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{6F0D7DB8-352D-49A9-BF15-079D552C11EF}C:\\aeriagames\\12sky\\twelvesky.exe"= UDP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"UDP Query User{0D4E321B-AD2F-4B75-A8D5-559D25CDDA29}C:\\aeriagames\\12sky\\twelvesky.exe"= TCP:C:\aeriagames\12sky\twelvesky.exe:TwelveSky
"TCP Query User{34943C87-20FF-40B7-AAA2-FB25C81F5B73}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"UDP Query User{4F415124-4E46-4832-947C-7595970C364D}C:\\program files\\steam\\steamapps\\[email protected]\\team fortress 2\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\team fortress 2\hl2.exe:hl2
"TCP Query User{E7400F46-DA85-431F-9A76-E296F770D10E}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= UDP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"UDP Query User{F4859058-E9DC-4CE7-8CE0-ACD64B6D42A7}C:\\program files\\steam\\steamapps\\[email protected]\\day of defeat source\\hl2.exe"= TCP:C:\program files\steam\steamapps\[email protected]\day of defeat source\hl2.exe:hl2
"{021A1887-AE38-4F27-8002-4EDAA85D32F4}"= UDP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{F107FA13-EF2E-4B03-9A9A-A3FA40ABD27F}"= TCP:L:\games\SettlersVI\base\bin\Settlers6.exe:THE SETTLERS - Rise of an Empire
"{97BF3F98-879C-4ED0-B6E2-3DA19181E87A}"= UDP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{DBCED2A4-1A49-470C-B63F-00C2754ACB33}"= TCP:Q:\Crysis\Bin32\Crysis.exe:Crysis_32
"{1EC83135-3718-474D-8A58-4D2DC96B1062}"= UDP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A4622FAC-8136-41A5-B57A-24F7D58C77E4}"= TCP:Q:\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{F91A78E6-505F-44F9-9645-E6C186C2A7DA}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{B304E257-54AA-47D6-92EE-85F78C87BFAC}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{FA7D5919-060F-480E-AD40-75057B806D6E}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{8B8FB35A-DD4F-427C-9AA9-C12AC3D0514D}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{BDDAD19D-5E05-4FC4-B372-4B7522035589}"= UDP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{559CE9BE-22D9-4AE2-969A-F6FDBE64AC71}"= TCP:C:\Program Files\Microsoft LifeCam\LifeCam.exe:LifeCam.exe
"{752CD407-5B6B-4863-A1B5-27F19710C13A}"= UDP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{9E8E19E6-4F55-4616-9C0E-A11C2B6E17AD}"= TCP:C:\Program Files\Microsoft LifeCam\LifeExp.exe:LifeExp.exe
"{D9668FE8-8086-4BBB-B985-C9F57F1BC9A2}"= UDP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"{588267D2-93E7-4C78-895D-71F8F5F36ABC}"= TCP:Q:\ut3\Binaries\UT3.exe:Unreal Tournament 3
"TCP Query User{50C85E55-2007-46B3-A4C5-3EDE00B3D6C7}C:\\program files\\microsoft lifecam\\lifeexp.exe"= UDP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"UDP Query User{872F0BEB-A94B-46FE-A8EE-5109C2A7075E}C:\\program files\\microsoft lifecam\\lifeexp.exe"= TCP:C:\program files\microsoft lifecam\lifeexp.exe:LifeExp.exe
"{D8327333-C35E-416E-93A6-B721770351DE}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{4DF67023-04D2-45F8-AED9-09EACD2D9608}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{49124406-D4CB-4BD4-A4C1-8358B0080874}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{D29180BD-1320-43B0-8D17-21841F8EF4D4}"= UDP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{DB0E8B5B-798E-48FF-8F40-0F271FFF0117}"= TCP:C:\Program Files\Kontiki\KService.exe:Delivery Manager Service
"{4F115BED-BB21-46DA-92EF-11EEE06030DB}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{E064BF92-C93B-4366-89EC-523B3C363AB0}"= Disabled:UDP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{EEC3B38E-7133-43AC-925B-6F2334DFFCB2}"= Disabled:TCP:C:\Program Files\Adobe\Photoshop Elements 6.0\AdobePhotoshopElementsMediaServer.exe:Adobe Photoshop Elements Media Server
"{AA69FF85-8860-46E3-AD09-5B0D1CD32BD2}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B4786107-6B46-4F54-9503-ABE76A0CF4FF}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{B9876473-803E-4CE4-9605-63D4EA7512F4}Q:\\tmunitedforever\\tmforever.exe"= UDP:Q:\tmunitedforever\tmforever.exe:TmForever
"UDP Query User{FDCA6782-2962-478A-9829-A2A1B5802B30}Q:\\tmunitedforever\\tmforever.exe"= TCP:Q:\tmunitedforever\tmforever.exe:TmForever
"TCP Query User{00EE6AEF-21C2-4998-AC96-36338F0B8B37}Q:\\trackmania united\\tmunited.exe"= UDP:Q:\trackmania united\tmunited.exe:TmUnited
"UDP Query User{45AC8227-399B-4C8C-A1F6-4CF47EBB3A2D}Q:\\trackmania united\\tmunited.exe"= TCP:Q:\trackmania united\tmunited.exe:TmUnited

R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);C:\Windows\system32\drivers\sfsync03.sys [2005-12-06 16:11]
R1 mozyFilter;mozyFilter;C:\Windows\system32\DRIVERS\mozy.sys [2008-05-15 20:08]
R2 MSCamSvc;MSCamSvc;"C:\Program Files\Microsoft LifeCam\MSCamS32.exe" [2007-05-17 15:45]
R2 RapiMgr;Windows Mobile-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R2 SRUserService;IT Connection Manager;"C:\Program Files\IT Connection Manager\SRUserService.exe" [2007-04-06 14:44]
R2 WcesComm;Windows Mobile-2003-based device connectivity;C:\Windows\system32\svchost.exe [2008-01-19 08:33]
R3 HabuFltr;Habu Mouse;C:\Windows\system32\drivers\habu.sys [2006-10-23 12:09]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\Windows\system32\DRIVERS\wacomvhid.sys [2006-11-15 11:55]
R3 yukonwlh;NDIS6.0 Miniport Driver for Marvell Yukon Ethernet Controller;C:\Windows\system32\DRIVERS\yk60x86.sys [2006-11-02 08:30]
S3 Alpham1;Ideazon Fang USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham1.sys [2007-03-20 10:49]
S3 Alpham2;Ideazon Fang MM USB Human Interface Device;C:\Windows\system32\DRIVERS\Alpham2.sys [2007-03-20 10:49]
S3 GEMPC430;GEMPC430;C:\Windows\system32\Drivers\gemusb.sys [2001-12-04 10:03]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-02-24 18:24]
S3 uisp;Freescale USB JW32 driver;C:\Windows\system32\Drivers\usbicp.sys [2005-12-21 11:23]
S3 UMPass;Microsoft UMPass Driver;C:\Windows\system32\DRIVERS\umpass.sys [2008-01-19 06:53]
S3 VX6000;Microsoft LifeCam VX-6000;C:\Windows\system32\DRIVERS\VX6000Xp.sys [2007-04-10 15:46]
S3 wacommousefilter;Wacom Mouse Filter Driver;C:\Windows\system32\DRIVERS\wacommousefilter.sys [2006-02-14 13:18]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
bthsvcs REG_MULTI_SZ BthServ

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 19:38:55
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\Explorer.exe
-> C:\Program Files\MozyHome\mozyshell.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Alias\Maya7.0\docs\wrapper.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Alias\Maya7.0\docs\jre\bin\java.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Windows\System32\Tablet.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\WUDFHost.exe
C:\Program Files\MozyHome\mozybackup.exe
C:\Windows\System32\wisptis.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Windows\System32\WTablet\TabUserW.exe
C:\Windows\System32\Tablet.exe
C:\Windows\System32\rundll32.exe
C:\Windows\WindowsMobile\wmdc.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Pantone\huey\hueyTray.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe
C:\Program Files\DigiGuide TV Guide\DigiGuide.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-31 19:57:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-31 18:57:51
ComboFix2.txt 2008-05-31 16:47:45
ComboFix3.txt 2008-05-30 19:48:43
ComboFix4.txt 2008-05-30 17:19:07
ComboFix5.txt 2008-05-27 22:55:47

Pre-Run: 57,584,955,392 bytes free
Post-Run: 57,565,855,744 bytes free

404 --- E O F --- 2008-05-28 02:01:41
  • 0

#30
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Ok, let's finish this up :)

Delete NIAP


Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the run box and click OK. Note the space between the X and the U; it needs to be there.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from here.




Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at:
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:

SpywareBlaster protects against bad ActiveX.
IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Have a look at this tutorial for IE-Spyad here.

* SpywareGuard offers realtime protection from spyware installation attempts. Make sure you are only running one real-time protection program or there will be a conflict.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
  • Next click OK, then the Apply button, and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here.

* Take a good look at the following suggestions for malware prevention by reading Tony Klein's article 'How Did I Get Infected In The First Place' here.

Thank you for your patience, and performing all of the procedures requested.
  • 0
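The HOSTS-file blocking Rorschach112 describes above is easy to verify on the machine itself. The following Python script is an added example, not code from the thread or from the MVPS project: it parses a HOSTS file and separates the deliberate sinkhole entries (names pointed at 127.0.0.1 or 0.0.0.0, which is what the MVPS file does) from names redirected to some other address, which on a freshly cleaned machine is worth a second look. The sample HOSTS content and domain names are constructed for illustration.

```python
"""Audit a Windows HOSTS file (added example; sample data is constructed).

Deliberate blocking, as done by the MVPS hosts file, points unwanted names
at the local machine (127.0.0.1 or 0.0.0.0).  Any name pointed somewhere
else is a redirection, and on a cleaned system that deserves inspection.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Addresses that mean "go nowhere": the sinkhole targets MVPS-style files use.
SINKHOLE_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


@dataclass
class HostsEntry:
    address: str
    hostname: str
    line_no: int


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse HOSTS text: '<address> <name> [<name> ...]', '#' starts a comment.
    Lines whose first token is not an IP address are skipped, not guessed at."""
    entries: list[HostsEntry] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed or non-address first token
        for name in parts[1:]:
            entries.append(HostsEntry(parts[0], name.lower(), line_no))
    return entries


def audit_hosts(text: str) -> dict[str, list[HostsEntry]]:
    """Bucket entries: 'localhost' (the default lines), 'sinkholed' (blocked
    the MVPS way) and 'redirected' (pointed at a real address elsewhere)."""
    report: dict[str, list[HostsEntry]] = {"localhost": [], "sinkholed": [], "redirected": []}
    for entry in parse_hosts(text):
        if entry.hostname in ("localhost", "localhost.localdomain"):
            report["localhost"].append(entry)
        elif entry.address in SINKHOLE_ADDRESSES:
            report["sinkholed"].append(entry)
        else:
            report["redirected"].append(entry)
    return report


# Constructed sample: the default localhost line, two MVPS-style block
# entries, and one vendor-looking name pointed at an outside address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ad.example-tracker.test   # MVPS-style block entry
127.0.0.1  banner.example-ads.test
192.0.2.10  windowsupdate.example.test   # redirected away from the real host
"""

if __name__ == "__main__":
    result = audit_hosts(SAMPLE_HOSTS)
    print(f"sinkholed: {len(result['sinkholed'])}, redirected: {len(result['redirected'])}")
    for e in result["redirected"]:
        print(f"  line {e.line_no}: {e.hostname} -> {e.address}")
```

On a real system the file lives at C:\Windows\System32\drivers\etc\hosts; read it with `open(..., encoding="utf-8", errors="replace")` and pass the text to `audit_hosts`.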
