
Constant attempts to access malware IPs


  • This topic is locked

#31 myrti (Expert, 2,580 posts)
Hi,

Following these instructions: http://support.avast...kbarticleid=376

Can you please restore the file from Avast quarantine into a location of your choice and then upload it to virustotal.com or jotti.org as previously asked?

regards myrti
  • 0



#32 therealex (Topic Starter, Member, 112 posts)
Well, all kinds of responses:


Scanners
[ArcaVir]
2010-05-26 Found nothing
[G DATA]
2010-05-27 Gen:Trojan.Heur.bqW@IDc2Troi
[Avast! antivirus]
2010-05-26 Win32:Malware-gen
[Ikarus]
2010-05-26 Trojan-Dropper.Win32.Malf
[Grisoft AVG Anti-Virus]
2010-05-26 Dropper.Generic2.KNB
[Kaspersky Anti-Virus]
2010-05-26 Found nothing
[Avira AntiVir]
2010-05-26 TR/Crypt.XDR.Gen
[ESET NOD32]
2010-05-26 Found nothing
[Softwin BitDefender]
2010-05-26 Gen:Trojan.Heur.bqW@IDc2Troi
[Panda Antivirus]
2010-05-26 Found nothing
[ClamAV]
2010-05-26 Found nothing
[Quick Heal]
2010-05-26 TrojanDropper.Malf
[CPsecure]
2010-05-26 Troj.PSW.W32.LdPinch.aepl
[Sophos]
2010-05-26 Sus/Behav-1018
[Dr.Web]
2010-05-27 Found nothing
[VirusBlokAda VBA32]
2010-05-26 Found nothing
[Frisk F-Prot Antivirus]
2010-05-26 W32/Dropper.gen8!Maximus
[VirusBuster]
2010-05-26 Found nothing
[F-Secure Anti-Virus]
2010-05-26 Found nothing
  • 0
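The report in post #32 is the usual multi-engine format: an engine name in brackets followed by a dated verdict. Reading it by eye, the useful signal is not the count alone but what kind of names the engines agree on (generic/heuristic vs. a specific family). The following is an added example, not code from the thread or from any scanner service: it parses that format into structured results and groups the detection names into coarse categories. The keyword table used for grouping is this example's own assumption; the sample input is the report from post #32, copied verbatim.

```python
"""Parse a multi-engine scan report pasted into a forum post and summarise it.
Added example; not code from the Geeks to Go thread or from any scanner
service. The input format (an "[Engine]" line followed by a "YYYY-MM-DD
verdict" line) is taken from post #32; the keyword table that groups
detection names into coarse categories is this example's own assumption."""
import re
from collections import Counter

# Sample input: the report from post #32, copied verbatim.
SAMPLE_REPORT = """\
Scanners
[ArcaVir]
2010-05-26 Found nothing
[G DATA]
2010-05-27 Gen:Trojan.Heur.bqW@IDc2Troi
[Avast! antivirus]
2010-05-26 Win32:Malware-gen
[Ikarus]
2010-05-26 Trojan-Dropper.Win32.Malf
[Grisoft AVG Anti-Virus]
2010-05-26 Dropper.Generic2.KNB
[Kaspersky Anti-Virus]
2010-05-26 Found nothing
[Avira AntiVir]
2010-05-26 TR/Crypt.XDR.Gen
[ESET NOD32]
2010-05-26 Found nothing
[Softwin BitDefender]
2010-05-26 Gen:Trojan.Heur.bqW@IDc2Troi
[Panda Antivirus]
2010-05-26 Found nothing
[ClamAV]
2010-05-26 Found nothing
[Quick Heal]
2010-05-26 TrojanDropper.Malf
[CPsecure]
2010-05-26 Troj.PSW.W32.LdPinch.aepl
[Sophos]
2010-05-26 Sus/Behav-1018
[Dr.Web]
2010-05-27 Found nothing
[VirusBlokAda VBA32]
2010-05-26 Found nothing
[Frisk F-Prot Antivirus]
2010-05-26 W32/Dropper.gen8!Maximus
[VirusBuster]
2010-05-26 Found nothing
[F-Secure Anti-Virus]
2010-05-26 Found nothing
"""

ENGINE_RE = re.compile(r"^\[(?P<engine>[^\]]+)\]$")
VERDICT_RE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<verdict>.+)$")
# Ordered substring hints; the first match wins (assumed grouping, not a vendor taxonomy).
FAMILY_HINTS = (
    ("dropper", "dropper"),
    ("psw", "password stealer"),
    ("crypt", "packed/obfuscated"),
    ("sus/", "suspicious behaviour"),
    ("heur", "heuristic"),
    ("gen", "generic"),
)

def parse_report(text):
    """Return (engine, date, verdict) tuples; a clean result has verdict None."""
    results, engine = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENGINE_RE.match(line)
        if m:
            engine = m.group("engine")
            continue
        m = VERDICT_RE.match(line)
        if m and engine is not None:
            verdict = m.group("verdict").strip()
            if verdict.lower() == "found nothing":
                verdict = None
            results.append((engine, m.group("date"), verdict))
            engine = None  # a verdict line closes the current engine entry
    return results

def classify(verdict):
    """Map a vendor detection name to a coarse category (heuristic)."""
    lowered = verdict.lower()
    for needle, label in FAMILY_HINTS:
        if needle in lowered:
            return label
    return "other"

def summarise(text):
    """Count engines and detections and group the detection names by category."""
    results = parse_report(text)
    detections = [(e, v) for e, _, v in results if v]
    categories = dict(Counter(classify(v) for _, v in detections))
    return {"engines": len(results), "detections": len(detections), "categories": categories}

if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{s['detections']}/{s['engines']} engines flagged the file:", s["categories"])
```

On the pasted report this gives 10 of 19 engines flagging the file, with four of them calling it a dropper and most of the rest using generic or heuristic names; that spread (no two vendors agreeing on a specific family) is typical of a packed or freshly compiled sample and is why the helper asks for the actual file rather than relying on the names.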

#33 myrti (Expert, 2,580 posts)
Hi,

Please visit this site and upload the restored setup.exe there, so that I can take a look.

Have you noticed any pattern in the appearance of the file? For example does it usually appear when you surf the internet? Or when you play a game? Or something else?

regards myrti
  • 0

#34 therealex (Topic Starter, Member, 112 posts)
Hi,

No, it regenerates at odd times, often when I'm not even at the computer. Many times it will re-generate upon re-boot, but not necessarily.

I submitted the file, and got a "success" notice. But I also got a notice saying the site was being worked on and to try again in a couple of minutes. When I did so, I got an "improper submission" notice.

How long before I get a notification, in case it wasn't actually submitted properly? I noticed that it asked for a link to this thread.
  • 0

#35 therealex (Topic Starter, Member, 112 posts)
I re-submitted it, as there hasn't been a response yet.
  • 0

#36 myrti (Expert, 2,580 posts)
Hi,

I haven't received anything yet. Could you please try once more?

regards myrti
  • 0

#37 therealex (Topic Starter, Member, 112 posts)
Okay, I'll submit it for the third time. But I think there's something else going on here. I didn't see the iexplore.exe problem in safe mode, so something ISN'T being loaded in Safe Mode. I'm going to reboot, stay in SM for a few hours, and see what happens.
  • 0

#38 therealex (Topic Starter, Member, 112 posts)
I've kept it in safe mode for about two hours, and had no repeat of the iexplore.exe virus or the subsequent svchost error.

Now I've had it in normal mode for about 45 minutes and it has re-appeared. Isn't there SOME WAY to determine what's causing this? It's been almost two weeks, and I can't seem to track down the root cause.
  • 0

#39 therealex (Topic Starter, Member, 112 posts)
I've deleted wininit.ini, and I've tried to repair the MBR using MBRfix.

Let me put it this way:
I've put a lot of time into researching this, and I've seen over two dozen cases of this situation being reported. Not a single one was resolved.

Not one.

Numerous tests, using everything here (OTL, Combofix, HJT, Rootkit Revealer, GMER, Hitman Pro 3.5 - you name it.)

I ain't giving up. I want to find out what this piece of crap is, which is apparently infecting a lot of machines. Most are probably nuked, but who knows if that even fixes it?

Here's what happens when I rename iexplore.exe to something else, like .bad - the file regenerates within a couple of seconds. Now, is there some way to log what process is doing that? I have ProcessExplorer open, but there's no way I can find to log it.

Can we beat this [bleep] thing?
  • 0

#40 myrti (Expert, 2,580 posts)
Hi,

iexplore is very likely regenerated by Windows. It's trying to protect you from doing something stupid (not saying you did something stupid, it's just Windows knowing best what you should (not) do).
Feel free to try this out with other files as well (e.g. Windows Media Player or explorer.exe or...). You can get some info here: Windows File Protection

Please also don't forget that you restored an image 5 days ago, so that all the previous steps were undone.

The upload isn't working, for some reason. It might be blocked by the infection. I would like to try to upload with ComboFix. Therefore please download a fresh copy of ComboFix and run it.

Please also upload the following files to virustotal:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the browse button and navigate to the files listed below in bold, then click Submit. You will only be able to have one file scanned at a time.

C:\WINDOWS\SYSTEM32\DRIVERS\sysid.sys
C:\WINDOWS\system32\ckldrv.sys
c:\windows\system32\Spool\prtprocs\w32x86\aA555.dll (if present)

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

regards myrti
  • 0
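Post #39 asks whether there is a way to log what recreates the renamed file, and #40 answers that Windows File Protection is the likely cause. One check a practitioner can run without any extra tools is to watch the path and compare each regenerated copy against a known-good reference: a WFP restore is a copy of the cached original, so its hash matches the reference, whereas a file written by something else generally does not. The following is an added example, not code from the thread or from any tool named in it; the watched path, the reference copy and the polling interval are all the caller's choice, and the file used in demo() is constructed, not a real binary.

```python
"""Record when a file disappears and reappears, and whether the new copy is
byte-identical to a known-good reference.
Added example; not code from the thread or from any tool mentioned in it.
The watched path and the reference hash are the caller's choice and the
polling interval is an assumption. A file restored by Windows File
Protection is a copy of the cached original, so its hash matches the
reference; a file written by something else generally does not."""
import hashlib
import os
import shutil
import tempfile
import time

def sha256_of(path):
    """SHA-256 of a file, or None if it is absent or vanished before it could be read."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
    except FileNotFoundError:
        return None
    return digest.hexdigest()

class RecreationWatcher:
    """Tracks one path across successive poll() calls and reports transitions."""

    def __init__(self, path, reference_sha256=None):
        self.path = path
        self.reference = reference_sha256
        self.last_hash = sha256_of(path)
        self.events = []  # (timestamp, kind, sha256, verdict)

    def _verdict(self, digest):
        if self.reference is None:
            return "no reference"
        return "matches reference" if digest == self.reference else "DIFFERS from reference"

    def poll(self, now=None):
        """Compare the current state with the previous one; return an event or None."""
        now = time.time() if now is None else now
        current = sha256_of(self.path)
        event = None
        if current is None and self.last_hash is not None:
            event = ("removed", None)
        elif current is not None and self.last_hash is None:
            event = ("recreated", self._verdict(current))
        elif current is not None and current != self.last_hash:
            event = ("replaced", self._verdict(current))
        self.last_hash = current
        if event is not None:
            self.events.append((now, event[0], current, event[1]))
        return event

def watch(path, reference_sha256=None, interval=0.5, duration=60.0):
    """Poll `path` for `duration` seconds, printing each transition as it happens."""
    watcher = RecreationWatcher(path, reference_sha256)
    deadline = time.time() + duration
    while time.time() < deadline:
        event = watcher.poll()
        if event is not None:
            print(time.strftime("%H:%M:%S"), event[0], path, event[1] or "")
        time.sleep(interval)
    return watcher.events

def demo():
    """Drive the watcher through remove / identical restore / different rewrite in a
    temporary directory and return the (kind, verdict) pairs it observed."""
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "watched.exe")  # constructed file, not a real binary
        with open(target, "wb") as fh:
            fh.write(b"reference bytes")
        watcher = RecreationWatcher(target, sha256_of(target))
        watcher.poll()                       # unchanged: no event
        os.remove(target)
        watcher.poll()                       # removed
        with open(target, "wb") as fh:
            fh.write(b"reference bytes")     # same bytes, as a WFP restore would produce
        watcher.poll()                       # recreated, matches reference
        with open(target, "wb") as fh:
            fh.write(b"something else")      # different bytes
        watcher.poll()                       # replaced, differs from reference
        return [(kind, verdict) for _, kind, _, verdict in watcher.events]
    finally:
        shutil.rmtree(workdir, ignore_errors=True)

if __name__ == "__main__":
    for kind, verdict in demo():
        print(kind, verdict)
```

This does not tell you which process wrote the file; on Windows that is what a path filter in Sysinternals Process Monitor is for. What it does tell you is whether each regenerated copy is the same bytes as your reference, which is the outcome a WFP restore from the cache produces and a third-party dropper usually does not.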



#41 therealex (Topic Starter, Member, 112 posts)
Hi,

I know I restored the image, but that was because not only was the process not working, but I was unable to log on to my system (this was due to a BIOS error, but I didn't know that at the time.)

The results of the Jotti scan were negative:
Filename: sysid.sys
Status:
Scan finished. 0 out of 19 scanners reported malware.
File size: 5568 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 83594e7039b260ef470293bcc5975497
SHA1: 16923bd427e97f0fe454a21396b437834f1e3a97

Filename: ckldrv.sys
Status:
Scan finished. 0 out of 19 scanners reported malware.
File size: 24608 bytes
Filetype: PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5: 3eb6fceaaa6f270ef51cd04f7c2733e2
SHA1: 60f4d7bdf1d7b62291e8baa671429f5c3921f617

c:\windows\system32\Spool\prtprocs\w32x86\aA555.dll
Not present

I will run CF and post the results. I'm leaving the rogue iexplore.exe process running so that CF can see it.
  • 0

#42 therealex (Topic Starter, Member, 112 posts)
Here's the CF log:

ComboFix 10-05-29.05 - Russell Alexander 05/30/2010 10:25:13.3.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1926 [GMT -4:00]
Running from: c:\documents and settings\Russell Alexander\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Russell Alexander\Application Data\ACD Systems\ACDSee\ImageDB.ddf
c:\documents and settings\Russell Alexander\g2ax_expert_downloadhelper_win32_x86.exe
c:\documents and settings\Russell Alexander\g2mdlhlpx.exe
c:\windows\system\Drivers
c:\windows\system\Drivers\PQNTDRV.sys
c:\windows\system32\VB40032.DLL

.
((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 13:18 . 2010-05-29 13:18 503808 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcp71.dll
2010-05-29 13:18 . 2010-05-29 13:18 499712 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\jmc.dll
2010-05-29 13:18 . 2010-05-29 13:18 348160 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcr71.dll
2010-05-29 13:18 . 2010-05-29 13:18 61440 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-sse.dll
2010-05-29 13:18 . 2010-05-29 13:18 12800 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-d3d.dll
2010-05-29 13:18 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 01:14 . 2010-05-29 01:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-28 21:05 . 2010-05-29 02:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-28 21:05 . 2010-05-28 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-28 21:05 . 2010-05-28 21:05 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-28 14:14 . 2010-05-28 14:14 -------- d-----w- c:\program files\PortReporter
2010-05-28 14:13 . 2010-05-28 14:13 -------- d-----w- c:\temp\port reporter
2010-05-28 01:02 . 2010-05-28 01:02 -------- d-----w- C:\Backreg
2010-05-26 14:00 . 2010-05-26 14:02 -------- dc-h--w- c:\windows\ie8
2010-05-25 22:44 . 2010-05-25 22:53 -------- d-----w- C:\Lop SD
2010-05-25 04:11 . 2010-05-25 04:11 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-05-25 03:59 . 2010-05-28 01:53 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-25 03:17 . 2010-05-25 03:17 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-25 03:17 . 2010-05-25 03:17 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-25 03:16 . 2010-05-25 03:16 2 --shatr- c:\windows\winstart.bat
2010-05-24 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 23:59 . 2010-05-25 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 16:02 . 2010-05-23 16:02 -------- d-----w- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Painkiller Overdose

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 13:49 . 2004-11-20 07:09 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\MailWasherPro
2010-05-30 10:19 . 2007-04-05 01:55 -------- d-----w- c:\program files\LogMeIn
2010-05-29 22:58 . 2009-05-24 13:33 16608 ----a-w- c:\windows\gdrv.sys
2010-05-29 13:24 . 2002-05-20 22:34 -------- d-----w- c:\program files\Java
2010-05-29 13:19 . 2007-10-09 12:12 -------- d-----w- c:\program files\Common Files\Java
2010-05-27 22:07 . 2003-11-03 21:12 -------- d-----w- c:\program files\FTP Commander
2010-05-26 03:23 . 2009-08-20 16:27 -------- d-----w- c:\program files\3gp Player
2010-05-25 00:00 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Malwarebytes
2010-05-24 23:59 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-24 22:45 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Line 6
2010-05-24 22:44 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Line 6
2010-05-24 22:43 . 2010-01-15 21:27 -------- d-----w- c:\program files\Line6
2010-05-23 16:54 . 2009-04-14 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-23 15:47 . 2003-01-30 15:14 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-23 15:47 . 2006-05-31 14:17 -------- d-----w- c:\program files\Roxio
2010-05-23 15:47 . 2006-05-31 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-06 20:59 . 2009-04-29 22:49 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2009-04-29 22:48 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-04-29 22:49 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-04-29 22:49 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-04-29 22:49 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-04-29 22:49 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-04-29 22:49 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-04-29 22:49 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-04-29 22:49 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-01 23:29 . 2009-12-16 12:59 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-04-01 02:48 . 2010-04-01 02:48 411494 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{90CAF868-0B06-4C4A-A6E9-D0FD17C7BAE1}\controlPanelIcon.exe
2010-04-01 02:48 . 2010-04-01 02:48 -------- d-----w- c:\program files\Future Systems Solutions
2010-03-30 14:17 . 2010-03-03 21:58 3823960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-13 02:01 . 2005-01-28 15:59 16 ----a-w- c:\windows\system32\mswin32.drv
2010-03-10 06:15 . 2004-11-20 06:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 01:47 . 2008-11-26 05:29 171552 ----a-w- c:\windows\system32\guard32.dll
2010-03-10 01:47 . 2008-11-26 05:29 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-03-09 22:42 . 2010-03-09 22:42 1974272 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\L6TWXG.dll
2010-03-09 22:41 . 2010-03-09 22:41 1521152 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\data\twx\L6TWX.dll
2010-03-07 17:49 . 2010-03-24 22:03 3862528 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
2010-03-05 00:01 . 2006-09-29 16:05 29312 ----a-w- c:\windows\system32\drivers\l6dp.sys
2010-03-04 04:10 . 2010-03-04 04:10 8854 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\Uninstall_Don_t_Pani_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut11_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut1_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 2238 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\ARPPRODUCTICON.exe
2002-05-08 03:42 . 2002-05-07 17:50 11079 ---h--w- c:\program files\folder.htt
2001-12-02 08:18 . 2002-05-07 18:26 1586 ------w- c:\program files\MSO_INST.LOG
2008-04-10 20:00 . 2007-03-22 18:57 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-04-10 20:00 . 2007-03-22 18:57 107928 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-07-18 19:54 . 2007-04-05 01:56 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2009-11-18 18:03 . 2009-11-18 18:03 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
2002-06-24 11:59 . 2003-05-14 11:37 1025 --sh--w- c:\windows\page files\maxmeg.sys
2004-11-05 15:27 . 2004-07-24 17:45 10022 --sh--w- c:\windows\SYSTEM\KGyGaAvL.sys
2006-05-03 09:06 . 2007-02-09 22:58 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2007-06-02 21:54 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 19:02 8461312 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-09-27 503808]
"vscvol.exe"="h:\roland\VSC32\vscvol.exe" [2000-02-09 36864]
"vsc32cnf.exe"="h:\roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-30 1800464]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-28 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]
"iLike"="c:\program files\iLike\1.1.41\ilikesidebar.exe" [2008-02-12 63024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2001-08-23 30208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 20:20 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI7"=vscapi.dll
"WAVE6"=vscapi.dll
"wave1"=rddv1006.dll
"midi2"=rddv1006.dll
"mixer1"=rddv1006.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
backup=c:\windows\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 13:40 34904 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-10-14 15:28 133104 ----atw- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 20:03 125528 ------w- c:\program files\Common Files\AOL\1110494747\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 15:00 200767 ------w- e:\microsoft money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2005-09-01 00:27 1658592 ------w- c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ------w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
2006-01-03 14:58 208896 ------w- c:\windows\SYSTEM32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
2006-01-03 14:59 69632 ------w- c:\windows\SYSTEM32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 18:00 3072 ------w- c:\windows\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"AOL TopSpeedMonitor"=3 (0x3)
"AOL ACS"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"GoToMyPC"=3 (0x3)
"C-DillaCdaC11BA"=3 (0x3)
"iPod Service"=3 (0x3)
"UleadBurningHelper"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IntuitUpdateService"=3 (0x3)
"QBFCService"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Launchpad"=
"RFAgent"=m:\registryfirstaid\rfagent.exe
"SpybotSD TeaTimer"=m:\spybot - search & destroy\TeaTimer.exe
"Steam"="m:\half-life 2\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"ATIPTA"=atiptaxx.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"f:\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1110494747\\EE\\AOLServiceHost.exe"=
"f:\\bittorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AnalogX\\BitPump\\bitpump.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\SYSTEM32\DRIVERS\SI3112r.sys [5/12/2004 2:01 PM 97408]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\SYSTEM32\DRIVERS\tdrpm258.sys [12/15/2009 7:06 PM 911680]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/29/2009 6:49 PM 164048]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [11/26/2008 1:29 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [11/26/2008 1:29 AM 25160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\SYSTEM32\DRIVERS\sp_rsdrv2.sys [4/22/2009 11:26 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/29/2009 6:49 PM 19024]
R2 CX88XBAR;KWorld PVR 883 Crossbar;c:\windows\SYSTEM32\DRIVERS\cx88xbar.sys [7/4/2007 11:01 PM 8960]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/24/2009 9:37 AM 68136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/2/2007 5:58 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/24/2010 7:59 PM 304464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 2:19 PM 50704]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [12/19/2009 8:02 PM 188276]
R3 L6DP;L6DP;c:\windows\SYSTEM32\DRIVERS\l6dp.sys [9/29/2006 12:05 PM 29312]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\SYSTEM32\DRIVERS\L6TPortB.sys [1/15/2010 5:28 PM 532992]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/24/2010 7:59 PM 20952]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\SYSTEM32\DRIVERS\vsc.sys [1/1/2006 10:31 PM 951284]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S0 PQV2i;PQV2i; [x]
S1 c2scsi;c2scsi; [x]
S3 afcdp;afcdp;c:\windows\SYSTEM32\DRIVERS\afcdp.sys [12/15/2009 7:06 PM 160288]
S3 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/15/2009 7:06 PM 2480048]
S3 emuumidi;E-MU USB-MIDI Driver;c:\windows\SYSTEM32\DRIVERS\emuumidi.sys [3/14/2007 2:11 PM 37120]
S3 gupdate1c929d241ac157c;Google Update Service (gupdate1c929d241ac157c);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2008 1:45 AM 133104]
S3 Partizan;Partizan;c:\windows\SYSTEM32\DRIVERS\Partizan.sys [5/24/2010 11:17 PM 35816]
S3 PortReporter;Port Reporter;c:\program files\PortReporter\PortReporter.exe [5/28/2010 10:14 AM 90183]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\SYSTEM32\DRIVERS\p35u.sys [7/28/2008 9:15 PM 116448]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 RD1006;Roland UA-100;c:\windows\SYSTEM32\DRIVERS\rdwm1006.sys [11/20/2004 11:28 AM 169086]
S3 RegGuard;RegGuard;c:\windows\SYSTEM32\DRIVERS\regguard.sys [5/24/2010 11:59 PM 24416]
S3 s3legacy;s3legacy;c:\windows\SYSTEM32\DRIVERS\s3legacy.sys [10/22/2006 7:40 PM 65664]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sysid;sysid;c:\windows\SYSTEM32\DRIVERS\sysid.sys [4/15/2005 10:41 AM 5568]
S3 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
S3 U6000ALL;HDTV110 TV Box(ALL);c:\windows\SYSTEM32\DRIVERS\dmdcap.sys [12/13/2008 9:53 PM 230784]
S3 VGAUTI;VGAUTI;c:\windows\SYSTEM32\DRIVERS\vgauti.sys [9/24/2004 10:00 AM 39208]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003Core.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003UA.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]

2010-05-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by MSN
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: &AOL Toolbar search
IE: &search with URSEARCH Toolbar
IE: Add to Google Photos Screensa&ver
IE: Append to Existing PDF
IE: Convert link target to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with BitPump - c:\program files\AnalogX\BitPump\ieint.htm
Trusted Zone: accountonline.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: line6.net
Trusted Zone: turbotax.com
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
DPF: ChatSpace Java Client 2.1.0.84 - hxxp://63.102.227.45/Java/cs4ms084.cab
DPF: Dialpad Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: Dialpad US Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Serome Web2Phone - hxxp://www.dialpad.com/applet/vscp.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB}
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8C6C6922-6258-44AC-9912-53964AC55276} - hxxp://217.160.140.67/download/xloader10.cab
FF - ProfilePath - c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\{50997114-a686-4585-8fb9-ce1093a1cf75}\components\FFAlert.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPil86.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\download manager\npfpdlm.dll
FF - plugin: e:\realplayer\Netscape6\nppl3260.dll
FF - plugin: e:\realplayer\Netscape6\nprjplug.dll
FF - plugin: e:\realplayer\Netscape6\nprpjplug.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdrmv2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdsplay.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npmusicn.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npmusicn.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\NPOFF12.DLL
FF - plugin: f:\netscape\PROGRAM\Plugins\NPOFF12.DLL
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin3.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin4.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin5.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npwmsdrm.dll
FF - plugin: h:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-RoxioDragToDisc - n:\easy media creator 8\Drag to Disc\DrgToDsc.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
MSConfigStartUp-SBAMTray - c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe
AddRemove-AntiFreeze_is1 - m:\antifreeze\unins000.exe
AddRemove-Card Classics and Solitaire Gold - d:\card classics and solitaire gold\DeIsL1.isu
AddRemove-Card Games for Windows - d:\cosmi\Card Games for Windows\DeIsL1.isu
AddRemove-PCMagazineUninstallKey - m:\intern~1\DeIsL1.isu
AddRemove-Sophos-AntiRootkit - m:\sophos anti-rootkit\helper.exe
AddRemove-WildWest1.5 - d:\return to castle wolfenstein\Uninst1505.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 10:32
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,0b,a3,4e,39,fb,e1,6f,e1,7c,f9,09,76,5c,d0,e0,d9,0e,ec,64,a2,c4,5d,
4e,3c,3a,17,fd,d8,d5,45,ce,84,0f,56,9c,36,87,46,b0,27,5a,d4,94,1a,a2,81,1e,\
"??"=hex:2f,b6,6f,45,ee,e2,ec,0a,29,d5,69,d3,55,fd,2c,18

[HKEY_USERS\$$$\Software\SecuROM\License information*]
"datasecu"=hex:3f,d8,08,15,6f,be,39,d7,ec,d2,25,24,1e,c7,72,6a,59,91,53,10,85,
ca,2a,56,69,d5,29,f9,fa,bc,44,07,e7,7f,b2,72,dd,a1,06,fe,b4,4d,49,25,8e,5c,\
"rkeysecu"=hex:38,98,b0,2f,0e,4a,40,d1,71,86,9b,cb,a4,d4,42,6a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1344)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(1400)
c:\windows\system32\rddv1006.dll
.
Completion time: 2010-05-30 10:36:54
ComboFix-quarantined-files.txt 2010-05-30 14:36
ComboFix2.txt 2010-03-28 18:52
ComboFix3.txt 2010-03-27 18:29

Pre-Run: 15,381,915,136 bytes free
Post-Run: 15,304,132,608 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - C162531B43E997AF669B1D1990B65F21

#43
myrti

    Expert

  • 2,580 posts
Hi,

I was just pointing out that we also started again 5 days ago and that all info we checked before was no longer true. See for example the fact that the file is no longer there.

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
PQV2i
c2scsi
Collect::[100]
C:\windows\temp\setup.exe

Save this as CFScript.txt


[Posted image: dragging CFScript.txt onto ComboFix.exe]

Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

Could you please also try to run gmer again and provide a new log if possible.
regards myrti

#44
therealex

    Member

  • Topic Starter
  • 112 posts
Here's the combofix log, and after that there was something pretty interesting:

ComboFix 10-05-29.05 - Russell Alexander 05/30/2010 17:06:11.4.3 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2814.1780 [GMT -4:00]
Running from: c:\documents and settings\Russell Alexander\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Russell Alexander\Desktop\cfscript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PQV2I
-------\Service_c2scsi
-------\Service_PQV2i


((((((((((((((((((((((((( Files Created from 2010-04-28 to 2010-05-30 )))))))))))))))))))))))))))))))
.

2010-05-29 13:18 . 2010-04-12 21:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-29 01:14 . 2010-05-29 01:14 12872 ----a-w- c:\windows\system32\bootdelete.exe
2010-05-28 21:05 . 2010-05-29 02:42 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-28 21:05 . 2010-05-28 23:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-28 21:05 . 2010-05-28 21:05 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-28 14:14 . 2010-05-28 14:14 -------- d-----w- c:\program files\PortReporter
2010-05-28 14:13 . 2010-05-28 14:13 -------- d-----w- c:\temp\port reporter
2010-05-28 01:02 . 2010-05-28 01:02 -------- d-----w- C:\Backreg
2010-05-26 14:00 . 2010-05-26 14:02 -------- dc-h--w- c:\windows\ie8
2010-05-25 22:44 . 2010-05-25 22:53 -------- d-----w- C:\Lop SD
2010-05-25 04:11 . 2010-05-25 04:11 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-05-25 03:59 . 2010-05-28 01:53 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-05-25 03:17 . 2010-05-25 03:17 37600 ----a-w- c:\windows\system32\Partizan.exe
2010-05-25 03:17 . 2010-05-25 03:17 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2010-05-25 03:16 . 2010-05-25 03:16 2 --shatr- c:\windows\winstart.bat
2010-05-24 23:59 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-24 23:59 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-24 23:59 . 2010-05-25 00:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-23 16:02 . 2010-05-23 16:02 -------- d-----w- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Painkiller Overdose

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-05-30 21:16 . 2009-05-24 13:33 16608 ----a-w- c:\windows\gdrv.sys
2010-05-30 21:13 . 2004-11-20 07:09 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\MailWasherPro
2010-05-30 10:19 . 2007-04-05 01:55 -------- d-----w- c:\program files\LogMeIn
2010-05-29 13:24 . 2002-05-20 22:34 -------- d-----w- c:\program files\Java
2010-05-29 13:19 . 2007-10-09 12:12 -------- d-----w- c:\program files\Common Files\Java
2010-05-29 13:18 . 2010-05-29 13:18 503808 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcp71.dll
2010-05-29 13:18 . 2010-05-29 13:18 499712 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\jmc.dll
2010-05-29 13:18 . 2010-05-29 13:18 348160 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6d3ce1d6-n\msvcr71.dll
2010-05-29 13:18 . 2010-05-29 13:18 61440 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-sse.dll
2010-05-29 13:18 . 2010-05-29 13:18 12800 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-419705bf-n\decora-d3d.dll
2010-05-27 22:07 . 2003-11-03 21:12 -------- d-----w- c:\program files\FTP Commander
2010-05-26 03:23 . 2009-08-20 16:27 -------- d-----w- c:\program files\3gp Player
2010-05-25 00:00 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Malwarebytes
2010-05-24 23:59 . 2008-10-26 21:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-24 22:45 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Line 6
2010-05-24 22:44 . 2006-10-17 02:24 -------- d-----w- c:\documents and settings\Russell Alexander\Application Data\Line 6
2010-05-24 22:43 . 2010-01-15 21:27 -------- d-----w- c:\program files\Line6
2010-05-23 16:54 . 2009-04-14 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-05-23 15:47 . 2003-01-30 15:14 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-23 15:47 . 2006-05-31 14:17 -------- d-----w- c:\program files\Roxio
2010-05-23 15:47 . 2006-05-31 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Roxio
2010-05-06 20:59 . 2009-04-29 22:49 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-05-06 20:59 . 2009-04-29 22:48 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-05-06 20:39 . 2009-04-29 22:49 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-05-06 20:39 . 2009-04-29 22:49 164048 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-05-06 20:34 . 2009-04-29 22:49 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-05-06 20:33 . 2009-04-29 22:49 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-05-06 20:33 . 2009-04-29 22:49 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-05-06 20:33 . 2009-04-29 22:49 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-05-06 20:33 . 2009-04-29 22:49 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-01 23:29 . 2009-12-16 12:59 2469728 ----a-w- c:\windows\system32\AutoPartNt.exe
2010-04-01 02:48 . 2010-04-01 02:48 411494 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{90CAF868-0B06-4C4A-A6E9-D0FD17C7BAE1}\controlPanelIcon.exe
2010-04-01 02:48 . 2010-04-01 02:48 -------- d-----w- c:\program files\Future Systems Solutions
2010-03-30 14:17 . 2010-03-03 21:58 3823960 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2010-03-13 02:01 . 2005-01-28 15:59 16 ----a-w- c:\windows\system32\mswin32.drv
2010-03-10 06:15 . 2004-11-20 06:49 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-10 01:47 . 2008-11-26 05:29 171552 ----a-w- c:\windows\system32\guard32.dll
2010-03-10 01:47 . 2008-11-26 05:29 134344 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2010-03-09 22:42 . 2010-03-09 22:42 1974272 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\L6TWXG.dll
2010-03-09 22:41 . 2010-03-09 22:41 1521152 ----a-w- c:\documents and settings\All Users\Application Data\Line 6\L6TWXG\data\twx\L6TWX.dll
2010-03-07 17:49 . 2010-03-24 22:03 3862528 ----a-w- c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
2010-03-05 00:01 . 2006-09-29 16:05 29312 ----a-w- c:\windows\system32\drivers\l6dp.sys
2010-03-04 04:10 . 2010-03-04 04:10 8854 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\Uninstall_Don_t_Pani_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut11_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 40960 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\NewShortcut1_8B46024A8C904725AE476444109CF5A9.exe
2010-03-04 04:10 . 2010-03-04 04:10 2238 ----a-r- c:\documents and settings\Russell Alexander\Application Data\Microsoft\Installer\{8B46024A-8C90-4725-AE47-6444109CF5A9}\ARPPRODUCTICON.exe
2002-05-08 03:42 . 2002-05-07 17:50 11079 ---h--w- c:\program files\folder.htt
2001-12-02 08:18 . 2002-05-07 18:26 1586 ------w- c:\program files\MSO_INST.LOG
2008-04-10 20:00 . 2007-03-22 18:57 44360 ------w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-04-10 20:00 . 2007-03-22 18:57 107928 ------w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-07-18 19:54 . 2007-04-05 01:56 245408 ----a-w- c:\program files\mozilla firefox\plugins\unicows.dll
2009-11-18 18:03 . 2009-11-18 18:03 0 --sha-w- c:\windows\All Users\DRM\Cache\Indiv01.tmp
2002-06-24 11:59 . 2003-05-14 11:37 1025 --sh--w- c:\windows\page files\maxmeg.sys
2004-11-05 15:27 . 2004-07-24 17:45 10022 --sh--w- c:\windows\SYSTEM\KGyGaAvL.sys
2006-05-03 09:06 . 2007-02-09 22:58 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-02-21 10:47 . 2007-06-02 21:54 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]
@="{7D688A77-C613-11D0-999B-00C04FD655E1}"
[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]
2008-06-17 19:02 8461312 ----a-w- c:\windows\SYSTEM32\shell32.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FinePrint Dispatcher v5"="c:\windows\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-09-27 503808]
"vscvol.exe"="h:\roland\VSC32\vscvol.exe" [2000-02-09 36864]
"vsc32cnf.exe"="h:\roland\VSC32\vsc32cnf.exe" [2000-02-07 36864]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 63048]
"LVCOMS"="c:\program files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 98304]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]
"nwiz"="nwiz.exe" [2009-01-15 1657376]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-01-30 1800464]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-05-06 2815192]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"HitmanPro35"="c:\program files\Hitman Pro 3.5\HitmanPro35.exe" [2010-05-28 5937984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2007-05-30 5419008]
"iLike"="c:\program files\iLike\1.1.41\ilikesidebar.exe" [2008-02-12 63024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Printing Migration"="c:\windows\system32\spool\migrate.dll" [2001-08-23 30208]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoStartMenuSubFolders"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"<NO NAME>"= 00000000

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2009-10-01 20:20 87352 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI7"=vscapi.dll
"WAVE6"=vscapi.dll
"wave1"=rddv1006.dll
"midi2"=rddv1006.dll
"mixer1"=rddv1006.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
backup=c:\windows\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
backup=c:\windows\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^Registration Ghost Recon Advanced Warfighter.LNK]
backup=c:\windows\pss\Registration Ghost Recon Advanced Warfighter.LNKStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Russell Alexander^Start Menu^Programs^Startup^World Community Grid Agent.lnk]
backup=c:\windows\pss\World Community Grid Agent.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-10-20 13:40 34904 ------w- c:\program files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-10-14 15:28 133104 ----atw- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2004-11-03 20:03 125528 ------w- c:\program files\Common Files\AOL\1110494747\EE\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
2002-07-17 15:00 200767 ------w- e:\microsoft money\System\mnyexpr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2005-09-01 00:27 1658592 ------w- c:\program files\Messenger\Msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ------w- c:\windows\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-01-15 13:19 13680640 ----a-w- c:\windows\SYSTEM32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-05-26 21:18 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW20]
2006-01-03 14:58 208896 ------w- c:\windows\SYSTEM32\sw20.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SW24]
2006-01-03 14:59 69632 ------w- c:\windows\SYSTEM32\sw24.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemTray]
2001-08-23 18:00 3072 ------w- c:\windows\SYSTEM32\systray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"tmproxy"=2 (0x2)
"TmPfw"=2 (0x2)
"Tmntsrv"=2 (0x2)
"PcCtlCom"=2 (0x2)
"AOL TopSpeedMonitor"=3 (0x3)
"AOL ACS"=3 (0x3)
"Adobe LM Service"=3 (0x3)
"RoxLiveShare"=2 (0x2)
"LiveUpdate"=3 (0x3)
"iPodService"=3 (0x3)
"GoToMyPC"=3 (0x3)
"C-DillaCdaC11BA"=3 (0x3)
"iPod Service"=3 (0x3)
"UleadBurningHelper"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"IntuitUpdateService"=3 (0x3)
"QBFCService"=3 (0x3)
"Bonjour Service"=3 (0x3)
"Apple Mobile Device"=3 (0x3)
"TomTomHOMEService"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ATI Launchpad"=
"RFAgent"=m:\registryfirstaid\rfagent.exe
"SpybotSD TeaTimer"=m:\spybot - search & destroy\TeaTimer.exe
"Steam"="m:\half-life 2\steam.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]
"Tweak UI"=RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
"ATIPTA"=atiptaxx.exe
"StillImageMonitor"=c:\windows\SYSTEM32\STIMON.EXE
"QuickTime Task"="c:\windows\SYSTEM32\qttask.exe" -atboottime

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"f:\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\1110494747\\EE\\AOLServiceHost.exe"=
"f:\\bittorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\Msmsgs.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\AnalogX\\BitPump\\bitpump.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"c:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"f:\\QuickBooks 2007\\QBDBMgrN.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"h:\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=

R0 SI3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\SYSTEM32\DRIVERS\SI3112r.sys [5/12/2004 2:01 PM 97408]
R0 tdrpman258;Acronis Try&Decide and Restore Points filter (build 258);c:\windows\SYSTEM32\DRIVERS\tdrpm258.sys [12/15/2009 7:06 PM 911680]
R1 aswSP;aswSP;c:\windows\SYSTEM32\DRIVERS\aswSP.sys [4/29/2009 6:49 PM 164048]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\SYSTEM32\DRIVERS\cmdguard.sys [11/26/2008 1:29 AM 134344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\SYSTEM32\DRIVERS\cmdhlp.sys [11/26/2008 1:29 AM 25160]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\SYSTEM32\DRIVERS\sp_rsdrv2.sys [4/22/2009 11:26 PM 142592]
R2 aswFsBlk;aswFsBlk;c:\windows\SYSTEM32\DRIVERS\aswFsBlk.sys [4/29/2009 6:49 PM 19024]
R2 CX88XBAR;KWorld PVR 883 Crossbar;c:\windows\SYSTEM32\DRIVERS\cx88xbar.sys [7/4/2007 11:01 PM 8960]
R2 ES lite Service;ES lite Service for program management.;c:\program files\Gigabyte\EasySaver\essvr.exe [5/24/2009 9:37 AM 68136]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [6/2/2007 5:58 PM 12856]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [5/24/2010 7:59 PM 304464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\SYSTEM32\DRIVERS\npf.sys [10/20/2009 2:19 PM 50704]
R2 RVIEGVST;VSC VST Engine;c:\program files\Roland\Virtual Sound Canvas VST\RVIEg01VST.sys [12/19/2009 8:02 PM 188276]
R3 hitmanpro35;Hitman Pro 3.5 Support Driver;c:\windows\SYSTEM32\DRIVERS\hitmanpro35.sys [5/28/2010 5:05 PM 15944]
R3 L6DP;L6DP;c:\windows\SYSTEM32\DRIVERS\l6dp.sys [9/29/2006 12:05 PM 29312]
R3 L6TPortB;Service - Line 6 TonePort UX2;c:\windows\SYSTEM32\DRIVERS\L6TPortB.sys [1/15/2010 5:28 PM 532992]
R3 MBAMProtector;MBAMProtector;c:\windows\SYSTEM32\DRIVERS\mbam.sys [5/24/2010 7:59 PM 20952]
R3 vsc32;Virtual Sound Canvas 3.2;c:\windows\SYSTEM32\DRIVERS\vsc.sys [1/1/2006 10:31 PM 951284]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S3 afcdp;afcdp;c:\windows\SYSTEM32\DRIVERS\afcdp.sys [12/15/2009 7:06 PM 160288]
S3 afcdpsrv;Acronis Nonstop Backup service;c:\program files\Common Files\Acronis\CDP\afcdpsrv.exe [12/15/2009 7:06 PM 2480048]
S3 emuumidi;E-MU USB-MIDI Driver;c:\windows\SYSTEM32\DRIVERS\emuumidi.sys [3/14/2007 2:11 PM 37120]
S3 gupdate1c929d241ac157c;Google Update Service (gupdate1c929d241ac157c);c:\program files\Google\Update\GoogleUpdate.exe [10/9/2008 1:45 AM 133104]
S3 Partizan;Partizan;c:\windows\SYSTEM32\DRIVERS\Partizan.sys [5/24/2010 11:17 PM 35816]
S3 PortReporter;Port Reporter;c:\program files\PortReporter\PortReporter.exe [5/28/2010 10:14 AM 90183]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\SYSTEM32\DRIVERS\p35u.sys [7/28/2008 9:15 PM 116448]
S3 rcvpn;SonicWALL VPN Adapter;c:\windows\system32\DRIVERS\rcvpn.sys --> c:\windows\system32\DRIVERS\rcvpn.sys [?]
S3 RD1006;Roland UA-100;c:\windows\SYSTEM32\DRIVERS\rdwm1006.sys [11/20/2004 11:28 AM 169086]
S3 RegGuard;RegGuard;c:\windows\SYSTEM32\DRIVERS\regguard.sys [5/24/2010 11:59 PM 24416]
S3 s3legacy;s3legacy;c:\windows\SYSTEM32\DRIVERS\s3legacy.sys [10/22/2006 7:40 PM 65664]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
S3 sysid;sysid;c:\windows\SYSTEM32\DRIVERS\sysid.sys [4/15/2005 10:41 AM 5568]
S3 TomTomHOMEService;TomTomHOMEService;e:\tomtom home 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
S3 U6000ALL;HDTV110 TV Box(ALL);c:\windows\SYSTEM32\DRIVERS\dmdcap.sys [12/13/2008 9:53 PM 230784]
S3 VGAUTI;VGAUTI;c:\windows\SYSTEM32\DRIVERS\vgauti.sys [9/24/2004 10:00 AM 39208]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GTNDIS5
*NewlyCreated* - HITMANPRO35
*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2008-06-09 14:14 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
2008-04-14 00:12 73216 ------w- c:\program files\Outlook Express\setup50.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]
2001-03-23 20:17 7168 ------w- c:\windows\SYSTEM32\updcrl.exe
.
Contents of the 'Scheduled Tasks' folder

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-10-09 05:45]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003Core.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]

2010-05-30 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1220945662-362288127-839522115-1003UA.job
- c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-10-31 15:28]

2010-05-30 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-02-04 21:50]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mWindow Title = Microsoft Internet Explorer provided by MSN
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
IE: &AOL Toolbar search
IE: &search with URSEARCH Toolbar
IE: Add to Google Photos Screensa&ver
IE: Append to Existing PDF
IE: Convert link target to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - e:\adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Crawler Search - tbr:iemenu
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with BitPump - c:\program files\AnalogX\BitPump\ieint.htm
Trusted Zone: accountonline.com\www
Trusted Zone: intuit.com\ttlc
Trusted Zone: line6.net
Trusted Zone: turbotax.com
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
Name-Space Handler: ftp\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
Name-Space Handler: http\GetRightIEClickCatcher - {73BA8F12-723E-11D1-A9E2-00403320FCF2} - c:\progra~1\GetRight\xx2gr.dll
DPF: ChatSpace Java Client 2.1.0.84 - hxxp://63.102.227.45/Java/cs4ms084.cab
DPF: Dialpad Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: Dialpad US Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: DirectAnimation Java Classes
DPF: Internet Explorer Classes for Java
DPF: Microsoft XML Parser for Java
DPF: Serome Web2Phone - hxxp://www.dialpad.com/applet/vscp.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB}
DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2}
DPF: {76A2A0AB-38B7-46DB-8E47-F10CDE4D7920} - hxxp://aerial.leepa.org/ecwplugins/NCS.cab
DPF: {8C6C6922-6258-44AC-9912-53964AC55276} - hxxp://217.160.140.67/download/xloader10.cab
FF - ProfilePath - c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - component: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\{50997114-a686-4585-8fb9-ce1093a1cf75}\components\FFAlert.dll
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Russell Alexander\Application Data\Mozilla\Firefox\Profiles\8658kj9u.default\extensions\[email protected]\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\Russell Alexander\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPil86.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: d:\download manager\npfpdlm.dll
FF - plugin: e:\realplayer\Netscape6\nppl3260.dll
FF - plugin: e:\realplayer\Netscape6\nprjplug.dll
FF - plugin: e:\realplayer\Netscape6\nprpjplug.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdrmv2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npdsplay.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npmusicn.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\NPOFF12.DLL
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin2.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin3.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin4.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npqtplugin5.dll
FF - plugin: f:\netscape\PROGRAM\Plugins\npwmsdrm.dll
FF - plugin: h:\itunes\Mozilla Plugins\npitunes.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-30 19:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\$$$\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a4,0b,a3,4e,39,fb,e1,6f,e1,7c,f9,09,76,5c,d0,e0,d9,0e,ec,64,a2,c4,5d,
4e,3c,3a,17,fd,d8,d5,45,ce,84,0f,56,9c,36,87,46,b0,27,5a,d4,94,1a,a2,81,1e,\
"??"=hex:2f,b6,6f,45,ee,e2,ec,0a,29,d5,69,d3,55,fd,2c,18

[HKEY_USERS\$$$\Software\SecuROM\License information*]
"datasecu"=hex:3f,d8,08,15,6f,be,39,d7,ec,d2,25,24,1e,c7,72,6a,59,91,53,10,85,
ca,2a,56,69,d5,29,f9,fa,bc,44,07,e7,7f,b2,72,dd,a1,06,fe,b4,4d,49,25,8e,5c,\
"rkeysecu"=hex:38,98,b0,2f,0e,4a,40,d1,71,86,9b,cb,a4,d4,42,6a
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'lsass.exe'(1404)
c:\windows\system32\rddv1006.dll

- - - - - - - > 'explorer.exe'(14020)
c:\windows\system32\WININET.dll
c:\program files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Common Files\aolshare\aolshcpy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\COMODO\COMODO Internet Security\cmdagent.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\windows\system32\crypserv.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\LogMeIn\x86\RaMaint.exe
c:\program files\LogMeIn\x86\LogMeIn.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\smlogsvc.exe
f:\uphclean\uphclean.exe
c:\windows\system32\SearchIndexer.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
c:\program files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54Gv42.exe
c:\windows\system32\wscntfy.exe
c:\program files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
c:\program files\LogMeIn\x86\LMIGuardian.exe
.
**************************************************************************
.
Completion time: 2010-05-30 19:15:43 - machine was rebooted
ComboFix-quarantined-files.txt 2010-05-30 23:15
ComboFix2.txt 2010-05-30 14:36
ComboFix3.txt 2010-03-28 18:52
ComboFix4.txt 2010-03-27 18:29

Pre-Run: 15,359,689,216 bytes free
Post-Run: 15,352,502,784 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 681840A0E2949420EDFC66F931AFEE1A


Now, in order to run CF, I had to disable Avast and MBAM, as well as my firewall. When I checked MSConfig, I had a number of entries that were in my root folder that had never been there before. I started to uncheck them, then realized I should keep a record, so I canceled and started this reply.

I re-opened MSConfig, and guess what? All of those weird entries had disappeared! Here are some of the weird entries that I've found in my root:
IoU.sys
IPH.PH
key.sah
msbr (no extension)
NULL

and a number of others.

Jotti found nothing wrong with them, but why were they in MSConfig, and why did they then disappear? And IOU.sys is new, along with some .bin files.

I'm willing to work through this - I want to find out what this thing is and how to defeat it. Thanks for your help.
  • 0
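The posted log's "Supplementary Scan" block carries the browser settings a responder usually checks first: the user-hive ProxyServer value (here 0.0.0.0:80), the Trusted Zone additions, and the DPF (Download Program Files) ActiveX entries, two of which were fetched from bare IP addresses rather than hostnames. The Python below is an added triage example, not part of this thread and not ComboFix's own code. It parses lines in the format ComboFix prints (including its `hxxp://` defanging) and shortlists those three kinds of entry for manual review. The sample lines are constructed from the format shown in the log; the regexes, severity labels and wording of the reasons are my assumptions. It does not decide that anything is malicious: a ProxyServer value is listed whether or not ProxyEnable is on, and legacy intranet applets are often served from raw IPs.

```python
"""Triage helper for the 'Supplementary Scan' section of a ComboFix log.

Added example; not from the forum thread and not part of ComboFix.
It shortlists IE settings worth a second look: a ProxyServer value in
the user hive, Trusted Zone additions, and DPF ActiveX controls whose
source URL uses a bare IP address instead of a hostname.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample lines in the layout ComboFix uses for this section.
# 'hxxp' is ComboFix's own defanging of 'http'.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = 0.0.0.0:80
Trusted Zone: accountonline.com\\www
Trusted Zone: turbotax.com
DPF: Dialpad Java Applet - hxxp://www.dialpad.com/applet/src/vscp.cab
DPF: {8C6C6922-6258-44AC-9912-53964AC55276} - hxxp://217.160.140.67/download/xloader10.cab
DPF: {0B72CCA4-5F11-11D0-9CB5-0000C0EC9FDB}
FF - prefs.js: browser.startup.homepage - about:blank
"""

# Patterns are assumptions based on the log layout, not a ComboFix spec.
DPF_RE = re.compile(r"^DPF:\s*(?P<name>.+?)\s+-\s+(?P<url>hxxps?://\S+)$")
PROXY_RE = re.compile(r"^[um]Internet Settings,ProxyServer\s*=\s*(?P<proxy>\S+)$")
TRUSTED_RE = re.compile(r"^Trusted Zone:\s*(?P<host>\S+)$")


def refang(url):
    """Turn ComboFix's hxxp:// back into http:// so urlparse can read it."""
    return re.sub(r"^hxxp", "http", url, count=1)


def is_bare_ip(host):
    """True when the host part is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (severity, reason, original_line) tuples for manual review."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()

        m = PROXY_RE.match(line)
        if m:
            host = m.group("proxy").rsplit(":", 1)[0]
            if is_bare_ip(host) and ipaddress.ip_address(host).is_unspecified:
                findings.append(("high",
                                 "ProxyServer is the unspecified address 0.0.0.0; "
                                 "if ProxyEnable is set, IE traffic goes nowhere",
                                 line))
            else:
                findings.append(("medium",
                                 "explicit proxy configured; confirm it is intended",
                                 line))
            continue

        m = TRUSTED_RE.match(line)
        if m:
            findings.append(("low",
                             "site in the IE Trusted Zone; verify the user added it",
                             line))
            continue

        m = DPF_RE.match(line)
        if m:
            host = urlparse(refang(m.group("url"))).hostname or ""
            if is_bare_ip(host):
                findings.append(("medium",
                                 "ActiveX control sourced from a bare IP, not a hostname",
                                 line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:>6}] {reason}\n         {line}")
```

Run it against the real log by reading the file and passing its text to `triage()`; DPF entries without a URL (bare CLSIDs) and Firefox lines are deliberately ignored, since the point is to narrow the list, not to reproduce it.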

#45
myrti

    Expert

  • 2,580 posts
In which tab did they appear in msconfig?

Not finding anything definite about those files, but at least the first three files seem to belong to some kind of update process from AOL.

regards myrti
  • 0