Posts posted by Squirrel

  1. Dear Maniac,

    Yes, the page file is important--but I had turned it off so scanners would not waste time on it. Obviously once the system is back to normal it will be turned back on. The puzzle is why it never went.

    I contacted F-Secure and was told to uninstall all non-F-Secure AV, then reinstall F-Secure and rely entirely upon F-Secure, not reinstalling alternatives. Conflicts between AVs make sense for DeepGuard-type active monitoring, but the update concerned traces for scanning, and this should not cause program conflicts--files would just be passively examined. I am awaiting a fuller response.

    My concern is that F-Secure might actively be stopping other AV and their updates. F-Secure should not, as it would be illegal in the US, for example, in regard to antitrust laws (customers must be able to evaluate competitor software unless there is good reason, and then with notification). But then programmers at Google foolishly programmed Street View to pick up Wi-Fi network data--something Google's lawyers should have warned them was illegal.

    Best

    John

    Thanks John, nothing special in Junction log.

    Page file is very important. I suggest you read this article from Microsoft for more information:

    http://support.microsoft.com/kb/2267427

    You can restrict these things, but I personally advise you not to interfere with the operating system and Microsoft.

    You're right, this should be enough for Emsisoft. It seems to be a problem between them, so I suggest you contact their tech support - Emsisoft or F-Secure; they will help you.

    http://www.f-secure.com/en_EMEA/support/

    http://www.emsisoft.com/en/support/

  2. Maniac

    Apologies I did not see your more recent post.

    In F-Secure's connections list Emsisoft is given "allow" for both outbound and inbound. I do not see a way to give it an exception in the firewall other than this. The puzzle is that Emsisoft (I have rechecked) will download updates through the F-Secure firewall, but only if the rest of F-Secure is unloaded.

    John

    Very interesting... did you add them to the exceptions of the F-Secure Firewall? Maybe this is the problem. Yes, you can transfer your files.

  3. Maniac

    Apologies for not reading and understanding your last instruction.

    I ran junction again and it produced the following output:

    Junction v1.06 - Windows junction creator and reparse point viewer

    Copyright © 2000-2010 Mark Russinovich

    Sysinternals - www.sysinternals.com

    Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

    Failed to open \\?\c:\\System Volume Information: Access is denied.

    The existence of pagefile.sys is a mystery since XP is set not to use it and it should have been deleted, but a 2GB pagefile.sys file remains.

    John

  4. Maniac, thanks for your help.

    Malwarebytes can now update, but Emsisoft Anti-Malware cannot. Or rather, Emsisoft can update and connect to the internet provided F-Secure is unloaded down to only its firewall. Emsisoft has not had this problem before with F-Secure. I ran both Malwarebytes and F-Secure and they found nothing. Is it clean? Can I transfer files off the PC without transferring an infection?

    John

    What is the problem with MBAM? Run this tool and try again:

    1. Download FixPolicies.exe (by Bill Castner) and save it to your desktop.
    2. Double click on FixPolicies.exe to run it.
    3. Click on Install. It will create a folder named FixPolicies on your desktop.
    4. Open the FixPolicies folder.
    5. Double click on Fix_policies.cmd to run it. Command Prompt will open and close quickly; this is normal.

  5. Thanks Maniac,

    Here is the cut and paste from junction.

    Best

    John

    -- 19:14:30 3/10/10 - LocalSocketProtocol::readNextMessage

    (C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:172)

    readNextMessage: unexpected end of the ioDevice

    -- 19:14:30 3/10/10 - LocalSocketProtocol::decodeMessage

    (C:\Users\bitten\mendeley\manual\source\src\localSocket\LocalSocketProtocol.cpp:122)

    LocalSocketProtocol: message malformed: empty

    1. Please download Junction.zip and save it.
    2. Unzip it and put junction.exe in the Windows directory (C:\Windows).
    3. Go to Start => Run... and copy/paste the following command in the run box and click OK:
      cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

    4. A command window opens starting to scan the system. Wait until a log file opens. Copy and paste or attach the content of it.

  6. Maniac,

    Thanks for suggesting ESET Online Scanner. It took some time scanning but with nil result. Checked Malwarebytes but it still will not update, and indeed it stopped Firefox, requiring a reboot.

    Best

    John

    ESETSmartInstaller@High as downloader log:

    all ok

    # version=7

    # OnlineScannerApp.exe=1.0.0.1

    # OnlineScanner.ocx=1.0.0.6415

    # api_version=3.0.2

    # EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0

    # end=stopped

    # remove_checked=true

    # archives_checked=true

    # unwanted_checked=true

    # unsafe_checked=true

    # antistealth_checked=true

    # utc_time=2010-12-17 09:58:37

    # local_time=2010-12-17 09:58:37 (+0000, GMT Standard Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 3

    # compatibility_mode=2304 16777191 100 0 0 0 0 0

    # compatibility_mode=8192 67108863 100 0 3774 3774 0 0

    # scanned=73832

    # found=0

    # cleaned=0

    # scan_time=2964

    ESETSmartInstaller@High as downloader log:

    all ok

    # version=7

    # OnlineScannerApp.exe=1.0.0.1

    # OnlineScanner.ocx=1.0.0.6415

    # api_version=3.0.2

    # EOSSerial=9fde2087d1acce4f8ea1e5b4112ca3e0

    # end=finished

    # remove_checked=true

    # archives_checked=true

    # unwanted_checked=true

    # unsafe_checked=true

    # antistealth_checked=true

    # utc_time=2010-12-18 06:19:40

    # local_time=2010-12-18 06:19:40 (+0000, GMT Standard Time)

    # country="United Kingdom"

    # lang=1033

    # osver=5.1.2600 NT Service Pack 3

    # compatibility_mode=2304 16777175 100 0 0 0 0 0

    # compatibility_mode=8192 67108863 100 0 41668 41668 0 0

    # scanned=338992

    # found=0

    # cleaned=0

    # scan_time=38424

  7. Dear Maniac,

    Thanks, I followed your instructions and did an F-Secure scan, but this found nothing. I then retried Malwarebytes. Unfortunately it still refused to connect, as did other AV programs when tested, even though Firefox and Chrome have no problems accessing the internet.

    I then ran ComboFix several times (the first time it needed the Windows console); next I added that, fully turned off F-Secure [unplugging the PC from the router] and killed all background programs. This seemed to be positive. Ran F-Secure again, which found Malware!Gemini.

    Unfortunately, even though this was quarantined, the situation of not being able to update Malwarebytes and other AV programs remains, in spite of Firefox, Chrome and F-Secure being able to access the internet.

    Malwarebytes gives the error PROGRAM_ERROR_UPDATING (12002, 0, WinHttpReceiveResponse).

    I have cut and pasted below the logs from F-Secure and ComboFix.

    Best

    John

    This is the F-Secure log -- note the file XXOLDTRASH.MBX dates back to 2003.

    17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini BEGIN

    ;

    ;Log created by USS version 4.10.16410

    ;

    17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" quarantined success

    17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini file "C:\PROGRAM FILES\REGSEEKER\REGSEEKER.EXE" deleted success

    17.12.2010 04:42:42 Suspicious:W32/Malware!Gemini END

    17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini BEGIN

    ;

    ;Log created by USS version 4.10.16410

    ;

    17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" quarantined success

    17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini file "F:\SYSTEM VOLUME INFORMATION\_RESTORE{C4365319-5737-4505-B996-8F6CA36D2EBD}\RP90\A0018870.EXE" deleted success

    17.12.2010 05:19:28 Suspicious:W32/Malware!Gemini END

    17.12.2010 05:36:08 Exploit.Iframe.Vulnerability BEGIN

    ;

    ;Log created by USS version 4.10.16410

    ;

    17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" quarantined failed

    17.12.2010 05:36:08 Exploit.Iframe.Vulnerability file "J:\EMAIL BACKUP\__HOME_EMAIL\EUDORA6\XXOLDTRASH.MBX" deleted failed

    17.12.2010 05:36:08 Exploit.Iframe.Vulnerability END

    17.12.2010 05:40:01 Exploit.Iframe.Vulnerability BEGIN

    ;

    ;Log created by USS version 4.10.16410

    ;

    17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" quarantined failed

    17.12.2010 05:40:01 Exploit.Iframe.Vulnerability file "J:\ARCHIVE\MY OTHER DOCUMENTS\EUDORA5\XXOLDTRASH.MBX" deleted failed

    17.12.2010 05:40:01 Exploit.Iframe.Vulnerability END

    ----------------------------------------------------------------------

    ComboFix log

    ComboFix 10-12-14.05 - Administrator 17/12/2010 3:44.6.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1503 [GMT 0:00]

    Running from: l:\d\Combo-Fix.exe

    Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

    FW: F-Secure Client Security 9.01 *Disabled* {D4747503-0346-49EB-9262-997542F79BF4}

    .

    ((((((((((((((((((((((((( Files Created from 2010-11-17 to 2010-12-17 )))))))))))))))))))))))))))))))

    .

    2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

    2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

    2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

    2010-12-15 01:25 . 2010-12-17 03:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-12-14 13:09 . 2010-12-17 02:44 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

    2010-12-13 05:54 . 2010-12-17 02:46 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

    2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

    2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

    2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

    2010-11-30 12:22 . 2010-12-17 03:38 -------- d-----w- c:\program files\Everything

    2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

    2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

    2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

    2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

    2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

    2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

    2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

    2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

    2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

    2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

    2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

    2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

    2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

    2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

    2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

    2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

    2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

    2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

    2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

    2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

    2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

    2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

    2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

    2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

    2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

    2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

    .

    ((((((((((((((((((((((((((((( SnapShot_2010-12-16_18.58.23 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2003-02-07 18:24 . 2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    - 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

    + 2003-02-07 18:24 . 2010-12-17 02:38 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    - 2003-02-07 18:24 . 2010-12-14 02:55 32768 f:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

    + 2009-12-11 15:38 . 2010-12-17 02:38 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat

    - 2009-12-11 15:38 . 2010-12-14 02:55 16384 f:\windows\system32\config\systemprofile\IETldCache\index.dat

    + 2010-12-17 02:44 . 2010-12-17 02:44 1867776 f:\windows\Installer\7a5e0.msi

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

    "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

    "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoWinKeys"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 01000000

    "NoRecentDocsNetHood"= 01000000

    "NoSMMyDocs"= 01000000

    "NoSMMyPictures"= 00000000

    "NoNetworkConnections"= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

    "WService"=WService.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

    "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

    "nwiz"=nwiz.exe /install

    "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

    R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

    R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

    R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

    S0 Lbd;Lbd; [x]

    S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

    S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

    S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

    S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

    S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

    S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

    S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

    S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

    S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

    S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

    S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

    S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

    S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

    S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

    S4 NProtectService;Norton Unerase Protection; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    getPlusHelper REG_MULTI_SZ getPlusHelper

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    WINRM REG_MULTI_SZ WINRM

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    2010-12-17 f:\windows\Tasks\GlaryInitialize.job

    - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

    2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-17 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-17 f:\windows\Tasks\WGASetup.job

    - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

    IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

    LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

    DPF: DirectAnimation Java Classes

    DPF: Microsoft XML Parser for Java

    FF - ProfilePath -

    .

    .

    ------- File Associations -------

    .

    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-12-17 03:49

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

    "Licence0"="04F0D21-79D8-7A25-D702-433F"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

    @DACL=(02 0000)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)

    f:\windows\system32\Ati2evxx.dll

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'lsass.exe'(812)

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'explorer.exe'(1728)

    f:\windows\system32\WININET.dll

    c:\program files\Logitech\MouseWare\System\LgWndHk.dll

    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

    c:\program files\MozyHome\mozyshell.dll

    c:\program files\MozyHome\LIBEAY32.dll

    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

    f:\windows\system32\msi.dll

    f:\windows\system32\ieframe.dll

    f:\windows\system32\webcheck.dll

    f:\windows\system32\WPDShServiceObj.dll

    f:\windows\system32\PortableDeviceTypes.dll

    f:\windows\system32\PortableDeviceApi.dll

    f:\windows\System32\netshell.dll

    .

    Completion time: 2010-12-17 03:51:00

    ComboFix-quarantined-files.txt 2010-12-17 03:50

    ComboFix2.txt 2010-12-17 03:34

    ComboFix3.txt 2010-12-17 03:24

    ComboFix4.txt 2010-12-16 19:00

    ComboFix5.txt 2010-12-17 03:41

    Pre-Run: 55,017,357,312 bytes free

    Post-Run: 54,987,948,032 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    UnsupportedDebug="do not select this" /debug

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

    - - End Of File - - 12F0778DACDA0CDA4AC1CD18015FE842

  8. Maniac,

    I notice ComboFix also created ComboFix-quarantined-files.txt. Here it is in case it is of any use.

    Best

    John

    2010-12-15 11:57:52 . 2010-12-15 11:57:52 1,154 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat

    2010-12-15 11:57:51 . 2010-12-15 11:57:51 494 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-SiS7018.reg.dat

    2010-12-15 11:56:39 . 2010-12-15 11:56:39 853 ----a-w- F:\Qoobox\Quarantine\Registry_backups\WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98}.reg.dat

    2010-12-15 11:56:37 . 2010-12-15 11:56:38 798 ----a-w- F:\Qoobox\Quarantine\Registry_backups\Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98}.reg.dat

    2010-12-15 11:56:35 . 2010-12-15 11:56:35 571 ----a-w- F:\Qoobox\Quarantine\Registry_backups\BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed}.reg.dat

    2010-12-15 11:53:52 . 2010-12-15 11:53:52 336 ----a-w- F:\Qoobox\Quarantine\G\av1.zip

    2010-12-15 11:53:52 . 2004-05-01 02:01:00 53 ----a-w- F:\Qoobox\Quarantine\G\Autorun.inf.vir

    2010-12-15 11:32:39 . 2010-12-16 18:56:28 9,080 ----a-w- F:\Qoobox\Quarantine\Registry_backups\tcpip.reg

    2010-12-15 11:27:31 . 2010-12-16 18:50:12 153 ----a-w- F:\Qoobox\Quarantine\catchme.log

    2010-08-16 11:45:28 . 2007-12-15 08:07:52 90,112 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\ccrpTmr6.dll.vir

    2004-02-16 10:56:05 . 2007-06-27 07:13:31 0 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WIN.INI.vir

    2003-04-08 10:48:22 . 1999-08-16 18:20:56 715 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\system\color\DivioCAM.icm.vir

    2002-09-07 17:23:46 . 2002-09-07 17:23:46 28,672 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WService.exe.vir

    1999-12-06 23:00:00 . 1999-12-06 23:00:00 24,956 -c--a-w- F:\Qoobox\Quarantine\F\WINDOWS\twain_16.dll.vir

    1617-10-04 18:22:49 . 1617-10-04 18:22:49 3,120 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\42KJE738.ocx.vir
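    As an added example, not part of John's post and not code from ComboFix or any of the tools in this thread: a small Python triage script that parses lines in the ComboFix-quarantined-files.txt format above and flags the entries a responder would look at first, such as timestamps outside a sane window (the 1617 stamp on 42KJE738.ocx), random-looking eight-character file names, and executables pulled out of system32. It assumes the first timestamp is the file's creation time and the second its last-write time, as ComboFix conventionally prints them; the cut-off dates and the name heuristic are arbitrary choices, and the sample lines are copied from the listing above. An impossible date like 1617 normally means a corrupted or deliberately altered timestamp, so treat it as a prompt to examine the file further, not as proof of infection.

```python
import ntpath
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample input: lines copied from the quarantine listing posted above.
SAMPLE_LINES = [
    r"2010-12-15 11:57:52 . 2010-12-15 11:57:52 1,154 ----a-w- F:\Qoobox\Quarantine\Registry_backups\AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7}.reg.dat",
    r"2010-12-15 11:53:52 . 2004-05-01 02:01:00 53 ----a-w- F:\Qoobox\Quarantine\G\Autorun.inf.vir",
    r"2010-08-16 11:45:28 . 2007-12-15 08:07:52 90,112 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\ccrpTmr6.dll.vir",
    r"2002-09-07 17:23:46 . 2002-09-07 17:23:46 28,672 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\WService.exe.vir",
    r"1617-10-04 18:22:49 . 1617-10-04 18:22:49 3,120 ----a-w- F:\Qoobox\Quarantine\F\WINDOWS\system32\42KJE738.ocx.vir",
]

# When the scan ran (the log in the thread says 2010-12-16 19:00). Anything stamped
# after it, or before EARLIEST_SANE (an arbitrary cut-off), is suspect.
SCAN_TIME = datetime(2010, 12, 16, 19, 0, 0)
EARLIEST_SANE = datetime(1995, 1, 1)

# Listing line: "<ts1> . <ts2> <size> <attrs> <path>".
# Assumption: ts1 is the creation time and ts2 the last-write time.
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
BINARY_EXT = {".exe", ".dll", ".ocx", ".sys", ".scr"}
SYSTEM_DIR = "\\windows\\system32\\"


@dataclass
class QuarantineEntry:
    created: datetime
    modified: datetime
    size: int
    attrs: str
    path: str
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[QuarantineEntry]:
    """Return an entry for a listing line, or None for any other text."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fmt = "%Y-%m-%d %H:%M:%S"
    return QuarantineEntry(
        created=datetime.strptime(m["created"], fmt),
        modified=datetime.strptime(m["modified"], fmt),
        size=int(m["size"].replace(",", "")),
        attrs=m["attrs"],
        path=m["path"],
    )


def original_name(path: str) -> str:
    """Strip the .vir suffix ComboFix appends, leaving the original file name."""
    name = ntpath.basename(path)
    return name[:-4] if name.lower().endswith(".vir") else name


def looks_random(stem: str) -> bool:
    """Crude heuristic: an 8-character alphanumeric stem with three or more
    digits (e.g. 42KJE738) deserves a second look; product names rarely do."""
    if not re.fullmatch(r"[A-Za-z0-9]{8}", stem):
        return False
    digits = sum(c.isdigit() for c in stem)
    return 3 <= digits < 8


def triage(entry: QuarantineEntry, scan_time: datetime = SCAN_TIME) -> List[str]:
    """Attach review flags to one entry; an empty list means nothing stood out."""
    flags: List[str] = []
    for label, ts in (("created", entry.created), ("modified", entry.modified)):
        if ts < EARLIEST_SANE or ts > scan_time:
            flags.append(f"implausible {label} timestamp {ts:%Y-%m-%d}")
    if entry.modified < entry.created:
        # Normal for copied or extracted files, so weak on its own.
        flags.append("last-write earlier than creation (copied-in file; weak signal)")
    stem, ext = ntpath.splitext(original_name(entry.path))
    if looks_random(stem):
        flags.append(f"random-looking file name {stem}{ext}")
    if ext.lower() in BINARY_EXT and SYSTEM_DIR in entry.path.lower():
        flags.append("executable quarantined from the system directory")
    entry.flags = flags
    return flags


def triage_listing(lines: Iterable[str], scan_time: datetime = SCAN_TIME) -> Dict[str, List[str]]:
    """Parse a whole listing and return {path: flags}; non-listing lines are skipped."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        entry = parse_line(line)
        if entry is not None:
            report[entry.path] = triage(entry, scan_time)
    return report


def triage_sample() -> Dict[str, List[str]]:
    return triage_listing(SAMPLE_LINES)


if __name__ == "__main__":
    for path, flags in triage_sample().items():
        print("!!" if flags else "  ", ntpath.basename(path))
        for f in flags:
            print("     -", f)
```

    Run it against a full ComboFix-quarantined-files.txt by passing the file's lines to `triage_listing`; prose such as "Best" or "John" is ignored because it does not match the line pattern. The registry-backup entries produce no flags, while 42KJE738.ocx collects four, which is the ordering a responder wants before opening anything.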

    Thanks Maniac,

    This is a bit of a learning curve for me, so apologies for not realizing that WinPatrol should have been disabled.

    I installed the Recovery Console. Here is the new ComboFix.txt.

    Best

    John

    ComboFix 10-12-14.05 - Administrator 16/12/2010 18:53:44.3.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT 0:00]

    Running from: l:\d\Combo-Fix.exe

    Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

    FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

    .

    ((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))

    .

    2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

    2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

    2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

    2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

    2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

    2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

    2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

    2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

    2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

    2010-11-30 12:22 . 2010-12-16 17:47 -------- d-----w- c:\program files\Everything

    2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

    2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

    2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

    2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

    2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

    2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

    2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

    2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

    2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

    2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

    2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

    2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

    2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

    2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

    2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

    2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

    2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

    2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

    2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

    2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

    2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

    2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

    2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

    2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

    2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

    2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-15_11.54.38 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-07-11 16:04 . 2010-11-03 13:12 46080 f:\windows\system32\tzchange.exe

    - 2008-07-11 16:04 . 2010-06-21 14:46 46080 f:\windows\system32\tzchange.exe

    + 2009-09-21 14:25 . 2009-05-26 11:40 17272 f:\windows\system32\spmsg.dll

    - 2009-09-21 14:25 . 2007-11-30 05:39 17272 f:\windows\system32\spmsg.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 66560 f:\windows\system32\mshtmled.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 66560 f:\windows\system32\mshtmled.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 55296 f:\windows\system32\msfeedsbs.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 55296 f:\windows\system32\msfeedsbs.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 25600 f:\windows\system32\jsproxy.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 25600 f:\windows\system32\jsproxy.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 12800 f:\windows\system32\dllcache\xpshims.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 12800 f:\windows\system32\dllcache\xpshims.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 66560 f:\windows\system32\dllcache\mshtmled.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 66560 f:\windows\system32\dllcache\mshtmled.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 55296 f:\windows\system32\dllcache\msfeedsbs.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 55296 f:\windows\system32\dllcache\msfeedsbs.dll

    + 2009-03-08 03:34 . 2010-11-06 00:26 43520 f:\windows\system32\dllcache\licmgr10.dll

    - 2009-03-08 03:34 . 2010-09-10 05:58 43520 f:\windows\system32\dllcache\licmgr10.dll

    - 2009-03-08 03:33 . 2010-09-10 05:58 25600 f:\windows\system32\dllcache\jsproxy.dll

    + 2009-03-08 03:33 . 2010-11-06 00:26 25600 f:\windows\system32\dllcache\jsproxy.dll

    + 2010-11-16 12:36 . 2010-12-16 18:27 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

    + 2010-02-28 02:22 . 2010-02-28 02:22 48504 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBTRAP.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 12800 f:\windows\ie8updates\KB2416400-IE8\xpshims.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 66560 f:\windows\ie8updates\KB2416400-IE8\mshtmled.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 55296 f:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 43520 f:\windows\ie8updates\KB2416400-IE8\licmgr10.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 25600 f:\windows\ie8updates\KB2416400-IE8\jsproxy.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 206848 f:\windows\system32\occache.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 206848 f:\windows\system32\occache.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 611840 f:\windows\system32\mstime.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 611840 f:\windows\system32\mstime.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 602112 f:\windows\system32\msfeeds.dll

    - 2009-03-08 03:32 . 2010-09-10 05:58 602112 f:\windows\system32\msfeeds.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 184320 f:\windows\system32\iepeers.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 184320 f:\windows\system32\iepeers.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 387584 f:\windows\system32\iedkcs32.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 387584 f:\windows\system32\iedkcs32.dll

    + 2006-02-28 12:00 . 2010-11-03 12:26 173568 f:\windows\system32\ie4uinit.exe

    + 2003-02-07 17:59 . 2010-12-16 18:38 396752 f:\windows\system32\FNTCACHE.DAT

    - 2003-02-07 17:59 . 2010-12-15 07:20 396752 f:\windows\system32\FNTCACHE.DAT

    - 2009-06-26 16:50 . 2010-09-10 05:58 916480 f:\windows\system32\dllcache\wininet.dll

    + 2009-06-26 16:50 . 2010-11-06 00:26 916480 f:\windows\system32\dllcache\wininet.dll

    - 2009-03-08 03:34 . 2010-09-10 05:58 206848 f:\windows\system32\dllcache\occache.dll

    + 2009-03-08 03:34 . 2010-11-06 00:26 206848 f:\windows\system32\dllcache\occache.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 611840 f:\windows\system32\dllcache\mstime.dll

    - 2009-03-08 03:32 . 2010-09-10 05:58 611840 f:\windows\system32\dllcache\mstime.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 602112 f:\windows\system32\dllcache\msfeeds.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 602112 f:\windows\system32\dllcache\msfeeds.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 247808 f:\windows\system32\dllcache\ieproxy.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 247808 f:\windows\system32\dllcache\ieproxy.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 184320 f:\windows\system32\dllcache\iepeers.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 184320 f:\windows\system32\dllcache\iepeers.dll

    - 2010-06-11 12:45 . 2010-09-10 05:58 743424 f:\windows\system32\dllcache\iedvtool.dll

    + 2010-06-11 12:45 . 2010-11-06 00:26 743424 f:\windows\system32\dllcache\iedvtool.dll

    - 2009-03-08 13:09 . 2010-09-10 05:58 387584 f:\windows\system32\dllcache\iedkcs32.dll

    + 2009-03-08 13:09 . 2010-11-06 00:26 387584 f:\windows\system32\dllcache\iedkcs32.dll

    + 2009-03-08 03:32 . 2010-11-03 12:26 173568 f:\windows\system32\dllcache\ie4uinit.exe

    + 2010-04-20 05:30 . 2010-10-28 13:13 290048 f:\windows\system32\dllcache\atmfd.dll

    + 2010-07-22 02:43 . 2010-07-22 02:43 257024 f:\windows\Installer\68d44b4.msp

    + 2010-12-09 11:39 . 2010-12-09 11:39 720896 f:\windows\Installer\68d4493.msp

    - 2010-11-16 12:36 . 2010-11-16 13:22 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

    + 2010-03-01 04:56 . 2010-03-01 04:56 604024 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBCONV.DLL

    + 2010-01-09 21:50 . 2010-01-09 21:50 119160 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSCONV97.DLL

    + 2010-03-01 04:56 . 2010-03-01 04:56 457104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MORPH9.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 916480 f:\windows\ie8updates\KB2416400-IE8\wininet.dll

    + 2010-12-16 18:27 . 2010-07-05 13:16 382840 f:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll

    + 2010-12-16 18:27 . 2010-02-22 14:23 231288 f:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe

    + 2010-12-16 18:27 . 2010-09-10 05:58 206848 f:\windows\ie8updates\KB2416400-IE8\occache.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 611840 f:\windows\ie8updates\KB2416400-IE8\mstime.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 602112 f:\windows\ie8updates\KB2416400-IE8\msfeeds.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 247808 f:\windows\ie8updates\KB2416400-IE8\ieproxy.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 184320 f:\windows\ie8updates\KB2416400-IE8\iepeers.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 743424 f:\windows\ie8updates\KB2416400-IE8\iedvtool.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 387584 f:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll

    + 2010-12-16 18:27 . 2010-08-26 12:22 173056 f:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe

    + 2006-02-28 12:00 . 2010-11-06 00:26 1210880 f:\windows\system32\urlmon.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 1210880 f:\windows\system32\urlmon.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 5959168 f:\windows\system32\mshtml.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 1991680 f:\windows\system32\iertutil.dll

    + 2009-04-17 12:26 . 2010-10-26 13:25 1853312 f:\windows\system32\dllcache\win32k.sys

    + 2009-06-26 16:50 . 2010-11-06 00:26 1210880 f:\windows\system32\dllcache\urlmon.dll

    - 2009-06-26 16:50 . 2010-09-10 05:58 1210880 f:\windows\system32\dllcache\urlmon.dll

    + 2009-07-18 16:05 . 2010-11-06 00:26 5959168 f:\windows\system32\dllcache\mshtml.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 1991680 f:\windows\system32\dllcache\iertutil.dll

    + 2010-10-08 22:12 . 2010-10-08 22:12 8354304 f:\windows\Installer\68d445e.msp

    + 2010-11-19 13:34 . 2010-11-19 13:34 3459584 f:\windows\Installer\68d443c.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1002496 f:\windows\Installer\68d441b.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1121792 f:\windows\Installer\68d441a.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1310720 f:\windows\Installer\68d4419.msp

    - 2010-11-16 12:36 . 2010-11-16 13:22 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

    + 2010-03-01 05:20 . 2010-03-01 05:20 2323840 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKWORD.DLL

    + 2010-03-01 05:20 . 2010-03-01 05:20 2102656 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKPOWERPOINT.DLL

    + 2010-03-01 05:20 . 2010-03-01 05:20 3355008 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKEXCEL.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 1210880 f:\windows\ie8updates\KB2416400-IE8\urlmon.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 5957120 f:\windows\ie8updates\KB2416400-IE8\mshtml.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 1986560 f:\windows\ie8updates\KB2416400-IE8\iertutil.dll

    + 2005-05-31 22:17 . 2010-12-16 18:23 37366216 f:\windows\system32\MRT.exe

    + 2009-03-08 03:39 . 2010-11-06 00:26 11080704 f:\windows\system32\ieframe.dll

    + 2009-07-19 17:48 . 2010-11-06 00:26 11080704 f:\windows\system32\dllcache\ieframe.dll

    + 2010-11-11 12:52 . 2010-11-11 12:52 13486592 f:\windows\Installer\68d4481.msp

    + 2010-03-01 04:56 . 2010-03-01 04:56 10272104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSPUB.EXE

    + 2010-12-16 18:27 . 2010-09-10 05:58 11080192 f:\windows\ie8updates\KB2416400-IE8\ieframe.dll

    .

    -- Snapshot reset to current date --

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

    "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

    "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoWinKeys"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 01000000

    "NoRecentDocsNetHood"= 01000000

    "NoSMMyDocs"= 01000000

    "NoSMMyPictures"= 00000000

    "NoNetworkConnections"= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

    "WService"=WService.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

    "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

    "nwiz"=nwiz.exe /install

    "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

    R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

    R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

    R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

    S0 Lbd;Lbd; [x]

    S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

    S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

    S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

    S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

    S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

    S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

    S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

    S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

    S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

    S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

    S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

    S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

    S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

    S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

    S4 NProtectService;Norton Unerase Protection; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    getPlusHelper REG_MULTI_SZ getPlusHelper

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    WINRM REG_MULTI_SZ WINRM

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    2010-12-16 f:\windows\Tasks\GlaryInitialize.job

    - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

    2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-16 f:\windows\Tasks\WGASetup.job

    - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

    IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

    LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

    DPF: DirectAnimation Java Classes

    DPF: Microsoft XML Parser for Java

    FF - ProfilePath -

    .

    .

    ------- File Associations -------

    .

    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-12-16 18:58

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

    "Licence0"="04F0D21-79D8-7A25-D702-433F"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

    @DACL=(02 0000)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)

    f:\windows\system32\Ati2evxx.dll

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'lsass.exe'(808)

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'explorer.exe'(2076)

    f:\windows\system32\WININET.dll

    c:\program files\Logitech\MouseWare\System\LgWndHk.dll

    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

    c:\program files\MozyHome\mozyshell.dll

    c:\program files\MozyHome\LIBEAY32.dll

    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

    f:\windows\system32\msi.dll

    f:\windows\system32\ieframe.dll

    f:\windows\system32\webcheck.dll

    f:\windows\system32\WPDShServiceObj.dll

    f:\windows\system32\PortableDeviceTypes.dll

    f:\windows\system32\PortableDeviceApi.dll

    f:\windows\System32\netshell.dll

    .

    Completion time: 2010-12-16 19:00:22

    ComboFix-quarantined-files.txt 2010-12-16 19:00

    ComboFix2.txt 2010-12-15 11:58

    Pre-Run: 55,118,704,640 bytes free

    Post-Run: 55,101,149,184 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    UnsupportedDebug="do not select this" /debug

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

    - - End Of File - - B80A44C72052C7E20FCEC3FBD1A36E21

  9. Thanks Maniac,

    This is a bit of a learning curve for me so apologies for not realizing that WinPatrol should have been disabled.

    I installed Recovery Console. Here is the new ComboFix.txt.

    Best

    John

    ComboFix 10-12-14.05 - Administrator 16/12/2010 18:53:44.3.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT 0:00]

    Running from: l:\d\Combo-Fix.exe

    Command switches used :: l:\d\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

    FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

    .

    ((((((((((((((((((((((((( Files Created from 2010-11-16 to 2010-12-16 )))))))))))))))))))))))))))))))

    .

    2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

    2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

    2010-12-15 02:44 . 2010-11-02 15:17 40960 -c----w- f:\windows\system32\dllcache\ndproxy.sys

    2010-12-15 02:43 . 2010-10-11 14:59 45568 -c----w- f:\windows\system32\dllcache\wab.exe

    2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

    2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

    2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

    2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

    2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

    2010-11-30 12:22 . 2010-12-16 17:47 -------- d-----w- c:\program files\Everything

    2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

    2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

    2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

    2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- f:\windows\system32\dllcache\isign32.dll

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-12-15 13:06 . 2009-08-30 10:06 42664 ----a-w- f:\windows\system32\drivers\fsbts.sys

    2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

    2010-11-18 18:12 . 2003-02-07 18:15 81920 ----a-w- f:\windows\system32\isign32.dll

    2010-11-06 00:26 . 2006-02-28 12:00 916480 ----a-w- f:\windows\system32\wininet.dll

    2010-11-06 00:26 . 2006-02-28 12:00 43520 ----a-w- f:\windows\system32\licmgr10.dll

    2010-11-06 00:26 . 2006-02-28 12:00 1469440 ------w- f:\windows\system32\inetcpl.cpl

    2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

    2010-11-02 15:17 . 2006-02-28 12:00 40960 ----a-w- f:\windows\system32\drivers\ndproxy.sys

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd.dll

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

    2010-10-26 13:25 . 2006-02-28 12:00 1853312 ----a-w- f:\windows\system32\win32k.sys

    2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

    2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

    2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

    2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

    2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

    2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

    2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

    2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

    2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

    2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

    2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

    2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

    2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

    2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

    .

    ((((((((((((((((((((((((((((( SnapShot@2010-12-15_11.54.38 )))))))))))))))))))))))))))))))))))))))))

    .

    + 2008-07-11 16:04 . 2010-11-03 13:12 46080 f:\windows\system32\tzchange.exe

    - 2008-07-11 16:04 . 2010-06-21 14:46 46080 f:\windows\system32\tzchange.exe

    + 2009-09-21 14:25 . 2009-05-26 11:40 17272 f:\windows\system32\spmsg.dll

    - 2009-09-21 14:25 . 2007-11-30 05:39 17272 f:\windows\system32\spmsg.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 66560 f:\windows\system32\mshtmled.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 66560 f:\windows\system32\mshtmled.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 55296 f:\windows\system32\msfeedsbs.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 55296 f:\windows\system32\msfeedsbs.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 25600 f:\windows\system32\jsproxy.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 25600 f:\windows\system32\jsproxy.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 12800 f:\windows\system32\dllcache\xpshims.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 12800 f:\windows\system32\dllcache\xpshims.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 66560 f:\windows\system32\dllcache\mshtmled.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 66560 f:\windows\system32\dllcache\mshtmled.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 55296 f:\windows\system32\dllcache\msfeedsbs.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 55296 f:\windows\system32\dllcache\msfeedsbs.dll

    + 2009-03-08 03:34 . 2010-11-06 00:26 43520 f:\windows\system32\dllcache\licmgr10.dll

    - 2009-03-08 03:34 . 2010-09-10 05:58 43520 f:\windows\system32\dllcache\licmgr10.dll

    - 2009-03-08 03:33 . 2010-09-10 05:58 25600 f:\windows\system32\dllcache\jsproxy.dll

    + 2009-03-08 03:33 . 2010-11-06 00:26 25600 f:\windows\system32\dllcache\jsproxy.dll

    + 2010-11-16 12:36 . 2010-12-16 18:27 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 34144 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\oisicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 42848 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\msouc.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 19296 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\cagicon.exe

    + 2010-02-28 02:22 . 2010-02-28 02:22 48504 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBTRAP.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 12800 f:\windows\ie8updates\KB2416400-IE8\xpshims.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 66560 f:\windows\ie8updates\KB2416400-IE8\mshtmled.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 55296 f:\windows\ie8updates\KB2416400-IE8\msfeedsbs.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 43520 f:\windows\ie8updates\KB2416400-IE8\licmgr10.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 25600 f:\windows\ie8updates\KB2416400-IE8\jsproxy.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 206848 f:\windows\system32\occache.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 206848 f:\windows\system32\occache.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 611840 f:\windows\system32\mstime.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 611840 f:\windows\system32\mstime.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 602112 f:\windows\system32\msfeeds.dll

    - 2009-03-08 03:32 . 2010-09-10 05:58 602112 f:\windows\system32\msfeeds.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 184320 f:\windows\system32\iepeers.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 184320 f:\windows\system32\iepeers.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 387584 f:\windows\system32\iedkcs32.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 387584 f:\windows\system32\iedkcs32.dll

    + 2006-02-28 12:00 . 2010-11-03 12:26 173568 f:\windows\system32\ie4uinit.exe

    + 2003-02-07 17:59 . 2010-12-16 18:38 396752 f:\windows\system32\FNTCACHE.DAT

    - 2003-02-07 17:59 . 2010-12-15 07:20 396752 f:\windows\system32\FNTCACHE.DAT

    - 2009-06-26 16:50 . 2010-09-10 05:58 916480 f:\windows\system32\dllcache\wininet.dll

    + 2009-06-26 16:50 . 2010-11-06 00:26 916480 f:\windows\system32\dllcache\wininet.dll

    - 2009-03-08 03:34 . 2010-09-10 05:58 206848 f:\windows\system32\dllcache\occache.dll

    + 2009-03-08 03:34 . 2010-11-06 00:26 206848 f:\windows\system32\dllcache\occache.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 611840 f:\windows\system32\dllcache\mstime.dll

    - 2009-03-08 03:32 . 2010-09-10 05:58 611840 f:\windows\system32\dllcache\mstime.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 602112 f:\windows\system32\dllcache\msfeeds.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 602112 f:\windows\system32\dllcache\msfeeds.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 247808 f:\windows\system32\dllcache\ieproxy.dll

    - 2009-09-14 17:31 . 2010-09-10 05:58 247808 f:\windows\system32\dllcache\ieproxy.dll

    - 2009-03-08 03:31 . 2010-09-10 05:58 184320 f:\windows\system32\dllcache\iepeers.dll

    + 2009-03-08 03:31 . 2010-11-06 00:26 184320 f:\windows\system32\dllcache\iepeers.dll

    - 2010-06-11 12:45 . 2010-09-10 05:58 743424 f:\windows\system32\dllcache\iedvtool.dll

    + 2010-06-11 12:45 . 2010-11-06 00:26 743424 f:\windows\system32\dllcache\iedvtool.dll

    - 2009-03-08 13:09 . 2010-09-10 05:58 387584 f:\windows\system32\dllcache\iedkcs32.dll

    + 2009-03-08 13:09 . 2010-11-06 00:26 387584 f:\windows\system32\dllcache\iedkcs32.dll

    + 2009-03-08 03:32 . 2010-11-03 12:26 173568 f:\windows\system32\dllcache\ie4uinit.exe

    + 2010-04-20 05:30 . 2010-10-28 13:13 290048 f:\windows\system32\dllcache\atmfd.dll

    + 2010-07-22 02:43 . 2010-07-22 02:43 257024 f:\windows\Installer\68d44b4.msp

    + 2010-12-09 11:39 . 2010-12-09 11:39 720896 f:\windows\Installer\68d4493.msp

    - 2010-11-16 12:36 . 2010-11-16 13:22 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 415584 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pubs.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 303456 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\outicon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 571232 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\misc.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 326496 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\joticon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 469856 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\inficon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 178528 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\grvicons.exe

    + 2010-03-01 04:56 . 2010-03-01 04:56 604024 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\PUBCONV.DLL

    + 2010-01-09 21:50 . 2010-01-09 21:50 119160 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSCONV97.DLL

    + 2010-03-01 04:56 . 2010-03-01 04:56 457104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MORPH9.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 916480 f:\windows\ie8updates\KB2416400-IE8\wininet.dll

    + 2010-12-16 18:27 . 2010-07-05 13:16 382840 f:\windows\ie8updates\KB2416400-IE8\spuninst\updspapi.dll

    + 2010-12-16 18:27 . 2010-02-22 14:23 231288 f:\windows\ie8updates\KB2416400-IE8\spuninst\spuninst.exe

    + 2010-12-16 18:27 . 2010-09-10 05:58 206848 f:\windows\ie8updates\KB2416400-IE8\occache.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 611840 f:\windows\ie8updates\KB2416400-IE8\mstime.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 602112 f:\windows\ie8updates\KB2416400-IE8\msfeeds.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 247808 f:\windows\ie8updates\KB2416400-IE8\ieproxy.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 184320 f:\windows\ie8updates\KB2416400-IE8\iepeers.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 743424 f:\windows\ie8updates\KB2416400-IE8\iedvtool.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 387584 f:\windows\ie8updates\KB2416400-IE8\iedkcs32.dll

    + 2010-12-16 18:27 . 2010-08-26 12:22 173056 f:\windows\ie8updates\KB2416400-IE8\ie4uinit.exe

    + 2006-02-28 12:00 . 2010-11-06 00:26 1210880 f:\windows\system32\urlmon.dll

    - 2006-02-28 12:00 . 2010-09-10 05:58 1210880 f:\windows\system32\urlmon.dll

    + 2006-02-28 12:00 . 2010-11-06 00:26 5959168 f:\windows\system32\mshtml.dll

    + 2009-03-08 03:32 . 2010-11-06 00:26 1991680 f:\windows\system32\iertutil.dll

    + 2009-04-17 12:26 . 2010-10-26 13:25 1853312 f:\windows\system32\dllcache\win32k.sys

    + 2009-06-26 16:50 . 2010-11-06 00:26 1210880 f:\windows\system32\dllcache\urlmon.dll

    - 2009-06-26 16:50 . 2010-09-10 05:58 1210880 f:\windows\system32\dllcache\urlmon.dll

    + 2009-07-18 16:05 . 2010-11-06 00:26 5959168 f:\windows\system32\dllcache\mshtml.dll

    + 2009-09-14 17:31 . 2010-11-06 00:26 1991680 f:\windows\system32\dllcache\iertutil.dll

    + 2010-10-08 22:12 . 2010-10-08 22:12 8354304 f:\windows\Installer\68d445e.msp

    + 2010-11-19 13:34 . 2010-11-19 13:34 3459584 f:\windows\Installer\68d443c.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1002496 f:\windows\Installer\68d441b.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1121792 f:\windows\Installer\68d441a.msp

    + 2010-11-11 12:54 . 2010-11-11 12:54 1310720 f:\windows\Installer\68d4419.msp

    - 2010-11-16 12:36 . 2010-11-16 13:22 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1479520 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\xlicons.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1858400 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\wordicon.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 3792736 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\pptico.exe

    - 2010-11-16 12:36 . 2010-11-16 13:22 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

    + 2010-11-16 12:36 . 2010-12-16 18:27 1449312 f:\windows\Installer\{91140000-0011-0000-0000-0000000FF1CE}\accicons.exe

    + 2010-03-01 05:20 . 2010-03-01 05:20 2323840 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKWORD.DLL

    + 2010-03-01 05:20 . 2010-03-01 05:20 2102656 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKPOWERPOINT.DLL

    + 2010-03-01 05:20 . 2010-03-01 05:20 3355008 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\GKEXCEL.DLL

    + 2010-12-16 18:27 . 2010-09-10 05:58 1210880 f:\windows\ie8updates\KB2416400-IE8\urlmon.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 5957120 f:\windows\ie8updates\KB2416400-IE8\mshtml.dll

    + 2010-12-16 18:27 . 2010-09-10 05:58 1986560 f:\windows\ie8updates\KB2416400-IE8\iertutil.dll

    + 2005-05-31 22:17 . 2010-12-16 18:23 37366216 f:\windows\system32\MRT.exe

    + 2009-03-08 03:39 . 2010-11-06 00:26 11080704 f:\windows\system32\ieframe.dll

    + 2009-07-19 17:48 . 2010-11-06 00:26 11080704 f:\windows\system32\dllcache\ieframe.dll

    + 2010-11-11 12:52 . 2010-11-11 12:52 13486592 f:\windows\Installer\68d4481.msp

    + 2010-03-01 04:56 . 2010-03-01 04:56 10272104 f:\windows\Installer\$PatchCache$\Managed\00004119110000000000000000F01FEC\14.0.4763\MSPUB.EXE

    + 2010-12-16 18:27 . 2010-09-10 05:58 11080192 f:\windows\ie8updates\KB2416400-IE8\ieframe.dll

    .

    -- Snapshot reset to current date --

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

    "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

    "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoWinKeys"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 01000000

    "NoRecentDocsNetHood"= 01000000

    "NoSMMyDocs"= 01000000

    "NoSMMyPictures"= 00000000

    "NoNetworkConnections"= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

    "WService"=WService.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

    "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

    "nwiz"=nwiz.exe /install

    "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 42664]

    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

    R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

    R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

    R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

    S0 Lbd;Lbd; [x]

    S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

    S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

    S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

    S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

    S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

    S3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

    S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

    S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

    S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

    S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

    S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

    S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

    S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

    S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

    S4 NProtectService;Norton Unerase Protection; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    getPlusHelper REG_MULTI_SZ getPlusHelper

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    WINRM REG_MULTI_SZ WINRM

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    2010-12-16 f:\windows\Tasks\GlaryInitialize.job

    - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

    2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-16 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-16 f:\windows\Tasks\WGASetup.job

    - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

    IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

    LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

    DPF: DirectAnimation Java Classes

    DPF: Microsoft XML Parser for Java

    FF - ProfilePath -

    .

    .

    ------- File Associations -------

    .

    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-12-16 18:58

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

    "Licence0"="04F0D21-79D8-7A25-D702-433F"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

    @DACL=(02 0000)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(752)

    f:\windows\system32\Ati2evxx.dll

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'lsass.exe'(808)

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'explorer.exe'(2076)

    f:\windows\system32\WININET.dll

    c:\program files\Logitech\MouseWare\System\LgWndHk.dll

    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

    c:\program files\MozyHome\mozyshell.dll

    c:\program files\MozyHome\LIBEAY32.dll

    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

    f:\windows\system32\msi.dll

    f:\windows\system32\ieframe.dll

    f:\windows\system32\webcheck.dll

    f:\windows\system32\WPDShServiceObj.dll

    f:\windows\system32\PortableDeviceTypes.dll

    f:\windows\system32\PortableDeviceApi.dll

    f:\windows\System32\netshell.dll

    .

    Completion time: 2010-12-16 19:00:22

    ComboFix-quarantined-files.txt 2010-12-16 19:00

    ComboFix2.txt 2010-12-15 11:58

    Pre-Run: 55,118,704,640 bytes free

    Post-Run: 55,101,149,184 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    UnsupportedDebug="do not select this" /debug

    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /usepmtimer /SOS

    - - End Of File - - B80A44C72052C7E20FCEC3FBD1A36E21

    Before ComboFix, you should disable everything - F-Secure, WinPatrol and every security active program. Disable them and then install Recovery Console:

    http://www.bleepingcomputer.com/combofix/h...manual_recovery

  10. Maniac

    After posting the above I went for lunch and found that Scotty the Windows watchdog had popped up a message--jpeg in the attachment. I clicked no.

    Run a DLL as an App

    F:windows\system32\rundll32.exe f:\windows\system\ieframe.dll,OpenURL %|

    A change was made to use the following program for this file type

    Run a DLL as an App

    rundll32.exe ieframe.OpenURL ?%|

    While writing this the message has again appeared and again I clicked no.

    Also Scotty created another message after ComboFix rebooted [unfortunately I lacked the presence of mind to grab a screen print and this comes from quick notes-- ??? are where I cannot read my handwriting]. I clicked yes as this was immediately after the reboot.

    Change to the file type

    ObjectDelayLoad

    system32/stobject.dll 5.1.2600 5512

    ??? ???? accept host

    Best

    John

    post-62557-1292416139_thumb.jpg

  11. Maniac

    Two issues: unloading F-Secure gives two options, either to leave the firewall on or off, or to allow all traffic. I did the former.

    Related to this, ComboFix noted the PC did not have the RECOVERY CONSOLE INSTALLED. It was not able to install it.

    The log is below.

    Best

    John

    ComboFix 10-12-14.05 - Administrator 15/12/2010 11:45:56.2.1 - x86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1433 [GMT 0:00]

    Running from: l:\d\Combo-Fix.exe

    AV: F-Secure Client Security 9.01 *Disabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

    FW: F-Secure Client Security 9.01 *Enabled* {D4747503-0346-49EB-9262-997542F79BF4}

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    ---- Previous Run -------

    .

    f:\windows\system\Color

    f:\windows\system\Color\DivioCAM.icm

    f:\windows\system32\42KJE738.ocx

    f:\windows\system32\ccrpTmr6.dll

    f:\windows\system32\win.ini

    f:\windows\system32\wservice.exe

    f:\windows\twain_16.dll

    G:\Autorun.inf

    .

    ((((((((((((((((((((((((( Files Created from 2010-11-15 to 2010-12-15 )))))))))))))))))))))))))))))))

    .

    2010-12-15 07:19 . 2010-12-15 07:19 -------- d-----w- f:\windows\system32\wbem\Repository

    2010-12-15 07:11 . 2010-12-15 07:11 709456 ----a-w- f:\windows\isRS-000.tmp

    2010-12-15 01:25 . 2010-12-15 07:19 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-12-14 13:09 . 2010-12-15 02:39 -------- dc----w- f:\documents and settings\All Users\Application Data\{2162CCC0-3A5F-4887-B51F-CE5F195B3620}

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- f:\documents and settings\All Users\Application Data\Lavasoft

    2010-12-14 13:09 . 2010-12-14 13:09 -------- d-----w- c:\program files\Lavasoft

    2010-12-13 05:54 . 2010-12-15 01:25 -------- d-----w- f:\documents and settings\All Users\Application Data\MFAData

    2010-12-12 07:42 . 2010-12-12 07:42 -------- d-----w- f:\documents and settings\All Users\Application Data\DivX

    2010-12-05 13:57 . 2010-12-05 16:11 -------- d-----w- c:\program files\Network Stumbler

    2010-11-30 13:15 . 2010-11-30 13:31 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Application Data\vlc

    2010-11-30 12:22 . 2010-12-15 11:25 -------- d-----w- c:\program files\Everything

    2010-11-28 13:59 . 2010-11-28 14:33 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\imap-mail101128

    2010-11-28 11:45 . 2010-11-28 11:45 -------- d-----w- f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\%LOCALAPPDATA%

    2010-11-28 10:39 . 2010-11-28 10:39 -------- d-----w- c:\program files\Microsoft Office Labs

    2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Synchronization Services

    2010-11-16 16:43 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

    2010-11-16 13:47 . 2010-11-16 16:44 -------- d-----w- c:\program files\Classic Menu for Office 2010

    2010-11-16 13:19 . 2010-11-16 13:19 -------- d-----r- F:\MSOCache

    2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- f:\documents and settings\All Users\Microsoft

    2010-11-16 12:31 . 2010-11-16 12:31 -------- d-----w- c:\program files\Microsoft Sync Framework

    2010-11-16 12:30 . 2010-11-16 16:43 -------- d-----w- c:\program files\Microsoft Visual Studio 8

    2010-11-16 12:29 . 2010-11-16 12:29 -------- d-----w- c:\program files\Microsoft Analysis Services

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2010-11-29 17:42 . 2009-09-17 02:03 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

    2010-11-29 17:42 . 2009-09-17 02:03 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

    2010-11-03 12:25 . 2006-02-28 12:00 385024 ------w- f:\windows\system32\html.iec

    2010-10-28 13:13 . 2006-02-28 12:00 290048 ----a-w- f:\windows\system32\atmfd(2).dll

    2010-10-13 10:55 . 2010-10-13 10:55 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

    2010-10-10 05:19 . 2010-10-10 05:19 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

    2010-09-28 13:03 . 2010-09-28 13:40 12256 ------w- f:\windows\system32\drivers\PSVolAcc.sys

    2010-09-28 13:03 . 2010-09-28 13:40 15328 ------w- f:\windows\system32\drivers\pssnap.sys

    2010-09-28 13:03 . 2010-09-28 13:40 44512 ------w- f:\windows\system32\drivers\psmounter.sys

    2010-09-18 11:23 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42u.dll

    2010-09-18 06:53 . 2006-02-28 12:00 974848 ----a-w- f:\windows\system32\mfc42.dll

    2010-09-18 06:53 . 2006-02-28 12:00 954368 ----a-w- f:\windows\system32\mfc40.dll

    2010-09-18 06:53 . 2006-02-28 12:00 953856 ----a-w- f:\windows\system32\mfc40u.dll

    2010-08-13 21:28 . 2010-08-21 06:51 1237504 ------w- c:\program files\TweakMe!.exe

    2010-08-08 08:58 . 2010-08-17 13:21 33280 ------w- c:\program files\shmnview.exe

    2009-08-15 17:09 . 2009-10-13 07:29 32256 ------w- c:\program files\OfficeIns.exe

    2008-03-16 20:32 . 2010-11-10 05:31 2507710 ----a-w- c:\program files\bomb-countdown.exe

    2004-11-28 19:33 . 2009-09-08 06:44 1208320 ------w- c:\program files\IfoEdit.exe

    2002-11-24 20:53 . 2009-09-08 06:44 507904 ------w- c:\program files\TheRenameProgram.exe

    2000-10-16 12:30 . 2009-09-30 13:39 217088 ------w- c:\program files\SpaceMonger.exe

    2010-09-17 03:00 . 2010-01-27 17:58 119808 ------w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]

    @="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"

    [HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]

    @="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"

    [HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]

    2010-08-10 21:35 3412792 ------w- c:\program files\MozyHome\mozyshell.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Google Update"="f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-10-04 136176]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "F-Secure Manager"="c:\program files\F-Secure\Common\FSM32.EXE" [2010-03-26 301744]

    "F-Secure TNB"="c:\program files\F-Secure\FSGUI\TNBUtil.exe" [2010-03-26 1653424]

    "logo mouse"="c:\program files\Logitech\MouseWare\system\EM_EXEC.EXE" [2004-01-08 37888]

    "Logitech Utility"="Logi_MwX.Exe" [2003-12-17 19968]

    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2010-09-17 30192]

    "WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-05-31 323976]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]

    "NvCplDaemon"="f:\windows\system32\NvCpl.dll" [2009-05-12 13684736]

    "BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]

    "Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Start Menu\Programs\System Tools\Startup\

    OneNote 2010 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office14\ONENOTEM.EXE [2010-3-29 227712]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

    "NoWinKeys"= 1 (0x1)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

    "NoSMHelp"= 01000000

    "NoRecentDocsNetHood"= 01000000

    "NoSMMyDocs"= 01000000

    "NoSMMyPictures"= 00000000

    "NoNetworkConnections"= 01000000

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\rundisabled]

    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"

    "type32"="c:\program files\Microsoft IntelliType Pro\type32.exe"

    "WService"=WService.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]

    "NeroFilterCheck"=c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

    "SecurDisc"=c:\program files\Nero\Nero 7\InCD\NBHGui.exe

    "InCD"=c:\program files\Nero\Nero 7\InCD\InCD.exe

    "PivotSoftware"="c:\program files\Portrait Displays\Pivot Software\wpctrl.exe"

    "DT ACR"=c:\program files\Common Files\Portrait Displays\Shared\DT_startup.exe -ACR

    "nwiz"=nwiz.exe /install

    "00Hotkeys"="c:\program files\Qliner Hotkeys\HotKeys.exe"

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017

    "5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management

    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [30/08/2009 10:06 41624]

    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [23/10/2007 12:11 80080]

    R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [28/09/2010 13:40 15328]

    R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [07/02/2004 18:27 10240]

    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\F-Secure\HIPS\drivers\fshs.sys [08/09/2009 05:23 68144]

    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [06/08/2010 03:54 2953808]

    R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [06/02/2004 10:35 10112]

    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\Macrium\Reflect\ReflectService.exe [28/09/2010 13:40 220128]

    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\F-Secure\Anti-Virus\minifilter\fsgk.sys [08/09/2009 05:23 130728]

    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\F-Secure\ORSP Client\fsorsp.exe [08/09/2009 05:23 64016]

    S0 Lbd;Lbd; [x]

    S1 GhPciScan;GhostPciScanner;\??\c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys --> c:\program files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 13:16 130384]

    S2 SVKP;SVKP;\??\c:\windows\System32\SVKP.sys --> c:\windows\System32\SVKP.sys [?]

    S3 a2acc;a2acc;c:\program files\Emsisoft Anti-Malware\a2accx86.sys [06/08/2010 03:54 72808]

    S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [08/04/2003 10:48 265904]

    S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [03/08/2010 15:37 13192]

    S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [03/08/2010 15:37 8456]

    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [27/01/2010 17:58 30192]

    S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [24/07/2008 20:36 366525]

    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [25/03/2010 10:25 30969208]

    S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [09/01/2010 21:37 4640000]

    S3 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [08/09/2009 12:58 90112]

    S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [28/05/2010 11:04 14896]

    S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [28/09/2010 13:40 44512]

    S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [28/09/2010 13:40 12256]

    S3 Second Backup Service;Second Backup Service;c:\program files\Second Backup\SecondBackup.exe [27/12/2007 05:22 1744896]

    S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [08/01/2002 18:53 162048]

    S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [18/03/2010 13:16 753504]

    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\F-Secure\Anti-Virus\win2k\fsfilter.sys [08/09/2009 05:23 39856]

    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\F-Secure\Anti-Virus\win2k\fsrec.sys [08/09/2009 05:23 25264]

    S4 NProtectService;Norton Unerase Protection; [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

    getPlusHelper REG_MULTI_SZ getPlusHelper

    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

    WINRM REG_MULTI_SZ WINRM

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{8b15971b-5355-4c82-8c07-7e181ea07608}]

    2009-03-08 03:32 128512 ----a-w- f:\windows\system32\advpack.dll

    .

    Contents of the 'Scheduled Tasks' folder

    2010-12-15 f:\windows\Tasks\GlaryInitialize.job

    - c:\program files\Glary Utilities\initialize.exe [2009-09-08 10:21]

    2010-12-14 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500Core.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-15 f:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-220523388-789336058-1957994488-500UA.job

    - f:\documents and settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-10-04 16:48]

    2010-12-15 f:\windows\Tasks\WGASetup.job

    - f:\windows\system32\KB905474\wgasetup.exe [2009-08-31 21:18]

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = about:blank

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    IE: &Google Search - c:\program files\Google\GoogleToolbar1.dll/cmsearch.html

    IE: Backward &Links - c:\program files\Google\GoogleToolbar1.dll/cmbacklinks.html

    IE: Cac&hed Snapshot of Page - c:\program files\Google\GoogleToolbar1.dll/cmcache.html

    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office14\EXCEL.EXE/3000

    IE: Read By Natural Voice Reader - c:\program files\NaturalReaders\Natural Voice Reader Pro\read.html

    IE: Se&nd to OneNote - c:\progra~1\MI1933~1\Office14\ONBttnIE.dll/105

    IE: Si&milar Pages - c:\program files\Google\GoogleToolbar1.dll/cmsimilar.html

    IE: Translate into English - c:\program files\Google\GoogleToolbar1.dll/cmtrans.html

    LSP: c:\program files\F-Secure\FSPS\program\fslsp.dll

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL

    DPF: DirectAnimation Java Classes

    DPF: Microsoft XML Parser for Java

    FF - ProfilePath -

    .

    .

    ------- File Associations -------

    .

    txtfile="c:\program files\JGsoft\EditPadLite\EditPadLite.exe" "%1"

    .

    - - - - ORPHANS REMOVED - - - -

    BHO-{201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)

    Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)

    WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)

    AddRemove-SiS7018 - c:\progra~1\SiS7018\Uninst\uninst2k.exe PCI\VEN_1039&DEV_7018

    AddRemove-{E2883E8F-472F-4fb0-9522-AC9BF37916A7} - c:\program files\NOS\bin\getPlus_Helper.dll

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2010-12-15 11:53

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    .

    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-220523388-789336058-1957994488-500\Software\Microsoft\Internet Explorer\User Preferences]

    @Denied: (2) (Administrator)

    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    "6256FFB019F8FDFBD36745B06F4540E9AEAF222A25"=hex:01,00,00,00,d0,8c,9d,df,01,15,

    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,0f,d6,bb,b4,a5,82,17,42,88,32,2e,\

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]

    @Denied: (A 2) (Everyone)

    @="FlashBroker"

    "LocalizedString"="@f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]

    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]

    @="f:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]

    @Denied: (A 2) (Everyone)

    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]

    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    "Version"="1.0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]

    "Licence0"="04F0D21-79D8-7A25-D702-433F"

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Enum\HID\Vid_413c&Pid_3016\6&280bb194&0&0000\LogConf]

    @DACL=(02 0000)

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(756)

    f:\windows\system32\Ati2evxx.dll

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'lsass.exe'(812)

    c:\program files\f-secure\hips\fshook32.dll

    - - - - - - - > 'explorer.exe'(3992)

    f:\windows\system32\WININET.dll

    c:\program files\f-secure\hips\fshook32.dll

    c:\program files\Logitech\MouseWare\System\LgWndHk.dll

    c:\program files\BillP Studios\WinPatrol\PATROLPRO.DLL

    c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf

    c:\progra~1\MI1933~1\Office14\1033\GrooveIntlResource.dll

    c:\program files\MozyHome\mozyshell.dll

    c:\program files\MozyHome\LIBEAY32.dll

    c:\program files\Common Files\Logitech\Scrolling\LgMsgHk.dll

    f:\windows\system32\msi.dll

    f:\windows\system32\ieframe.dll

    f:\windows\system32\webcheck.dll

    f:\windows\system32\WPDShServiceObj.dll

    f:\windows\system32\PortableDeviceTypes.dll

    f:\windows\system32\PortableDeviceApi.dll

    f:\windows\System32\netshell.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\windows\system32\svchost.exe

    c:\program files\F-Secure\Anti-Virus\fsgk32st.exe

    c:\program files\F-Secure\Common\FSMA32.EXE

    c:\program files\F-Secure\Anti-Virus\FSGK32.EXE

    c:\program files\F-Secure\Common\FSHDLL32.EXE

    c:\program files\Java\jre6\bin\jqs.exe

    f:\windows\system32\msiexec.exe

    f:\windows\system32\nvsvc32.exe

    f:\windows\system32\locator.exe

    c:\program files\F-Secure\Common\FNRB32.EXE

    c:\program files\F-Secure\Common\FIH32.EXE

    c:\program files\F-Secure\Anti-Virus\fssm32.exe

    c:\program files\F-Secure\FWES\Program\fsdfwd.exe

    c:\program files\F-Secure\Anti-Virus\fsav32.exe

    c:\windows\system32\wbem\wmiprvse.exe

    .

    **************************************************************************

    .

    Completion time: 2010-12-15 11:58:41 - machine was rebooted

    ComboFix-quarantined-files.txt 2010-12-15 11:58

    Pre-Run: 55,366,643,712 bytes free

    Post-Run: 55,221,829,632 bytes free

    - - End Of File - - 63E3B06BB7CEEC8BABBBE6C0EE5CEE46

    **Note: If you need more detailed information, please visit the web page of ComboFix in BleepingComputer. **

    Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

    Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

    Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

    1. If you are using Firefox, make sure that your download settings are as follows:
      • Open Tools -> Options -> Main tab
      • Set to Always ask me where to Save the files.

    [*]During the download, rename Combofix to Combo-Fix as follows:

    [screenshots: CF_download_FF.gif, CF_download_rename.gif]

    [*]It is important you rename Combofix during the download, but not after.

    [*]Please do not rename Combofix to other names, but only to the one indicated.

    [*]Close any open browsers.

    [*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause unpredictable results.
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

    [*]Double click on combo-Fix.exe & follow the prompts.

    [*]When finished, it will produce a report for you.

    [*]Please post the C:\Combo-Fix.txt for further review.

    **Note: Do not mouseclick combo-fix's window while it's running. That may cause it to stall**
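The ComboFix log above is read by eye, but the `SERVICES / DRIVERS` block and the firewall-policy block have a regular shape that a responder can triage mechanically. The following is an added example for this thread, not code from ComboFix, DDS, or any vendor: it parses those two blocks, flags service registrations whose image file is missing (`[x]`) or unverified (`[?]`), and reads the Windows Firewall state and globally open ports. The sample lines are copied from the log posted above; the column meanings (R/S, start-type digit, trailing bracket token) are as the tools print them.

```python
r"""Triage the 'SERVICES / DRIVERS' and firewall-policy blocks of a ComboFix/DDS log.

Added example for this thread; not part of ComboFix, DDS or any vendor tool.
Sample lines are copied from the log posted above.

Service/driver line shape:
    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [2009-8-30 41624]
    S0 Lbd;Lbd; [x]
    S1 GhPciScan;GhostPciScanner;\??\c:\...\ghpciscan.sys --> c:\...\ghpciscan.sys [?]
R/S = running/stopped; the digit is the start type (0 boot, 1 system, 2 auto,
3 manual, 4 disabled).  A trailing '[x]' means the image file is absent and
'[?]' that the tool could not verify it: both are orphan registrations worth
a look during a cleanup (in this log: Lbd, GhPciScan, SVKP, NProtectService).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "manual", "4": "disabled"}

SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
FW_ENABLE_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
FW_PORT_RE = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P<value>.+)$')


@dataclass
class ServiceEntry:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    image_missing: bool   # line ends with '[x]'
    unverified: bool      # line ends with '[?]'


@dataclass
class OpenPort:
    port: int
    proto: str
    enabled: bool
    label: str


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R?/S? line; returns None for lines that are not service entries."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    path = re.sub(r"\s*\[[^\]]*\]$", "", rest)   # drop trailing '[date size]' / '[x]' / '[?]'
    if "-->" in path:                              # '\??\a --> b': keep the resolved path
        path = path.split("-->", 1)[1].strip()
    return ServiceEntry(
        name=m.group("name").strip(),
        display=m.group("display").strip(),
        running=m.group("state") == "R",
        start_type=START_TYPES[m.group("start")],
        path=path,
        image_missing=rest.endswith("[x]"),
        unverified=rest.endswith("[?]"),
    )


def flag_services(lines: List[str]) -> List[ServiceEntry]:
    """Entries whose image is missing or could not be verified."""
    out = []
    for line in lines:
        e = parse_service_line(line)
        if e and (e.image_missing or e.unverified):
            out.append(e)
    return out


def parse_firewall_policy(lines: List[str]) -> Tuple[Optional[bool], List[OpenPort]]:
    """EnableFirewall flag plus GloballyOpenPorts entries.

    Value shape is 'port:proto[:scope:Enabled|Disabled]:label'; ComboFix prints the
    built-in VPN entries in the short form without scope/state, so a port counts
    as enabled unless a 'Disabled' field is present.
    """
    enabled = None
    ports: List[OpenPort] = []
    for line in lines:
        s = line.strip()
        m = FW_ENABLE_RE.match(s)
        if m:
            enabled = m.group(1) != "0"
            continue
        m = FW_PORT_RE.match(s)
        if m:
            fields = m.group("value").split(":")
            ports.append(OpenPort(int(m.group("port")), m.group("proto"),
                                  "Disabled" not in fields, fields[-1]))
    return enabled, ports


SAMPLE_SERVICES = r"""
R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [2009-8-30 41624]
R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [2007-10-23 80080]
R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-6 2953808]
S0 Lbd;Lbd; [x]
S1 GhPciScan;GhostPciScanner;\??\c:\program files\norton systemworks\norton ghost\ghpciscan.sys --> c:\program files\norton systemworks\norton ghost\ghpciscan.sys [?]
S2 SVKP;SVKP;\??\c:\windows\system32\svkp.sys --> c:\windows\system32\SVKP.sys [?]
S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [28/02/2006 12:00 14336]
S4 NProtectService;Norton Unerase Protection; [x]
""".strip().splitlines()

SAMPLE_FIREWALL = r"""
"EnableFirewall"= 0 (0x0)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
""".strip().splitlines()

if __name__ == "__main__":
    for e in flag_services(SAMPLE_SERVICES):
        why = "missing image" if e.image_missing else "unverified image"
        print(f"{e.name:16} start={e.start_type:8} {why}: {e.path or '(no path)'}")
    enabled, ports = parse_firewall_policy(SAMPLE_FIREWALL)
    print("Windows Firewall enabled:", enabled)
    for p in ports:
        print(f"  {p.port}/{p.proto} {'open' if p.enabled else 'disabled'} ({p.label})")
```

Two caveats when reading the result: `EnableFirewall = 0` is expected on this machine, because the DDS header reports the F-Secure firewall (`fsdfw.sys`) as the active one and Windows Firewall is normally off when a third-party firewall is installed; and the three `@xpsp2res.dll` ports (1723/TCP, 1701/UDP, 500/UDP) are the default PPTP/L2TP/IKE exceptions Windows XP SP2 ships, not something added by a program. The flagged orphans are leftovers from uninstalled software rather than evidence of infection, but they are exactly the kind of dangling boot- and system-start driver registrations a cleanup should remove.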

  12. Thanks Maniac for your further assistance.

    I have problems now getting on to the internet. As soon as I attempt to update or install any AV, the internet connection gets barred not only for them but also for Firefox/Google Chrome. Attempts to use Restore to restore a previous state get an error message saying it was terminated.

    However, I have found that if I do an F-Secure scan it finds Malware!Gemini and quarantines it [see log below]. Then this allows a restore to an earlier date, and this allows access to the internet.

    As instructed I renamed mbam.exe to firefox.exe. On rebooting there was an installation of 15 Microsoft updates (I do think this was coincidental and unrelated, but I mention it in case).

    Clicking the new file still did not work, so I am unable to provide a Malwarebytes' Anti-Malware log. However, there was an error message "PROGRAM_ERROR_UPDATING(12002,0,WinHttpReceiveResponse)".

    Thanks for the warning about
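The symptom in the post above (update traffic for security tools fails, ordinary browsing works, and WinHTTP reports a receive timeout) is a pattern responders see often. One standard first check, added here as an example and not taken from the thread, is the hosts file: malware commonly pins vendor update hostnames to 127.0.0.1 or to an attacker-controlled address so that updates fail while everything else resolves normally. Nothing on this page establishes that this is the cause of John's problem; the hosts content below is constructed for the demonstration, and the vendor suffix list is an assumption drawn from the products named in the thread.

```python
"""Find security-vendor hostnames pinned in a Windows hosts file.

Added example for this thread, not code from the thread or from any vendor.
The sample hosts content is constructed; WATCHED_SUFFIXES is an assumed list.
"""
from typing import List, Tuple

# Assumed watch list: the vendors whose updates the thread says are failing.
WATCHED_SUFFIXES = ("malwarebytes.org", "emsisoft.com", "f-secure.com")

# Constructed sample. A clean Windows XP hosts file contains only the
# localhost line (and comments); every other line here is the kind of
# pinning a responder looks for.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   updates.malwarebytes.org
127.0.0.1   update.emsisoft.com      # trailing comment is legal hosts syntax
0.0.0.0     www.example.com
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (hostname, ip) pairs, hostnames lower-cased.

    Comments (# to end of line), blank lines and lines without at least one
    hostname are skipped; a line may map several names to one address.
    """
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, names = parts[0], parts[1:]
        pairs.extend((name.lower(), ip) for name in names)
    return pairs


def pinned_vendor_hosts(text: str, suffixes=WATCHED_SUFFIXES) -> List[Tuple[str, str]]:
    """Every hosts entry for a watched domain is suspect regardless of the
    address it points to: there is no legitimate reason for an end-user
    machine to pin an AV vendor's update host."""
    return [
        (name, ip)
        for name, ip in parse_hosts(text)
        if any(name == s or name.endswith("." + s) for s in suffixes)
    ]


if __name__ == "__main__":
    for name, ip in pinned_vendor_hosts(SAMPLE_HOSTS):
        print(f"pinned: {name} -> {ip}")
```

Where to point it: on Windows XP the file is `%SystemRoot%\system32\drivers\etc\hosts`, which on this machine is under `F:\WINDOWS` since the system drive is F:, and the directory is whatever `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath` names, a value malware can also repoint, so check the registry value as well as the default path. Note that `nslookup` talks to DNS directly and never consults the hosts file, so it cannot be used to confirm or rule this out. A clean hosts file does not clear the other two places a block of this kind can live, both visible in the logs above: the Winsock LSP chain (`fslsp.dll`) and the firewall driver (`fsdfw.sys`).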

  13. Thanks Borislav,

    Apologies about the attachment not containing Attach.txt. The present attach.zip contains it.

    F-Secure does not provide any information about the file in the program interface except its size (344 KB) and Platform: W32.

    John

    Hello John! Welcome to Malwarebytes' Anti-Malware Forums!

    My name is Borislav and I will be glad to help you solve your problems with malware. Before we begin, please note the following:

    • The process of cleaning your system may take some time, so please be patient.
    • Follow my instructions step by step; if there is a problem somewhere, stop and tell me.
    • Stay with the thread until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
    • Instructions that I give are for your system only!
    • If you don't know or can't understand something please ask.
    • Do not install or uninstall any software or hardware while we work on this.
    • Keep me informed about any changes.

    I can't see your Attach.txt . Please post it!

    Please check exactly which file F-Secure detects. Suspicious:W32/Malware!Gemini is a proactive heuristic detection, which may be triggered by a file that behaves in a suspicious manner indicative of malware infection. Given the symptoms, this is hardly a false alarm, but I would still like to know more before I start.

    attach.zip

  14. Malwarebytes will not download new updates.

    I have twice scanned with F-secure which on both occasions has detected and then quarantined the virus "Suspicious:W32/Malware!Gemini".

    I suspect the virus has crippled anti-virus programs. F-Secure updates normally, but neither Malwarebytes nor other AV programs such as Emsisoft Anti-Malware can download updates. The internet connection is otherwise functional, i.e. Firefox, Skype and downloading work.

    I have installed the updater mbam-rules.exe and also reinstalled Malwarebytes. I have also temporarily turned off "F-Secure DeepGuard", but to no avail.

    My system is XP Pro and everything else is properly updated. The system drive is F:.

    Since Malwarebytes cannot update it has not run and so there is no "Malwarebytes' Anti-Malware log file".

    I would appreciate advice and help.

    John

    DDS (Ver_10-12-12.02) - NTFSx86

    Run by Administrator at 3:38:39.87 on 14/12/2010

    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_22

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1334 [GMT 0:00]

    AV: F-Secure Client Security 9.01 *Enabled/Updated* {E7512ED5-4245-4B4D-AF3A-382D3F313F15}

    FW: F-Secure Client Security 9.01 *Enabled*

    ============== Running Processes ===============

    C:\Program Files\Emsisoft Anti-Malware\a2service.exe

    F:\WINDOWS\system32\svchost -k DcomLaunch

    svchost.exe

    svchost.exe

    F:\WINDOWS\system32\spoolsv.exe

    svchost.exe

    F:\WINDOWS\Explorer.EXE

    C:\WINDOWS\system32\svchost.exe -k netsvcs

    C:\Program Files\F-Secure\Anti-Virus\fsgk32st.exe

    C:\Program Files\F-Secure\Anti-Virus\FSGK32.EXE

    C:\Program Files\F-Secure\Common\FSMA32.EXE

    C:\Program Files\Java\jre6\bin\jqs.exe

    C:\Program Files\F-Secure\Common\FSHDLL32.EXE

    F:\WINDOWS\system32\msiexec.exe

    F:\WINDOWS\System32\svchost.exe -k HPZ12

    F:\WINDOWS\system32\nvsvc32.exe

    F:\WINDOWS\System32\svchost.exe -k HPZ12

    C:\Program Files\Macrium\Reflect\ReflectService.exe

    F:\WINDOWS\system32\svchost.exe -k imgsvc

    F:\WINDOWS\System32\vssvc.exe

    C:\Program Files\F-Secure\Common\FSM32.EXE

    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE

    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe

    C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

    F:\WINDOWS\system32\wuauclt.exe

    C:\Program Files\Common Files\Java\Java Update\jusched.exe

    C:\Program Files\Logitech\MouseWare\system\em_exec.exe

    C:\Program Files\Everything\Everything.exe

    C:\Program Files\Microsoft Office\Office14\ONENOTEM.EXE

    C:\Program Files\F-Secure\Common\FNRB32.EXE

    C:\Program Files\F-Secure\Anti-Virus\fssm32.exe

    C:\Program Files\F-Secure\Common\FIH32.EXE

    C:\Program Files\F-Secure\FWES\Program\fsdfwd.exe

    F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    C:\Program Files\F-Secure\Anti-Virus\fsav32.exe

    F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    F:\Documents and Settings\Administrator.JRS-1GP3GJVWO3B\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

    F:\WINDOWS\System32\svchost.exe -k netsvcs

    K:\My Documents\Downloads\mbam-setup-1.50.0.0.exe

    F:\DOCUME~1\ADMINI~1.JRS\LOCALS~1\Temp\is-B5QUR.tmp\mbam-setup-1.50.0.0.tmp

    C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

    K:\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = about:blank

    uSearch Bar = hxxp://www.google.com/ie

    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s

    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

    BHO: AskBar BHO: {201f27d4-3704-41d6-89c1-aa35e39143ed} - AskBar BHO

    BHO: {53707962-6f74-2d53-2644-206d7942484f} -

    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

    BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\mi1933~1\office14\URLREDIR.DLL

    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll

    TB: Foxit Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} -

    TB: Browsing Protection Toolbar: {265eee8e-3228-44d3-aea5-f7fdf5860049} - c:\program files\f-secure\nrs\iescript\baselitmus.dll

    uRun: [Google Update] "f:\documents and settings\administrator.jrs-1gp3gjvwo3b\local settings\application data\google\update\GoogleUpdate.exe" /c

    mRun: [F-Secure Manager] "c:\program files\f-secure\common\FSM32.EXE" /splash

    mRun: [F-Secure TNB] "c:\program files\f-secure\fsgui\TNBUtil.exe" /CHECKALL /WAITFORSW

    mRun: [logo mouse] c:\program files\logitech\mouseware\system\EM_EXEC.EXE

    mRun: [Logitech Utility] Logi_MwX.Exe

    mRun: [Google Desktop Search] "c:\program files\google\google desktop search\GoogleDesktop.exe" /startup

    mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot

    mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

    mRun: [NvCplDaemon] RUNDLL32.EXE f:\windows\system32\NvCpl.dll,NvStartup

    mRun: [bCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices

    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

    mRun: [Everything] "c:\program files\everything\Everything.exe" -startup

    mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent

    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

    StartupFolder: f:\docume~1\admini~1.jrs\startm~1\programs\system~1\startup\onenot~1.lnk - c:\program files\microsoft office\office14\ONENOTEM.EXE

    uPolicies-explorer: NoSMHelp = 01000000

    uPolicies-explorer: NoRecentDocsNetHood = 01000000

    uPolicies-explorer: NoSMMyDocs = 01000000

    uPolicies-explorer: NoSMMyPictures = 00000000

    uPolicies-explorer: NoNetworkConnections = 01000000

    uPolicies-explorer: NoActiveDesktop = 01000000

    mPolicies-explorer: NoWinKeys = 1 (0x1)

    IE: &Google Search - c:\program files\google\GoogleToolbar1.dll/cmsearch.html

    IE: Backward &Links - c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html

    IE: Cac&hed Snapshot of Page - c:\program files\google\GoogleToolbar1.dll/cmcache.html

    IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office14\EXCEL.EXE/3000

    IE: Read By Natural Voice Reader - c:\program files\naturalreaders\natural voice reader pro\read.html

    IE: Se&nd to OneNote - c:\progra~1\mi1933~1\office14\ONBttnIE.dll/105

    IE: Si&milar Pages - c:\program files\google\GoogleToolbar1.dll/cmsimilar.html

    IE: Translate into English - c:\program files\google\GoogleToolbar1.dll/cmtrans.html

    IE: {0DF757C4-9999-463C-A4EB-B6BF1D8D8D3D} - c:\program files\naturalreaders\natural voice reader pro\read.html

    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll

    IE: {36ECAF82-3300-8F84-092E-AFF36D6C7040} - {86529161-034E-4F8A-88D2-3C625E612E04} - c:\program files\winhttrack\WinHTTrackIEBar.dll

    IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll

    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}

    LSP: c:\program files\f-secure\fsps\program\fslsp.dll

    DPF: DirectAnimation Java Classes

    DPF: Microsoft XML Parser for Java

    DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - hxxp://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe

    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

    DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - hxxp://toolbar.google.com/data/GoogleActivate.cab

    DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37900.5179861111

    DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab

    DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab

    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL

    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll

    Notify: AtiExtEvent - Ati2evxx.dll

    AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL

    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\mi1933~1\office14\GROOVEEX.DLL

    LSA: Authentication Packages = msv1_0 nwprovau

    mASetup: {44BBA842-CC51-11CF-AAFA-00AA00B6015B} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\msnetmtg.inf,NetMtg.Install.PerUser.NT

    mASetup: {5945c046-1e7d-11d1-bc44-00c04fd912be} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\msmsgs.inf,BLC.QuietInstall.PerUser

    mASetup: {8b15971b-5355-4c82-8c07-7e181ea07608} - rundll32.exe advpack.dll,LaunchINFSection c:\windows\inf\fxsocm.inf,Fax.Install.PerUser

    ================= FIREFOX ===================

    FF - ProfilePath -

    ============= SERVICES / DRIVERS ===============

    R0 fsbts;fsbts;f:\windows\system32\drivers\fsbts.sys [2009-8-30 41624]

    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [2007-10-23 80080]

    R0 pssnap;Paramount Software Snapshot Filter;f:\windows\system32\drivers\pssnap.sys [2010-9-28 15328]

    R1 Asapi;Asapi;f:\windows\system32\drivers\asapi.sys [2004-2-7 10240]

    R1 F-Secure HIPS;F-Secure HIPS Driver;c:\program files\f-secure\hips\drivers\fshs.sys [2009-9-8 68144]

    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-6 2953808]

    R2 cpuz132;cpuz132;f:\windows\system32\drivers\cpuz132_x32.sys [2009-9-3 12672]

    R2 F-Secure Gatekeeper Handler Starter;FSGKHS;c:\program files\f-secure\anti-virus\fsgk32st.exe [2009-9-8 219824]

    R2 NTIOWP;NTIOWP;f:\windows\system32\drivers\NTIOWP.SYS [2004-2-6 10112]

    R2 ReflectService;Macrium Reflect Image Mounting Service;c:\program files\macrium\reflect\ReflectService.exe [2010-9-28 220128]

    R3 F-Secure Gatekeeper;F-Secure Gatekeeper;c:\program files\f-secure\anti-virus\minifilter\fsgk.sys [2009-9-8 130728]

    R3 F-Secure Network Request Broker;F-Secure Network Request Broker;c:\program files\f-secure\common\FNRB32.exe [2009-9-8 166576]

    R3 FSORSPClient;F-Secure ORSP Client;c:\program files\f-secure\orsp client\fsorsp.exe [2009-9-8 64016]

    S0 Lbd;Lbd; [x]

    S1 GhPciScan;GhostPciScanner;\??\c:\program files\norton systemworks\norton ghost\ghpciscan.sys --> c:\program files\norton systemworks\norton ghost\ghpciscan.sys [?]

    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;f:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

    S2 SVKP;SVKP;\??\c:\windows\system32\svkp.sys --> c:\windows\system32\SVKP.sys [?]

    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-8-6 72808]

    S3 DCamUSBNW802;Mustek Wcam 300;f:\windows\system32\drivers\pcam.sys [2003-4-8 265904]

    S3 epmntdrv;epmntdrv;f:\windows\system32\epmntdrv.sys [2010-8-3 13192]

    S3 EuGdiDrv;EuGdiDrv;f:\windows\system32\EuGdiDrv.sys [2010-8-3 8456]

    S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2010-1-27 30192]

    S3 ham50;Intel 56K HaM Data Fax Voice Modem;f:\windows\system32\drivers\ham50.sys [2008-7-24 366525]

    S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2010-12-13 38224]

    S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]

    S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]

    S3 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2009-9-8 90112]

    S3 PSI;PSI;f:\windows\system32\drivers\psi_mf.sys [2010-5-28 14896]

    S3 PSMounter;Macrium Reflect Image Explorer Service;f:\windows\system32\drivers\psmounter.sys [2010-9-28 44512]

    S3 PSVolAcc;PSVolAcc;f:\windows\system32\drivers\PSVolAcc.sys [2010-9-28 12256]

    S3 Second Backup Service;Second Backup Service;c:\program files\second backup\SecondBackup.exe [2007-12-27 1744896]

    S3 SiS630;SiS630;f:\windows\system32\drivers\sis630p.sys [2002-1-8 162048]

    S3 WinRM;Windows Remote Management (WS-Management);f:\windows\system32\svchost.exe -k WINRM [2006-2-28 14336]

    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;f:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]

    S4 F-Secure Filter;F-Secure File System Filter;c:\program files\f-secure\anti-virus\win2k\fsfilter.sys [2009-9-8 39856]

    S4 F-Secure Recognizer;F-Secure File System Recognizer;c:\program files\f-secure\anti-virus\win2k\fsrec.sys [2009-9-8 25264]

    S4 NProtectService;Norton Unerase Protection; [x]

    =============== File Associations ===============

    chm.file="c:\windows\hh.exe" %1

    txtfile="c:\program files\jgsoft\editpadlite\EditPadLite.exe" "%1"

    =============== Created Last 30 ================

    2010-12-14 03:05:42 709456 ----a-w- f:\windows\is-EDTE4.exe

    2010-12-13 14:43:00 -------- d-----r- c:\program files\Skype

    2010-12-13 05:54:25 -------- d-----w- f:\docume~1\alluse~1\applic~1\MFAData

    2010-12-13 05:43:57 38224 ----a-w- f:\windows\system32\drivers\mbamswissarmy.sys

    2010-12-13 05:43:52 20952 ----a-w- f:\windows\system32\drivers\mbam.sys

    2010-12-13 05:43:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2010-12-12 07:42:03 -------- d-----w- f:\docume~1\alluse~1\applic~1\DivX

    2010-12-11 20:35:40 -------- d-----w- f:\windows\system32\wbem\repository\FS

    2010-12-11 20:35:40 -------- d-----w- f:\windows\system32\wbem\Repository

    2010-12-05 13:57:10 -------- d-----w- c:\program files\Network Stumbler

    2010-11-30 12:22:34 -------- d-----w- c:\program files\Everything

    2010-11-28 13:59:26 -------- d-----w- f:\documents and settings\administrator.jrs-1gp3gjvwo3b\imap-mail101128

    2010-11-28 11:45:40 -------- d-----w- f:\documents and settings\administrator.jrs-1gp3gjvwo3b\%LOCALAPPDATA%

    2010-11-28 10:39:46 -------- d-----w- c:\program files\Microsoft Office Labs

    2010-11-16 16:43:50 -------- d-----w- c:\program files\Microsoft Synchronization Services

    2010-11-16 16:43:44 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition

    2010-11-16 13:47:46 -------- d-----w- c:\program files\Classic Menu for Office 2010

    2010-11-16 12:31:21 -------- d-----w- f:\documents and settings\all users\Microsoft

    2010-11-16 12:30:01 -------- d-----w- c:\program files\Microsoft Visual Studio 8

    2010-11-16 12:29:23 -------- d-----w- c:\program files\Microsoft Analysis Services

    2010-11-15 07:10:33 56496 ----a-w- f:\windows\system32\wbhelp2.dll

    2010-11-15 07:10:33 544768 ----a-w- f:\windows\system32\wbocx.ocx

    2010-11-15 07:10:33 258352 ----a-w- f:\windows\system32\unicows.dll

    2010-11-15 07:10:33 1706800 ----a-w- f:\windows\system32\gdiplus.dll

    2010-11-15 07:10:32 33968 ----a-w- f:\windows\system32\anim.dll

    2010-11-15 07:10:32 -------- d-----w- c:\program files\WinUtilities

    2010-11-15 07:06:04 -------- d-----w- c:\program files\Wise Registry Cleaner

    ==================== Find3M ====================

    2010-10-13 10:55:02 236160 ------w- f:\windows\EasyGifAnimator_Toolbar_Uninstaller_7125.exe

    2010-10-10 05:19:16 121233 ------w- f:\windows\File Renamer - Basic Uninstaller.exe

    2010-09-18 11:23:26 974848 ----a-w- f:\windows\system32\mfc42u.dll

    2010-09-18 06:53:25 974848 ----a-w- f:\windows\system32\mfc42.dll

    2010-09-18 06:53:25 954368 ----a-w- f:\windows\system32\mfc40.dll

    2010-09-18 06:53:25 953856 ----a-w- f:\windows\system32\mfc40u.dll

    2010-09-15 04:50:37 472808 ----a-w- f:\windows\system32\deployJava1.dll

    2010-08-13 21:28:40 1237504 ------w- c:\program files\TweakMe!.exe

    2010-08-08 08:58:06 33280 ------w- c:\program files\shmnview.exe

    2009-08-15 17:09:50 32256 ------w- c:\program files\OfficeIns.exe

    2008-03-16 20:32:32 2507710 ----a-w- c:\program files\bomb-countdown.exe

    2004-11-28 19:33:44 1208320 ------w- c:\program files\IfoEdit.exe

    2002-11-24 20:53:56 507904 ------w- c:\program files\TheRenameProgram.exe

    2000-10-16 12:30:56 217088 ------w- c:\program files\SpaceMonger.exe

    ============= FINISH: 3:40:09.79 ===============

    attach.zip

  15. Malwarebytes will not download new updates.

    Last night I scanned with F-secure and this detected and then quarantined the virus "Suspicious:W32/Malware!Gemini".

    I suspect F-secure might have removed a virus but not all the changes that it had made to cripple anti-virus programs. F-secure updates normally, but neither Malwarebytes nor other AV programs such as Emsisoft Anti-Malware can download updates.

    I have installed the updater mbam-rules.exe and also completely reinstalled malwarebytes. I have also turned off temporarily "f-secure deep guard". But to no avail.

    My system is XP Pro and everything else is properly updated (Malwarebytes was only two days out of date).

    I would appreciate advice and help.

    John
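The DDS log posted above is the place to look for leftovers of the kind John suspects: the SERVICES / DRIVERS list shows which security-product services are actually running and which entries point at binaries that no longer exist, and the AppInit_DLLs, LSA and Notify lines are global load points that a partial cleanup can leave populated. The script below is an added example, written for this page and not part of the original post or of the DDS tool; it parses those sections and lists review candidates (not verdicts). It assumes the DDS conventions visible in the log: `R`/`S` for running/stopped, the digit for the start type, `[yyyy-m-d size]` for a located binary and `[x]` or `[?]` for one DDS could not find, and that `msv1_0` is the only LSA authentication package present on a default XP install. The sample input is a constructed subset of lines copied verbatim from the log above.

```python
"""Triage helper for DDS-style logs (the format of the log posted above).

Added example, not part of the original post or of the DDS tool. It parses the
sections that matter when security software stops updating after a cleanup:
the SERVICES / DRIVERS list (orphaned entries, state of the security products)
and the global load points DDS reports (AppInit_DLLs, LSA authentication
packages, Winlogon Notify). Anything returned is a review candidate only.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: a handful of lines copied verbatim from the DDS log above.
SAMPLE_LOG = r"""
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll c:\progra~1\google\google~2\GOEC62~1.DLL
    LSA: Authentication Packages = msv1_0 nwprovau
    ============= SERVICES / DRIVERS ===============
    R0 FSFW;F-Secure Firewall Driver;f:\windows\system32\drivers\fsdfw.sys [2007-10-23 80080]
    R2 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\emsisoft anti-malware\a2service.exe [2010-8-6 2953808]
    S0 Lbd;Lbd; [x]
    S1 GhPciScan;GhostPciScanner;\??\c:\program files\norton systemworks\norton ghost\ghpciscan.sys --> c:\program files\norton systemworks\norton ghost\ghpciscan.sys [?]
    S2 SVKP;SVKP;\??\c:\windows\system32\svkp.sys --> c:\windows\system32\SVKP.sys [?]
    S3 a2acc;a2acc;c:\program files\emsisoft anti-malware\a2accx86.sys [2010-8-6 72808]
    S3 MBAMSwissArmy;MBAMSwissArmy;f:\windows\system32\drivers\mbamswissarmy.sys [2010-12-13 38224]
    S4 NProtectService;Norton Unerase Protection; [x]
    =============== File Associations ===============
"""

# DDS prefix: R = running, S = stopped; digit = Windows service start type.
START_TYPES = {"0": "boot", "1": "system", "2": "auto", "3": "demand", "4": "disabled"}

# "R2 name;display;path [yyyy-m-d size]"  or  "S0 name;display; [x]"  or  "... [?]"
SERVICE_RE = re.compile(r"^(?P<run>[RS])(?P<start>\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
STAMP_RE = re.compile(r"^(?P<path>.*?) \[(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<size>\d+)\]$")


@dataclass
class Service:
    name: str
    display: str
    running: bool
    start_type: str
    path: str
    date: Optional[str]
    size: Optional[int]
    file_missing: bool  # DDS prints [x] or [?] when it cannot find the binary


def parse_services(log: str) -> List[Service]:
    """Parse every R*/S* line of the SERVICES / DRIVERS section."""
    out: List[Service] = []
    for raw in log.splitlines():
        m = SERVICE_RE.match(raw.strip())
        if not m:
            continue
        rest = m.group("rest").strip()
        date, size = None, None
        missing = rest.endswith("[x]") or rest.endswith("[?]")
        if missing:
            path = rest[:-3].strip()
        else:
            s = STAMP_RE.match(rest)
            path = s.group("path") if s else rest
            if s:
                date, size = s.group("date"), int(s.group("size"))
        out.append(Service(m.group("name"), m.group("display"), m.group("run") == "R",
                           START_TYPES.get(m.group("start"), m.group("start")),
                           path, date, size, missing))
    return out


def orphaned_services(services: List[Service]) -> List[str]:
    """Entries whose binary DDS could not find: leftovers of uninstalled
    software or of a removed infection. Each one deserves a look."""
    return [s.name for s in services if s.file_missing]


def security_service_states(services: List[Service],
                            keywords=("f-secure", "emsisoft", "mbam", "malwarebytes")) -> Dict[str, str]:
    """running|stopped / start type for the security products' own services."""
    states: Dict[str, str] = {}
    for s in services:
        hay = " ".join((s.name, s.display, s.path)).lower()
        if any(k in hay for k in keywords):
            states[s.name] = ("running" if s.running else "stopped") + "/" + s.start_type
    return states


def injection_points(log: str) -> Dict[str, List[str]]:
    """Global load points DDS reports; a half-removed infection can leave them set."""
    found: Dict[str, List[str]] = {"AppInit_DLLs": [], "LSA_nondefault": [], "Notify": []}
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("AppInit_DLLs:"):
            # The registry value is space/comma separated, hence the 8.3 short names.
            found["AppInit_DLLs"] = [p for p in re.split(r"[ ,]+", line.split(":", 1)[1]) if p]
        elif line.startswith("LSA: Authentication Packages ="):
            pkgs = line.split("=", 1)[1].split()
            # Assumption: msv1_0 is the only package on a default XP install.
            found["LSA_nondefault"] = [p for p in pkgs if p.lower() != "msv1_0"]
        elif line.startswith("Notify:"):
            found["Notify"].append(line.split(":", 1)[1].strip())
    return found


if __name__ == "__main__":
    svcs = parse_services(SAMPLE_LOG)
    print("orphaned entries:", orphaned_services(svcs))
    print("security services:", security_service_states(svcs))
    print("load points:", injection_points(SAMPLE_LOG))
```

Run it against a full DDS report by reading the file into `parse_services` and `injection_points` instead of `SAMPLE_LOG`. A stopped (`S`) entry for a scanner's own driver is normal for on-demand components, so compare the states against the vendor's documentation before reading anything into them; the orphaned entries and any non-default LSA package or AppInit DLL are the items to verify by hand.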
