MSI service won't start - Malware?


A fuller description of my issues can be found in this thread.

I am posting in this forum to ask for assistance in looking over my HijackThis log to check for malware. I have performed an anti-malware full scan which did not turn up anything:

Malwarebytes' Anti-Malware 1.34

Database version: 1813

Windows 5.1.2600 Service Pack 3

03/03/2009 08:02:20

mbam-log-2009-03-03 (08-02-20).txt

Scan type: Full Scan (C:\|D:\|)

Objects scanned: 422210

Time elapsed: 2 hour(s), 14 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

and here is the HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 14:42:12, on 01/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ASUS\AI Gear2\GearHelp.exe

C:\Program Files\ASUS\Ai Nap\AiNap.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe

C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Taskix\Taskix32.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\Program Files\COMODO\Firewall\cfp.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\NetMeter\NetMeter.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe

C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Dropbox\dropbox.exe

C:\Program Files\Password Safe\pwsafe.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\mmc.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\WINDOWS\system32\mmc.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Chrome\Application\chrome.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java
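
The post above asks for the HijackThis log to be looked over. The following is an added example (not from the original thread or from HijackThis itself) of a small triage parser for that log format: it splits each `Rn`/`On` line into its section code, any CLSID and any file path, and puts entries into a review queue when the path lies outside Program Files or the Windows directory, or when an IE start/search value points at a non-Microsoft URL. The sample lines are constructed from the R1/R0/O2 entries shown above plus one hypothetical O4 entry; the "trusted roots" rule is a triage hint for a human reviewer, not a verdict, which is why the legitimate per-user Google Update entry lands in the queue rather than being labelled bad.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the shape of the HijackThis log above. The O4 line is
# hypothetical and mirrors the HKCU Run entry seen later in the thread.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [Google Update] C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
# A drive-letter path ending in a loadable/executable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\[\]"]*?\.(?:exe|dll|scr|cpl)', re.IGNORECASE)

# Heuristic: paths under these roots are "usual"; anything else gets a human look.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str]
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def triage(entry: Entry) -> List[str]:
    """Return reasons (if any) this entry deserves manual review."""
    flags = []
    if entry.path and not entry.path.lower().startswith(TRUSTED_ROOTS):
        flags.append("path outside Program Files/Windows")
    if entry.code in ("R0", "R1") and "=" in entry.body:
        value = entry.body.split("=", 1)[1].strip()
        if value.lower().startswith("http") and "microsoft.com" not in value.lower():
            flags.append("IE start/search value points at a non-Microsoft URL")
    return flags


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis 'Rn - ...' / 'On - ...' lines into Entry objects."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, headers, blank lines
        body = m.group("body")
        clsid = CLSID_RE.search(body)
        path = PATH_RE.search(body)
        entry = Entry(m.group("code"), body,
                      clsid.group(0) if clsid else None,
                      path.group(0) if path else None)
        entry.flags = triage(entry)
        entries.append(entry)
    return entries


def review_queue(entries: List[Entry]) -> List[Entry]:
    """Entries that tripped at least one triage flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in review_queue(parse_hjt(SAMPLE_LOG)):
        print(e.code, e.path, "->", "; ".join(e.flags))
```

Run as a script it prints only the queued entries; the O2 BHO entries parse cleanly with their CLSIDs but are not queued because their DLLs sit under Program Files, so the reviewer's attention goes to the one entry launched from a user profile directory.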


  • Root Admin

Okay, since you're about to wipe and reload, then let's do some detailed logs and see what we can find first.

If we can't find anything then at least hopefully you've gained a bit more knowledge along the way.

STEP 01

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note:

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

STEP 02

Download DDS and save it to your desktop.

Disable any script blocker if your Anti-Virus/Anti-Malware has it.

Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.

Then double click dds.scr to run the tool.

When done, the DDS.txt will open.

Click Yes at the next prompt for Optional Scan. When done, DDS will open two (2) logs:

  1. DDS.txt
  2. Attach.txt

  • Save both reports to your desktop
  • Please include the following logs in your next reply: DDS.txt and Attach.txt

STEP 03

Please create a BOOTLOG:
  • Restart the computer and press F8 when Windows starts booting. This will bring up the startup options.
  • Select the "Enable Boot Logging" option and press Enter.
  • Windows prompts you to select a Windows installation (even if there is only one Windows installation).
  • This boots Windows normally and creates a boot log named ntbtlog.txt and saves it to C:\Windows
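
STEP 03 ends with a boot log in C:\Windows\ntbtlog.txt but says nothing about reading it. The following is an added example (not from the thread, not from any tool mentioned in it) of how a helper would mine that file: boot logging appends a new session on every boot, each beginning with a "Microsoft (R) Windows ..." header line followed by "Loaded driver ..." and "Did not load driver ..." lines, so the parser splits the text into sessions, de-duplicates driver paths within a session, and reports which drivers failed in the latest boot and which of those are new compared with the previous boot. The log text below is constructed; the driver names are illustrative and `example_missing.sys` is a placeholder, not a real driver.

```python
import re
from typing import Dict, List

# Constructed ntbtlog.txt content with two boot sessions. Driver names are
# illustrative; "example_missing.sys" is a placeholder for a driver that fails to load.
SAMPLE_NTBTLOG = r"""
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 3  2 2009 08:15:02.125
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\Drivers\cmdguard.sys
Microsoft (R) Windows (R) Version 5.1 (Build 2600)
 3  3 2009 18:02:11.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \SystemRoot\System32\Drivers\cmdguard.sys
Did not load driver \SystemRoot\System32\Drivers\example_missing.sys
Loaded driver \SystemRoot\System32\Drivers\cmdguard.sys
Did not load driver \SystemRoot\System32\Drivers\example_missing.sys
"""

HEADER_RE = re.compile(r"^Microsoft \(R\) Windows")
LOADED_RE = re.compile(r"^Loaded driver (?P<path>\S.*)$")
FAILED_RE = re.compile(r"^Did not load driver (?P<path>\S.*)$")


def parse_boot_log(text: str) -> List[Dict[str, List[str]]]:
    """Split ntbtlog.txt into boot sessions, each holding ordered,
    de-duplicated 'loaded' and 'failed' driver path lists."""
    sessions: List[Dict[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if HEADER_RE.match(line):
            current = {"loaded": [], "failed": []}
            sessions.append(current)
            continue
        if current is None:
            continue  # anything before the first header is ignored
        for key, rx in (("loaded", LOADED_RE), ("failed", FAILED_RE)):
            m = rx.match(line)
            if m and m.group("path") not in current[key]:
                current[key].append(m.group("path"))
    return sessions


def failed_in_last_boot(text: str) -> List[str]:
    """Drivers the most recent boot session reported as not loaded."""
    sessions = parse_boot_log(text)
    return sessions[-1]["failed"] if sessions else []


def new_failures(text: str) -> List[str]:
    """Drivers failing in the latest boot that were not failing in the one before
    (with a single session, every failure is 'new')."""
    sessions = parse_boot_log(text)
    if len(sessions) < 2:
        return failed_in_last_boot(text)
    previous = set(sessions[-2]["failed"])
    return [p for p in sessions[-1]["failed"] if p not in previous]


if __name__ == "__main__":
    for path in failed_in_last_boot(SAMPLE_NTBTLOG):
        print("did not load:", path)
    for path in new_failures(SAMPLE_NTBTLOG):
        print("new since previous boot:", path)
```

Comparing the latest session against the previous one is the useful part when a machine has been rebooted many times during troubleshooting, as this one has: a driver that has always failed to load is a different lead from one that only began failing after a recent change.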

That's brilliant - I will work through those when I'm back from work tonight.

As you say, if it doesn't fix the issues then I will at least have learnt more about the troubleshooting process which is always handy for the future.


OK, here's the combofix log:

ComboFix 09-03-02.03 - John 2009-03-03 17:55:08.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2589 [GMT 0:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: COMODO Firewall *disabled*

* Created a new restore point

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\John\Local Settings\Temporary Internet Files\SLC_John.prx

c:\windows\system32\_004048_.tmp.dll

c:\windows\system32\_004064_.tmp.dll

c:\windows\system32\_004072_.tmp.dll

c:\windows\system32\_004080_.tmp.dll

c:\windows\system32\_004208_.tmp.dll

c:\windows\system32\_004209_.tmp.dll

c:\windows\system32\_004210_.tmp.dll

c:\windows\system32\_004211_.tmp.dll

c:\windows\system32\_004214_.tmp.dll

c:\windows\system32\_004215_.tmp.dll

c:\windows\system32\_004216_.tmp.dll

c:\windows\system32\_004217_.tmp.dll

c:\windows\system32\_004223_.tmp.dll

c:\windows\system32\_004225_.tmp.dll

c:\windows\system32\_004230_.tmp.dll

c:\windows\system32\_004231_.tmp.dll

c:\windows\system32\_004232_.tmp.dll

c:\windows\system32\_004233_.tmp.dll

c:\windows\system32\_004238_.tmp.dll

c:\windows\system32\_004239_.tmp.dll

c:\windows\system32\_004240_.tmp.dll

c:\windows\system32\_004241_.tmp.dll

c:\windows\system32\_004246_.tmp.dll

c:\windows\system32\_004247_.tmp.dll

c:\windows\system32\_004248_.tmp.dll

c:\windows\system32\_004249_.tmp.dll

c:\windows\system32\_004252_.tmp.dll

.

((((((((((((((((((((((((( Files Created from 2009-02-03 to 2009-03-03 )))))))))))))))))))))))))))))))

.

2009-03-03 17:47 . 2009-03-03 17:47 <DIR> d-------- c:\documents and settings\John\Application Data\Windows Search

2009-03-01 11:56 . 2008-12-20 23:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 11:56 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 11:56 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 11:56 . 2008-12-20 23:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 11:56 . 2008-12-20 23:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 11:56 . 2008-12-20 23:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 11:56 . 2008-12-20 23:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 11:56 . 2008-12-20 23:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 11:56 . 2008-12-19 09:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 11:31 . 2009-03-03 17:55 <DIR> d-------- c:\windows\system32\CatRoot2

2009-03-01 09:34 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-03-01 09:34 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-03-01 09:34 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-03-01 09:34 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-03-01 09:32 . 2008-04-14 00:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll

2009-03-01 09:32 . 2008-04-14 00:12 380,416 --------- c:\windows\system32\irprops.cpl

2009-03-01 09:32 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll

2009-03-01 09:32 . 2008-04-13 21:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll

2009-03-01 09:32 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll

2009-03-01 09:32 . 2006-12-28 19:01 19,569 --a------ c:\windows\006317_.tmp

2009-03-01 09:32 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll

2009-03-01 09:32 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll

2009-03-01 09:29 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2009-03-01 09:21 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll

2009-03-01 09:21 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 09:21 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-03-01 09:21 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys

2009-03-01 09:21 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 09:21 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys

2009-03-01 09:20 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2009-03-01 09:20 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2009-03-01 09:20 . 2008-10-03 10:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 00:21 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-03-01 00:21 . 2008-10-16 14:12 213,528 --a--c--- c:\windows\system32\dllcache\wuaucpl.cpl

2009-03-01 00:20 . 2009-03-01 09:49 <DIR> d-------- c:\windows\ServicePackFiles

2009-03-01 00:19 . 2004-07-17 11:40 19,528 --a------ c:\windows\002781_.tmp

2009-02-28 23:56 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SET1430.tmp

2009-02-28 23:56 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SET143B.tmp

2009-02-28 23:56 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SET1433.tmp

2009-02-28 23:56 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SET142F.tmp

2009-02-28 23:54 . 2008-04-14 00:12 4,274,816 --a------ c:\windows\system32\nv4_disp.dll

2009-02-28 23:52 . 2009-03-01 00:13 2,167,506 --a------ c:\windows\setupapi.log.5.old

2009-02-28 23:34 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SET1335.tmp

2009-02-28 23:34 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SET1340.tmp

2009-02-28 23:34 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SET1338.tmp

2009-02-28 23:34 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SET1334.tmp

2009-02-28 23:31 . 2004-08-04 00:56 359,936 --a------ c:\windows\system32\SET179.tmp

2009-02-28 23:31 . 2004-08-04 00:56 264,192 --a------ c:\windows\system32\SET1D9.tmp

2009-02-28 23:31 . 2004-08-04 00:56 82,944 --a------ c:\windows\system32\SET1CB.tmp

2009-02-28 23:31 . 2004-08-04 00:56 42,496 --a------ c:\windows\system32\SET18F.tmp

2009-02-28 23:31 . 2004-08-04 00:56 22,528 --a------ c:\windows\system32\SET18E.tmp

2009-02-28 23:31 . 2004-08-04 00:56 19,968 --a------ c:\windows\system32\SET1CA.tmp

2009-02-28 23:31 . 2004-08-04 00:56 19,968 --a------ c:\windows\system32\SET194.tmp

2009-02-28 23:31 . 2004-07-17 11:40 19,528 --a------ c:\windows\002765_.tmp

2009-02-28 23:31 . 2004-08-04 00:56 18,432 --a------ c:\windows\system32\SET187.tmp

2009-02-28 23:28 . 2009-02-28 23:48 2,224,825 --a------ c:\windows\setupapi.log.4.old

2009-02-28 23:06 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SET1237.tmp

2009-02-28 23:06 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SET1242.tmp

2009-02-28 23:06 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SET123A.tmp

2009-02-28 23:06 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SET1236.tmp

2009-02-28 23:04 . 2004-08-04 00:56 8,384,000 --a------ c:\windows\system32\SET38E.tmp

2009-02-28 23:01 . 2009-02-28 23:25 2,160,634 --a------ c:\windows\setupapi.log.3.old

2009-02-28 22:29 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SET1194.tmp

2009-02-28 22:22 . 2004-08-04 00:56 8,384,000 --a------ c:\windows\system32\SET2F2.tmp

2009-02-28 22:21 . 2004-08-04 00:56 723,456 --a------ c:\windows\system32\SET20C.tmp

2009-02-28 22:20 . 2004-07-17 11:40 19,528 --a------ c:\windows\002749_.tmp

2009-02-28 20:54 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SET10B6.tmp

2009-02-28 20:54 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SET10C1.tmp

2009-02-28 20:54 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SET10B9.tmp

2009-02-28 20:54 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SET10B5.tmp

2009-02-28 20:52 . 2004-07-17 11:40 19,528 --a------ c:\windows\002741_.tmp

2009-02-28 19:18 . 2004-08-04 00:56 1,134,592 --a------ c:\windows\system32\SETFB3.tmp

2009-02-28 19:18 . 2004-08-04 00:56 382,464 --a------ c:\windows\system32\SETFBE.tmp

2009-02-28 19:18 . 2004-08-04 00:56 351,232 --a------ c:\windows\system32\SETFB6.tmp

2009-02-28 19:18 . 2004-08-04 00:56 6,656 --a------ c:\windows\system32\SETFB2.tmp

2009-02-28 19:17 . 2004-08-04 00:56 1,032,192 --a------ c:\windows\SET494.tmp

2009-02-28 19:17 . 2004-08-04 00:56 194,048 --a------ c:\windows\system32\SET469.tmp

2009-02-28 19:17 . 2004-08-04 00:56 143,360 --a------ c:\windows\system32\SET464.tmp

2009-02-28 19:17 . 2004-08-04 00:56 126,976 --a------ c:\windows\system32\SET45C.tmp

2009-02-28 19:17 . 2004-08-04 00:56 101,888 --a------ c:\windows\system32\SET467.tmp

2009-02-28 19:17 . 2004-08-04 00:56 99,840 --a------ c:\windows\system32\SET461.tmp

2009-02-28 19:17 . 2004-08-04 00:56 44,544 --a------ c:\windows\system32\SET45F.tmp

2009-02-28 18:55 . 2002-08-29 12:00 455,168 --a--c--- c:\windows\system32\dllcache\tintsetp.exe

2009-02-28 18:54 . 2002-08-29 12:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll

2009-02-28 18:52 . 2002-08-29 12:00 73,728 --a--c--- c:\windows\system32\dllcache\icwtutor.exe

2009-02-28 18:52 . 2002-08-29 12:00 61,440 --a--c--- c:\windows\system32\dllcache\icwres.dll

2009-02-28 18:52 . 2002-08-29 12:00 40,960 --a--c--- c:\windows\system32\dllcache\trialoc.dll

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\WindowsShell.Manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 488 -rah----- c:\windows\system32\logonui.exe.manifest

2009-02-28 18:51 . 2008-04-14 00:11 167,424 --a------ c:\windows\system32\comsnap.dll

2009-02-28 18:51 . 2008-04-14 00:11 97,792 --a------ c:\windows\system32\comrepl.dll

2009-02-28 18:51 . 2008-04-14 00:12 59,392 --a------ c:\windows\system32\stclient.dll

2009-02-28 18:51 . 2008-04-14 00:12 34,304 --a------ c:\windows\system32\mtxlegih.dll

2009-02-28 18:51 . 2008-04-14 00:12 30,720 --a------ c:\windows\system32\mtxdm.dll

2009-02-28 18:51 . 2008-04-14 00:11 28,160 --a------ c:\windows\system32\comaddin.dll

2009-02-28 18:51 . 2008-04-14 00:12 6,144 --a------ c:\windows\system32\dcomcnfg.exe

2009-02-28 18:51 . 2008-04-14 00:12 4,096 --a------ c:\windows\system32\mtxex.dll

2009-02-28 18:42 . 2002-08-29 12:00 24,661 --a------ c:\windows\system32\spxcoins.dll

2009-02-28 18:42 . 2002-08-29 12:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll

2009-02-28 18:42 . 2002-08-29 12:00 13,312 --a------ c:\windows\system32\irclass.dll

2009-02-28 18:42 . 2002-08-29 12:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll

2009-02-28 18:41 . 2002-08-29 12:00 1,086,182 -ra------ c:\windows\SETD2.tmp

2009-02-28 18:41 . 2002-08-29 12:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT

2009-02-28 18:41 . 2002-08-29 12:00 657,548 --a--c--- c:\windows\system32\dllcache\CLASSES.CAT

2009-02-28 18:41 . 2002-08-29 12:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT

2009-02-28 18:41 . 2002-08-29 12:00 56,081 --a--c--- c:\windows\system32\dllcache\DAJAVAC.CAT

2009-02-28 18:41 . 2002-08-29 12:00 52,311 --a--c--- c:\windows\system32\dllcache\DX3.CAT

2009-02-28 18:41 . 2002-08-29 12:00 37,484 --a--c--- c:\windows\system32\dllcache\MW770.CAT

2009-02-28 18:41 . 2002-08-29 12:00 14,031 --a--c--- c:\windows\system32\dllcache\MSJDBC.CAT

2009-02-28 18:41 . 2002-08-29 12:00 13,608 -ra------ c:\windows\SETE7.tmp

2009-02-28 18:41 . 2002-08-29 12:00 13,472 --a--c--- c:\windows\system32\dllcache\HPCRDP.CAT

2009-02-28 18:41 . 2002-08-29 12:00 8,574 --a--c--- c:\windows\system32\dllcache\IASNT4.CAT

2009-02-28 18:41 . 2002-08-29 12:00 7,382 --a--c--- c:\windows\system32\dllcache\OEMBIOS.CAT

2009-02-28 18:40 . 2009-02-28 22:57 2,997,144 --a------ c:\windows\setupapi.log.2.old

2009-02-28 14:16 . 2009-02-28 14:16 <DIR> d-------- c:\documents and settings\John\Application Data\Xitona

2009-02-28 13:49 . 2009-02-28 13:49 <DIR> d-------- c:\program files\Singing Tutor

2009-02-28 13:49 . 2003-02-14 13:47 150 --a------ c:\windows\Song_w.ini

2009-02-28 12:43 . 2009-02-28 12:44 <DIR> d-------- c:\program files\Singing Tutor Duet 2.2 Win 2k-XP

2009-02-22 17:55 . 2009-02-22 17:55 <DIR> d-------- c:\program files\Ulead Systems

2009-02-11 03:00 . 2009-03-01 10:09 1,891 --a------ c:\windows\imsins.BAK

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-03 18:00 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-03-03 17:58 --------- d-----w c:\program files\Password Safe

2009-03-03 17:58 --------- d-----w c:\documents and settings\John\Application Data\Dropbox

2009-03-03 17:57 --------- d-----w c:\documents and settings\John\Application Data\WTablet

2009-03-03 17:47 --------- d-----w c:\documents and settings\John\Application Data\uTorrent

2009-03-01 15:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-01 12:11 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet

2009-03-01 11:33 --------- d-----w c:\documents and settings\John\Application Data\Orbit

2009-03-01 11:25 --------- d-----w c:\program files\MSECache

2009-03-01 08:55 --------- d-----w c:\documents and settings\John\Application Data\U3

2009-02-28 13:23 --------- d-----w c:\program files\Orbitdownloader

2009-02-14 10:56 --------- d-----w c:\program files\Google

2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-02 17:47 --------- d-----w c:\documents and settings\John\Application Data\foobar2000

2009-01-24 14:21 --------- d-----w c:\program files\RescuePRO

2009-01-24 13:56 286,720 ----a-w c:\windows\iun507.exe

2009-01-20 23:48 --------- d-----w c:\documents and settings\John\Application Data\Photojunction

2009-01-19 17:15 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-17 10:39 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-01-17 10:21 --------- d-----w c:\program files\CCleaner

2009-01-16 18:47 --------- d-----w c:\program files\PJ Remix

2009-01-15 18:56 --------- d-----w c:\documents and settings\All Users\Application Data\Photojunction

2009-01-15 08:14 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-14 23:34 --------- d-----w c:\documents and settings\John\Application Data\Media Player Classic

2009-01-11 09:44 --------- d-----w c:\program files\K-Lite Codec Pack

2009-01-08 17:33 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys

2009-01-08 17:32 101,776 ----a-w c:\windows\system32\drivers\cmdguard.sys

2009-01-08 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\Macrovision

2009-01-08 16:43 --------- d-----w c:\program files\Common Files\Macromedia Shared

2009-01-08 16:42 --------- d-----w c:\program files\Macromedia

2009-01-08 16:42 --------- d-----w c:\program files\Common Files\Macromedia

2009-01-08 15:14 20,747 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-01-08 15:13 --------- d-----w c:\program files\Sitecom

2009-01-07 13:28 --------- d-----w c:\program files\Common Files\Adobe

2009-01-06 19:26 --------- d-----w c:\program files\Free Easy Burner

2009-01-06 16:53 --------- d-----w c:\program files\Microsoft Reader

2008-08-28 17:14 2,634 ----a-w c:\documents and settings\John\Application Data\SAS7_000.DAT

2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-02-15 270128]

"c:\program files\NetMeter\NetMeter.exe"="c:\program files\NetMeter\NetMeter.exe" [2007-08-11 331264]

"Google Update"="c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ai Gear Help"="c:\program files\ASUS\AI Gear2\GearHelp.exe" [2006-07-27 415744]

"Ai Nap"="c:\program files\ASUS\Ai Nap\AiNap.exe" [2007-01-12 1423360]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]

"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-07-07 675935]

"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]

"tsnp2std"="c:\windows\tsnp2std.exe" [2007-05-10 270336]

"snp2std"="c:\windows\vsnp2std.exe" [2007-09-28 344064]

"Taskix"="c:\program files\Taskix\Taskix32.exe" [2008-04-02 61440]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-06-13 600000]

"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]

"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-08 1797880]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-11 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-11 172032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-11 143360]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\John\Start Menu\Programs\Startup\

Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981]

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-08-30 1949696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hueyPROTray.lnk - c:\program files\Pantone\hueyPRO\hueyPROTray.exe [2008-06-07 1081344]

Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE [2009-01-08 913408]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]

--a------ 2007-07-11 15:09 20480 c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2005-02-16 15:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2008-09-11 10:16 143360 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\Program Files\\PPMate\\ppamnet.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=

"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-09-25 38448]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-08-13 101776]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-08-13 31504]

R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2008-06-05 344161]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-06-07 3024168]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2008-06-05 120976]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-06-07 15144]

S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [2009-01-15 112835]

S2 gupdate1c90d32140ed6d4;Google Update Service (gupdate1c90d32140ed6d4);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 133104]

S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [2009-01-15 5325]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-11-11 13352]

S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-06-07 83880]

S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-06-07 15016]

S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-06-07 110632]

S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-06-07 104616]

S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-06-07 25512]

S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-06-07 100648]

S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-06-07 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-03 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 19:28]

2009-03-03 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1364589140-839522115-1003.job

- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:28]

.

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with KUSO EXIF Viewer - c:\program files\KUSO EXIF Viewer\EXIF.htm

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn1.hw.ac.uk/sre/ICSScanner.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn1.hw.ac.uk/SNX/CSHELL/extender.cab

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll

FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\John\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\John\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-03 18:01:56

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\Secure]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\9C0121F80A833D11581E000540386890]

@DACL=(02 0000)

"0B79C053C7D38EE4AB9A00CB3B5D2472"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\038648152B7E812498867BF7F04F578B\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\0B79C053C7D38EE4AB9A00CB3B5D2472\Features]

@DACL=(02 0000)

"WebPublFiles"="]aZF&kXsf(lf*L[_GKba}gbvW,Qmf(G'*L[H+8]b_aZF&kXsf(lf*L[_GKba_{@h=i,nf(R8(L[JO9}X_}M^V8Xqf(Rp)L[_GKbahlT]jI{jf(=1&L[-81-]eoT]jI{jf(=1&L[-81-]as@O+Khtf(=V*L[JO9}X"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\10AF64009B5C5894ABBC93D84C08CF50\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\13353B9B4E7BC5E4FBC4B78C876521D4\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\1CB5DF8CFE2951C4299A9FCAF71689F5\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\2AD5C400150252D449AB15FC18C019BE\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\2B09DDDD2F08A314A8E8835C70A6D7AB\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\4DE556595AC7FD6409F7174478A7235E\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5C3BD7DD3AF63AF4A8172C2F49E00B92\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5DE5D10FA35D86444B8241D92CBC1301\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5EAD28C50BE647342945EB3391ABE428\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\8A0F842331866D117AB7000B0D610006\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\8A0F842331866D117AB7000B0D610007\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\B024059C2814AE9458A06A2ABA0FC6B6\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\B0B4314DB9AE53847AA706EB6E721710\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\D6437D424B4D8E5489AE57CE414BD28D\Transforms]

@DACL=(02 0000)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe

c:\program files\COMODO\Firewall\cmdagent.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-03-03 18:05:44 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-03 18:05:41

Pre-Run: 111,421,419,520 bytes free

Post-Run: 111,321,038,848 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

491 --- E O F --- 2009-03-03 03:00:37

and the new hijackthis log:

Logfile of HijackThis v1.99.1

Scan saved at 19:14:13, on 03/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ASUS\AI Gear2\GearHelp.exe

C:\Program Files\ASUS\Ai Nap\AiNap.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\uTorrent\uTorrent.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\notepad.exe

C:\WINDOWS\System32\vssvc.exe

C:\WINDOWS\System32\dllhost.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\WINDOWS\system32\mmc.exe

C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Ai Gear Help] "C:\Program Files\ASUS\AI Gear2\GearHelp.exe"

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Nap\AiNap.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Taskix] C:\Program Files\Taskix\Taskix32.exe start

O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [ISUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe

O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe

O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe

O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with KUSO EXIF Viewer - C:\Program Files\KUSO EXIF Viewer\EXIF.htm

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [INTERNATIONAL] International*

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222601183843

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://vpn1.hw.ac.uk/sre/ICSScanner.cab

O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://vpn1.hw.ac.uk/SNX/CSHELL/extender.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)

O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll

O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

O23 - Service: Avira AntiVir Personal

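A first pass over a HijackThis log like the one above is normally done by hand, entry by entry. Below is an added example (not part of the original post, and not HijackThis code) of a small triage script that parses the O4/O10/O16/O20 line formats shown above and flags what a reviewer checks first: autostart images that are bare file names (resolved through the search path), that sit directly in the Windows directory, that run from a user profile, or whose unquoted path contains spaces; Winsock LSPs HijackThis does not recognise; O16 ActiveX downloads from hosts outside an allowlist; AppInit_DLLs; and dangling Winlogon Notify entries. The sample lines are copied from the log in this post; the allowlist of download hosts, the checks themselves and every function name are assumptions for illustration. A flag means "verify the file and its publisher", not "malware": the cmdguard.sys SSDT hooks in the RootRepeal output, for instance, belong to the COMODO driver the ComboFix log lists, and the hw.ac.uk control is flagged only because that host is not on the example allowlist.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread: not part of the original post and not
HijackThis code. It parses the O4/O10/O16/O20 formats seen in the log
and flags what a reviewer checks first. The host allowlist, the checks
and all names here are assumptions chosen for illustration.
"""
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted above (constructed subset).
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe',
    r'O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min',
    r'O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe',
    r'O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c',
    r'O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE',
    r'O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe',
    r'O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll',
    r'O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://vpn1.hw.ac.uk/sre/ICSScanner.cab',
    r'O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll',
    r'O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)',
    r'O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll',
]

O4_RUN = re.compile(r'^O4 - (?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_LNK = re.compile(r'^O4 - (?P<loc>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$')
O10_LSP = re.compile(r'^O10 - Unknown file in Winsock LSP: (?P<dll>.*)$')
O16_DPF = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$')
O20_APPINIT = re.compile(r'^O20 - AppInit_DLLs: (?P<dlls>.*)$')
O20_NOTIFY = re.compile(r'^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$')

# Hosts from which O16 ActiveX downloads are expected: an assumption for
# this example, not something HijackThis ships.
TRUSTED_DPF_HOSTS = {'update.microsoft.com', 'download.microsoft.com'}
EXE_SUFFIXES = ('.exe', '.scr', '.cpl', '.dll')


def image_path(cmd):
    """Return the executable part of a Run value as Windows would pick it."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted path with spaces: CreateProcess tries each space-delimited
    # prefix in turn ("C:\Program", "C:\Program Files\HP\HP", ...), so we
    # return the first prefix that names an executable, as the loader would.
    parts = cmd.split(' ')
    for i in range(1, len(parts) + 1):
        cand = ' '.join(parts[:i])
        if cand.lower().endswith(EXE_SUFFIXES):
            return cand
    return parts[0]


def check_o4(image, quoted=True):
    """Reasons to look at an autostart image; an empty list means nothing unusual."""
    low = image.lower()
    reasons = []
    if '\\' not in image:
        reasons.append('bare file name: resolved through the search path at logon')
    elif re.match(r'^[a-z]:\\windows\\[^\\]+$', low):
        reasons.append('executable sits directly in the Windows directory')
    elif '\\documents and settings\\' in low:
        reasons.append('runs from a user profile directory')
    if not quoted and ' ' in image:
        reasons.append('unquoted path with spaces: CreateProcess tries C:\\Program.exe first')
    return reasons


def check_o16(url):
    host = urlparse(url).hostname or ''
    return [] if host in TRUSTED_DPF_HOSTS else [f'ActiveX download from non-allowlisted host {host}']


def check_notify(dll):
    if '(file missing)' in dll:
        return ['dangling Winlogon Notify entry: DLL is missing on disk']
    if '\\system32\\' not in dll.lower():
        return ['Winlogon Notify DLL outside System32 loads into winlogon.exe at logon']
    return []


def triage(lines):
    """Return the entries worth a closer look, each with its reasons."""
    findings = []
    for line in lines:
        line = line.rstrip()
        reasons = []
        if (m := O4_RUN.match(line)):
            cmd = m['cmd'].lstrip()
            reasons = check_o4(image_path(cmd), quoted=cmd.startswith('"'))
        elif (m := O4_LNK.match(line)):
            reasons = check_o4(m['cmd'].strip(), quoted=True)  # HJT prints the resolved .lnk target
        elif O10_LSP.match(line):
            reasons = ['Winsock LSP not on the HijackThis whitelist: every socket call passes through it']
        elif (m := O16_DPF.match(line)):
            reasons = check_o16(m['url'])
        elif (m := O20_APPINIT.match(line)):
            reasons = ['AppInit_DLLs loads into every process that links user32.dll: ' + m['dlls']]
        elif (m := O20_NOTIFY.match(line)):
            reasons = check_notify(m['dll'])
        if reasons:
            findings.append({'kind': line.split(' ', 1)[0], 'line': line, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LINES):
        print(f['kind'], '|', f['line'])
        for r in f['reasons']:
            print('    ->', r)
```

Run against the eleven sample lines it reports eight entries: the three Windows-root, profile-path and bare-name O4 images, the unquoted HP updater path, the Bonjour LSP, the university ActiveX control, the AppInit DLL and the missing dimsntfy.dll. The Avira, Dropbox and igfxcui lines pass, which is the point of the checks: they narrow the list to what needs a signature and hash check, they do not decide it.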

It was too long (>350k) to post the whole ntbtlog.txt, so here's the end of it, which I think contains the stuff for the last boot. Let me know if not and I'll post a bit more of it:

Service Pack 3 3 3 2009 19:33:10.375

Loaded driver \WINDOWS\system32\ntkrnlpa.exe

Loaded driver \WINDOWS\system32\hal.dll

Loaded driver \WINDOWS\system32\KDCOM.DLL

Loaded driver \WINDOWS\system32\BOOTVID.dll

Loaded driver ACPI.sys

Loaded driver \WINDOWS\System32\DRIVERS\WMILIB.SYS

Loaded driver pci.sys

Loaded driver isapnp.sys

Loaded driver ohci1394.sys

Loaded driver \WINDOWS\System32\DRIVERS\1394BUS.SYS

Loaded driver pciide.sys

Loaded driver \WINDOWS\System32\DRIVERS\PCIIDEX.SYS

Loaded driver MountMgr.sys

Loaded driver ftdisk.sys

Loaded driver dmload.sys

Loaded driver dmio.sys

Loaded driver PartMgr.sys

Loaded driver hotcore3.sys

Loaded driver VolSnap.sys

Loaded driver atapi.sys

Loaded driver disk.sys

Loaded driver \WINDOWS\System32\DRIVERS\CLASSPNP.SYS

Loaded driver fltmgr.sys

Loaded driver sr.sys

Loaded driver PxHelp20.sys

Loaded driver KSecDD.sys

Loaded driver WudfPf.sys

Loaded driver Ntfs.sys

Loaded driver inspect.sys

Loaded driver \WINDOWS\System32\DRIVERS\NDIS.SYS

Loaded driver \WINDOWS\System32\DRIVERS\TDI.SYS

Loaded driver sbp2port.sys

Loaded driver Mup.sys

Loaded driver \SystemRoot\System32\DRIVERS\processr.sys

Loaded driver \SystemRoot\system32\DRIVERS\igxpmp32.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbuhci.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbehci.sys

Loaded driver \SystemRoot\system32\DRIVERS\HDAudBus.sys

Loaded driver \SystemRoot\system32\DRIVERS\yk51x86.sys

Loaded driver \SystemRoot\System32\DRIVERS\usbohci.sys

Loaded driver \SystemRoot\System32\DRIVERS\nic1394.sys

Loaded driver \SystemRoot\System32\DRIVERS\fdc.sys

Loaded driver \SystemRoot\System32\DRIVERS\parport.sys

Loaded driver \SystemRoot\system32\DRIVERS\ASACPI.sys

Loaded driver \SystemRoot\System32\DRIVERS\serial.sys

Loaded driver \SystemRoot\System32\DRIVERS\serenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\imapi.sys

Loaded driver \SystemRoot\System32\Drivers\AnyDVD.sys

Loaded driver \SystemRoot\System32\DRIVERS\cdrom.sys

Loaded driver \SystemRoot\System32\DRIVERS\redbook.sys

Loaded driver \SystemRoot\System32\Drivers\GEARAspiWDM.sys

Loaded driver \SystemRoot\system32\DRIVERS\wacomvhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\WacomVKHid.sys

Loaded driver \SystemRoot\System32\DRIVERS\audstub.sys

Loaded driver \SystemRoot\System32\DRIVERS\rasl2tp.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndistapi.sys

Loaded driver \SystemRoot\System32\DRIVERS\ndiswan.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspppoe.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspptp.sys

Loaded driver \SystemRoot\System32\DRIVERS\msgpc.sys

Loaded driver \SystemRoot\System32\DRIVERS\psched.sys

Loaded driver \SystemRoot\System32\DRIVERS\ptilink.sys

Loaded driver \SystemRoot\System32\DRIVERS\raspti.sys

Loaded driver \SystemRoot\system32\DRIVERS\vna.sys

Loaded driver \SystemRoot\System32\DRIVERS\rdpdr.sys

Loaded driver \SystemRoot\System32\DRIVERS\termdd.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouclass.sys

Loaded driver \SystemRoot\System32\DRIVERS\swenum.sys

Loaded driver \SystemRoot\System32\DRIVERS\update.sys

Loaded driver \SystemRoot\System32\DRIVERS\mssmbios.sys

Loaded driver \SystemRoot\System32\DRIVERS\mouhid.sys

Loaded driver \SystemRoot\system32\DRIVERS\wacommousefilter.sys

Loaded driver \SystemRoot\System32\DRIVERS\kbdhid.sys

Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS

Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbhub.sys

Loaded driver \SystemRoot\system32\drivers\RtkHDAud.sys

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys

Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS

Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS

Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS

Loaded driver \SystemRoot\System32\DRIVERS\cmdguard.sys

Did not load driver \SystemRoot\System32\Drivers\Changer.SYS

Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS

Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS

Loaded driver \SystemRoot\System32\Drivers\Null.SYS

Loaded driver \SystemRoot\System32\Drivers\Beep.SYS

Loaded driver \SystemRoot\System32\DRIVERS\i8042prt.sys

Loaded driver \SystemRoot\System32\DRIVERS\hidusb.sys

Loaded driver \SystemRoot\System32\drivers\vga.sys

Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS

Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys

Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS

Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rasacd.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipsec.sys

Loaded driver \SystemRoot\System32\DRIVERS\tcpip.sys

Loaded driver \SystemRoot\System32\DRIVERS\cmdhlp.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbt.sys

Loaded driver \SystemRoot\System32\drivers\afd.sys

Loaded driver \SystemRoot\System32\DRIVERS\netbios.sys

Did not load driver \SystemRoot\System32\DRIVERS\intelppm.sys

Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS

Loaded driver \SystemRoot\system32\DRIVERS\ssmdrv.sys

Loaded driver \SystemRoot\System32\Drivers\SCDEmu.SYS

Loaded driver \SystemRoot\System32\DRIVERS\rdbss.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\DRIVERS\wanarp.sys

Loaded driver \SystemRoot\System32\DRIVERS\arp1394.sys

Loaded driver \SystemRoot\System32\Drivers\Fips.SYS

Loaded driver \SystemRoot\system32\DRIVERS\avipbb.sys

Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgio.sys

Loaded driver \SystemRoot\system32\drivers\AsIO.sys

Loaded driver \SystemRoot\system32\DRIVERS\rt73.sys

Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS

Loaded driver \SystemRoot\System32\DRIVERS\usbccgp.sys

Loaded driver \SystemRoot\system32\DRIVERS\wacmoumonitor.sys

Loaded driver \SystemRoot\system32\drivers\usbaudio.sys

Did not load driver \SystemRoot\System32\Drivers\ALIEHCI.sys

Loaded driver \SystemRoot\system32\DRIVERS\AegisP.sys

Did not load driver \SystemRoot\System32\DRIVERS\rdbss.sys

Did not load driver \SystemRoot\System32\DRIVERS\mrxsmb.sys

Loaded driver \SystemRoot\System32\DRIVERS\mrxdav.sys

Loaded driver \SystemRoot\system32\drivers\wdmaud.sys

Loaded driver \SystemRoot\system32\drivers\sysaudio.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\system32\drivers\aec.sys

Loaded driver \SystemRoot\system32\drivers\swmidi.sys

Loaded driver \SystemRoot\system32\drivers\DMusic.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\drmkaud.sys

Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS

Loaded driver \SystemRoot\System32\Drivers\Aspi32.SYS

Loaded driver \??\C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgntflt.sys

Loaded driver \SystemRoot\System32\Drivers\ElbyCDIO.sys

Loaded driver \SystemRoot\System32\DRIVERS\srv.sys

Did not load driver \SystemRoot\System32\DRIVERS\ipnat.sys

Loaded driver \SystemRoot\System32\Drivers\HTTP.sys

Loaded driver \SystemRoot\system32\drivers\kmixer.sys

Loaded driver \SystemRoot\system32\drivers\splitter.sys

Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS


There sure are a lot of these logs!

ROOTREPEAL © AD, 2007-2008

==================================================

Scan Time: 2009/03/03 22:06

Program Version: Version 1.2.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xA7A71000 Size: 98304 File Visible: No

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA62C000 Size: 8192 File Visible: No

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA601D000 Size: 45056 File Visible: No

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\Prefetch\AVWSC.EXE-347FCF75.pf

Status: Size mismatch (API: 32122, Raw: 32082)

Path: C:\Documents and Settings\All Users\Start Menu\Programs\LTI

Status: Locked to the Windows API!

Path: C:\Documents and Settings\John\Local Settings\temp\etilqs_seDKW2cswpPxffc4A2Iz

Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl

Status: Allocation size mismatch (API: 16384, Raw: 4096)

Path: C:\Documents and Settings\John\My Documents\My Pictures\Lightroom bak\Lightroom\Lightroom Previews.lrdata\A\A493\A4938F1C-CF2A-408E-9436-3DCB7386CD3C-.lr-preview.noindex

Status: Locked to the Windows API!

SSDT

-------------------

#: 011 Function Name: NtAdjustPrivilegesToken

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1906

#: 031 Function Name: NtConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc0e66

#: 037 Function Name: NtCreateFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc14c2

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc20d0

#: 046 Function Name: NtCreatePort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc0bc0

#: 050 Function Name: NtCreateSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc2dc0

#: 052 Function Name: NtCreateSymbolicLinkObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1aec

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xba687bf4

#: 063 Function Name: NtDeleteKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1d3a

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1eea

#: 068 Function Name: NtDuplicateObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc04f8

#: 097 Function Name: NtLoadDriver

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc2a42

#: 105 Function Name: NtMakeTemporaryObject

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc10ac

#: 116 Function Name: NtOpenFile

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc16fa

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xba687be0

#: 125 Function Name: NtOpenSection

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc133c

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xba687be5

#: 192 Function Name: NtRenameKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc2496

#: 200 Function Name: NtRequestWaitReplyPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc0cde

#: 210 Function Name: NtSecureConnectPort

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc27fa

#: 240 Function Name: NtSetSystemInformation

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc2bf0

#: 247 Function Name: NtSetValueKey

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc2296

#: 249 Function Name: NtShutdownSystem

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1046

#: 255 Function Name: NtSystemDebugControl

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc1230

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xba687bef

#: 258 Function Name: NtTerminateThread

Status: Hooked by "C:\WINDOWS\System32\DRIVERS\cmdguard.sys" at address 0xa7cc0958

#: 277 Function Name: NtWriteVirtualMemory

Status: Hooked by "<unknown>" at address 0xba687bea

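An added example, not from the original post, RootRepeal or COMODO: a Python script that parses the Drivers and SSDT sections of a RootRepeal log as printed above, groups hooked syscalls by the module RootRepeal attributes them to, and tries to place each hook reported as "<unknown>" inside a loaded driver's address range. Hooks owned by cmdguard.sys are what a firewall/HIPS driver is expected to install (the RegLooks services section further down lists it as the COMODO Firewall Pro Sandbox Driver). The five "<unknown>" hooks on NtCreateThread, NtOpenProcess, NtOpenThread, NtTerminateProcess and NtWriteVirtualMemory all land within 21 bytes of each other at 0xba687bxx, which looks like a single driver's stub table and is the thing to resolve next. The sample text is a constructed excerpt using values from the posted log; because the Drivers section in the post lists only three drivers, the unknown hooks resolve to nothing here, exactly as they would for the page's own data.

```python
"""Resolve SSDT hooks in a RootRepeal report against its driver list.

Added example (not part of the original post, RootRepeal or COMODO).
Parses the 'Drivers' and 'SSDT' sections as RootRepeal 1.2.3.0 prints
them, groups hooked syscalls by hooking module and tries to map hooks
reported as "<unknown>" onto a loaded driver's [base, base+size) range.
"""
import re
from collections import defaultdict

# Constructed excerpt (values copied from the posted log); the Drivers
# section is as short as in the post, so the unknown hooks stay unresolved.
SAMPLE_LOG = """\
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_atapi.sys
Address: 0xA7A71000 Size: 98304 File Visible: No
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\\WINDOWS\\System32\\Drivers\\dump_WMILIB.SYS
Address: 0xBA62C000 Size: 8192 File Visible: No
Status: -

Name: rootrepeal.sys
Image Path: C:\\WINDOWS\\system32\\drivers\\rootrepeal.sys
Address: 0xA601D000 Size: 45056 File Visible: No
Status: -

SSDT
-------------------
#: 011 Function Name: NtAdjustPrivilegesToken
Status: Hooked by "C:\\WINDOWS\\System32\\DRIVERS\\cmdguard.sys" at address 0xa7cc1906

#: 053 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0xba687bf4

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0xba687be0
"""

# \s+ between fields tolerates the blank lines forum software inserts.
DRIVER_RE = re.compile(
    r"Name: (?P<name>\S+)\s+Image Path: (?P<path>.+?)\s+"
    r"Address: (?P<addr>0x[0-9A-Fa-f]+) Size: (?P<size>\d+)"
)
HOOK_RE = re.compile(
    r"#: (?P<idx>\d+) Function Name: (?P<fn>\w+)\s+"
    r'Status: Hooked by "(?P<mod>[^"]+)" at address (?P<addr>0x[0-9A-Fa-f]+)'
)


def parse_drivers(text):
    """Return [(name, base, end)] for every driver entry, end exclusive."""
    out = []
    for m in DRIVER_RE.finditer(text):
        base = int(m["addr"], 16)
        out.append((m["name"], base, base + int(m["size"])))
    return out


def parse_hooks(text):
    """Return [(syscall_index, function, module, address)] per hooked slot."""
    return [(int(m["idx"]), m["fn"], m["mod"], int(m["addr"], 16))
            for m in HOOK_RE.finditer(text)]


def resolve(addr, drivers):
    """Name the driver whose [base, end) range contains addr, else None."""
    for name, base, end in drivers:
        if base <= addr < end:
            return name
    return None


def triage(text):
    """Group hooked functions by owning module.

    '<unknown>' hooks are re-labelled '<unknown> -> <driver>' when the
    address falls inside a listed driver, else '<unknown> (unresolved)'.
    """
    drivers = parse_drivers(text)
    groups = defaultdict(list)
    for _idx, fn, mod, addr in parse_hooks(text):
        if mod == "<unknown>":
            owner = resolve(addr, drivers)
            mod = f"<unknown> -> {owner}" if owner else "<unknown> (unresolved)"
        groups[mod].append(fn)
    return dict(groups)


if __name__ == "__main__":
    for mod, fns in triage(SAMPLE_LOG).items():
        print(f"{mod}: {', '.join(fns)}")
```

Run it against the complete RootRepeal report rather than this excerpt: the full Drivers section carries every loaded image with its base and size, so an "<unknown>" hook either resolves to a named driver (compare that name with the signed products you know are installed) or stays unresolved, which means the owning code is not in any image RootRepeal could see and deserves a memory dump.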

reglooks:

REGLOOKS logfile

version 0.977

03/03/2009 23:10:14.92

running from: "C:\Program Files\Mozilla Firefox"

--- SSODL regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad

only standard or legit regkeys found

--- STS regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler

only standard or legit regkeys found

--- USERINIT regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

--- SHELL regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"Shell"="Explorer.exe"

--- SYSTEM regkey ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

"System"=""

--- APPINIT_DLLS regkey ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows

"AppInit_DLLs"="C:\\WINDOWS\\system32\\guard32.dll"

--- NOTIFY regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

"dimsntfy" "DllName"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,\

"igfxcui" "DLLName"="igfxdev.dll"

--- BOOTEXECUTE regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager

BootExecute= autocheck autochk *\0\0

--- SHELLEXECUTEHOOKS regkey ---

HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks

"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"=""

--- HKLM\Run regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"

"SkyTel"="SkyTel.EXE"

"Ai Gear Help"="\"C:\\Program Files\\ASUS\\AI Gear2\\GearHelp.exe\""

"Ai Nap"="\"C:\\Program Files\\ASUS\\Ai Nap\\AiNap.exe\""

"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

"Name of App"="C:\\Program Files\\SAMSUNG\\FW LiveUpdate\\FWManager.exe r"

"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Adobe Photoshop Lightroom 1.4\\apdproxy.exe\""

"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"

"googletalk"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe /autostart"

"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre6\\bin\\jusched.exe\""

"tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"

"snp2std"="C:\\WINDOWS\\vsnp2std.exe"

"Taskix"="C:\\Program Files\\Taskix\\Taskix32.exe start"

"Carbonite Backup"="C:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteUI.exe"

"ElbyCheckAnyDVD"="\"C:\\Program Files\\SlySoft\\AnyDVD\\ElbyCheck.exe\" /L AnyDVD"

"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"

"DNS7reminder"="\"C:\\Program Files\\Nuance\\NaturallySpeaking9\\Ereg\\Ereg.exe\" -r \"C:\\Documents and Settings\\All Users\\Application Data\\Nuance\\NaturallySpeaking9\\Ereg.ini"

"COMODO Firewall Pro"="\"C:\\Program Files\\COMODO\\Firewall\\cfp.exe\" -h"

"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"

"AppleSyncNotifier"="C:\\Program Files\\Common Files\\Apple\\Mobile Device Support\\bin\\AppleSyncNotifier.exe"

"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"

"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""

"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"

"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"

"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"

"RTHDCPL"="RTHDCPL.EXE"

[Run\OptionalComponents]

@=""

[Run\OptionalComponents\IMAIL]

"Installed"="1"

@=""

[Run\OptionalComponents\MAPI]

"NoChange"="1"

"Installed"="1"

@=""

[Run\OptionalComponents\MSFS]

"Installed"="1"

@=""

--- HKLM\RunOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

no HKLM RunOnce keys found

--- HKLM\RunOnceEx regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

no HKLM RunOnceEx keys found

--- HKLM\RunServices regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

no HKLM RunServices keys found

--- HKLM\RunServicesOnce regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

no HKLM RunServicesOnce keys found

--- HKCU\Run regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

"uTorrent"="\"C:\\Program Files\\uTorrent\\uTorrent.exe\""

"C:\\Program Files\\NetMeter\\NetMeter.exe"="C:\\Program Files\\NetMeter\\NetMeter.exe"

"Google Update"="\"C:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"

[Run\AdobeUpdater]

@=""

--- HKCU\RunOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

no HKCU RunOnce keys found

--- HKCU\RunOnceEx regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

regkey does not exist

--- HKCU\RunServices regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

no HKCU RunServices keys found

--- HKCU\RunServicesOnce regkeys ---

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

no HKCU RunServicesOnce keys found

--- HKU\.DEFAULT\Run regkeys - Default user ---

HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

no HKU\.DEFAULT\Run keys found

--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

no HKU\S-1-5-18\Run keys found

--- HKU\S-1-5-19\Run regkeys - User Local Service ---

HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

regkey does not exist

--- HKU\S-1-5-20\Run regkeys - User Network Service ---

HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

regkey does not exist

--- HKLM\Explorer\Run regkeys ---

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

regkey does not exist

--- HKCU\Explorer\Run regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

no HKCU Explorer\Run keys found

--- Image File Execution regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

no debuggers found

--- BROWSER HELPER OBJECTS regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

"{000123B4-9B42-4900-B3F7-F4B073EFC214}" FILE ="C:\\Program Files\\Orbitdownloader\\orbitcth.dll"

"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}" FILE ="C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll"

"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}" FILE ="C:\\Program Files\\Java\\jre6\\bin\\ssv.dll"

"{CC7E636D-39AA-49b6-B511-65413DA137A1}" FILE ="C:\\Program Files\\Microsoft\\Internet Explorer Developer Toolbar\\IEDevToolbar.dll"

"{DBC80044-A445-435b-BC74-9C25C1C588A9}" FILE ="C:\\Program Files\\Java\\jre6\\bin\\jp2ssv.dll"

"{E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53}" FILE ="C:\\Program Files\\Google\\Google Gears\\Internet Explorer\\0.5.4.2\\gears.dll"

"{E7E6F031-17CE-4C07-BC86-EABFE594F69C}" FILE ="C:\\Program Files\\Java\\jre6\\lib\\deploy\\jqs\\ie\\jqs_plugin.dll"

--- TOOLBAR regkeys ---

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar

"{C55BBCD6-41AD-48AD-9953-3609C48EACC7}" FILE ="C:\\Program Files\\Orbitdownloader\\GrabPro.dll"

--- URLSEARCHHOOKS regkeys ---

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks

only standard regkeys found

--- CONTEXTMENUHANDLERS regkeys ---

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

"Arcsoft" CLSID ={807F863A-CD58-46BB-BC25-598D5A34C195} FILE ="C:\\PROGRA~1\\ArcSoft\\RAWTHU~1\\IRawExtract.dll"

"Carbonite" CLSID ={FE8BD682-9A64-4740-A92B-EE7E5F7FA0A5} FILE ="C:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteNSE.dll"

"Cover Designer" CLSID ={73FCA462-9BD5-4065-A73F-A8E5F6904EF7} FILE ="C:\\Program Files\\Nero\\Nero 7\\Nero CoverDesigner\\CoverEdExtension.dll"

"DropboxExt" CLSID ={FB314ED9-A251-47B7-93E1-CDD82E34AF8B} FILE ="C:\\Program Files\\Dropbox\\DropboxExt.dll"

"MagicISO" CLSID ={DB85C504-C730-49DD-BEC1-7B39C6103B7A} FILE ="C:\\Program Files\\MagicISO\\misosh.dll"

"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll

"Open With" CLSID ={09799AFB-AD67-11d1-ABCD-00C04FC30936} FILE =%SystemRoot%\system32\SHELL32.dll

"Open With EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll

"PowerISO" CLSID ={967B2D40-8B7D-4127-9049-61EA0C2C6DCE} FILE NOT FOUND

"Shell Extension for Malware scanning" CLSID ={45AC2688-0253-4ED8-97DE-B5370FA7D48A} FILE ="C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\shlext.dll"

"SmartFTP" CLSID ={F87DED31-303F-4ED1-9BCE-D360FBC74E0A} FILE ="C:\\Program Files\\SmartFTP Client\\sfShellTools.dll"

"SrExt" CLSID ={a90d5ea2-a1d7-11cf-8dc1-00805fc2353f} FILE ="C:\\PROGRA~1\\Funduc\\SEARCH~1\\srext.dll"

"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"

"{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}" Start Menu Pin FILE =%SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers

"Carbonite" CLSID ={FE8BD682-9A64-4740-A92B-EE7E5F7FA0A5} FILE ="C:\\Program Files\\Carbonite\\Carbonite Backup\\CarboniteNSE.dll"

"DropboxExt" CLSID ={FB314ED9-A251-47B7-93E1-CDD82E34AF8B} FILE ="C:\\Program Files\\Dropbox\\DropboxExt.dll"

"EncryptionMenu" CLSID ={A470F8CF-A1E8-4f65-8335-227475AA5C46} FILE =%SystemRoot%\system32\SHELL32.dll

"MagicISO" CLSID ={DB85C504-C730-49DD-BEC1-7B39C6103B7A} FILE ="C:\\Program Files\\MagicISO\\misosh.dll"

"Offline Files" CLSID ={750fdf0e-2a26-11d1-a3ea-080036587f03} FILE =%SystemRoot%\System32\cscui.dll

"PowerISO" CLSID ={967B2D40-8B7D-4127-9049-61EA0C2C6DCE} FILE NOT FOUND

"Sharing" CLSID ={f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} FILE ="ntshrui.dll"

"SmartFTP" CLSID ={F87DED31-303F-4ED1-9BCE-D360FBC74E0A} FILE ="C:\\Program Files\\SmartFTP Client\\sfShellTools.dll"

"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"

HKEY_CLASSES_ROOT\Folder\shellex\ContextMenuHandlers

"MagicISO" CLSID ={DB85C504-C730-49DD-BEC1-7B39C6103B7A} FILE ="C:\\Program Files\\MagicISO\\misosh.dll"

"MBAMShlExt" CLSID ={57CE581A-0CB6-4266-9CA0-19364C90A0B3} FILE ="C:\\Program Files\\Malwarebytes' Anti-Malware\\mbamext.dll"

"PowerISO" CLSID ={967B2D40-8B7D-4127-9049-61EA0C2C6DCE} FILE NOT FOUND

"Shell Extension for Malware scanning" CLSID ={45AC2688-0253-4ED8-97DE-B5370FA7D48A} FILE ="C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\shlext.dll"

"SrExt" CLSID ={a90d5ea2-a1d7-11cf-8dc1-00805fc2353f} FILE ="C:\\PROGRA~1\\Funduc\\SEARCH~1\\srext.dll"

"WinRAR" CLSID ={B41DB860-8EE4-11D2-9906-E49FADC173CA} FILE ="C:\\Program Files\\WinRAR\\rarext.dll"

--- ALTERNATESHELL regkey ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

"AlternateShell"="cmd.exe"

--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

no unknown services found

--- SAFEBOOT NETWORK SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

no unknown services found

--- SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ALIEHCD

"DisplayName"="ALi PCI to USB Enhanced Host Controller"

System32\Drivers\ALIEHCI.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aliroothub

"DisplayName"="USB 2.0 Root Hub"

system32\DRIVERS\AliRtHub.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AnyDVD

"DisplayName"="AnyDVD"

System32\Drivers\AnyDVD.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AsIO

"DisplayName"="AsIO"

system32\drivers\AsIO.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CarboniteService

"DisplayName"="CarboniteService"

"C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdGuard

"DisplayName"="COMODO Firewall Pro Sandbox Driver"

System32\DRIVERS\cmdguard.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdHlp

"DisplayName"="COMODO Firewall Pro Helper Driver"

System32\DRIVERS\cmdhlp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpextender

"DisplayName"="Check Point SSL Network Extender"

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FW1

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ggflt

"DisplayName"="SEMC USB Flash Driver Filter"

system32\DRIVERS\ggflt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ggsemc

"DisplayName"="SEMC USB Flash Driver"

system32\DRIVERS\ggsemc.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate1c90d32140ed6d4

"DisplayName"="Google Update Service (gupdate1c90d32140ed6d4)"

"C:\Program Files\Google\Update\GoogleUpdate.exe" /svc

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HidBth

"DisplayName"="Microsoft Bluetooth HID Miniport"

system32\DRIVERS\hidbth.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hotcore3

"DisplayName"="hotcore3"

system32\drivers\hotcore3.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inspect

"DisplayName"="COMODO Firewall Pro Firewall Driver"

System32\DRIVERS\inspect.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService

"DisplayName"="Java Quick Starter"

"C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\KService

"DisplayName"="KService"

"C:\Program Files\Kontiki\KService.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\n558

"DisplayName"="N558 Bluetooth USB Filter Driver"

System32\Drivers\n558.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PCANDIS5

"DisplayName"="PCANDIS5 Protocol Driver"

\??\C:\WINDOWS\system32\PCANDIS5.SYS

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017bus

"DisplayName"="Sony Ericsson Device 3017 driver (WDM)"

system32\DRIVERS\s3017bus.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017mdfl

"DisplayName"="Sony Ericsson Device 3017 USB WMC Modem Filter"

system32\DRIVERS\s3017mdfl.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017mdm

"DisplayName"="Sony Ericsson Device 3017 USB WMC Modem Driver"

system32\DRIVERS\s3017mdm.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017mgmt

"DisplayName"="Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM)"

system32\DRIVERS\s3017mgmt.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017nd5

"DisplayName"="Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS)"

system32\DRIVERS\s3017nd5.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017obex

"DisplayName"="Sony Ericsson Device 3017 USB WMC OBEX Interface"

system32\DRIVERS\s3017obex.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\s3017unic

"DisplayName"="Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM)"

system32\DRIVERS\s3017unic.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sbp2port

"DisplayName"="SBP-2 Transport/Protocol Bus Driver"

System32\DRIVERS\sbp2port.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SCDEmu

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNP2STD

"DisplayName"="USB2.0 PC Camera (SNP2STD)"

system32\DRIVERS\snp2sxp.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TabletServicePen

"DisplayName"="TabletServicePen"

C:\WINDOWS\system32\Pen_Tablet.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VNA

"DisplayName"="Check Point Virtual Network Adapter"

system32\DRIVERS\vna.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wacmoumonitor

"DisplayName"="Wacom Mode Helper"

system32\DRIVERS\wacmoumonitor.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wacommousefilter

"DisplayName"="Wacom Mouse Filter Driver"

system32\DRIVERS\wacommousefilter.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wacomvhid

"DisplayName"="Wacom Virtual Hid Driver"

system32\DRIVERS\wacomvhid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WacomVKHid

"DisplayName"="Virtual Keyboard Driver"

system32\DRIVERS\WacomVKHid.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wampapache

"DisplayName"="wampapache"

"c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wampmysqld

"DisplayName"="wampmysqld"

c:\wamp\bin\mysql\mysql5.0.51b\bin\mysqld-nt.exe wampmysqld

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wg111nd5

"DisplayName"="NETGEAR WG111 802.11g Wireless USB Adapter Driver"

system32\DRIVERS\wg111nd5.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\yukonwxp

"DisplayName"="NDIS5.1 Miniport Driver for Marvell Yukon Ethernet Controller"

system32\DRIVERS\yk51x86.sys

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{08E26198-2F9B-4B64-94F9-4EA2BF194296}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{1142CA0E-CA34-4E72-A900-C58CB372DA8D}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{389868CA-19BA-48A9-BCCD-B8D9B3C741BC}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{6067153D-7E3B-4596-9794-85D4AC03DA10}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{8BF3C18E-C47B-4735-9605-6486D0A77FF6}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{901450E5-58DB-44AA-B631-0C8C46858DA4}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{905CB780-7047-4FED-AA3D-4F7AEE1E4B70}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{92AF1341-FD59-4F6D-BB01-26B4A39CBDFB}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{ACA35025-7C7F-45D2-B9A7-EBF01DF55011}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{ADB0D6F7-942B-4D44-8DC1-69901235F22D}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{CEADCF18-60AF-4567-8C4E-757B58C3A84C}

no imagepath value found

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{FE47F6DB-21C0-470F-968C-A3527ACDE771}

no imagepath value found

--- SECURITYPROVIDERS regkey ---

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders

"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

--- SVCHOST regkey ---

HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost

LocalService: Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0

NetworkService: DnsCache\0\0

netsvcs: 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0TermService\0wuauserv\0BITS\0ShellHWDetection\0WmdmPmSN\0helpsvc\0xmlprov\0wscsvc\0napagent\0hkmsvc\0\0

rpcss: RpcSs\0\0

imgsvc: StiSvc\0\0

termsvcs: TermService\0\0

HTTPFilter: HTTPFilter\0\0

DcomLaunch: DcomLaunch\0TermService\0\0

bthsvcs: BthServ\0\0

eapsvcs: eaphost\0\0

dot3svc: dot3svc\0\0

WudfServiceGroup: WUDFSvc\0\0

--- WOW-CMDLINE regkeys ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW

"cmdline" = %SystemRoot%\system32\ntvdm.exe

"wowcmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

--- DNS SERVER regkeys ---

no "NameServer" values found

--- STARTUP FOLDERS ---

C:\Documents and Settings\John\Start Menu\Programs\Startup\desktop.ini

C:\Documents and Settings\John\Start Menu\Programs\Startup\Dropbox.lnk

C:\Documents and Settings\John\Start Menu\Programs\Startup\Password Safe.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hueyPROTray.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sitecom Wireless Utility.lnk

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk

--- TASK SCHEDULER JOBS ---

C:\WINDOWS\tasks\AppleSoftwareUpdate.job

C:\WINDOWS\tasks\GoogleUpdateTaskMachine.job

C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1364589140-839522115-1003.job

--- File associations ---

.BAT files: ("%1" %*)

.COM files: ("%1" %*)

.EXE files: ("%1" %*)

.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)

.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)

.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)

.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

.PIF files: ("%1" %*)

.REG files: (regedit.exe "%1")

.SCR files: ("%1" /S)

.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)

.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)

FINISHED

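An added example, not part of the original post or of RegLooks: a Python triage pass over the HKLM\Run and HKCU\Run sections in the format RegLooks prints above. It unescapes each value, extracts the image it launches and sorts entries into the buckets a reviewer checks first: images given by bare file name (found through the loader's search order at logon, so a same-named file earlier on the path would win), images sitting directly in C:\WINDOWS rather than in system32 or Program Files, and images under a user profile, which anything running as that user can overwrite. These are triage hints, not verdicts; the posted log's tsnp2std.exe and vsnp2std.exe in C:\WINDOWS match the names of the SNP2STD camera service listed in the same log. The sample is a constructed excerpt built from values in the posted log.

```python
"""Triage Run-key autostart entries from a RegLooks log.

Added example, not part of the original post or of RegLooks.  Parses the
"--- HKLM\\Run regkeys ---" and "--- HKCU\\Run regkeys ---" sections in the
format RegLooks prints them, recovers the image each value launches and
buckets it by where that image lives.  Verdicts are triage hints only.
"""
import re
import ntpath  # Windows path rules regardless of the host OS

# Constructed excerpt built from values in the posted log.
SAMPLE_LOG = r"""
--- HKLM\Run regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"SkyTel"="SkyTel.EXE"
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"
"tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"
"ISUSPM Startup"="c:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\isuspm.exe -startup"
"RTHDCPL"="RTHDCPL.EXE"
[Run\OptionalComponents\IMAIL]
"Installed"="1"
--- HKLM\RunOnce regkeys ---
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
no HKLM RunOnce keys found
--- HKCU\Run regkeys ---
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Google Update"="\"C:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Update\\GoogleUpdate.exe\" /c"
"""

SECTION_RE = re.compile(r"^--- (?P<hive>HK\w+)\\Run regkeys ---$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def unescape(data):
    # Undo .reg-style escaping: a backslash quotes the character after it.
    return re.sub(r"\\(.)", r"\1", data)


def image_of(cmd):
    """Return the executable a Run value launches: a quoted path, else the
    text up to the first .exe/.cpl/.dll token, else the first word."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r"(.+?\.(?:exe|cpl|dll))(?=\s|,|$)", cmd, re.I)
    if m:
        return m.group(1)
    return cmd.split()[0]


def classify(image):
    """Bucket an image path by where it lives."""
    d = ntpath.normcase(ntpath.dirname(image))
    if d == "":
        return "bare-name"      # resolved via the search order at logon
    if d == r"c:\windows":
        return "windows-root"   # directly in the Windows directory
    if "\\documents and settings\\" in d:
        return "user-profile"   # writable by that user's own processes
    return "qualified"


def triage(text):
    """Return [(hive, value_name, image, verdict)] for every Run value."""
    hive, findings = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            hive = m["hive"]
            continue
        if line.startswith("--- ") or line.startswith("["):
            hive = None  # another section, or a subkey listing under Run
            continue
        v = VALUE_RE.match(line)
        if hive and v:
            image = image_of(unescape(v["data"]))
            findings.append((hive, v["name"], image, classify(image)))
    return findings


if __name__ == "__main__":
    for hive, name, image, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:13} {hive}\\Run  {name!r:20} -> {image}")
```

Whatever lands in the bare-name, windows-root or user-profile buckets is what to hash and look up first; a qualified path under Program Files still deserves a check that the file actually exists and is signed, but it is a weaker lead than a name the loader has to go searching for.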

I have been through every step now. The MSI service still refuses to start (started and then stopped).

Event Type: Warning

Event Source: MsiInstaller

Event Category: None

Event ID: 1015

Date: 04/03/2009

Time: 04:24:29

User: JOHN-PC\John

Computer: JOHN-PC

Description:

The description for Event ID ( 1015 ) in Source ( MsiInstaller ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: 0x80080005, (NULL), (NULL), (NULL), (NULL), , .


Thanks for the reply, I'll work through those steps later. Here's the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 08:09:14, on 05/03/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe

C:\Program Files\COMODO\Firewall\cmdagent.exe

C:\Program Files\CheckPoint\SSL Network Extender\slimsvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Kontiki\KService.exe

C:\Program Files\Google\Update\GoogleUpdate.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\SearchIndexer.exe

C:\WINDOWS\system32\WTablet\Pen_TabletUser.exe

C:\WINDOWS\system32\Pen_Tablet.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\ASUS\AI Gear2\GearHelp.exe

C:\Program Files\ASUS\Ai Nap\AiNap.exe

C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe

C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\Google\Google Talk\googletalk.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\WINDOWS\tsnp2std.exe

C:\WINDOWS\vsnp2std.exe

C:\Program Files\Taskix\Taskix32.exe

C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\NetMeter\NetMeter.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe

C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE

C:\Program Files\Windows Desktop Search\WindowsSearch.exe

C:\Program Files\Dropbox\dropbox.exe

C:\Program Files\Password Safe\pwsafe.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe

C:\WINDOWS\System32\dllhost.exe

C:\Program Files\iTunes\iTunes.exe

C:\Program Files\Last.fm\LastFM.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\John\Local Settings\Application Data\Google\Google Talk Plugin\googletalkplugin.exe

C:\WINDOWS\system32\SearchProtocolHost.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: IE Developer Toolbar BHO - {CC7E636D-39AA-49b6-B511-65413DA137A1} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Ai Gear Help] "C:\Program Files\ASUS\AI Gear2\GearHelp.exe"

O4 - HKLM\..\Run: [Ai Nap] "C:\Program Files\ASUS\Ai Nap\AiNap.exe"

O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min

O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\FWManager.exe r

O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe"

O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe

O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe

O4 - HKLM\..\Run: [Taskix] C:\Program Files\Taskix\Taskix32.exe start

O4 - HKLM\..\Run: [Carbonite Backup] C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe

O4 - HKLM\..\Run: [ElbyCheckAnyDVD] "C:\Program Files\SlySoft\AnyDVD\ElbyCheck.exe" /L AnyDVD

O4 - HKLM\..\Run: [iSUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

O4 - HKLM\..\Run: [DNS7reminder] "C:\Program Files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\Nuance\NaturallySpeaking9\Ereg.ini

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h

O4 - HKLM\..\Run: [iSUSPM Startup] c:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup

O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"

O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - Startup: Dropbox.lnk = C:\Program Files\Dropbox\dropbox.exe

O4 - Startup: Password Safe.lnk = C:\Program Files\Password Safe\pwsafe.exe

O4 - Global Startup: hueyPROTray.lnk = C:\Program Files\Pantone\hueyPRO\hueyPROTray.exe

O4 - Global Startup: Sitecom Wireless Utility.lnk = C:\Program Files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE

O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201

O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203

O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with KUSO EXIF Viewer - C:\Program Files\KUSO EXIF Viewer\EXIF.htm

O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll

O9 - Extra button: IE Developer Toolbar - {48FFE35F-36D9-44bd-A6CC-1D34414EAC0D} - C:\Program Files\Microsoft\Internet Explorer Developer Toolbar\IEDevToolbar.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1222601183843

O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - https://vpn1.hw.ac.uk/sre/ICSScanner.cab

O16 - DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} (SlimClient Class) - https://vpn1.hw.ac.uk/SNX/CSHELL/extender.cab

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

O23 - Service: Avira AntiVir Personal


ComboFix 09-03-02.03 - John 2009-03-05 8:46:04.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3318.2571 [GMT 0:00]

Running from: c:\documents and settings\John\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\John\Desktop\CFScript.txt

AV: Avira AntiVir PersonalEdition *On-access scanning disabled* (Updated)

FW: COMODO Firewall *disabled*

* Created a new restore point

FILE ::

c:\documents and settings\John\Application Data\SAS7_000.DAT

c:\program files\NetMeter\NetMeter.exe

c:\windows\002741_.tmp

c:\windows\002749_.tmp

c:\windows\002765_.tmp

c:\windows\002781_.tmp

c:\windows\006317_.tmp

c:\windows\imsins.BAK

c:\windows\SET494.tmp

c:\windows\SETD2.tmp

c:\windows\SETE7.tmp

c:\windows\system32\SET10B5.tmp

c:\windows\system32\SET10B6.tmp

c:\windows\system32\SET10B9.tmp

c:\windows\system32\SET10C1.tmp

c:\windows\system32\SET1194.tmp

c:\windows\system32\SET1236.tmp

c:\windows\system32\SET1237.tmp

c:\windows\system32\SET123A.tmp

c:\windows\system32\SET1242.tmp

c:\windows\system32\SET1334.tmp

c:\windows\system32\SET1335.tmp

c:\windows\system32\SET1338.tmp

c:\windows\system32\SET1340.tmp

c:\windows\system32\SET142F.tmp

c:\windows\system32\SET1430.tmp

c:\windows\system32\SET1433.tmp

c:\windows\system32\SET143B.tmp

c:\windows\system32\SET179.tmp

c:\windows\system32\SET187.tmp

c:\windows\system32\SET18E.tmp

c:\windows\system32\SET18F.tmp

c:\windows\system32\SET194.tmp

c:\windows\system32\SET1CA.tmp

c:\windows\system32\SET1CB.tmp

c:\windows\system32\SET1D9.tmp

c:\windows\system32\SET20C.tmp

c:\windows\system32\SET2F2.tmp

c:\windows\system32\SET38E.tmp

c:\windows\system32\SET45C.tmp

c:\windows\system32\SET45F.tmp

c:\windows\system32\SET461.tmp

c:\windows\system32\SET464.tmp

c:\windows\system32\SET467.tmp

c:\windows\system32\SET469.tmp

c:\windows\system32\SETFB2.tmp

c:\windows\system32\SETFB3.tmp

c:\windows\system32\SETFB6.tmp

c:\windows\system32\SETFBE.tmp

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\documents and settings\John\Application Data\SAS7_000.DAT

c:\documents and settings\John\Local Settings\Temporary Internet Files\SLC_John.prx

c:\program files\NetMeter\NetMeter.exe

c:\windows\002741_.tmp

c:\windows\002749_.tmp

c:\windows\002765_.tmp

c:\windows\002781_.tmp

c:\windows\006317_.tmp

c:\windows\imsins.BAK

c:\windows\SET494.tmp

c:\windows\SETD2.tmp

c:\windows\SETE7.tmp

c:\windows\system32\SET10B5.tmp

c:\windows\system32\SET10B6.tmp

c:\windows\system32\SET10B9.tmp

c:\windows\system32\SET10C1.tmp

c:\windows\system32\SET1194.tmp

c:\windows\system32\SET1236.tmp

c:\windows\system32\SET1237.tmp

c:\windows\system32\SET123A.tmp

c:\windows\system32\SET1242.tmp

c:\windows\system32\SET1334.tmp

c:\windows\system32\SET1335.tmp

c:\windows\system32\SET1338.tmp

c:\windows\system32\SET1340.tmp

c:\windows\system32\SET142F.tmp

c:\windows\system32\SET1430.tmp

c:\windows\system32\SET1433.tmp

c:\windows\system32\SET143B.tmp

c:\windows\system32\SET179.tmp

c:\windows\system32\SET187.tmp

c:\windows\system32\SET18E.tmp

c:\windows\system32\SET18F.tmp

c:\windows\system32\SET194.tmp

c:\windows\system32\SET1CA.tmp

c:\windows\system32\SET1CB.tmp

c:\windows\system32\SET1D9.tmp

c:\windows\system32\SET20C.tmp

c:\windows\system32\SET2F2.tmp

c:\windows\system32\SET38E.tmp

c:\windows\system32\SET45C.tmp

c:\windows\system32\SET45F.tmp

c:\windows\system32\SET461.tmp

c:\windows\system32\SET464.tmp

c:\windows\system32\SET467.tmp

c:\windows\system32\SET469.tmp

c:\windows\system32\SETFB2.tmp

c:\windows\system32\SETFB3.tmp

c:\windows\system32\SETFB6.tmp

c:\windows\system32\SETFBE.tmp

.

((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))

.

2009-03-05 08:09 . 2009-03-05 08:09 <DIR> d-------- c:\program files\Trend Micro

2009-03-03 21:23 . 2009-03-03 22:10 <DIR> d-------- c:\program files\Canta

2009-03-03 19:44 . 2009-03-03 20:36 250 --a------ c:\windows\gmer.ini

2009-03-03 17:47 . 2009-03-03 17:47 <DIR> d-------- c:\documents and settings\John\Application Data\Windows Search

2009-03-01 11:56 . 2008-12-20 23:15 6,066,688 -----c--- c:\windows\system32\dllcache\ieframe.dll

2009-03-01 11:56 . 2007-04-17 09:32 2,455,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dat

2009-03-01 11:56 . 2007-03-08 05:10 991,232 -----c--- c:\windows\system32\dllcache\ieframe.dll.mui

2009-03-01 11:56 . 2008-12-20 23:15 459,264 -----c--- c:\windows\system32\dllcache\msfeeds.dll

2009-03-01 11:56 . 2008-12-20 23:15 383,488 -----c--- c:\windows\system32\dllcache\ieapfltr.dll

2009-03-01 11:56 . 2008-12-20 23:15 267,776 -----c--- c:\windows\system32\dllcache\iertutil.dll

2009-03-01 11:56 . 2008-12-20 23:15 63,488 -----c--- c:\windows\system32\dllcache\icardie.dll

2009-03-01 11:56 . 2008-12-20 23:15 52,224 -----c--- c:\windows\system32\dllcache\msfeedsbs.dll

2009-03-01 11:56 . 2008-12-19 09:10 13,824 -----c--- c:\windows\system32\dllcache\ieudinit.exe

2009-03-01 11:31 . 2009-03-05 08:50 <DIR> d-------- c:\windows\system32\CatRoot2

2009-03-01 09:34 . 2008-08-14 10:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe

2009-03-01 09:34 . 2008-08-14 10:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe

2009-03-01 09:34 . 2008-08-14 09:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe

2009-03-01 09:34 . 2008-08-14 09:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe

2009-03-01 09:32 . 2008-04-14 00:12 1,306,624 -----c--- c:\windows\system32\dllcache\msxml6.dll

2009-03-01 09:32 . 2008-04-14 00:12 380,416 --------- c:\windows\system32\irprops.cpl

2009-03-01 09:32 . 2008-04-14 00:10 102,912 -----c--- c:\windows\system32\dllcache\dpcdll.dll

2009-03-01 09:32 . 2008-04-13 21:57 79,872 -----c--- c:\windows\system32\dllcache\msxml6r.dll

2009-03-01 09:32 . 2008-04-14 00:09 24,064 -----c--- c:\windows\system32\dllcache\pidgen.dll

2009-03-01 09:32 . 2008-04-14 00:12 10,752 --------- c:\windows\system32\smtpapi.dll

2009-03-01 09:32 . 2008-04-14 00:12 9,728 --------- c:\windows\system32\rwnh.dll

2009-03-01 09:29 . 2008-09-15 12:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys

2009-03-01 09:21 . 2008-06-17 19:02 8,461,312 -----c--- c:\windows\system32\dllcache\shell32.dll

2009-03-01 09:21 . 2008-04-11 19:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll

2009-03-01 09:21 . 2008-10-24 11:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys

2009-03-01 09:21 . 2008-12-11 10:57 333,952 -----c--- c:\windows\system32\dllcache\srv.sys

2009-03-01 09:21 . 2008-05-01 14:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll

2009-03-01 09:21 . 2008-05-08 14:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys

2009-03-01 09:20 . 2008-09-04 17:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll

2009-03-01 09:20 . 2008-10-15 16:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll

2009-03-01 09:20 . 2008-10-03 10:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll

2009-03-01 00:21 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl

2009-03-01 00:21 . 2008-10-16 14:12 213,528 --a--c--- c:\windows\system32\dllcache\wuaucpl.cpl

2009-03-01 00:20 . 2009-03-01 09:49 <DIR> d-------- c:\windows\ServicePackFiles

2009-02-28 23:54 . 2008-04-14 00:12 4,274,816 --a------ c:\windows\system32\nv4_disp.dll

2009-02-28 23:52 . 2009-03-01 00:13 2,167,506 --a------ c:\windows\setupapi.log.5.old

2009-02-28 23:28 . 2009-02-28 23:48 2,224,825 --a------ c:\windows\setupapi.log.4.old

2009-02-28 23:04 . 2004-08-04 00:56 2,804,224 --a------ c:\windows\system32\SET55E.tmp

2009-02-28 23:01 . 2009-02-28 23:25 2,160,634 --a------ c:\windows\setupapi.log.3.old

2009-02-28 22:22 . 2004-08-04 00:56 3,003,392 --a------ c:\windows\system32\SET4B2.tmp

2009-02-28 22:21 . 2004-08-04 00:56 656,384 --a------ c:\windows\system32\SET1C6.tmp

2009-02-28 19:16 . 2004-08-04 00:56 8,384,000 --a------ c:\windows\system32\SET212.tmp

2009-02-28 18:55 . 2002-08-29 12:00 455,168 --a--c--- c:\windows\system32\dllcache\tintsetp.exe

2009-02-28 18:54 . 2002-08-29 12:00 10,096,640 --a--c--- c:\windows\system32\dllcache\hwxcht.dll

2009-02-28 18:52 . 2002-08-29 12:00 73,728 --a--c--- c:\windows\system32\dllcache\icwtutor.exe

2009-02-28 18:52 . 2002-08-29 12:00 61,440 --a--c--- c:\windows\system32\dllcache\icwres.dll

2009-02-28 18:52 . 2002-08-29 12:00 40,960 --a--c--- c:\windows\system32\dllcache\trialoc.dll

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\WindowsShell.Manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\wuaucpl.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\sapi.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\nwc.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 749 -rah----- c:\windows\system32\ncpa.cpl.manifest

2009-02-28 18:52 . 2009-02-28 18:52 488 -rah----- c:\windows\system32\logonui.exe.manifest

2009-02-28 18:51 . 2008-04-14 00:11 167,424 --a------ c:\windows\system32\comsnap.dll

2009-02-28 18:51 . 2008-04-14 00:11 97,792 --a------ c:\windows\system32\comrepl.dll

2009-02-28 18:51 . 2008-04-14 00:12 59,392 --a------ c:\windows\system32\stclient.dll

2009-02-28 18:51 . 2008-04-14 00:12 34,304 --a------ c:\windows\system32\mtxlegih.dll

2009-02-28 18:51 . 2008-04-14 00:12 30,720 --a------ c:\windows\system32\mtxdm.dll

2009-02-28 18:51 . 2008-04-14 00:11 28,160 --a------ c:\windows\system32\comaddin.dll

2009-02-28 18:51 . 2008-04-14 00:12 6,144 --a------ c:\windows\system32\dcomcnfg.exe

2009-02-28 18:51 . 2008-04-14 00:12 4,096 --a------ c:\windows\system32\mtxex.dll

2009-02-28 18:42 . 2002-08-29 12:00 24,661 --a------ c:\windows\system32\spxcoins.dll

2009-02-28 18:42 . 2002-08-29 12:00 24,661 --a--c--- c:\windows\system32\dllcache\spxcoins.dll

2009-02-28 18:42 . 2002-08-29 12:00 13,312 --a------ c:\windows\system32\irclass.dll

2009-02-28 18:42 . 2002-08-29 12:00 13,312 --a--c--- c:\windows\system32\dllcache\irclass.dll

2009-02-28 18:41 . 2002-08-29 12:00 797,189 --a--c--- c:\windows\system32\dllcache\NT5IIS.CAT

2009-02-28 18:41 . 2002-08-29 12:00 657,548 --a--c--- c:\windows\system32\dllcache\CLASSES.CAT

2009-02-28 18:41 . 2002-08-29 12:00 399,645 --a--c--- c:\windows\system32\dllcache\MAPIMIG.CAT

2009-02-28 18:41 . 2002-08-29 12:00 56,081 --a--c--- c:\windows\system32\dllcache\DAJAVAC.CAT

2009-02-28 18:41 . 2002-08-29 12:00 52,311 --a--c--- c:\windows\system32\dllcache\DX3.CAT

2009-02-28 18:41 . 2002-08-29 12:00 37,484 --a--c--- c:\windows\system32\dllcache\MW770.CAT

2009-02-28 18:41 . 2002-08-29 12:00 14,031 --a--c--- c:\windows\system32\dllcache\MSJDBC.CAT

2009-02-28 18:41 . 2002-08-29 12:00 13,472 --a--c--- c:\windows\system32\dllcache\HPCRDP.CAT

2009-02-28 18:41 . 2002-08-29 12:00 8,574 --a--c--- c:\windows\system32\dllcache\IASNT4.CAT

2009-02-28 18:41 . 2002-08-29 12:00 7,382 --a--c--- c:\windows\system32\dllcache\OEMBIOS.CAT

2009-02-28 18:40 . 2009-02-28 22:57 2,997,144 --a------ c:\windows\setupapi.log.2.old

2009-02-28 14:16 . 2009-02-28 14:16 <DIR> d-------- c:\documents and settings\John\Application Data\Xitona

2009-02-28 13:49 . 2009-02-28 13:49 <DIR> d-------- c:\program files\Singing Tutor

2009-02-28 13:49 . 2003-02-14 13:47 150 --a------ c:\windows\Song_w.ini

2009-02-28 12:43 . 2009-02-28 12:44 <DIR> d-------- c:\program files\Singing Tutor Duet 2.2 Win 2k-XP

2009-02-22 17:55 . 2009-02-22 17:55 <DIR> d-------- c:\program files\Ulead Systems

2009-02-05 20:53 . 2009-02-11 12:12 <DIR> d-------- c:\documents and settings\John\Application Data\Spotify

2009-02-05 20:52 . 2009-02-05 20:53 <DIR> d-------- c:\program files\Spotify

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-03-05 08:53 --------- d-----w c:\documents and settings\John\Application Data\Dropbox

2009-03-05 08:53 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki

2009-03-05 08:52 --------- d-----w c:\program files\Password Safe

2009-03-05 08:51 --------- d-----w c:\documents and settings\John\Application Data\WTablet

2009-03-05 08:46 --------- d-----w c:\program files\NetMeter

2009-03-05 08:44 --------- d-----w c:\documents and settings\John\Application Data\uTorrent

2009-03-04 07:50 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-03-01 15:44 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-03-01 12:11 --------- d-----w c:\documents and settings\LocalService\Application Data\WTablet

2009-03-01 11:33 --------- d-----w c:\documents and settings\John\Application Data\Orbit

2009-03-01 11:25 --------- d-----w c:\program files\MSECache

2009-03-01 08:55 --------- d-----w c:\documents and settings\John\Application Data\U3

2009-02-28 13:23 --------- d-----w c:\program files\Orbitdownloader

2009-02-14 10:56 --------- d-----w c:\program files\Google

2009-02-11 10:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 10:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-02 17:47 --------- d-----w c:\documents and settings\John\Application Data\foobar2000

2009-01-24 14:21 --------- d-----w c:\program files\RescuePRO

2009-01-24 13:56 286,720 ----a-w c:\windows\iun507.exe

2009-01-20 23:48 --------- d-----w c:\documents and settings\John\Application Data\Photojunction

2009-01-19 17:15 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-01-17 10:21 --------- d-----w c:\program files\CCleaner

2009-01-16 18:47 --------- d-----w c:\program files\PJ Remix

2009-01-15 18:56 --------- d-----w c:\documents and settings\All Users\Application Data\Photojunction

2009-01-15 08:14 --------- d--h--w c:\program files\InstallShield Installation Information

2009-01-14 23:34 --------- d-----w c:\documents and settings\John\Application Data\Media Player Classic

2009-01-11 09:44 --------- d-----w c:\program files\K-Lite Codec Pack

2009-01-08 17:33 31,504 ----a-w c:\windows\system32\drivers\cmdhlp.sys

2009-01-08 17:32 101,776 ----a-w c:\windows\system32\drivers\cmdguard.sys

2009-01-08 16:44 --------- d-----w c:\documents and settings\All Users\Application Data\Macrovision

2009-01-08 16:43 --------- d-----w c:\program files\Common Files\Macromedia Shared

2009-01-08 16:42 --------- d-----w c:\program files\Macromedia

2009-01-08 16:42 --------- d-----w c:\program files\Common Files\Macromedia

2009-01-08 15:14 20,747 ----a-w c:\windows\system32\drivers\AegisP.sys

2009-01-08 15:13 --------- d-----w c:\program files\Sitecom

2009-01-07 13:28 --------- d-----w c:\program files\Common Files\Adobe

2009-01-06 19:26 --------- d-----w c:\program files\Free Easy Burner

2009-01-06 16:53 --------- d-----w c:\program files\Microsoft Reader

2006-06-23 06:48 32,768 ----a-r c:\windows\inf\UpdateUSB.exe

.

((((((((((((((((((((((((((((( SnapShot@2009-03-03_18.04.54.89 )))))))))))))))))))))))))))))))))))))))))

.

+ 2009-03-03 19:44:33 884,736 ----a-w c:\windows\gmer.dll

+ 2008-04-17 21:13:00 811,008 ----a-w c:\windows\gmer.exe

- 2009-03-03 17:57:37 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-03-04 17:41:27 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-03-03 17:57:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-03-04 17:41:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-03-03 17:57:37 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-04 17:41:27 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-03-03 19:44:33 85,969 ----a-w c:\windows\system32\drivers\gmer.sys

+ 2009-03-05 08:51:48 16,384 ----atw c:\windows\temp\Perflib_Perfdata_26c.dat

+ 2009-03-05 08:51:51 16,384 ----atw c:\windows\temp\Perflib_Perfdata_28c.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]

@="{95A27763-F62A-4114-9072-E81D87DE3B68}"

[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]

@="{E300CD91-100F-4E67-9AF3-1384A6124015}"

[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]

@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"

[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]

2008-06-13 22:19 527296 -ra------ c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]

@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]

@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]

@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"

[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]

2008-09-07 07:20 143360 --a------ c:\program files\Dropbox\DropboxExt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"Google Update"="c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-02 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Ai Gear Help"="c:\program files\ASUS\AI Gear2\GearHelp.exe" [2006-07-27 415744]

"Ai Nap"="c:\program files\ASUS\Ai Nap\AiNap.exe" [2007-01-12 1423360]

"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-07-18 266497]

"Name of App"="c:\program files\SAMSUNG\FW LiveUpdate\FWManager.exe" [2008-07-07 675935]

"Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe" [2008-04-01 61440]

"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]

"googletalk"="c:\program files\Google\Google Talk\googletalk.exe" [2007-01-01 3739648]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-16 136600]

"tsnp2std"="c:\windows\tsnp2std.exe" [2007-05-10 270336]

"snp2std"="c:\windows\vsnp2std.exe" [2007-09-28 344064]

"Taskix"="c:\program files\Taskix\Taskix32.exe" [2008-04-02 61440]

"Carbonite Backup"="c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe" [2008-06-13 600000]

"ElbyCheckAnyDVD"="c:\program files\SlySoft\AnyDVD\ElbyCheck.exe" [2003-09-20 45056]

"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]

"DNS7reminder"="c:\program files\Nuance\NaturallySpeaking9\Ereg\Ereg.exe" [2007-03-19 259624]

"COMODO Firewall Pro"="c:\program files\COMODO\Firewall\cfp.exe" [2009-01-08 1797880]

"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2005-02-16 221184]

"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]

"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-03 208952]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-09-11 143360]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-09-11 172032]

"Persistence"="c:\windows\system32\igfxpers.exe" [2008-09-11 143360]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 c:\windows\system32\bthprops.cpl]

"SkyTel"="SkyTel.EXE" [2006-05-16 c:\windows\SkyTel.exe]

"RTHDCPL"="RTHDCPL.EXE" [2007-01-30 c:\windows\RTHDCPL.exe]

c:\documents and settings\John\Start Menu\Programs\Startup\

Dropbox.lnk - c:\program files\Dropbox\dropbox.exe [2008-09-26 24096981]

Password Safe.lnk - c:\program files\Password Safe\pwsafe.exe [2008-08-30 1949696]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

hueyPROTray.lnk - c:\program files\Pantone\hueyPRO\hueyPROTray.exe [2008-06-07 1081344]

Sitecom Wireless Utility.lnk - c:\program files\Sitecom\Sitecom Wireless Network USB Adapter Turbo G WL-172\Installer\WLANUTL.EXE [2009-01-08 913408]

Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-05-26 123904]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-26 304128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Notification Packages REG_MULTI_SZ cli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

--a------ 2008-10-15 01:04 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2007-06-27 18:03 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FixCamera]

--a------ 2007-07-11 15:09 20480 c:\windows\FixCamera.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]

--a------ 2005-02-16 15:15 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]

--a------ 2008-09-11 10:16 143360 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]

--a------ 2006-10-25 08:03 210472 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=

"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=

"c:\\Program Files\\uTorrent\\uTorrent.exe"=

"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=

"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=

"c:\\Program Files\\SopCast\\SopCast.exe"=

"c:\\Program Files\\TVAnts\\Tvants.exe"=

"c:\\Program Files\\PPMate\\ppamnet.exe"=

"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=

"c:\\Program Files\\Kontiki\\KService.exe"=

"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=

"c:\\Program Files\\CheckPoint\\SSL Network Extender\\slimsvc.exe"=

"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=

"c:\\Documents and Settings\\John\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=

"c:\\Program Files\\Spotify\\spotify.exe"=

"c:\\WINDOWS\\system32\\mmc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [2008-09-25 38448]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [2008-08-13 101776]

R1 cmdHlp;COMODO Firewall Pro Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2008-08-13 31504]

R2 cpextender;Check Point SSL Network Extender;c:\program files\CheckPoint\SSL Network Extender\slimsvc.exe [2008-06-05 344161]

R2 TabletServicePen;TabletServicePen;c:\windows\system32\Pen_Tablet.exe [2008-06-07 3024168]

R3 VNA;Check Point Virtual Network Adapter;c:\windows\system32\drivers\vna.sys [2008-06-05 120976]

R3 wacmoumonitor;Wacom Mode Helper;c:\windows\system32\drivers\wacmoumonitor.sys [2008-06-07 15144]

S2 ALIEHCD;ALi PCI to USB Enhanced Host Controller;c:\windows\system32\drivers\AliEhci.sys [2009-01-15 112835]

S2 gupdate1c90d32140ed6d4;Google Update Service (gupdate1c90d32140ed6d4);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 133104]

S3 aliroothub;USB 2.0 Root Hub;c:\windows\system32\drivers\AliRtHub.sys [2009-01-15 5325]

S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-11-11 13352]

S3 s3017bus;Sony Ericsson Device 3017 driver (WDM);c:\windows\system32\drivers\s3017bus.sys [2008-06-07 83880]

S3 s3017mdfl;Sony Ericsson Device 3017 USB WMC Modem Filter;c:\windows\system32\drivers\s3017mdfl.sys [2008-06-07 15016]

S3 s3017mdm;Sony Ericsson Device 3017 USB WMC Modem Driver;c:\windows\system32\drivers\s3017mdm.sys [2008-06-07 110632]

S3 s3017mgmt;Sony Ericsson Device 3017 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3017mgmt.sys [2008-06-07 104616]

S3 s3017nd5;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (NDIS);c:\windows\system32\drivers\s3017nd5.sys [2008-06-07 25512]

S3 s3017obex;Sony Ericsson Device 3017 USB WMC OBEX Interface;c:\windows\system32\drivers\s3017obex.sys [2008-06-07 100648]

S3 s3017unic;Sony Ericsson Device 3017 USB Ethernet Emulation SEMC3017 (WDM);c:\windows\system32\drivers\s3017unic.sys [2008-06-07 110120]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]

\Shell\AutoRun\command - E:\autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]

"c:\program files\Common Files\LightScribe\LSRunOnce.exe"

.

Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-03-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job

- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-02 19:28]

2009-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-1364589140-839522115-1003.job

- c:\documents and settings\John\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-02 19:28]

.

- - - - ORPHANS REMOVED - - - -

HKCU-Run-c:\program files\NetMeter\NetMeter.exe - c:\program files\NetMeter\NetMeter.exe

.

------- Supplementary Scan -------

.

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Connection Wizard,ShellNext = iexplore

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201

IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203

IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with KUSO EXIF Viewer - c:\program files\KUSO EXIF Viewer\EXIF.htm

DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab

DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab

DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} - hxxps://vpn1.hw.ac.uk/sre/ICSScanner.cab

DPF: {B4CB50E4-0309-4906-86EA-10B6641C8392} - hxxps://vpn1.hw.ac.uk/SNX/CSHELL/extender.cab

FF - ProfilePath - c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{6AC85730-7D0F-4de0-B3FA-21142DD85326}\platform\WINNT\components\ColorZilla.dll

FF - component: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll

FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll

FF - plugin: c:\documents and settings\John\Application Data\Mozilla\Firefox\Profiles\9b35vlkn.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll

FF - plugin: c:\documents and settings\John\Application Data\Mozilla\plugins\npgoogletalk.dll

FF - plugin: c:\documents and settings\John\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll

FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll

FF - plugin: c:\program files\Mozilla Firefox\plugins\npBBCPlugin.dll

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-03-05 08:53:45

Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:

ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\038648152B7E812498867BF7F04F578B\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\0B79C053C7D38EE4AB9A00CB3B5D2472\Features]

@DACL=(02 0000)

"WebPublFiles"="]aZF&kXsf(lf*L[_GKba}gbvW,Qmf(G'*L[H+8]b_aZF&kXsf(lf*L[_GKba_{@h=i,nf(R8(L[JO9}X_}M^V8Xqf(Rp)L[_GKbahlT]jI{jf(=1&L[-81-]eoT]jI{jf(=1&L[-81-]as@O+Khtf(=V*L[JO9}X"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\10AF64009B5C5894ABBC93D84C08CF50\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\13353B9B4E7BC5E4FBC4B78C876521D4\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\1CB5DF8CFE2951C4299A9FCAF71689F5\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\2AD5C400150252D449AB15FC18C019BE\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\2B09DDDD2F08A314A8E8835C70A6D7AB\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\4DE556595AC7FD6409F7174478A7235E\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5C3BD7DD3AF63AF4A8172C2F49E00B92\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5DE5D10FA35D86444B8241D92CBC1301\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\5EAD28C50BE647342945EB3391ABE428\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\8A0F842331866D117AB7000B0D610006\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\8A0F842331866D117AB7000B0D610007\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\B024059C2814AE9458A06A2ABA0FC6B6\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\B0B4314DB9AE53847AA706EB6E721710\Transforms]

@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Products\D6437D424B4D8E5489AE57CE414BD28D\Transforms]

@DACL=(02 0000)

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir PersonalEdition Classic\sched.exe

c:\program files\Avira\AntiVir PersonalEdition Classic\avguard.exe

c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

c:\program files\Bonjour\mDNSResponder.exe

c:\program files\Carbonite\Carbonite Backup\CarboniteService.exe

c:\program files\COMODO\Firewall\cmdagent.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Kontiki\KService.exe

c:\program files\Common Files\LightScribe\LSSrvc.exe

c:\windows\system32\msiexec.exe

c:\windows\system32\HPZipm12.exe

c:\windows\system32\wdfmgr.exe

c:\windows\system32\searchindexer.exe

c:\windows\system32\WTablet\Pen_TabletUser.exe

c:\windows\system32\rundll32.exe

c:\windows\system32\wscntfy.exe

c:\windows\system32\igfxsrvc.exe

c:\program files\iPod\bin\iPodService.exe

c:\windows\system32\vssvc.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\dllhost.exe

c:\windows\system32\msdtc.exe

.

**************************************************************************

.

Completion time: 2009-03-05 8:57:31 - machine was rebooted

ComboFix-quarantined-files.txt 2009-03-05 08:57:28

ComboFix2.txt 2009-03-03 18:05:45

Pre-Run: 108,918,595,584 bytes free

Post-Run: 108,923,006,976 bytes free

534 --- E O F --- 2009-03-03 03:00:37


Well, I'm pleased to report that after running combofix my windows installer service has started! I've not actually tried installing anything yet but that's definitely an improvement. I will go through all the other steps you suggest first.

I'm delighted with this result, thanks so much for your help!


Strangely I don't have the 'Local System' key in my registry. I just have:

S-1-5-18 with sub-keys Components, Products, Patches

and

S-1-5-21-861567501-1364589140-839522115-1003 with sub-keys Components, Products

This looks as though the keys have been renamed, is that right? Should I rename them to Local System and something else?

That would at least explain why combofix couldn't change the permissions.

I have run the microsoft restore security settings tool too.


  • Root Admin

They could be orphaned SIDs or something. Be careful and don't remove stuff without knowing for sure and having a GOOD registry backup.

If I didn't tell you before, please download and run this tool. It is an excellent Registry backup utility.

Back up your registry with ERUNT

  • Download ERUNT from here and save it to your desktop.
  • Double click erunt-setup.exe to install the program
  • Follow the prompts, and then uncheck Create NTREGOPT desktop icon at the Additional Tasks screen.
  • At the next screen, uncheck Show documentation and check Launch ERUNT
  • If ERUNT doesn't start by itself, launch it from the desktop shortcut.
  • At the configuration screen, make sure all 3 checkboxes are checked
  • Click Ok to run the backup process
    Note:
    The backups can be restored from here:
    C:\windows\ERDNT\<today's date>\ERDNT.exe

Please review these articles on SID and get a better grasp of what it is you're looking at or what you're doing.

Well-known security identifiers in Windows operating systems

http://support.microsoft.com/kb/243330

Well-known SIDs

http://msdn.microsoft.com/en-us/library/aa379649.aspx

If the Windows installer service is working now then try to see if the Windows Update site works. Those Reg keys can be looked at further later on.

I would recommend trying to download and use this update and not use the Website download install version from Windows Update site.

Windows XP Service Pack 3 Network Installation Package for IT Professionals and Developers

http://www.microsoft.com/DownLoads/details...;displaylang=en
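A read-only way to see what the SID-named keys under Installer\UserData actually are, added here as an example and not part of the thread or of any tool mentioned in it: it translates each subkey name to an account name (S-1-5-18 is the well-known Local System SID listed in KB243330) and shows the current owner of each key, so an unresolvable SID or an unexpected owner stands out before anything is edited. It assumes an elevated PowerShell 2.0 or later prompt; the registry path is the standard Windows Installer per-user data location.

```powershell
# Added example: list the SID-named subkeys of Installer\UserData, resolve
# each SID to an account name and show the key owner. Read-only: nothing
# is changed. Run from an elevated PowerShell prompt.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData'

Get-ChildItem -Path $base | ForEach-Object {
    $sidText = $_.PSChildName          # e.g. S-1-5-18 or S-1-5-21-...-1003
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sidText)
        # S-1-5-18 translates to NT AUTHORITY\SYSTEM, i.e. the Local System account
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # A SID with no matching account is what an orphaned profile looks like
        $account = '<unresolvable SID - possibly orphaned>'
    }
    $acl = Get-Acl -Path $_.PSPath
    New-Object PSObject -Property @{
        SID     = $sidText
        Account = $account
        Owner   = $acl.Owner
        SubKeys = ($_.GetSubKeyNames() -join ', ')
    }
} | Format-Table SID, Account, Owner, SubKeys -AutoSize
```

Compare the Owner column against the ERUNT backup before touching permissions; a key whose owner is not SYSTEM or Administrators is the one worth investigating further.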


Well, my computer still isn't the happiest bunny in the woods. Installations just seem to hang now.

I tried to remove those registry keys but it won't let me and I can't add any permissions to allow me to do so. I tried running regassassin to unlock them but despite claiming to have unlocked them it hadn't actually done so.

What is actually wrong with my computer? Has it just got in to a tangle or is it as a result of some sort of malware infection?


OK, made a bit of progress now. Managed to unlock those registry keys by first setting the owner to administrator and then setting the permissions to everyone with full control.

I then managed to get rid of the old java installations, here's the log file:

JavaRa 1.13 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Mar 05 21:24:55 2009

Found and removed: C:\Program Files\Java\jre1.6.0_07

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610006

Found and removed: Software\JavaSoft\Java2D\1.6.0_01

------------------------------------

Finished reporting.

