
Malwarebytes + HijackThis crash after seconds



I am having basically the same problem everyone posting here is at the moment.

I try to run antivirus or antimalware programs and they just terminate/crash/disappear seconds after starting a scan. My virus programs (AntiVir, Vipre, AVG) can find viruses, but when I do a removal at the end of the scan they do the same as the other programs: either lock up [Vipre, during removal] or just disappear.

So far I have tried these programs in turn:

[All updated to the newest version before running]

Antivirus programs tried

--------------------------

Avira AntiVir - for virus scans; finds viruses but can't remove them, then won't ever scan again.

AVG [8.5] - same as above; then can't scan again, just doesn't ever start ("assume locked").

Vipre - scans, then locks during removal.

Malware programs tried

---------------------------

Malwarebytes - tried renaming; same problem, killed after 2-3 seconds of scanning

...and then mbam fix... nada

Spyware Doctor - runs for about 30 seconds, then same as the first one above

Spybot S&D

SpyHunter 3 Security Suite - crashes about 30 seconds in, then locked as the others are

Ad-Aware 6 - same as the others.

Other progs

--------------------------

combo-fix

Killbox

Hijackthis

Regcure

This is the ONLY logging program that has worked so far and not crashed before making its logs...

dds.scr

Here is the DDS log [btw, if no one can help me my final choice is to do a total restore, so PLEASE someone help me]...

-----------------------------------------------------

DDS (Ver_09-07-30.01) - NTFSx86

Run by Anthony at 12:37:04.76 on Sat 08/08/2009

Internet Explorer: 6.0.2900.5512

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2619 [GMT -4:00]

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

svchost.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Spyware Terminator\sp_rsser.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Anthony\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.garfield.com/

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: BHO Class: {8b3868b4-eba8-48fa-a19b-e1dfb99066fa} - c:\program files\flashcapture\FCBHO.dll

TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File

TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File

EB: Groove Folder Synchronization: {2a541ae1-5bf6-4665-a8a3-cfa9672e4291} - c:\progra~1\micros~2\office12\GRA8E1~1.DLL

uRun: [PeerGuardian] c:\program files\peerguardian2\pg2.exe

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [HijackThis startup scan] c:\program files\trend micro\hijackthis8\HijackThis.exe /startupscan

mRun: [startCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [iSTray] "c:\program files\spyware doctor\pctsTray.exe"

mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe

IE: &Save Flash In This Page - c:\progra~1\flashs~1.0\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000

IE: Save F&lash with FlashCapture - c:\program files\flashcapture\FCIEXT.dll/FCIEXT.htm

IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210

IE: {09EA1F80-F40A-11D1-B792-444553540001} - c:\progra~1\flashs~1.0\save.htm

IE: {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - res://c:\program files\flashcapture\FCIEXT.dll/FCIEXT.htm

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL

DPF: {17492023-c23a-453e-a040-c7c580bbf700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1240717898421

DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1245856334609

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://javadl.sun.com/webapps/download/AutoDL?BundleId=29223

DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab

DPF: {9c23d886-43cb-43de-b2db-112a68d7e10a} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~2\office12\GR99D3~1.DLL

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

Notify: gotoassist - c:\program files\citrix\gotoassist\514\G2AWinLogon.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: {0f147d1d-5b44-4a4d-bc33-96dac3c7ed6e}: {e6de7c3c-ad69-33cb-d4a4-44b5d1d741f0}

SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File

============= SERVICES / DRIVERS ===============

R0 avgrkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2009-8-6 12552]

R0 gxc108b;gxc108b;c:\windows\system32\drivers\gxc108b.sys [2009-4-26 137216]

R0 gxc108p;gxc108p;c:\windows\system32\drivers\gxc108p.sys [2009-4-26 5248]

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-8-7 11608]

R1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-8-6 335240]

R1 avgmfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-8-6 27784]

R1 avgtdix;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-8-6 108552]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2009-8-8 13360]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [2009-8-8 202928]

R2 antivirschedulerservice;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-8-7 108289]

R2 antivirservice;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-8-7 185089]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-8-6 297752]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-4-26 55656]

S0 cerc6;cerc6; [x]

S0 fith;fith; [x]

S0 fssvvigd;fssvvigd; [x]

S0 gsfl;gsfl; [x]

S0 ilgeyrra;ilgeyrra; [x]

S0 kfzaocai;kfzaocai; [x]

S0 pctcore;PCTools KDS;c:\windows\system32\drivers\pctcore.sys --> c:\windows\system32\drivers\PCTCore.sys [?]

S0 pletnup;pletnup; [x]

S0 qihwewl;qihwewl; [x]

S0 wkapbfet;wkapbfet; [x]

S0 xpfcw;xpfcw; [x]

S0 yflbyg;yflbyg; [x]

S1 saskutil;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]

S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service; [x]

S2 neroregincdsrv;Nero Registry InCD Service;c:\program files\nero\nero8\incd\NBHRegInCDSrv.exe [2008-2-28 53032]

S2 sbamsvc;VIPRE Antivirus + Antispyware;c:\program files\sunbelt software\vipre2\SBAMSvc.exe [2009-6-10 980264]

S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2009-8-8 69936]

S2 sdauxservice;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsauxs.exe --> c:\program files\spyware doctor\pctsAuxs.exe [?]

S2 sdcoreservice;PC Tools Security Service;c:\program files\spyware doctor\pctssvc.exe --> c:\program files\spyware doctor\pctsSvc.exe [?]

S2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\uniblue\diskrescue\UBDiskRescueSrv.exe [2008-9-10 229648]

S2 wwEngineSvc;Window Washer Engine;c:\program files\webroot\washer\WasherSvc.exe [2009-4-29 598856]

S2 ytjuy;ytjuy;c:\windows\system32\svchost.exe -k netsvcs [2008-4-14 14336]

S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2009-4-25 84992]

=============== Created Last 30 ================

2009-08-08 11:00 <DIR> --d----- C:\VundoFix Backups

2009-08-08 01:37 0 a------- c:\windows\system32\SBRC.dat

2009-08-08 01:35 69,936 a------- c:\windows\system32\drivers\sbapifs.sys

2009-08-08 01:35 13,360 a------- c:\windows\system32\drivers\sbaphd.sys

2009-08-08 00:42 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sunbelt

2009-08-08 00:42 <DIR> --d----- c:\docume~1\anthony\applic~1\Sunbelt

2009-08-08 00:41 202,928 a------- c:\windows\system32\drivers\sbtis.sys

2009-08-07 22:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira

2009-08-07 22:30 <DIR> --d----- c:\program files\Sunbelt Software

2009-08-07 15:44 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware2

2009-08-07 11:01 <DIR> --d----- c:\program files\Zone Labs

2009-08-07 11:00 <DIR> --d----- c:\windows\Internet Logs

2009-08-07 10:01 <DIR> --d----- c:\program files\common files\PC Tools

2009-08-07 09:45 <DIR> --d----- c:\documents and settings\anthony\.housecall6.6

2009-08-07 09:30 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-07 09:30 19,096 a------- c:\windows\system32\drivers\mbam.sys

2009-08-07 09:30 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-08-07 00:20 93,180 a------- c:\windows\system32\drivers\847b4010.sys

2009-08-06 23:29 <DIR> --d----- c:\program files\Trend Micro

2009-08-06 21:48 <DIR> --d----- c:\program files\Spybot - Search & Destroy

2009-08-06 21:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy

2009-08-06 20:50 <DIR> --d----- c:\documents and settings\anthony\DoctorWeb

2009-08-06 18:28 <DIR> --d----- c:\program files\BulletProofSoft.com

2009-08-06 15:29 <DIR> --d----- C:\!KillBox

2009-08-06 15:00 <DIR> --d----- c:\program files\Spyware Doctor

2009-08-06 14:59 141,312 a------- c:\windows\system32\drivers\sp_rsdrv2.sys

2009-08-06 14:59 <DIR> --d----- c:\docume~1\anthony\applic~1\Spyware Terminator

2009-08-06 14:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spyware Terminator

2009-08-06 14:59 <DIR> --d----- c:\program files\Spyware Terminator

2009-08-06 14:49 <DIR> --d----- c:\windows\RegCure

2009-08-06 14:44 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-08-06 14:44 <DIR> --d----- c:\docume~1\anthony\applic~1\SUPERAntiSpyware.com

2009-08-06 14:39 61,440 a------- c:\windows\system32\drivers\bivuu.sys

2009-08-06 14:27 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-08-06 14:27 108,552 a------- c:\windows\system32\drivers\avgtdix.sys

2009-08-06 14:27 12,552 a------- c:\windows\system32\drivers\avgrkx86.sys

2009-08-06 14:27 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-06 14:27 <DIR> --d----- c:\windows\system32\drivers\Avg

2009-08-06 14:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8

2009-08-06 14:07 <DIR> -cd-h--- c:\docume~1\alluse~1\applic~1\{83C91755-2546-441D-AC40-9A6B4B860800}(2)

2009-08-06 14:00 <DIR> --d----- c:\program files\Lavasoft

2009-08-06 13:27 <DIR> --d----- c:\program files\GoldEsel

2009-08-06 13:23 1,238,456 a------- c:\windows\system32\NMSDVDXU.dll

2009-08-06 13:23 877,568 a------- c:\windows\system32\NCTAudioFile2.dll

2009-08-06 13:23 376,832 a------- c:\windows\system32\cmd22.dll

2009-08-06 13:23 102,400 a------- c:\windows\system32\ccrpprg6.ocx

2009-08-06 13:23 724,992 a------- c:\windows\system32\ebCrypt.dll

2009-08-06 13:23 401,408 a------- c:\windows\system32\srmInfo.dll

2009-08-06 13:23 253,952 a------- c:\windows\system32\SkinBoxer43.dll

2009-08-06 13:21 <DIR> --d----- c:\program files\Exact Audio Copy

2009-08-05 15:33 <DIR> --d----- c:\program files\Autodesk

2009-07-29 13:16 <DIR> --d----- c:\docume~1\anthony\applic~1\Star Trek Armada II Fleet Operations

2009-07-21 14:50 10,240 a------- c:\windows\system32\virport.dll

2009-07-21 14:42 176,235 a------- c:\windows\system32\Primomonnt.dll

2009-07-19 18:17 <DIR> --d----- C:\DOWNLOADS

2009-07-19 18:17 <DIR> --d----- C:\!Temp

2009-07-16 18:25 5,632 a------- c:\windows\system32\ptpusb.dll

2009-07-16 18:25 159,232 a------- c:\windows\system32\ptpusd.dll

2009-07-15 19:23 <DIR> --d----- c:\windows\Logs

2009-07-15 19:23 <DIR> --d-h--- c:\windows\msdownld.tmp

2009-07-15 19:23 <DIR> --d----- c:\program files\Utherverse Digital Inc

2009-07-15 13:40 <DIR> --d----- c:\windows\Downloaded Installations

2009-07-11 19:56 32 a------- c:\windows\Start.INI

==================== Find3M ====================

2009-07-28 16:33 55,656 a------- c:\windows\system32\drivers\avgntflt.sys

2009-06-10 06:00 68,392 a------- c:\windows\system32\sbbd.exe

2009-06-04 23:21 113,116 a------- c:\windows\xobglu32.dll

2009-06-04 23:21 63,488 a------- c:\windows\xobglu16.dll

2009-05-22 18:33 217,088 -------- c:\windows\system32\SpaceBattleSS.scr

2009-05-05 09:56 88,576 a---h--- c:\docume~1\anthony\applic~1\rbap550.dll

2005-01-31 20:38 1,340,416 a------- c:\program files\mplayerc.exe

2003-09-16 01:19 99,544 a------- c:\windows\inf\virprn.exe

2003-09-16 01:19 18,950 a------- c:\windows\inf\virpntd.dll

2003-09-16 01:19 10,240 a------- c:\windows\inf\virport.dll

2003-09-16 01:19 90,624 a------- c:\windows\inf\prtproc.dll

============= FINISH: 12:37:14.59 ===============

The attach.txt is linked here...

http://www.megaupload.com/?d=O1OPKHJU

[Megaupload was the only place I could find to link it]


Update

Here is an additional scan using RootRepeal...

Couldn't post it all here; it said it was too long.

http://www.megaupload.com/?d=DY1Q31TZ

ROOTREPEAL © AD, 2007-2009

==================================================

Scan Start Time: 2009/08/08 13:23

Program Version: Version 1.3.3.0

Windows Version: Windows XP SP3

==================================================

Drivers

-------------------

Name:

Image Path:

Address: 0xB9DAC000 Size: 98304 File Visible: No Signed: -

Status: -

Name: 847b4010.sys

Image Path: C:\WINDOWS\System32\drivers\847b4010.sys

Address: 0xBA288000 Size: 47488 File Visible: No Signed: -

Status: -

Name: dump_atapi.sys

Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys

Address: 0xACAE1000 Size: 98304 File Visible: No Signed: -

Status: -

Name: dump_WMILIB.SYS

Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS

Address: 0xBA5E8000 Size: 8192 File Visible: No Signed: -

Status: -

Name: PCI_PNP1036

Image Path: \Driver\PCI_PNP1036

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: rootrepeal.sys

Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys

Address: 0xA9AA2000 Size: 49152 File Visible: No Signed: -

Status: -

Name: spmt.sys

Image Path: spmt.sys

Address: 0xB9EAA000 Size: 1036288 File Visible: No Signed: -

Status: -

Name: sptd

Image Path: \Driver\sptd

Address: 0x00000000 Size: 0 File Visible: No Signed: -

Status: -

Name: win32k.sys:1

Image Path: C:\WINDOWS\win32k.sys:1

Address: 0xBA490000 Size: 20480 File Visible: No Signed: -

Status: -

Name: win32k.sys:2

Image Path: C:\WINDOWS\win32k.sys:2

Address: 0xBA298000 Size: 61440 File Visible: No Signed: -

Status: -

Hidden/Locked Files

-------------------

Path: C:\WINDOWS\system32\scecli.dll

Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\847b4010.sys

Status: Locked to the Windows API!

SSDT

-------------------

#: 025 Function Name: NtClose

Status: Hooked by "a347bus.sys" at address 0xb9e78028

#: 035 Function Name: NtCreateEvent

Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28ebad

#: 041 Function Name: NtCreateKey

Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28cc85

#: 045 Function Name: NtCreatePagingFile

Status: Hooked by "a347bus.sys" at address 0xb9e6bb00

#: 053 Function Name: NtCreateThread

Status: Hooked by "<unknown>" at address 0xba6c8a7c

#: 063 Function Name: NtDeleteKey

Status: Hooked by "<unknown>" at address 0xba6c8a8b

#: 065 Function Name: NtDeleteValueKey

Status: Hooked by "<unknown>" at address 0xba6c8a95

#: 071 Function Name: NtEnumerateKey

Status: Hooked by "a347bus.sys" at address 0xb9e6c5dc

#: 073 Function Name: NtEnumerateValueKey

Status: Hooked by "a347bus.sys" at address 0xb9e78120

#: 098 Function Name: NtLoadKey

Status: Hooked by "<unknown>" at address 0xba6c8a9a

#: 116 Function Name: NtOpenFile

Status: Hooked by "a347bus.sys" at address 0xb9e6bb40

#: 119 Function Name: NtOpenKey

Status: Hooked by "C:\WINDOWS\System32\drivers\847b4010.sys" at address 0xba28cd45

#: 122 Function Name: NtOpenProcess

Status: Hooked by "<unknown>" at address 0xba6c8a68

#: 128 Function Name: NtOpenThread

Status: Hooked by "<unknown>" at address 0xba6c8a6d

#: 160 Function Name: NtQueryKey

Status: Hooked by "a347bus.sys" at address 0xb9e6c5fc

#: 177 Function Name: NtQueryValueKey

Status: Hooked by "a347bus.sys" at address 0xb9e78076

#: 193 Function Name: NtReplaceKey

Status: Hooked by "<unknown>" at address 0xba6c8aa4

#: 204 Function Name: NtRestoreKey

Status: Hooked by "<unknown>" at address 0xba6c8a9f

#: 241 Function Name: NtSetSystemPowerState

Status: Hooked by "a347bus.sys" at address 0xb9e77550

#: 247 Function Name: NtSetValueKey

Status: Hooked by "<unknown>" at address 0xba6c8a90

#: 257 Function Name: NtTerminateProcess

Status: Hooked by "<unknown>" at address 0xba6c8a77

Stealth Objects

-------------------


Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]

Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]

Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]

Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]

Process: System Address: 0x8a70a1f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]

Process: System Address: 0x89fd51f8 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]

Process: System Address: 0x8a5a5500 Size: 121

Object: Hidden Code [Driver: Rdbss, IRP_MJ_READ]

Process: System Address: 0x8a212dec Size: 11

Object: Hidden Code [Driver: Srv, IRP_MJ_READ]

Process: System Address: 0x89c95314 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]

Process: System Address: 0x8a1b3404 Size: 11

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]

Process: System Address: 0x89fb51f8 Size: 121

Object: Hidden Code [Driver: Npfs, IRP_MJ_READ]

Process: System Address: 0x8a018e8c Size: 11

Object: Hidden Code [Driver: Msfs, IRP_MJ_READ]

Process: System Address: 0x8a017b1c Size: 11

Object: Hidden Code [Driver: Fs_Rec, IRP_MJ_READ]

Process: System Address: 0x8a015c2c Size: 11

Object: Hidden Code [Driver: Vo, IRP_MJ_CREATE]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_CLOSE]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_READ]

Process: System Address: 0x8a5f40ec Size: 11

Object: Hidden Code [Driver: Vo, IRP_MJ_QUERY_INFORMATION]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_SET_INFORMATION]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_QUERY_VOLUME_INFORMATION]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_DIRECTORY_CONTROL]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_FILE_SYSTEM_CONTROL]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_DEVICE_CONTROL]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_SHUTDOWN]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_LOCK_CONTROL]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_CLEANUP]

Process: System Address: 0x89ea3500 Size: 121

Object: Hidden Code [Driver: Vo, IRP_MJ_PNP]

Process: System Address: 0x89ea3500 Size: 121

Hidden Services

-------------------

Service Name: 847b4010

Image Path: C:\WINDOWS\System32\drivers\847b4010.sys

==EOF==

Root_Repeal_scan.txt


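One way to triage a RootRepeal report like the one above, as an added example that is not part of the original post or of RootRepeal itself: the script below parses the "Hidden Code" and "Hidden Services" lines, groups the hooked IRP_MJ_* dispatch entries per driver together with the distinct hook addresses, and flags entries whose patch size departs from the report's dominant size. The sample text is a constructed excerpt in the same line format as the posted log, and the function names are my own.

```python
"""Triage helper for a RootRepeal "Hidden Code" / "Hidden Services" report.

Added example, not part of the forum post or of RootRepeal itself. It groups
each hooked IRP_MJ_* dispatch entry by driver, records the distinct hook
addresses and patch sizes per driver, and lists any hidden service entries.
"""
import re
from collections import defaultdict

# Line shapes as they appear in the posted log.
HOOK_RE = re.compile(
    r"Object: Hidden Code \[Driver: (?P<driver>[^,\]]+), (?P<irp>IRP_MJ_\w+)\]")
ADDR_RE = re.compile(
    r"Process: (?P<proc>\S+) Address: (?P<addr>0x[0-9a-fA-F]+) Size: (?P<size>\d+)")
SVC_RE = re.compile(r"Service Name: (?P<name>\S+)")
PATH_RE = re.compile(r"Image Path: (?P<path>.+)")

# Constructed excerpt in the report's format (a few lines modelled on the
# posted log, not the full report).
SAMPLE = r"""
Object: Hidden Code [Driver: usbstor, IRP_MJ_CREATE]
Process: System Address: 0x89f941f8 Size: 121
Object: Hidden Code [Driver: usbstor, IRP_MJ_READ]
Process: System Address: 0x89f941f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x89fb51f8 Size: 121
Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a1b3404 Size: 11
Hidden Services
-------------------
Service Name: 847b4010
Image Path: C:\WINDOWS\System32\drivers\847b4010.sys
"""


def parse_rootrepeal(text):
    """Return (hooks, services) parsed from report text.

    hooks: list of {driver, irp, proc, addr (int), size (int)}
    services: list of {name, path}
    """
    hooks, services = [], []
    pending_hook = pending_svc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HOOK_RE.search(line)
        if m:                                  # "Object:" line opens a hook record
            pending_hook = m.groupdict()
            continue
        m = ADDR_RE.search(line)
        if m and pending_hook is not None:     # its "Process:" line completes it
            rec = dict(pending_hook, **m.groupdict())
            rec["addr"] = int(rec["addr"], 16)
            rec["size"] = int(rec["size"])
            hooks.append(rec)
            pending_hook = None
            continue
        m = SVC_RE.search(line)
        if m:
            pending_svc = {"name": m.group("name")}
            continue
        m = PATH_RE.search(line)
        if m and pending_svc is not None:
            pending_svc["path"] = m.group("path").strip()
            services.append(pending_svc)
            pending_svc = None
    return hooks, services


def summarize(hooks):
    """Per driver: set of hook addresses, set of patch sizes, list of IRP majors."""
    by_driver = defaultdict(lambda: {"addrs": set(), "sizes": set(), "irps": []})
    for h in hooks:
        d = by_driver[h["driver"]]
        d["addrs"].add(h["addr"])
        d["sizes"].add(h["size"])
        d["irps"].append(h["irp"])
    return dict(by_driver)


def outliers(hooks):
    """Hooks whose patch size differs from the most common size in the report."""
    counts = defaultdict(int)
    for h in hooks:
        counts[h["size"]] += 1
    if not counts:
        return []
    common = max(counts, key=counts.get)
    return [h for h in hooks if h["size"] != common]


if __name__ == "__main__":
    hooks, services = parse_rootrepeal(SAMPLE)
    for driver, info in sorted(summarize(hooks).items()):
        addrs = ", ".join(f"0x{a:08x}" for a in sorted(info["addrs"]))
        print(f"{driver:10s} {len(info['irps']):2d} hooked IRP majors -> {addrs}")
    for h in outliers(hooks):
        print(f"outlier: {h['driver']} {h['irp']} size={h['size']} at 0x{h['addr']:08x}")
    for s in services:
        print(f"hidden service: {s['name']} -> {s['path']}")
```

Run over the full report posted above, most drivers resolve to a single hook address shared by every one of their IRP majors (the Size: 121 entries), while the Size: 11 IRP_MJ_READ entries on Rdbss, Srv, MRxSmb, Npfs, Msfs, Fs_Rec and Vo each sit at their own address; those entries, together with the hidden 847b4010 service and its driver image, are the lines a helper would look at first.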

Yes PLZ!!!! I am at wits' end... still the same situation... I have program failure updates to help narrow down the problem...

...I have now lost my AntiVir scan ability. The program control center will open, but I did a scan after an update this morning and it found 57 virus files. I checked to delete them, and it got swatted like all the other programs I have tried. I reopened the control center, but when I click scan... nada. The PC acts like I didn't click anything. No response to scan. I clicked the exe directly and I got the previous "permissions popup box".

I have tried Ewido Security Suite, Vipre antivirus/antimalware, Avast, Spyware Doctor, and SpyHunter, and another Malwarebytes install to an alternate location on the HD... same problem... no solution in sight.

PLZ HELP!!


Copy the contents of the code box below (don't include the word code) into a new Notepad document (not WordPad or another text editor).

Click File > Save As... > call it check.bat > file type *All Files* > and save it to your desktop.

rem Search the whole Windows directory tree (hidden files included, /a/s) for these
rem DLLs. ntelogon.dll, a look-alike of the genuine netlogon.dll, is searched for as well.
cd %windir%
rem For each match print its full path (%~f) and size in bytes (%~z).
For /F "TOKENS=*" %%g IN ('DIR /a/s/b/og scecli.dll,netlogon.dll,ntelogon.dll,eventlog.dll') Do @(
echo.%%~fg %%~zg
)>>chkit.txt
rem >> appends, so running the script a second time repeats the earlier lines in chkit.txt.
start notepad chkit.txt&exit

Run check.bat, then post the text that will open, please.


This was all it showed when it finished...

C:\WINDOWS\system32\netlogon.dll 407040

C:\WINDOWS\system32\eventlog.dll 56320

C:\WINDOWS\system32\scecli.dll

C:\WINDOWS\system32\dllcache\netlogon.dll 407040

C:\WINDOWS\system32\dllcache\eventlog.dll 56320

C:\WINDOWS\system32\dllcache\scecli.dll 181248

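The batch file only lists paths and sizes; the comparison is then done by eye. As an added example, not code from the original post, the script below reads output in the same format, pairs each DLL's copy outside dllcache with the copy under system32\dllcache, and reports a copy whose size could not be read, a copy whose size differs from the dllcache copy, or a file name that turns up in more than one place outside dllcache. The sample input is constructed to match the output posted above, the function names are my own, and the parser assumes a path never ends in an all-digit component.

```python
"""Compare check.bat output: each DLL's live copy against its dllcache copy.

Added example, not code from the original post. The batch file prints one
"full-path size" line per match; this script pairs the copies by file name
and reports the ones worth a closer look.
"""
import ntpath
from collections import defaultdict

# Constructed input in the format the batch file writes to chkit.txt,
# modelled on the output posted above.
SAMPLE = """
C:\\WINDOWS\\system32\\netlogon.dll 407040
C:\\WINDOWS\\system32\\eventlog.dll 56320
C:\\WINDOWS\\system32\\scecli.dll
C:\\WINDOWS\\system32\\dllcache\\netlogon.dll 407040
C:\\WINDOWS\\system32\\dllcache\\eventlog.dll 56320
C:\\WINDOWS\\system32\\dllcache\\scecli.dll 181248
"""


def parse_chkit(text):
    """Map each lower-cased path to its size in bytes, or None when the
    batch file's %~z expansion printed nothing after the path.

    Assumes a path's last component is never purely numeric, so a trailing
    all-digit token is always the size.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.rsplit(" ", 1)
        if len(parts) == 2 and parts[1].isdigit():
            entries[parts[0].lower()] = int(parts[1])
        else:
            entries[line.lower()] = None
    return entries


def compare(entries):
    """Return (file name, reason) findings.

    dllcache holds Windows File Protection's reference copies, so each live
    copy is checked against it. A missing size means DIR listed the file but
    its size could not be read; several live copies of one name is itself odd.
    """
    by_name = defaultdict(lambda: {"live": {}, "dllcache": None})
    for path, size in entries.items():
        directory, name = ntpath.split(path)
        if directory.endswith("\\dllcache"):
            by_name[name]["dllcache"] = size
        else:
            by_name[name]["live"][path] = size
    findings = []
    for name, info in sorted(by_name.items()):
        cache, live = info["dllcache"], info["live"]
        if not live:
            findings.append((name, "only the dllcache copy was found"))
            continue
        if len(live) > 1:
            findings.append((name, f"{len(live)} copies outside dllcache: "
                                   + ", ".join(sorted(live))))
        for path, size in sorted(live.items()):
            if size is None:
                findings.append((name, f"{path}: listed by DIR but size could not be read"))
            elif cache is not None and size != cache:
                findings.append((name, f"{path}: size {size} differs from dllcache copy {cache}"))
    return findings


if __name__ == "__main__":
    for name, reason in compare(parse_chkit(SAMPLE)):
        print(f"{name}: {reason}")
```

On the output posted above this reports only scecli.dll: DIR listed the system32 copy, but the size the batch file should have printed after it is blank, while the dllcache copy reads 181248 bytes.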

I tried it again and got this...

C:\WINDOWS\system32\netlogon.dll 407040

C:\WINDOWS\system32\eventlog.dll 56320

C:\WINDOWS\system32\scecli.dll

C:\WINDOWS\system32\dllcache\netlogon.dll 407040

C:\WINDOWS\system32\dllcache\eventlog.dll 56320

C:\WINDOWS\system32\dllcache\scecli.dll 181248

C:\WINDOWS\system32\netlogon.dll 407040

C:\WINDOWS\system32\eventlog.dll 56320

C:\WINDOWS\system32\scecli.dll

C:\WINDOWS\system32\dllcache\netlogon.dll 407040

C:\WINDOWS\system32\dllcache\eventlog.dll 56320

C:\WINDOWS\system32\dllcache\scecli.dll 181248


OK, I never saw any log... where does it appear? I ran the program on my desktop. Halfway through, all my desktop icons flashed and it changed its name to combofix.exe from the one you provided. It said I had AVG antivirus realtime scanner installed, but this is incorrect. I had it and had to force-uninstall it, as it became locked the day my problems started. Also I cannot reinstall AVG now due to a locked registry file regarding AVG.

I did continue with the scan though; it scanned to Completed Stage_50 and found these and said it was deleting them...

C:\WINDOWS\installer\d8b04f.msi

C:\WINDOWS\jestertb.dll

C:\WINDOWS\system32\cool.dll

C:\WINDOWS\system32\mfc45.dll

It then proceeded to say: Rebooting, please wait.

This lasted over some serious extended time... till I finally had to crash it out to get the system to try to shut down by closing some of my system programs in the Alt+Ctrl+Delete menu... this crashed the system, producing the system auto-shutdown message in 30 secs... which counted down and things acted like it was closing... but the window showing the message stayed and nothing else ever occurred... I eventually had to force-power the system off another bit of time later to get it to actually reboot.

When the system logged back in, it said I was no longer using Internet Explorer as my default explorer. Also no pages would display. I had to switch it to Internet Explorer to make the internet work again to get back here to post this info.

If this helps, I have an Internet Explorer folder in my Program Files... this I found odd, as I was sure that exe was supposed to be in the Windows dir.

I updated to the newest updates for my system the day before yesterday... but I am unsure if that was part of the changes that were supposed to happen with the upgrade.

Hope this helps some... eagerly awaiting further input.


I did a scan with Silent Runners.vbs I found here. Here is its startup programs txt log...


Pardon... here are the complete scan results

"Silent Runners.vbs", revision 59, http://www.silentrunners.org/

Operating System: Windows XP

Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:

---------------------------------

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ {++}

"SpyZooka" = "C:\Program Files\SpyZooka\SpyZookaLdr.exe" ["BluePenguin Software Inc."]

"SpybotSD TeaTimer" = "C:\Program Files\Spybot - Search & Destroy2\TeaTimer.exe" ["Safer-Networking Ltd."]

"UnHackMe Monitor" = "C:\Program Files\UnHackMe0\hackmon.exe" ["Greatis Software"]

"Registry Cleaner Scheduler" = ""C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup" ["CleanMyPC Software"]

"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

{18df081c-e8ad-4283-a596-fa578c2ebdc3}\(Default) = "AcroIEHelperStub"

-> {HKLM...CLSID} = "Adobe PDF Link Helper"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll" ["Adobe Systems Incorporated"]

{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll" ["Safer Networking Limited"]

{8b3868b4-eba8-48fa-a19b-e1dfb99066fa}\(Default) = "FCBHOBHO Class"

-> {HKLM...CLSID} = "BHO Class"

\InProcServer32\(Default) = "C:\Program Files\FlashCapture\FCBHO.dll" ["Dreamingsoft, Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\

"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"

-> {HKLM...CLSID} = "HyperTerminal Icon Ext"

\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]

"{EFA24E62-B078-11d0-89E4-00C04FC9E26E}" = "History Band"

-> {HKLM...CLSID} = "History Band"

\InProcServer32\(Default) = "C:\WINDOWS\system32\shdocvw.dll" [MS]

"{72853161-30C5-4D22-B7F9-0BBC1D38A37E}" = "Groove GFS Browser Helper"

-> {HKLM...CLSID} = "Groove GFS Browser Helper"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}" = "Groove GFS Explorer Bar"

-> {HKLM...CLSID} = "Groove Folder Synchronization"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{A449600E-1DC6-4232-B948-9BD794D62056}" = "Groove GFS Stub Icon Handler"

-> {HKLM...CLSID} = "Groove GFS Stub Icon Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{6C467336-8281-4E60-8204-430CED96822D}" = "Groove GFS Context Menu Handler"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{387E725D-DC16-4D76-B310-2C93ED4752A0}" = "Groove XML Icon Handler"

-> {HKLM...CLSID} = "Groove XML Icon Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{16F3DD56-1AF5-4347-846D-7C10C4192619}" = "Groove Explorer Icon Overlay 3 (GFS Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 3 (GFS Folder)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC}" = "Groove Explorer Icon Overlay 2 (GFS Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2 (GFS Stub)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{2916C86E-86A6-43FE-8112-43ABE6BF8DCC}" = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 4 (GFS Unread Mark)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{99FD978C-D287-4F50-827F-B2C658EDA8E7}" = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 1 (GFS Unread Stub)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{920E6DB1-9907-4370-B3A0-BAFC03D81399}" = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

-> {HKLM...CLSID} = "Groove Explorer Icon Overlay 2.5 (GFS Unread Folder)"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"

-> {HKLM...CLSID} = "Outlook File Icon Extension"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\OLKFSTUB.DLL" [MS]

"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"

-> {HKLM...CLSID} = "Microsoft Office Outlook"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\MLSHEXT.DLL" [MS]

"{5858A72C-C2B4-4dd7-B2BF-B76DB1BD9F6C}" = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

-> {HKLM...CLSID} = "Microsoft Office OneNote Namespace Extension for Windows Desktop Search"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONFILTER.DLL" [MS]

"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"

-> {HKLM...CLSID} = (no title provided)

\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\Office12\msohevi.dll" [MS]

"{993BE281-6695-4BA5-8A2A-7AACBFAAB69E}" = "Microsoft Office Metadata Handler"

-> {HKLM...CLSID} = "Microsoft Office Metadata Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{C41662BB-1FA0-4CE0-8DC5-9B7F8279FF97}" = "Microsoft Office Thumbnail Handler"

-> {HKLM...CLSID} = "Microsoft Office Thumbnail Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\msoshext.dll" [MS]

"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

"{6EE51AA0-77A0-11D7-B4E1-000347126E46}" = "Window Washer Shredding Utility"

-> {HKLM...CLSID} = "Window Washer Shredding Utility"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]

"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"

-> {HKLM...CLSID} = "SimpleShlExt Class"

\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll" ["Advanced Micro Devices, Inc."]

"{8D2223A2-B3C6-4e32-B096-CDD11F628C60}" = "NBHShellExt extension"

-> {HKLM...CLSID} = "NBHShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]

"{09bffb91-ecda-4149-bcfd-d87a345c219e}" = "InCDShellExt extension"

-> {HKLM...CLSID} = "InCDShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\InCDshx.dll" ["Nero AG"]

"{97F68CE3-7146-45FF-BE24-D9A7DD7CB8A2}" = "NeroCoverEd Live Icons"

-> {HKLM...CLSID} = "NeroCoverEdLiveIcons Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

"{692eb3b0-d034-403e-b742-2407bd43bf9b}" = "InCDUdfPerm extension"

-> {HKLM...CLSID} = "InCDUdfPerm Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\InCDUP.dll" ["Nero AG"]

"{8932AEFE-9DB6-4f43-AFB2-5682F55E773A}" = "VPCHostCopyHook"

-> {HKLM...CLSID} = "VPCHostCopyHook"

\InProcServer32\(Default) = "C:\Program Files\Microsoft Virtual PC\VPCShExH.DLL" [MS]

"{32020A01-506E-484D-A2A8-BE3CF17601C3}" = "AlcoholShellEx"

-> {HKLM...CLSID} = "AlcoholShellEx"

\InProcServer32\(Default) = "C:\PROGRA~1\Alcohol Soft\Alcohol 120\AXShlEx.dll" ["Alcohol Soft Development Team"]

"{BD88A479-9623-4897-8546-BC62B9628F44}" = "SPTHandler"

-> {HKLM...CLSID} = "SPTHandler"

\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

"{11016101-E366-4D22-BC06-4ADA335C892B}" = "IE History and Feeds Shell Data Source for Windows Search"

-> {HKLM...CLSID} = "IE History and Feeds Shell Data Source for Windows Search"

\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\

<<!>> "{D468BCE5-D18E-49A4-8EA7-34BD583659D5}" = "SpyZooka Service Hook"

-> {HKLM...CLSID} = "SpyZooka Service Hook"

\InProcServer32\(Default) = "C:\PROGRA~1\SpyZooka\spyguard.dll" ["BluePenguin Software Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\

"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

-> {HKLM...CLSID} = "WPDShServiceObj Class"

\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Aedebug\

<<!>> "Debugger" = "Drwtsn32 -p %ld -e %ld" [MS]

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\

<<!>> "BootExecute" = "autocheck autochk *"|"aswBoot.exe /A:"*" /L:"English" /KBD:2" [file not found]|"Partizan" ["Greatis Software"]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\

<<!>> AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

<<!>> avgrsstarter\DLLName = "avgrsstx.dll" [file not found]

<<!>> gotoassist\DLLName = "C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll" ["Citrix Online, a division of Citrix Systems, Inc."]

HKLM\SOFTWARE\Classes\PROTOCOLS\Filter\

<<!>> text/xml\CLSID = "{807563E5-5146-11D5-A672-00B0D022E945}"

-> {HKLM...CLSID} = "Microsoft Office InfoPath XML Mime Filter"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\

{f9db5320-233e-11d1-9f84-707f02c10627}\(Default) = "PDF Column Info"

-> {HKLM...CLSID} = "PDF Shell Extension"

\InProcServer32\(Default) = "C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\

cover designer\(Default) = "{73FCA462-9BD5-4065-A73F-A8E5F6904EF7}"

-> {HKLM...CLSID} = "NeroCoverEdContextMenu Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\Nero CoverDesigner\CoverEdExtension.dll" ["Nero AG"]

nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

-> {HKLM...CLSID} = "NBHShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]

sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"

-> {HKLM...CLSID} = "SPTHandler"

\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"

-> {HKLM...CLSID} = "Window Washer Shredding Utility"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\

nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

-> {HKLM...CLSID} = "NBHShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]

Washer\(Default) = "{6EE51AA0-77A0-11D7-B4E1-000347126E46}"

-> {HKLM...CLSID} = "Window Washer Shredding Utility"

\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\Webroot Shared\ShellWash.dll" ["Webroot Software"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\

nbhshellext\(Default) = "{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

-> {HKLM...CLSID} = "NBHShellExt Class"

\InProcServer32\(Default) = "C:\Program Files\Nero\Nero8\InCD\NBHShx.dll" ["Nero AG"]

sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"

-> {HKLM...CLSID} = "SPTHandler"

\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"

-> {HKLM...CLSID} = "WinRAR"

\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" ["Alexander Roshal"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\

sptcontmenu\(Default) = "{BD88A479-9623-4897-8546-BC62B9628F44}"

-> {HKLM...CLSID} = "SPTHandler"

\InProcServer32\(Default) = "C:\Program Files\Spyware Terminator\sptcontmenu.dll" ["Crawler.com"]

XXX Groove GFS Context Menu Handler XXX\(Default) = "{6C467336-8281-4E60-8204-430CED96822D}"

-> {HKLM...CLSID} = "Groove GFS Context Menu Handler"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

Default executables:

--------------------

<<!>> HKLM\SOFTWARE\Classes\.com\(Default) = "ComFile"

Group Policies {GPedit.msc branch and setting}:

-----------------------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoLowDiskSpaceChecks" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"HonorAutoRunSetting" = (REG_DWORD) dword:0x00000001

{unrecognized setting}

"NoDrives" = (REG_DWORD) dword:0x00000000

{unrecognized setting}

HKCU\Software\Policies\Microsoft\Windows\System\

"DisableCMD" = (REG_DWORD) dword:0x00000000

{User Configuration|Administrative Templates|System|

Disable the command prompt}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) dword:0x00000001

{Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options|

Devices: Allow undock without having to log on}

Active Desktop and Wallpaper:

-----------------------------

Active Desktop may be disabled at this entry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

Displayed if Active Desktop enabled and wallpaper not set by Group Policy:

HKCU\Software\Microsoft\Internet Explorer\Desktop\General\

"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Displayed if Active Desktop disabled and wallpaper not set by Group Policy:

HKCU\Control Panel\Desktop\

"Wallpaper" = "C:\Documents and Settings\Anthony\My Documents\My Pictures\Desktop Wallpaper\Tiled_bg_planet.bmp"

Windows Portable Device AutoPlay Handlers

-----------------------------------------

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\

alcoholautoplayv2.burndisc\

"Provider" = "Alcohol 120%"

"InvokeProgID" = "AlcoholAutoPlayV2"

"InvokeVerb" = "BurnDisc"

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\BurnDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

alcoholautoplayv2.readdisc\

"Provider" = "Alcohol 120%"

"InvokeProgID" = "AlcoholAutoPlayV2"

"InvokeVerb" = "ReadDisc"

HKLM\SOFTWARE\Classes\AlcoholAutoPlayV2\shell\ReadDisc\command\(Default) = ""C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.exe" %1" ["Alcohol Soft Development Team"]

dmfmadfolder\

"Provider" = "Ulead DVD MovieFactory 5"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 5 Plus\Ulead DVD MovieFactory 5\DVDMF.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

MSWPDShellNamespaceHandler\

"Provider" = "@%SystemRoot%\System32\WPDShextRes.dll,-501"

"CLSID" = "{A55803CC-4D53-404c-8557-FD63DBA95D24}"

"InitCmdLine" = " "

-> {HKLM...CLSID} = "WPDShextAutoplay"

\LocalServer32\(Default) = "C:\WINDOWS\system32\WPDShextAutoplay.exe" [MS]

neroautoplay8audiotonerodigital\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "AudioToNeroDigital_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\AudioToNeroDigital_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

neroautoplay8cdaudio\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "CDAudio_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CDAudio_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:AudioCD" ["Nero AG"]

neroautoplay8copycd\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "CopyCD_PlayMusicFilesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\CopyCD_PlayMusicFilesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:DiscCopy %L" ["Nero AG"]

neroautoplay8datadisc_cd\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "DataDisc_CD_HandleCDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_CD_HandleCDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:CD %L" ["Nero AG"]

neroautoplay8datadisc_dvd\

"Provider" = "Nero Express"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "DataDisc_DVD_HandleDVDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\DataDisc_DVD_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe -w /New:ISODisc /Media:DVD %L" ["Nero AG"]

neroautoplay8launchnerostartsmart\

"Provider" = "Nero StartSmart"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "LaunchNeroStartSmart_HandleDVDBurningOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\LaunchNeroStartSmart_HandleDVDBurningOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero StartSmart\NeroStartSmart.exe /AutoPlay" ["Nero AG"]

neroautoplay8ripcd\

"Provider" = "Nero Burning ROM"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "RipCD_PlayCDAudioOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\RipCD_PlayCDAudioOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Burning Rom\nero.exe /Dialog:SaveTracks %L" ["Nero AG"]

neroautoplay8transcodevideo\

"Provider" = "Nero Recode"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "TranscodeVideo_PlayDVDMovieOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\TranscodeVideo_PlayDVDMovieOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero Recode\Recode.exe /New:CopyDVDVideo" ["Nero AG"]

neroautoplay8videocapture\

"Provider" = "Nero Vision"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = ""C:\Program Files\Nero\Nero8\Nero Vision\NeroVision.exe" /New:VideoCapture"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

neroautoplay8viewphotos\

"Provider" = "Nero PhotoSnap Viewer"

"InvokeProgID" = "Nero.AutoPlay8"

"InvokeVerb" = "ViewPhotos_ShowPicturesOnArrival"

HKLM\SOFTWARE\Classes\Nero.AutoPlay8\shell\ViewPhotos_ShowPicturesOnArrival\command\(Default) = "C:\Program Files\Nero\Nero8\Nero PhotoSnap\PhotoSnapViewer.exe /" ["Nero AG"]

WinampMTPHandler\

"Provider" = "Winamp"

"ProgID" = "Shell.HWEventHandlerShellExecute"

"InitCmdLine" = "C:\Program Files\Winamp\winamp.exe"

HKLM\SOFTWARE\Classes\Shell.HWEventHandlerShellExecute\CLSID\(Default) = "{FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}"

-> {HKLM...CLSID} = "ShellExecute HW Event Handler"

\LocalServer32\(Default) = "rundll32.exe shell32.dll,SHCreateLocalServerRunDll {FFB8655F-81B9-4fce-B89C-9A6BA76D13E7}" [MS]

WinampPlayMediaOnArrival\

"Provider" = "Winamp"

"InvokeProgID" = "Winamp.File"

"InvokeVerb" = "Play"

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\command\(Default) = ""C:\Program Files\Winamp\winamp.exe" "%1"" ["Nullsoft"]

HKLM\SOFTWARE\Classes\Winamp.File\shell\Play\droptarget\CLSID = "{46986115-84D6-459c-8F95-52DD653E532E}"

-> {HKLM...CLSID} = (no title provided)

\LocalServer32\(Default) = ""C:\Program Files\Winamp\winamp.exe"" ["Nullsoft"]

Enabled Scheduled Tasks:

------------------------

"Ad-Aware Update (Daily)" -> launches: "C:\Program Files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe update all silent" [file not found]

"AppleSoftwareUpdate" -> launches: "C:\Program Files\Apple Software Update\SoftwareUpdate.exe -task" ["Apple Inc."]

"Malwarebytes' Scheduled Update for Anthony" -> launches: "C:\Program Files\Malwarebytes' Anti-Malware3\mbam.exe /runupdate" [file not found]

"RegCure Program Check" -> launches: "C:\Program Files\RegCure\RegCure.exe ShowReminders" [null data]

"RegCure" -> launches: "C:\Program Files\RegCure\RegCure.exe -t" [null data]

"SpyHunter Scanner" -> launches: "C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe -scan" [file not found]

"Uniblue DiskRescue 2009" -> launches: "C:\Program Files\Uniblue\DiskRescue\UBDiskRescue.exe -schedule C" ["Uniblue"]

"Uniblue SpeedUpMyPC Nag" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]

"Uniblue SpeedUpMyPC" -> launches: "C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s" [file not found]

"Uniblue SpyEraser" -> launches: "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe -s" [file not found]

Winsock2 Service Provider DLLs:

-------------------------------

Namespace Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}

000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}

0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:

%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13

%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:

------------------------------------

Explorer Bars

HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\

HKLM\SOFTWARE\Classes\CLSID\{2A541AE1-5BF6-4665-A8A3-CFA9672E4291}\(Default) = "Groove Folder Synchronization"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [MS]

HKLM\SOFTWARE\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"

Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]

InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKCU\Software\Microsoft\Internet Explorer\Extensions\

{43CF38F3-5AEC-45A3-AD31-04EB06E9C6CA}\

"ButtonText" = "Flash"

"CLSIDExtension" = "{F81D52BF-F2F1-4F49-BF5F-05664E803039}"

-> {HKLM...CLSID} = "IEButton Class"

\InProcServer32\(Default) = "C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll" ["UnH Solutions"]

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\

{09EA1F80-F40A-11D1-B792-444553540001}\

"ButtonText" = "Flash Saver"

"MenuText" = "Flash Saver"

"Script" = "C:\PROGRA~1\FLASHS~1.0\save.htm" [null data]

{2670000A-7350-4F3C-8081-5663EE0C6C49}\

"ButtonText" = "Send to OneNote"

"MenuText" = "S&end to OneNote"

"CLSIDExtension" = "{48E73304-E1D6-4330-914C-F5F514E3486C}"

-> {HKLM...CLSID} = "Send to OneNote from Internet Explorer button"

\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll" [MS]

{753BBC4B-CC73-4FB8-A5B5-CA09C804C1DD}\

"ButtonText" = "FlashCapture"

"Script" = "res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm" ["Dreamingsoft, Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\

"ButtonText" = "Research"

{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}\

"MenuText" = "Spybot - Search && Destroy Configuration"

"CLSIDExtension" = "{53707962-6F74-2D53-2644-206D7942484F}"

-> {HKLM...CLSID} = "Spybot-S&D IE Protection"

\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy2\SDHelper.dll" ["Safer Networking Limited"]

{E2E2DD38-D088-4134-82B7-F2BA38496583}\

"MenuText" = "@xpsp3res.dll,-20001"

"Exec" = "%windir%\Network Diagnostic\xpnetdiag.exe" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\

"ButtonText" = "Messenger"

"MenuText" = "Windows Messenger"

"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points

------------------------------

C:\WINDOWS\INF\IERESET.INF (used to "Reset Web Settings")

Added lines (compared with English-language version):

[strings]: START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

[strings]: MS_START_PAGE_URL="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"

Missing lines (compared with English-language version):

[strings]: 2 lines

HKLM\SOFTWARE\Microsoft\Internet Explorer\AboutURLs\

<<H>> "InPrivate" = "res://ieframe.dll/inprivate.htm" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):

------------------------------------------------------------------

Java Quick Starter, JavaQuickStarterService, ""C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf"" ["Sun Microsystems, Inc."]

Machine Debug Manager, mdm, ""C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe"" [MS]

Nero BackItUp Scheduler 3, nero backitup scheduler 3, "C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe" ["Nero AG"]

Nero Registry InCD Service, neroregincdsrv, "C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe" ["Nero AG"]

PLFlash DeviceIoControl Service, plflash deviceiocontrol service, "C:\WINDOWS\system32\IoctlSvc.exe" ["Prolific Technology Inc."]

Spyware Terminator Realtime Shield Service, sp_rssrv, ""C:\Program Files\Spyware Terminator\sp_rsser.exe"" ["Crawler.com"]

Ulead Burning Helper, uleadburninghelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]

Uniblue DiskRescue, Uniblue DiskRescue, ""C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe" " ["Uniblue"]

Window Washer Engine, wwEngineSvc, "C:\Program Files\Webroot\Washer\WasherSvc.exe" ["Webroot Software, Inc."]

Print Monitors:

---------------

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\

Dell 922 Port\Driver = "dlbtlmpm.DLL" [" "]

Send To Microsoft OneNote Monitor\Driver = "msonpmon.dll" [MS]

---------- (launch time: 2009-08-17 11:15:41)

<<!>>: Suspicious data at a malware launch point.

<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.

+ To see *everywhere* the script checks and *everything* it finds,

launch it from a command prompt or a shortcut with the -all parameter.

+ The search for DESKTOP.INI DLL launch points on all local fixed drives

took 73 seconds.

---------- (total run time: 102 seconds)


Same problem again... ran the scan. It didn't show anything other than going to stage 50, changed to restarting... and stayed that way for over 2 hrs. I gave up and restarted the system.

Got any ideas? Because I don't. This is without a doubt the oddest PC... virus?? or adware??? I have ever had.


Also, I did a search for combofix... it found the folder that looks like a PC [the duplicate of my system I mentioned] and the combofix.exe under [documents and settings\administrator].

It found both... then kept re-finding both... over and over. The scan continues, and atm I have over 50 of both... and it just keeps finding it again.


Please download The Avenger2 by SwanDog46. http://swandog46.geekstogo.com/avenger.zip

Unzip avenger.exe to your desktop.

Copy the text in the following codebox by selecting all of it, and pressing (<Control> + C) or by right clicking and selecting "Copy" (don't include the word code)

Files to move:
c:\WINDOWS\system32\dllcache\scecli.dll | C:\WINDOWS\system32\scecli.dll

Now start The Avenger2 by double clicking avenger.exe on your desktop.

Read the prompt that appears, and press OK.

Paste the script into the textbox that appears, using (<Control> + V) or by right clicking and choosing "Paste".

(what you pasted in must be at the very top) Press the "Execute" button.

You will be presented with 2 confirmation prompts. Select yes on each. Your system will reboot.

Note: It is possible that Avenger will reboot your system TWICE.

Upon reboot, a command prompt window will appear on your screen for a few seconds, and then Avenger's log will open.

Please paste that log here in your next post.

Edit for typo


Here is what came up upon reboot...

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

Error: could not open file "c:\WINDOWS\system32\dllcahe\scecli.dll" for move operation

File move operation "c:\WINDOWS\system32\dllcahe\scecli.dll|C:\WINDOWS\system32\scecli.dll" failed!

Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)

--> bad path / the parent directory does not exist

Completed script processing.

*******************

Finished! Terminate.

Also... I have a [Windows - No Disk] window popped up. Not sure if it's supposed to do that using this program or not.

Which says...

Windows - No Disk

Exception Processing Message c0000013 Parameters 75b6bf7c 4 75b6bf7c 75b6bf7c

[Cancel] [Try Again] [Continue]


It came back with this attempt also. After a few clicks of Continue it disappeared.

Here is the log from the latest scan...

Logfile of The Avenger Version 2.0, © by Swandog46

http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.

Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

No rootkits found!

File move operation "c:\WINDOWS\system32\dllcache\scecli.dll|C:\WINDOWS\system32\scecli.dll" completed successfully.

Completed script processing.

*******************

Finished! Terminate.


Well, after that seemed to do something I got hopeful and did a HijackThis reinstall and a Malwarebytes reinstall... I got HijackThis to do a full scan. Will post the MBAM log when/"if" it finishes.

HijackThis log...

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:06:59 PM, on 8/18/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Malwarebytes' Anti-Malware4\mbam.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.garfield.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: AcroIEHelperStub - {18df081c-e8ad-4283-a596-fa578c2ebdc3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - (no file)

O2 - BHO: FCBHOBHO Class - {8b3868b4-eba8-48fa-a19b-e1dfb99066fa} - C:\Program Files\FlashCapture\FCBHO.dll

O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"

O4 - HKLM\..\Run: [DLBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

O4 - HKCU\..\Run: [unHackMe Monitor] C:\Program Files\UnHackMe0\hackmon.exe

O4 - HKCU\..\Run: [Registry Cleaner Scheduler] "C:\Program Files\CleanMyPC\Registry Cleaner\RCHelper.exe" /startup

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')

O8 - Extra context menu item: &Save Flash In This Page - C:\PROGRA~1\FLASHS~1.0\save.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O8 - Extra context menu item: Save F&lash with FlashCapture - res://C:\Program Files\FlashCapture\FCIEXT.dll/FCIEXT.htm

O8 - Extra context menu item: Save Flash - res://C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210

O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm

O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1.0\save.htm

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: FlashCapture - {753BBC4B-CC73-4fb8-A5B5-CA09C804C1DD} - C:\Program Files\FlashCapture\FCIEXT.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: Flash - {43CF38F3-5AEC-45a3-AD31-04EB06E9C6CA} - C:\Program Files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll (HKCU)

O16 - DPF: {17492023-c23a-453e-a040-c7c580bbf700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2bc66f54-93a8-11d3-beb6-00105aa9b6ae} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1240717898421

O16 - DPF: {644e432f-49d3-41a1-8dd5-e099162eeec5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6e32070a-766d-4ee6-879c-dc1fa91d2fc3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1245856334609

O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab

O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=29223

O16 - DPF: {9c23d886-43cb-43de-b2db-112a68d7e10a} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader2.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)

O20 - Winlogon Notify: !saswinlogon - C:\WINDOWS\

O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)

O20 - Winlogon Notify: gotoassist - C:\Program Files\Citrix\GoToAssist\514\G2AWinLogon.dll

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe

O23 - Service: AVG8 WatchDog (avg8wd) - Unknown owner - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe (file missing)

O23 - Service: CSIScanner - Unknown owner - C:\Program Files\Prevx\prevx.exe (file missing)

O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe

O23 - Service: GoToAssist (gotoassist) - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe

O23 - Service: InstallDriver Table Manager (idrivert) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: InCD Helper (incdsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\InCDsrv.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: MBAMService - Unknown owner - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe (file missing)

O23 - Service: Nero BackItUp Scheduler 3 (nero backitup scheduler 3) - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe

O23 - Service: Nero Registry InCD Service (neroregincdsrv) - Nero AG - C:\Program Files\Nero\Nero8\InCD\NBHRegInCDSrv.exe

O23 - Service: NMIndexingService (nmindexingservice) - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

O23 - Service: PLFlash DeviceIoControl Service (plflash deviceiocontrol service) - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Prevx Agent (PREVXAgent) - Unknown owner - C:\Program Files\Prevx1\PXAgent.exe

O23 - Service: VIPRE Antivirus + Antispyware (sbamsvc) - Unknown owner - C:\Program Files\Sunbelt Software\VIPRE2\SBAMSvc.exe

O23 - Service: Ulead Burning Helper (uleadburninghelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

O23 - Service: Uniblue DiskRescue - Uniblue - C:\Program Files\Uniblue\DiskRescue\UBDiskRescueSrv.exe

O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe

--

End of file - 8383 bytes


Here is the new Combofix log....

ComboFix 09-08-18.04 - Anthony 08/19/2009 13:30.3.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2850 [GMT -4:00]

Running from: c:\documents and settings\Anthony\Desktop\Combo-Fix.exe

AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

AV: AVG Anti-Virus *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\Fonts\Pretendo.ttf

I:\Autorun.inf

Infected copy of c:\windows\system32\mspmsnsv.dll was found and disinfected

Restored copy from - c:\windows\system32\dllcache\mspmsnsv.dll

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ed}

-------\Legacy_{79007602-0cdb-4405-9dbf-1257bb3226ee}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}

-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}

((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))

.

2009-08-19 17:04 . 2009-08-19 17:28 -------- d-----w- c:\documents and settings\Anthony\Application Data\CheckPoint

2009-08-19 13:10 . 2009-08-19 17:28 96 ----a-w- c:\windows\system32\pdfl.dat

2009-08-19 13:10 . 2009-08-19 13:10 144 ----a-w- c:\windows\system32\lkfl.dat

2009-08-19 13:10 . 2009-08-19 13:10 80 ----a-w- c:\windows\system32\ibfl.dat

2009-08-19 13:09 . 2009-08-19 13:09 -------- d-----w- c:\program files\CheckPoint

2009-08-19 13:09 . 2009-08-19 17:08 4212 ---ha-w- c:\windows\system32\zllictbl.dat

2009-08-19 12:11 . 2009-08-19 12:11 -------- d-----w- c:\program files\Plus!

2009-08-19 12:11 . 2009-08-19 12:11 -------- d-----w- c:\program files\Pizza Frenzy

2009-08-19 12:03 . 2009-08-19 12:04 -------- d-----w- c:\program files\Spyware Doctor

2009-08-19 12:03 . 2009-08-19 12:03 -------- d-----w- c:\program files\Warcraft III

2009-08-19 12:02 . 2009-08-19 12:03 -------- d---a-w- c:\program files\Return to Castle Wolfenstein

2009-08-19 11:57 . 2009-08-19 12:02 -------- d-----w- c:\program files\PopCap Games

2009-08-19 11:52 . 2009-08-19 16:59 261696 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat

2009-08-19 11:45 . 2009-08-19 12:11 -------- d-----w- c:\program files\World of Warcraft

2009-08-19 04:57 . 2009-08-19 04:58 -------- d-----w- c:\program files\Insaniquarium Deluxe

2009-08-19 04:56 . 2009-08-19 04:57 -------- d-----w- c:\program files\EF2

2009-08-19 04:54 . 2009-08-19 04:56 -------- d-----w- c:\program files\Doom 3

2009-08-19 04:54 . 2009-08-19 04:54 -------- d-----w- c:\program files\Desktop Architect

2009-08-19 04:54 . 2009-08-19 04:54 -------- d-----w- c:\program files\Deep Space 3D Screensaver

2009-08-19 04:54 . 2009-08-19 04:54 -------- d-----w- c:\program files\Cycles3D

2009-08-19 04:38 . 2009-08-19 04:54 -------- d-----w- c:\program files\Bridge CommanderOnline

2009-08-19 04:16 . 2009-08-19 04:38 -------- d-----w- c:\program files\Bridge Commander

2009-08-19 02:27 . 2009-08-19 02:27 -------- d-----w- c:\program files\321Studios

2009-08-19 02:27 . 2009-08-19 02:27 -------- d-----w- c:\program files\7-Zip

2009-08-19 02:26 . 2009-08-19 02:27 -------- d-----w- C:\Games

2009-08-19 02:14 . 2009-07-28 20:33 55656 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2009-08-19 02:14 . 2009-03-30 14:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys

2009-08-19 02:14 . 2009-02-13 16:29 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys

2009-08-19 02:14 . 2009-02-13 16:17 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys

2009-08-19 02:14 . 2009-08-19 02:14 -------- d-----w- c:\program files\Avira

2009-08-19 02:14 . 2009-08-19 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira

2009-08-19 01:43 . 2009-08-03 17:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-08-19 01:43 . 2009-08-19 01:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware4

2009-08-19 01:43 . 2009-08-03 17:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-08-18 12:28 . 2009-08-19 17:29 -------- d-s---w- C:\ComboFix

2009-08-18 12:28 . 2009-08-18 20:09 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache

2009-08-17 21:27 . 2009-08-19 01:29 -------- d-----w- c:\program files\Dl_cats

2009-08-17 21:26 . 2004-08-23 14:42 131072 ----a-w- c:\windows\system32\dlbtsnls.dll

2009-08-17 21:26 . 2004-08-23 14:40 143360 ----a-w- c:\windows\system32\dlbtcoin.dll

2009-08-17 21:24 . 2004-11-09 18:10 573440 ----a-w- c:\windows\system32\dlbtjswr.dll

2009-08-17 21:24 . 2009-08-17 21:26 -------- d-----w- c:\program files\Dell Photo AIO Printer 922

2009-08-17 21:24 . 2004-11-09 17:59 405504 ----a-w- c:\windows\system32\dlbtutil.dll

2009-08-17 21:24 . 2003-10-07 15:56 983101 ----a-w- c:\windows\system32\dlbtgf.dll

2009-08-17 15:12 . 2009-08-18 20:09 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache

2009-08-17 13:57 . 2009-08-17 13:57 -------- d-----w- c:\documents and settings\Anthony\Application Data\AVG8

2009-08-17 00:33 . 2009-08-17 00:33 -------- d-----w- c:\documents and settings\Anthony\Links

2009-08-17 00:26 . 2009-08-17 00:26 -------- d--h--w- c:\windows\PIF

2009-08-16 22:14 . 2009-08-16 22:14 -------- d-----w- C:\309c77ad5dc3d046eb

2009-08-16 21:34 . 2009-08-18 20:09 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache

2009-08-16 02:44 . 2009-08-16 02:44 -------- d-----w- c:\program files\Western Digital

2009-08-16 02:43 . 2009-08-16 02:43 -------- d-----w- c:\program files\Western Digital Corporation

2009-08-15 19:14 . 2009-08-19 01:38 -------- d-sh--w- c:\documents and settings\Anthony\IECompatCache

2009-08-15 19:14 . 2009-08-19 01:38 -------- d-sh--w- c:\documents and settings\Anthony\PrivacIE

2009-08-15 19:13 . 2009-08-19 01:33 -------- d-sh--w- c:\documents and settings\Anthony\IETldCache

2009-08-15 18:33 . 2008-04-14 12:00 221184 ----a-w- c:\windows\system32\wmpns.dll

2009-08-15 18:24 . 2009-07-19 22:48 11067392 -c----w- c:\windows\system32\dllcache\ieframe.dll

2009-08-15 18:24 . 2009-07-03 17:09 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2009-08-15 18:24 . 2009-07-03 17:09 594432 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2009-08-15 18:24 . 2009-07-03 17:09 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2009-08-15 18:24 . 2009-07-03 17:09 1985536 -c----w- c:\windows\system32\dllcache\iertutil.dll

2009-08-15 18:24 . 2009-07-03 17:09 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2009-08-15 18:24 . 2009-08-15 18:24 -------- d-----w- c:\windows\ie8updates

2009-08-15 18:24 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll

2009-08-15 18:22 . 2009-08-15 18:24 -------- dc-h--w- c:\windows\ie8

2009-08-15 18:20 . 2009-08-15 18:20 -------- d-----w- c:\program files\MSXML 4.0

2009-08-15 15:45 . 2009-08-15 15:45 -------- d-----w- c:\program files\CleanMyPC

2009-08-15 15:01 . 2009-05-21 14:18 457064 ----a-w- c:\documents and settings\All Users\Application Data\iolo\IRestartStub.exe

2009-08-15 15:01 . 2009-08-15 15:01 -------- d-----w- c:\documents and settings\All Users\Application Data\iolo

2009-08-15 15:01 . 2009-08-15 15:01 -------- d-----w- c:\documents and settings\Anthony\Application Data\iolo

2009-08-15 14:27 . 2009-08-19 11:54 -------- d-----w- c:\program files\Spybot - Search & Destroy2

2009-08-15 13:35 . 2009-08-15 13:35 -------- d-----w- c:\program files\ESET

2009-08-15 13:31 . 2009-08-15 13:31 -------- d-----w- c:\documents and settings\Anthony\Application Data\Safer Networking

2009-08-15 13:31 . 2009-08-15 13:33 -------- d-----w- c:\program files\Safer Networking

2009-08-14 14:41 . 2009-08-14 14:41 139784 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-14 12:38 . 2009-08-14 12:38 -------- d-----w- c:\program files\CleanUp!

2009-08-12 17:09 . 2009-08-14 03:21 664 ----a-w- c:\windows\system32\d3d9caps.dat

2009-08-12 13:50 . 2009-08-12 13:50 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys

2009-08-12 13:50 . 2009-08-12 13:50 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys

2009-08-12 13:50 . 2009-08-12 13:53 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

2009-08-12 13:46 . 2009-08-12 13:49 -------- d-----w- C:\DCE

2009-08-11 18:53 . 2009-08-14 14:08 -------- d-s---w- c:\documents and settings\Administrator\UserData

2009-08-11 14:48 . 2009-08-11 14:48 -------- d-----w- c:\program files\Nero

2009-08-10 19:46 . 2009-08-12 13:57 81984 ----a-w- c:\windows\system32\bdod.bin

2009-08-10 02:21 . 2009-08-10 02:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2009-08-09 21:04 . 2005-04-03 19:02 8944 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys

2009-08-09 20:51 . 2009-08-15 15:42 2 --shatw- c:\windows\winstart.bat

2009-08-09 20:51 . 2009-08-15 15:42 34760 ----a-w- c:\windows\system32\drivers\Partizan.sys

2009-08-09 20:51 . 2009-08-15 15:42 32480 ----a-w- c:\windows\system32\Partizan.exe

2009-08-09 20:36 . 2009-08-09 20:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX

2009-08-09 20:30 . 2009-08-09 20:30 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator

2009-08-09 20:10 . 2009-08-09 20:10 -------- d-----w- c:\documents and settings\Administrator\Application Data\Sunbelt

2009-08-08 15:00 . 2009-08-09 21:05 -------- d-----w- C:\VundoFix Backups

2009-08-08 05:37 . 2009-08-08 05:41 0 ----a-w- c:\windows\system32\SBRC.dat

2009-08-08 05:35 . 2009-05-13 21:30 69936 ----a-w- c:\windows\system32\drivers\sbapifs.sys

2009-08-08 05:35 . 2009-05-13 21:30 13360 ----a-w- c:\windows\system32\drivers\sbaphd.sys

2009-08-08 05:27 . 2009-08-08 05:29 -------- d-----w- c:\program files\RegCure

2009-08-08 04:42 . 2009-08-08 04:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Sunbelt

2009-08-08 04:42 . 2009-08-08 04:42 -------- d-----w- c:\documents and settings\Anthony\Application Data\Sunbelt

2009-08-08 04:41 . 2008-10-09 13:48 202928 ----a-w- c:\windows\system32\drivers\sbtis.sys

2009-08-08 02:30 . 2009-08-08 04:41 -------- d-----w- c:\program files\Sunbelt Software

2009-08-07 15:01 . 2009-08-07 15:01 -------- d-----w- c:\program files\Zone Labs

2009-08-07 15:00 . 2009-08-19 17:28 -------- d-----w- c:\windows\Internet Logs

2009-08-07 14:01 . 2009-08-08 05:39 -------- d-----w- c:\program files\Common Files\PC Tools

2009-08-07 13:38 . 2009-08-07 13:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes

2009-08-07 03:29 . 2009-08-19 02:03 -------- d-----w- c:\program files\Trend Micro

2009-08-07 01:48 . 2009-08-19 02:02 -------- d-----w- c:\program files\Spybot - Search & Destroy

2009-08-07 01:48 . 2009-08-19 02:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-08-07 00:54 . 2009-08-06 18:27 10520 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsstx.dll

2009-08-07 00:54 . 2009-08-06 18:27 76040 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgtdix.sys

2009-08-07 00:54 . 2009-08-06 18:27 12936 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrkx86.sys

2009-08-07 00:54 . 2009-08-06 18:27 97928 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgldx86.sys

2009-08-07 00:54 . 2009-08-06 18:27 26824 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgmfx86.sys

2009-08-07 00:54 . 2009-08-06 18:27 287000 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgrsx.exe

2009-08-07 00:50 . 2009-08-07 00:50 -------- d-----w- c:\documents and settings\Anthony\DoctorWeb

2009-08-06 19:29 . 2009-08-18 20:09 -------- d-----w- C:\!KillBox

2009-08-06 19:18 . 2009-08-06 18:27 1083160 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgupd.dll

2009-08-06 19:18 . 2009-08-06 18:27 443672 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgiproxy.exe

2009-08-06 19:18 . 2009-08-06 18:27 583960 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avginet.dll

2009-08-06 18:49 . 2009-08-08 05:27 -------- d-----w- c:\windows\RegCure

2009-08-06 18:48 . 2009-08-06 18:48 -------- d-----w- c:\documents and settings\Anthony\Local Settings\Application Data\Downloaded Installations

2009-08-06 18:45 . 2009-08-06 18:45 117760 ----a-w- c:\documents and settings\Anthony\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL

2009-08-06 18:44 . 2009-08-06 18:44 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com

2009-08-06 18:44 . 2009-08-06 18:44 -------- d-----w- c:\documents and settings\Anthony\Application Data\SUPERAntiSpyware.com

2009-08-06 18:27 . 2009-08-17 14:10 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-08-06 18:07 . 2009-08-06 18:11 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}(2)

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-08-19 17:38 . 2009-04-28 23:27 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP

2009-08-19 11:55 . 2009-04-26 04:29 140168 ----a-w- c:\documents and settings\Anthony\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-08-19 11:51 . 2009-04-26 06:39 -------- d-----w- c:\program files\PeerGuardian2

2009-08-19 02:59 . 2009-04-26 16:00 -------- d-----w- c:\program files\BearShare

2009-08-19 02:27 . 2009-04-26 04:59 -------- d-----w- c:\program files\Azureus

2009-08-18 20:09 . 2009-08-12 14:35 -------- d-----w- c:\program files\Prevx1

2009-08-18 20:09 . 2009-04-26 06:24 -------- d-----w- c:\documents and settings\Anthony\Application Data\Azureus

2009-08-14 14:34 . 2009-08-12 14:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Prevx

2009-08-12 14:35 . 2009-08-12 14:35 -------- d-----w- c:\documents and settings\Anthony\Application Data\Prevx

2009-08-11 14:44 . 2009-05-06 01:24 -------- d-----w- c:\program files\Activision

2009-08-10 03:03 . 2009-04-27 12:14 -------- d-----w- c:\program files\Enigma Software Group

2009-08-08 05:11 . 2009-06-10 14:44 -------- d-----w- c:\program files\PFConfig

2009-08-07 20:18 . 2009-04-26 14:54 -------- d-----w- c:\program files\Winamp

2009-08-07 00:35 . 2009-04-26 22:39 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard

2009-08-06 17:27 . 2009-05-16 00:31 -------- d-----w- c:\program files\Ahead

2009-08-06 17:27 . 2009-04-26 03:28 -------- d--h--w- c:\program files\InstallShield Installation Information

2009-08-05 21:32 . 2009-06-20 21:38 -------- d-----w- c:\program files\MilkShape 3D 1.8.4

2009-08-05 09:01 . 2008-04-14 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

2009-07-29 04:37 . 2008-04-14 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll

2009-07-29 04:37 . 2008-04-14 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll

2009-07-22 22:34 . 2009-04-26 06:19 244 ----a-w- c:\windows\popcinfo.dat

2009-07-17 19:01 . 2008-04-14 12:00 58880 ----a-w- c:\windows\system32\atl.dll

2009-07-15 23:23 . 2009-07-15 23:23 -------- d-----w- c:\program files\Utherverse Digital Inc

2009-07-14 03:43 . 2008-04-14 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll

2009-07-11 23:13 . 2009-06-24 16:30 -------- d-----w- c:\program files\BCS-TNG

2009-07-09 15:52 . 2009-07-09 15:52 59992 ----a-w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files\Kaspersky Internet Security 2010 9.0.0.463\English\setup.exe

2009-07-07 13:07 . 2009-07-07 13:05 -------- d-----w- c:\program files\Fog Lake Screensaver

2009-07-03 17:09 . 2008-04-14 12:00 915456 ----a-w- c:\windows\system32\wininet.dll

2009-06-30 03:14 . 2009-06-30 02:20 -------- d-----w- c:\program files\ABC Amber Sony Converter

2009-06-28 16:43 . 2009-06-28 16:43 -------- d-----w- c:\documents and settings\Anthony\Application Data\Jasc Software Inc

2009-06-28 16:43 . 2009-04-26 04:50 -------- d-----w- c:\program files\Jasc Software Inc

2009-06-28 16:30 . 2009-06-28 16:30 -------- d-----w- c:\program files\Common Files\SWF Studio

2009-06-26 16:50 . 2009-06-26 16:50 81920 ------w- c:\windows\system32\ieencode.dll

2009-06-26 00:25 . 2009-04-26 04:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help

2009-06-25 08:25 . 2008-04-14 12:00 730112 ----a-w- c:\windows\system32\lsasrv.dll

2009-06-25 08:25 . 2008-04-14 12:00 56832 ----a-w- c:\windows\system32\secur32.dll

2009-06-25 08:25 . 2008-04-14 12:00 54272 ----a-w- c:\windows\system32\wdigest.dll

2009-06-25 08:25 . 2008-04-14 12:00 301568 ----a-w- c:\windows\system32\kerberos.dll

2009-06-25 08:25 . 2008-04-14 12:00 147456 ----a-w- c:\windows\system32\schannel.dll

2009-06-25 08:25 . 2008-04-14 12:00 136192 ----a-w- c:\windows\system32\msv1_0.dll

2009-06-24 16:36 . 2009-04-26 04:42 -------- d-----w- c:\program files\MSBuild

2009-06-24 16:31 . 2009-06-24 16:28 -------- d-----w- c:\program files\Microsoft Visual Studio 8

2009-06-24 15:40 . 2009-06-24 15:40 -------- d-----w- c:\program files\Microsoft Visual Studio .NET 2003

2009-06-24 15:40 . 2009-04-26 04:42 -------- d-----w- c:\program files\Microsoft.NET

2009-06-24 11:18 . 2008-04-14 12:00 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys

2009-06-20 21:38 . 2009-06-20 21:38 -------- d-----w- c:\documents and settings\Anthony\Application Data\MilkShape 3D 1.x.x

2009-06-12 12:31 . 2008-04-14 12:00 80896 ----a-w- c:\windows\system32\tlntsess.exe

2009-06-12 12:31 . 2008-04-14 12:00 76288 ----a-w- c:\windows\system32\telnet.exe

2009-06-10 14:13 . 2008-04-14 12:00 84992 ----a-w- c:\windows\system32\avifil32.dll

2009-06-10 13:19 . 2009-04-26 02:22 2066432 ----a-w- c:\windows\system32\mstscax.dll

2009-06-10 10:00 . 2009-06-10 10:00 68392 ----a-w- c:\windows\system32\sbbd.exe

2009-06-10 06:14 . 2008-04-14 12:00 132096 ----a-w- c:\windows\system32\wkssvc.dll

2009-06-05 03:21 . 2009-06-05 03:21 63488 ----a-w- c:\windows\xobglu16.dll

2009-06-05 03:21 . 2009-06-05 03:21 113116 ----a-w- c:\windows\xobglu32.dll

2009-06-03 19:09 . 2008-04-14 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll

2009-05-29 17:25 . 2009-05-29 17:25 49152 ---ha-w- c:\documents and settings\Anthony\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll

2009-05-28 21:31 . 2009-07-09 21:42 38200 ----a-w- c:\documents and settings\Anthony\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe

2009-05-22 22:33 . 2002-10-04 02:35 217088 ------w- c:\windows\system32\SpaceBattleSS.scr

2005-02-01 00:38 . 2009-04-26 05:00 1340416 ----a-w- c:\program files\mplayerc.exe

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\nbhshellext]

@="{8D2223A2-B3C6-4e32-B096-CDD11F628C60}"

[HKEY_CLASSES_ROOT\CLSID\{8D2223A2-B3C6-4e32-B096-CDD11F628C60}]

2008-02-28 18:04 97064 ------w- c:\program files\Nero\Nero8\InCD\NBHShx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Registry Cleaner Scheduler"="c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe" [2009-08-16 1401096]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Dell Photo AIO Printer 922"="c:\program files\Dell Photo AIO Printer 922\dlbtbmgr.exe" [2004-11-10 290816]

"DLBTCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll" [2004-11-09 69632]

"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-14 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gotoassist]

2009-05-16 01:27 10536 ----a-w- c:\program files\Citrix\GoToAssist\514\g2awinlogon.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]

BootExecute REG_MULTI_SZ autocheck autochk *\0aswBoot.exe /A:* /L:English /KBD:2\0Partizan

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lavasoft ad-aware service]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbamsvc]

@="Service"

[HKLM\~\startupfolder\c:^documents and settings^all users^start menu^programs^startup^adobe gamma loader.lnk]

backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Desktop Alert.lnk]

backup=c:\windows\pss\Desktop Alert.lnkCommon Startup

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDAgent

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitDefender Antiphishing Helper

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eerbb

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HijackThis startup scan

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\malwarebytes' anti-malware

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\monopod

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter Security Suite

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpeedUpMyPC

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue SpyEraser

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\windows resurections

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=

"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=

"c:\\Program Files\\Common Files\\Desktop Alert\\TrueWeather.exe"=

"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

"c:\\Program Files\\World of Warcraft\\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe"=

"c:\\Program Files\\Curse\\CurseClient.exe"=

"c:\\Program Files\\World of Warcraft\\Launcher.exe"=

"c:\\Program Files\\BearShare\\BearShare.exe"=

"c:\\Program Files\\Raven\\Star Trek Voyager Elite Force\\stvoyHM.exe"=

"c:\\WINDOWS\\system32\\dlbtcoms.exe"=

"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

"53000:TCP"= 53000:TCP:Azureus

"6889:UDP"= 6889:UDP:Azureus3

R0 gxc108p;gxc108p;c:\windows\system32\drivers\gxc108p.sys [4/26/2009 6:40 PM 5248]

R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [8/12/2009 9:50 AM 22024]

R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [8/12/2009 9:50 AM 27656]

R1 PrevxTdi;PREVX Tdi filter;c:\windows\system32\drivers\pxtdi.sys [8/12/2009 10:35 AM 18560]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [8/8/2009 1:35 AM 13360]

R1 sbtis;sbtis;c:\windows\system32\drivers\sbtis.sys [8/8/2009 12:41 AM 202928]

R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/18/2009 10:14 PM 108289]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/18/2009 9:43 PM 19096]

S0 avgrkx86;avgrkx86.sys; [x]

S0 cerc6;cerc6; [x]

S0 fith;fith; [x]

S0 fssvvigd;fssvvigd; [x]

S0 gsfl;gsfl; [x]

S0 gxc108b;gxc108b; [x]

S0 ilgeyrra;ilgeyrra; [x]

S0 kfzaocai;kfzaocai; [x]

S0 pctcore;PCTools KDS; [x]

S0 pletnup;pletnup; [x]

S0 qihwewl;qihwewl; [x]

S0 wkapbfet;wkapbfet; [x]

S0 xpfcw;xpfcw; [x]

S0 yflbyg;yflbyg; [x]

S1 847b4010;847b4010;c:\windows\system32\drivers\847b4010.sys --> c:\windows\system32\drivers\847b4010.sys [?]

S1 avgldx86;AVG AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys --> c:\windows\system32\Drivers\avgldx86.sys [?]

S1 avgtdix;AVG8 Network Redirector;c:\windows\system32\Drivers\avgtdix.sys --> c:\windows\system32\Drivers\avgtdix.sys [?]

S1 saskutil;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]

S2 avg8wd;AVG8 WatchDog; [x]

S2 CSIScanner;CSIScanner; [x]

S2 lavasoft ad-aware service;Lavasoft Ad-Aware Service; [x]

S2 MBAMService;MBAMService; [x]

S2 neroregincdsrv;Nero Registry InCD Service;c:\program files\Nero\Nero8\InCD\NBHRegInCDSrv.exe [2/28/2008 2:04 PM 53032]

S2 sbamsvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE2\SBAMSvc.exe [6/10/2009 6:00 AM 980264]

S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [8/8/2009 1:35 AM 69936]

S2 Uniblue DiskRescue;Uniblue DiskRescue;c:\program files\Uniblue\DiskRescue\UBDiskRescueSrv.exe [9/10/2008 11:22 AM 229648]

S2 wwEngineSvc;Window Washer Engine;c:\program files\Webroot\Washer\WasherSvc.exe [4/29/2009 10:30 AM 598856]

S2 ytjuy;ytjuy;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]

S3 ATE_PROCMON;ATE_PROCMON;\??\c:\program files\Anti Trojan Elite\ATEPMon.sys --> c:\program files\Anti Trojan Elite\ATEPMon.sys [?]

S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [4/25/2009 11:45 PM 84992]

S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [8/9/2009 4:51 PM 34760]

S3 PrevxEmulator;PREVX Emulator Driver;c:\windows\system32\drivers\PxEmu.sys [8/12/2009 10:35 AM 100864]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bdx REG_MULTI_SZ scan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs

ytjuy

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

.

Contents of the 'Scheduled Tasks' folder

2009-08-17 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2009-08-19 c:\windows\Tasks\Malwarebytes' Scheduled Update for Anthony.job

- c:\program files\Malwarebytes' Anti-Malware4\mbam.exe [2009-08-19 17:36]

2009-08-19 c:\windows\Tasks\RegCure Program Check.job

- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-08-08 c:\windows\Tasks\RegCure.job

- c:\program files\RegCure\RegCure.exe [2007-10-16 08:20]

2009-04-28 c:\windows\Tasks\Uniblue DiskRescue 2009.job

- c:\program files\Uniblue\DiskRescue\UBDiskRescue.exe [2008-09-10 15:22]

.

- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{0f147d1d-5b44-4a4d-bc33-96dac3c7ed6e} - (no file)

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)

Notify-!saswinlogon - (no file)

Notify-avgrsstarter - avgrsstx.dll

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.garfield.com/

uLocal Page = \blank.htm

uInternet Settings,ProxyServer = http=localhost:7171

uInternet Settings,ProxyOverride = *.local

IE: &Save Flash In This Page - c:\progra~1\FLASHS~1.0\save.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000

IE: Save F&lash with FlashCapture - c:\program files\FlashCapture\FCIEXT.dll/FCIEXT.htm

IE: Save Flash - c:\program files\UnH Solutions\Flash Saving Plugin\FlashSButton.dll/210

DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab

DPF: {9c23d886-43cb-43de-b2db-112a68d7e10a} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-08-19 13:38

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

DLBTCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1801674531-117609710-682003330-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{ce5f7860-a768-c560-221e-1a5b3c465976}*]

@Allowed: (Read) (RestrictedCode)

@Allowed: (Read) (RestrictedCode)

"abeljbjlnmhmbjbggjidahpnbiallpedae"=hex:61,62,63,63,6f,6e,6e,64,6e,63,64,65,

6d,6b,6d,70,66,67,68,69,65,6e,6e,6f,63,6a,64,61,6a,66,6e,6d,61,68,00,77

"bbeljbjlnmhmbjbggjpbjhkahkfblldkogdn"=hex:61,62,6e,61,61,70,6d,66,65,61,61,61,

61,70,6a,6a,62,6f,69,61,6d,6f,6a,66,6c,68,66,6e,6a,62,66,61,6a,67,00,77

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(924)

c:\windows\system32\Ati2evxx.dll

c:\program files\Citrix\GoToAssist\514\G2AWinLogon.dll

- - - - - - - > 'explorer.exe'(3708)

c:\windows\system32\WININET.dll

c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

c:\program files\Nero\Nero8\InCD\NBHShx.dll

c:\program files\Nero\Nero8\InCD\NBHStr.dll

c:\program files\Common Files\Nero\Shared\NL3\AdvrCntr3.dll

c:\windows\system32\ieframe.dll

c:\windows\system32\webcheck.dll

c:\windows\system32\WPDShServiceObj.dll

c:\windows\system32\PortableDeviceApi.dll

c:\program files\Microsoft Virtual PC\VPCShExH.DLL

c:\windows\system32\PortableDeviceTypes.dll

c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

c:\program files\Microsoft Office\Office12\1033\GrooveIntlResource.dll

c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll

c:\program files\ATI Technologies\ATI.ACE\Core-Static\atiamenu.dll

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Avira\AntiVir Desktop\avguard.exe

c:\windows\system32\wscntfy.exe

c:\program files\Dell Photo AIO Printer 922\dlbtbmon.exe

.

**************************************************************************

.

Completion time: 2009-08-19 13:42 - machine was rebooted

ComboFix-quarantined-files.txt 2009-08-19 17:42

Pre-Run: 101,004,386,304 bytes free

Post-Run: 100,921,860,096 bytes free

410

Malwarebytes is still running, but I will post its results as soon as it's done.

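Added example, not part of the thread and not ComboFix's own code: a small triage script that reads service lines in the format printed above (`S0 name;display; [x]`, `S1 name;display;path --> path [?]`, `S2 name;display;svchost.exe -k netsvcs [...]`), the "Svchost - NetSvcs" additions and the `ProxyServer` line, and flags the four patterns visible in this log: boot/system-start drivers registered with no image path, a driver whose file ComboFix could not find on disk, a service hosted by `svchost.exe -k netsvcs` that was added to the NetSvcs group, and an Internet Explorer proxy pointing at localhost. The sample log embedded below is constructed from a subset of the entries in this thread plus two legitimate ones for contrast; the finding categories and the parsing rules are my assumptions about the log format, not a ComboFix specification.

```python
"""Triage of ComboFix-style service/driver listings (added example).

Assumptions (not from ComboFix documentation): one service per line in
the form '<R|S><0-4> <name>;<display>;<image or [x]>', a NetSvcs section
that lists one service name per line after a header ending in
'Svchost - NetSvcs', and IE settings printed as 'ProxyServer = value'.
"""
import re
from dataclasses import dataclass

SERVICE_RE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)", re.IGNORECASE)

# Constructed sample in the format ComboFix prints: entries taken from the
# log in this thread plus MBAMProtector and AtiHdmiService as benign controls.
SAMPLE_LOG = r"""
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/18/2009 9:43 PM 19096]
S0 avgrkx86;avgrkx86.sys; [x]
S0 cerc6;cerc6; [x]
S0 pletnup;pletnup; [x]
S1 847b4010;847b4010;c:\windows\system32\drivers\847b4010.sys --> c:\windows\system32\drivers\847b4010.sys [?]
S2 ytjuy;ytjuy;c:\windows\System32\svchost.exe -k netsvcs [4/14/2008 8:00 AM 14336]
S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [4/25/2009 11:45 PM 84992]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ytjuy
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
uStart Page = hxxp://www.garfield.com/
uInternet Settings,ProxyServer = http=localhost:7171
"""


@dataclass
class Finding:
    kind: str    # driver_no_image | driver_file_missing | netsvcs_addition | loopback_proxy
    name: str    # service name (or 'ProxyServer')
    detail: str


def parse_netsvcs(lines):
    """Service names ComboFix lists as additions to the Svchost NetSvcs group."""
    names, in_section = [], False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Svchost - NetSvcs"):
            in_section = True
            continue
        if in_section:
            # Service names contain no spaces, backslashes or brackets; anything
            # else means the section has ended.
            if line.startswith("[") or "\\" in line or " " in line:
                break
            names.append(line)
    return names


def triage(log_text):
    """Return the suspicious entries found in a ComboFix-style listing."""
    lines = log_text.splitlines()
    netsvcs = set(parse_netsvcs(lines))
    findings = []
    for raw in lines:
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            start, name, rest = m["start"], m["name"], m["rest"].strip()
            boot_or_system_start = start[1] in "01"   # start type 0 (boot) or 1 (system)
            if rest == "[x]" and boot_or_system_start:
                findings.append(Finding("driver_no_image", name,
                                        f"{start} driver registered with no image path"))
            elif "-->" in rest and rest.endswith("[?]"):
                path = rest.split(" -->")[0]
                findings.append(Finding("driver_file_missing", name,
                                        f"image path set but file not found: {path}"))
            if "svchost.exe -k netsvcs" in rest.lower() and name in netsvcs:
                findings.append(Finding("netsvcs_addition", name,
                                        "svchost-hosted service added to the NetSvcs group"))
            continue
        pm = PROXY_RE.search(line)
        if pm and ("localhost" in pm["value"].lower() or "127.0.0.1" in pm["value"]):
            findings.append(Finding("loopback_proxy", "ProxyServer",
                                    f"IE traffic routed through {pm['value']}"))
    return findings


def flagged_names(log_text, kind=None):
    """Sorted names of flagged entries, optionally restricted to one finding kind."""
    return sorted({f.name for f in triage(log_text) if kind is None or f.kind == kind})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:20} {f.name:16} {f.detail}")
```

Uninstall leftovers from security products show up in the `driver_no_image` category too (here `avgrkx86`, in the full log also `pctcore`), so that finding is a shortlist for a human to sort by vendor and name, not a verdict; the `netsvcs_addition` and `driver_file_missing` hits (`ytjuy`, `847b4010`) are the ones that match what the helper's cfscript later removes.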

Malwarebytes' Anti-Malware 1.40

Database version: 2657

Windows 5.1.2600 Service Pack 3

8/19/2009 3:31:55 PM

mbam-log-2009-08-19 (15-31-55).txt

Scan type: Full Scan (C:\|I:\|)

Objects scanned: 316265

Time elapsed: 1 hour(s), 42 minute(s), 10 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{EB1BBEA0-F3F9-4ACC-97B7-A9282FC22426}\RP246\A0090745.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Update note... I now have a new Internet Explorer icon on my desktop; should I use this one instead of the default?


"internet explorer folder in my program files... this I found odd"

That's normal. You can set any browser you like as the default browser.

What antivirus did you choose?

It will need to be disabled for the script below.

Launch Notepad (important: not WordPad or another third-party text editor), and copy and paste the contents of the code box below into a new text file (don't include the word "code").

Save it as file name: cfscript.txt

driver::
cerc6
fith
fssvvigd
gsfl
gxc108b
ilgeyrra
kfzaocai
pletnup
qihwewl
wkapbfet
xpfcw
yflbyg
847b4010
ytjuy
NetSvc::
ytjuy
Rootkit::
c:\windows\system32\drivers\847b4010.sys

(image: CFScript.gif)

As in the picture above, drag and drop cfscript.txt onto combofix.exe.

When it is finished, a text file will open; post it.


This topic is now closed to further replies.