TheTechGuide Forum
General Category => Tech Clinic => Topic started by: Flim on November 11, 2009, 08:13:29 PM
-
I've been trying to clean up some issues on my system for a while and using some of the tools that I've seen suggested on this and other forums. I've been making some progress but am learning that it works better if you have just a bit more knowledge and do things in the right order. I've reached the stage where my system is much quicker and there's less going on, but there are still issues.
I've run most of the tools, including ComboFix, which I first used quite a while back and have run again recently. SuperAntiSpyware didn't find much, RootRepeal didn't find anything, and an online ESET scan found a few threats that have been cleaned up. Basically nothing major.
SysProt and GMer have identified hidden processes and hooks that I know don't belong, and I don't know which order to tackle them in and don't want to screw it up. I'd sure appreciate some help dealing with them. I've got OTL logs from the 8th and ESET, SysProt and GMer logs from today, if anyone has time to look at them.
Thanks,
Flim
-
Go ahead and post the most recent logs you have.
-
Thanks!
Here's ESET:
C:\AppsNoInstall\xmplay34\Skins\EyePhone.xmpskin probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\B4BD\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe.vir a variant of Win32/Adware.ADON application cleaned by deleting - quarantined
C:\WINDOWS\system32\ActiveScan\pskavs.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
Here's SysProt (just the hidden items):
SysProt AntiRootkit v1.0.1.0
by swatkat
******************************************************************************************
******************************************************************************************
No Hidden Processes found
******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: spfw.sys
Service Name: ---
Module Base: B9EA7000
Module End: B9FA7000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Service Name: ---
Module Base: B80AA000
Module End: B80E1000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AB22B000
Module End: AB243000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5DC000
Module End: BA5DE000
Hidden: Yes
******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: AB4DDC50
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwClose
Address: AB4C2C70
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwConnectPort
Address: AB4E1370
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateFile
Address: AB4BEFE0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateKey
Address: AB4CA280
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateProcess
Address: AB4D64A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateProcessEx
Address: AB4D6DA0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateSection
Address: AB4BDD90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateSymbolicLinkObject
Address: AB4CA030
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateThread
Address: AB4D4F60
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDebugActiveProcess
Address: AB4E4E00
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteFile
Address: AB4C8D10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteKey
Address: AB4CBAF0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteValueKey
Address: AB4D2590
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwEnumerateKey
Address: B9EC6CA2
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spfw.sys
Function Name: ZwEnumerateValueKey
Address: B9EC7030
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spfw.sys
Function Name: ZwLoadDriver
Address: AB4D3DA0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwMakeTemporaryObject
Address: AB4C98A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenFile
Address: AB4C1C90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenKey
Address: AB4CB1B0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenProcess
Address: AB4D8E90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenSection
Address: AB4BE600
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenThread
Address: AB4D8250
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwProtectVirtualMemory
Address: AB4DEF90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryDirectoryFile
Address: AB4C3A90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryKey
Address: AB4CD940
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryValueKey
Address: AB4CE190
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueueApcThread
Address: AB4DD0C0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRenameKey
Address: AB4D1780
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwReplaceKey
Address: AB4CF6F0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRequestPort
Address: AB4E3610
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRequestWaitReplyPort
Address: AB4E3930
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRestoreKey
Address: AB4D0F10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSaveKey
Address: AB4CFE70
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSaveKeyEx
Address: AB4D06C0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSecureConnectPort
Address: AB4E1F50
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetContextThread
Address: AB4DC630
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetInformationDebugObject
Address: AB4E53F0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetInformationFile
Address: AB4C4DE0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetSystemInformation
Address: AB4D33B0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetValueKey
Address: AB4CEA10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSuspendProcess
Address: AB4DB380
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSuspendThread
Address: AB4DBCB0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSystemDebugControl
Address: AB4E4640
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwTerminateProcess
Address: AB4D9980
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwTerminateThread
Address: AB4DA810
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwUnloadDriver
Address: AB4D4720
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwWriteVirtualMemory
Address: AB4DE4A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
******************************************************************************************
******************************************************************************************
No Kernel Hooks found
******************************************************************************************
******************************************************************************************
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EA8000
Hooking Module: spfw.sys
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ABE4258
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ABE4258
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ABE4258
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ABE4258
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8ABE4258
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: B807A740
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B807AC64
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B807AAA6
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B807A84C
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_READ
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAFE1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EC4514
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EEBB1C
Hooking Module: spfw.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD661F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD661F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD661F8
Hooking Module: _unknown_
Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_
******************************************************************************************
******************************************************************************************
Ports:
Local Address: BNMC01:1028
Remote Address: BNMV01:MICROSOFT-DS
Type: TCP
Process: System
State: ESTABLISHED
Local Address: BNMC01:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: BNMC01:5152
Remote Address: LOCALHOST:1044
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT
Local Address: BNMC01:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING
Local Address: BNMC01:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING
Local Address: BNMC01:3390
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: BNMC01:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: BNMC01:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING
Local Address: BNMC01:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING
Local Address: BNMC01:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: BNMC01:138
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: BNMC01:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA
Local Address: BNMC01:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: BNMC01:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: BNMC01:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA
Local Address: BNMC01:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: BNMC01:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA
Local Address: BNMC01:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA
******************************************************************************************
******************************************************************************************
No hidden files/folders found
Here's GMer (I had to run it in Safe Mode to get it to complete):
GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-11 16:13:34
Windows 5.1.2600 Service Pack 2
Running: ftw126s4.exe; Driver: C:\Temp\TempSys\ffldqpob.sys
---- System - GMER 1.0.15 ----
SSDT spgt.sys ZwCreateKey [0xF74D70E0]
SSDT spgt.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spgt.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spgt.sys ZwOpenKey [0xF74D70C0]
SSDT spgt.sys ZwQueryKey [0xF74F6108]
SSDT spgt.sys ZwQueryValueKey [0xF74F5F88]
SSDT spgt.sys ZwSetValueKey [0xF74F619A]
INT 0x62 ? 8AEFFBF8
INT 0x63 ? 8AD98BF8
INT 0x83 ? 8AD98BF8
INT 0x94 ? 8AD98BF8
INT 0xB4 ? 8AEFFBF8
INT 0xB4 ? 8AEFFBF8
INT 0xB4 ? 8AD98BF8
INT 0xB4 ? 8AEFFBF8
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AEFE1F8
Device \Driver\USBSTOR \Device\0000008e 8AD321F8
Device \Driver\sptd \Device\3114432250 spgt.sys
Device \Driver\usbuhci \Device\USBPDO-0 8ACC01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF721F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF721F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF721F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF721F8
Device \Driver\usbuhci \Device\USBPDO-1 8ACC01F8
Device \Driver\usbehci \Device\USBPDO-2 8ADA71F8
Device \Driver\usbuhci \Device\USBPDO-3 8ACC01F8
Device \Driver\usbuhci \Device\USBPDO-4 8ACC01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF001F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \Driver\USBSTOR \Device\000000a3 8AD321F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AF001F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \Driver\Cdrom \Device\CdRom0 8AD5D1F8
Device \Driver\USBSTOR \Device\000000a4 8AD321F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AF001F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort0 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort1 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort2 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AEFF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AF001F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume5 8AF001F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
Device \Driver\PCI_PNP9750 \Device\0000005e spgt.sys
Device \Driver\PCI_PNP9750 \Device\0000005e spgt.sys
Device \Driver\usbuhci \Device\USBFDO-0 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-1 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-2 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-3 8ACC01F8
Device \Driver\usbehci \Device\USBFDO-4 8ADA71F8
Device \Driver\Ftdisk \Device\FtControl 8AF001F8
Device \Driver\USBSTOR \Device\0000008a 8AD321F8
Device \Driver\USBSTOR \Device\0000008b 8AD321F8
Device \Driver\USBSTOR \Device\0000008c 8AD321F8
Device \Driver\USBSTOR \Device\0000008d 8AD321F8
Device \Driver\asfn81dq \Device\Scsi\asfn81dq1 8ACC1500
Device \FileSystem\Fastfat \Fat 8AB4F500
Device \FileSystem\Fastfat \Fat B9C061F9
Device \FileSystem\Cdfs \Cdfs 8ABBE1F8
Device \Driver\atapi -> \Driver\atapi \Device\Harddisk0\DR0 8AEFF1F8
---- EOF - GMER 1.0.15 ----
[quote name='guestolo' post='466244' date='Nov 11 2009, 05:20 PM']Go ahead and post the most recent logs you have[/quote]
-
I need a little bit more info.
Can you delete OTL.txt and Extras.txt on your desktop?
In addition:
Again open OTL.exe and put a tick in Use Safelist under "Extra Registry" if it is not selected.
Then run a fresh Scan.
Afterwards, post the new logs >> both OTL.txt and Extras.txt.
-
I am suddenly having problems posting.
"Method not implemented"
I use NoScript but thetechguide is allowed and I have now added intellitxt and it still didn't work.
Tried once with both logs and once with one log.
This one has no log included.
I'm using the "Add Reply" button to post.
-
In a reply, copy/paste Extras.txt; you should have no problem with it.
Then, in the same reply box, upload OTL.txt.
Use the Browse... >> UPLOAD buttons on the bottom right of the reply box.
-
I've been fighting with the OTL one - let's see what happens.
There is a weird character in the first line of the Alternate Data Streams info in the OTL file.
Here's the Extras -
OTL Extras logfile created on: 11/11/2009 6:36:15 PM - Run 2
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\B4BD\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 94.66 Gb Total Space | 31.43 Gb Free Space | 33.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.43 Gb Total Space | 24.30 Gb Free Space | 11.95% Space Free | Partition Type: NTFS
Drive F: | 230.85 Gb Total Space | 68.72 Gb Free Space | 29.77% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 465.76 Gb Total Space | 245.08 Gb Free Space | 52.62% Space Free | Partition Type: NTFS
Drive P: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Q: | 152.66 Gb Total Space | 101.93 Gb Free Space | 66.77% Space Free | Partition Type: NTFS
Drive R: | 931.51 Gb Total Space | 507.73 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
Drive S: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive T: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive U: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive V: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive X: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Y: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Computer Name: BNMC01
Current User Name: B4BD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard
========== Extra Registry (SafeList) ==========
========== File Associations ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
========== Shell Spawning ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with PhotoLine 32...] -- "C:\Program Files\PhotoLine\PhotoLine.exe" -browse "%L" (Computerinsel GmbH)
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Generate MD5 Signatures] -- "C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\mkwACT.exe" (Michael K. Weise)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [Mp3tag] -- "C:\Program Files\Mp3tag\Mp3tag.exe" "/fp:%1" (Florian Heidenreich)
Directory [open_x2] -- "C:\Program Files\xplorer2_lite\xplorer2_lite.exe" /1 /M /T "%1" (ZabKat)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [QCD.add] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [QCD.load] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [QCD.play] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [View_Directory] -- viewdir.bat "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found
========== Security Center Settings ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3776:UDP" = 3776:UDP:*:Enabled:Media Center Extender Service
"3390:TCP" = 3390:TCP:*:Enabled:Remote Media Center Experience
"9000:TCP" = 9000:TCP:*:Enabled:SqueezeCenter 9000 tcp
"3483:UDP" = 3483:UDP:*:Enabled:SqueezeCenter 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:SqueezeCenter 3483 tcp
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
========== Authorized Applications List ==========
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Media Center Diagnostic Kit\MCDiag.exe" = C:\Program Files\Media Center Diagnostic Kit\MCDiag.exe:*:Enabled:Media Center Diagnostic Tool -- (Microsoft Corp.)
"C:\Program Files\Media Center Diagnostic Kit\MCEHostRemote.exe" = C:\Program Files\Media Center Diagnostic Kit\MCEHostRemote.exe:*:Enabled:Media Center Scripting Host -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe" = C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\Ikernel.exe" = C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\Ikernel.exe:*:Enabled:HPMVInstall -- (InstallShield Software Corporation)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe:*:Enabled:HPMVMonitor -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASSelector.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASSelector.exe:*:Enabled:HPMVSelector -- (Hewlett-Packard Company)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASDriveMapper.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASDriveMapper.exe:*:Enabled:HPMVDriveMapper -- (Hewlett-Packard Company)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPEZBkup.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPEZBkup.exe:*:Enabled:HPEasyBackup -- (Hewlett Packard)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVCheck.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVCheck.exe:*:Enabled:HPMVCheck -- (Hewlett-Packard Company)
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Disabled:Yahoo! Music Engine -- File not found
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\ehome\ehshell.exe" = C:\WINDOWS\ehome\ehshell.exe:LocalSubNet:Enabled:Media Center -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\WINDOWS\system32\LMabcoms.exe" = C:\WINDOWS\system32\LMabcoms.exe:*:Enabled:Lexmark Enhanced TCP/IP -- ( )
"C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe" = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe:*:Enabled:Notmad Xtreamer -- (Red Chair Software, Inc.)
"C:\Program Files\Red Chair Software\Audigen Explorer\audmgr.exe" = C:\Program Files\Red Chair Software\Audigen Explorer\audmgr.exe:*:Enabled:Audigen Xtreamer -- (Red Chair Software, Inc.)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..\..]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..\..\Programmi]
========== HKEY_LOCAL_MACHINE Uninstall List ==========
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
"{049885D8-22B9-C209-A00C-E43A8E3F0B79}" = CCC Help Danish
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{068502DA-6979-4D9A-BBE1-C3AD0FF11F19}" = Video\Ulead DVD MovieFactory 3 SE
"{072D42BE-96CD-FB75-A339-0ED0F76A9C61}" = Catalyst Control Center Localization Swedish
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{0A21D2E9-F8A2-4CF9-88D7-E04A1C4C90AE}" = DaemonScript
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0D70917A-C58F-4220-9DB7-54309302881E}" = MasterCook Deluxe 8
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{0FE7A7B0-B912-411D-8207-0B5BFEB04B7A}" = Picture Converter
"{1037CF8F-A226-A3BA-2D05-F34950395CB9}" = Catalyst Control Center Localization Chinese Standard
"{107254A0-0ADF-11D4-9397-00D0B7020B38}" =
"{10CE1EA2-12E9-11D3-825E-00C04F6843FE}" = Microsoft Office Sounds
"{11B05D68-6054-4B2B-7776-A22592D837E8}" = Catalyst Control Center Localization German
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{12453E04-9738-4D16-8408-D726532C2C69}" = ASUS VGA Driver
"{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{1531DDE3-DD8B-C078-3CA2-4F278C8A7E6A}" = CCC Help Portuguese
"{17800CFC-97EC-40A5-AB42-A8B66DC74D77}" = EGS Recipe Center
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{1A24A727-0470-7601-2370-233735A0E8EF}" = Catalyst Control Center Localization Norwegian
"{1AB88B2D-BA3B-FEC3-EDB1-6688CB217E2C}" = Catalyst Control Center Localization Czech
"{1ACE5DBB-AA0D-480D-BEE2-C988672CE50B}" = WillExpert
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1E9A9E08-0366-45EE-9B66-51852F8D9812}" = Open Workbench
"{1EC60864-A294-44BF-984A-3E8867D74EA2}" = Adobe After Effects 6.0
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}" = QuickTax 2007
"{23FE964A-853B-4176-86D7-9E18B5CA1FC0}" = Media Center Extender
"{255D5C51-2A30-43A9-84D9-7C2CCBA51B70}" = D-Link DHP-300 Utility
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(tm) 6 Update 15
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(tm) 6 Update 13
"{26B6423F-0E8A-2213-C8AD-16DD1E39D919}" = Catalyst Control Center Localization Greek
"{2CC982C0-7EAE-11D4-ACC3-0050568AD318}" = Avery DesignPro 3.5
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2EC973B4-B580-573E-58C1-15A6261E5F95}" = Catalyst Control Center Localization Turkish
"{2FDF1E49-B487-01CD-458E-5F51555B2232}" = Catalyst Control Center Localization Chinese Traditional
"{3392F26F-0D1D-451F-8527-4820D1960235}" = Sony DVD Architect Studio 4.5
"{347D1603-FA83-4B2C-B504-8BC1FF59DB50}" = Digital Photography Winter Fun Pack
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359FCAA7-B544-4147-AE3B-8C8A526E2427}" = Sony Image Data Suite
"{37ED8114-95B4-4603-B58B-5E315DFB38C2}" = Sony Vegas Movie Studio 8.0
"{3C3EB82B-1E0E-486A-A72F-011D196054BB}" = DVRMSToolbox
"{40D388F5-803F-616A-521D-005BC0BD9496}" = CCC Help Russian
"{428102E6-8A39-48B9-8389-847F5A44A600}" = MSXML 4.0
"{429232EE-1406-FE49-2B82-DFA6234249D2}" = Catalyst Control Center Graphics Full New
"{44FFF4AC-F56C-4457-AE63-C69ADAC1F6FC}" = QuickTax Tracker
"{47E0D551-C96E-403C-A230-982A78C9D48C}" = Media Center Playlist Editor
"{4893A35F-0A23-48EC-8E74-24969244D6F2}" = Catalyst Control Center - Branding
"{4A220461-26FD-E792-F134-54FE095E5C67}" = ccc-utility
"{4B719A70-F14A-4f5c-90B5-346B24B7FFF1}" = Windows 7 Upgrade Advisor
"{4BFE3B58-DE4A-7505-B2ED-1C581889DE8B}" = CCC Help English
"{4C7A2608-9B04-72EF-5BC1-815885E8093E}" = CCC Help Dutch
"{4EAB28B6-12F8-5F07-9857-4C84815DD36F}" = CCC Help Czech
"{4FF32AC7-667A-4F5F-B847-FB673D4B6F57}" = XML Notepad 2007
"{502506C0-2EFC-4590-A6B0-1A73BFD894BA}_is1" = Picture Ripper 4
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{51F30BA1-6032-ADC9-0F1D-8DCB8F4BEE35}" = CCC Help Finnish
"{53337CA9-E9A4-4C59-9D1C-D980EF9BF0C2}" = QuickTax 2004
"{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
"{5762563F-B31B-4091-A80C-828C60DE5BE0}" = Handbrake
"{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}" = Oxsemi Uploader
"{57E0CF08-9A6E-F140-D69F-1BEBC2AD5C66}" = Catalyst Control Center Localization French
"{580183A6-FF92-11D5-9294-0050BA073EEC}" = Presto! PageManager 6
"{59975E1A-7F44-827D-A294-0C946F96E26A}" = CCC Help Greek
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{5B9AF72D-593E-6D89-7E35-C79D58A04E9B}" = CCC Help Norwegian
"{5F457DDF-B768-434C-8802-9BB3B383B1E8}" = MasterCook 7
"{609B6317-7014-A779-C58D-864F12BA6339}" = CCC Help Spanish
"{61995288-920E-46AF-88C1-E1FF4F25613B}" = Videoraptor
"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack
"{6249C22D-E6A8-407B-BA8B-40298848ED94}" = OmniPage SE
"{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{63DC3499-A635-43c3-826C-E41851A6DDB0}" = Media Center Diagnostic Kit
"{6404709D-1338-87EE-0E6A-05BEADD5AD9D}" = Catalyst Control Center Localization Korean
"{670A8412-8080-78BD-8DBE-E68A3FB313D3}" = CCC Help Japanese
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{68B18535-773E-DF4D-5213-624AAE7068BA}" = CCC Help Chinese Traditional
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A69D94E-C569-4154-9643-72E94D1DDFDA}" = XPS Essentials Pack
"{6D655EE6-0D2D-DEA2-695D-EA749918CFB6}" = Catalyst Control Center Localization Polish
"{6F05A311-B2AB-5514-4A20-1A0C98131F36}" = CCC Help Hungarian
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{750365ED-CB2F-317F-E8B7-2429A9AEF210}" = Catalyst Control Center Localization Italian
"{75217611-047C-3C46-69CC-9E810B0FD7A4}" = ccc-core-preinstall
"{77E70C3C-DBB9-4C47-8663-1E1F81FEC623}" = Logitech QuickCam
"{78AD4938-7EE6-4DC0-A5BC-3AF82750A617}" = QuickTax Tracker
"{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}" = Sentinel System Driver
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DC265E8-1558-43D4-807B-31205936DCF1}" = BartPE Add-on for Acronis True Image 11 Home
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7EC1397D-006B-9901-DED7-1937F7690388}" = CCC Help Turkish
"{82DFB569-F78E-47BB-B252-45B4AA45CA86}" = SafeMedia Add-on for Acronis True Image 11 Home
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{84B57E13-6093-47EE-5BA1-415410E12374}" = CCC Help Polish
"{863DC643-4D85-4736-985C-2EE9465C74EA}" = DVR 2 WMV
"{8689A5F3-BEEC-407D-A6EB-B79F636229A3}" = Media Center Alarm Clock
"{872FB0A8-1F51-51A5-A1EE-DFC1F996FCEC}" = Catalyst Control Center Localization Thai
"{899DD617-BC45-488B-08F7-EDAAB945BB87}" = Catalyst Control Center Localization Japanese
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B6A5274-219B-912E-A87C-6F30EA87F55E}" = CCC Help French
"{8D5AC6EF-B91C-4E03-99DE-C72536BB381F}" = TweakMCE
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90ECE9AF-27D0-D9D2-4D0B-E68916E19BF8}" = Catalyst Control Center Localization Finnish
"{9158ED68-0310-0EFA-26FD-589A14F6C4D6}" = CCC Help Chinese Standard
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}" = Adobe Illustrator CS
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{98FD8BB5-59A9-4163-883C-2997F7BB59D9}" = Microsoft Video Screensaver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D18F7F8-B984-4249-8512-CC621BC59F12}" = Microsoft Location Finder
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A50885B4-2D9B-4DC7-961D-2661B3A037F0}" = Quicken 2006
"{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
"{A8E51420-13A4-6888-6F65-A82E53FA7045}" = CCC Help Italian
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}" = QuickTax 2008
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AEB95804-A937-49E6-940A-37A606C16D5D}" = DeLorme Street Atlas USA 2009 Plus
"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1A9CD45-A702-4E3B-91ED-8CD562869901}" = DWG TrueView 2008
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B3CC991E-191A-443A-B09F-08327482920E}" = Pure Motion EditStudio 5
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4E96960-5F6B-48B9-A5BD-6A5A9BB4F027}" = Avery Wizard 3.1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B86C2C71-9EE8-4BB8-FC60-EEEAF205B849}" = Catalyst Control Center Localization Danish
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 5.4
"{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}" = QuickTax 2005
"{BA3C8C28-C096-450B-B78C-5EA939A073D4}" = Software Virtualization Trinket
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BCE36DA3-853A-7F6D-0041-118BFC0A3607}" = CCC Help Thai
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BDF820F3-79A6-4ACF-B910-43B26BB894CC}" = Microsoft Network Monitor 3.1
"{C035D435-3B6D-542C-3B12-9D7B35B1F02D}" = Catalyst Control Center Localization Dutch
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C11525CF-1BE3-4F24-AF7F-92B381475E18}" = DVDInfoPro
"{C1C910A7-0B89-4260-8845-FE221D9285E8}_is1" = PC Chrono 1.1.0.6
"{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}" = Slideshow Generator Powertoy for Windows XP
"{C51DD70F-B9DD-AD9A-9800-93A58C429CD1}" = Catalyst Control Center Graphics Full Existing
"{C6399072-505F-7C3E-6C42-8F0A678E2F17}" = Catalyst Control Center Localization Russian
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CC147B6B-B7EB-46AC-8649-A7DA3A76B0EC}" = BitDefender Deployment Tool
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D159031E-628A-63C6-529A-AC5A95620ECC}" = CCC Help Swedish
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{D4292B37-6E88-A90C-B249-419417755D83}" = Catalyst Control Center Core Implementation
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D88A2FDD-4C42-2DC8-879B-3E3B17DE7A98}" = CCC Help Korean
"{D898657E-139C-3E71-053F-4423BCBF0205}" = Catalyst Control Center Localization Hungarian
"{D9261CAB-3E1D-423C-9DD6-2001056DA292}" = Manual CanoScan 5000,5000F,8000F
"{D944236D-7992-41D6-8257-930B5832F1CC}" = Creative Zen Micro
"{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}" = Canon PhotoRecord
"{D9CDB463-BB48-4B80-B1B6-5B940A4621E0}" = AutoStreamer
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{E064390A-2F64-4195-9A55-30D4B20B865A}" = WDCSAM Driver
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{E5090856-6E87-4AE1-B6FE-DD4149CB097A}" = LogViewer
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E6C48B74-26ED-4EF8-A04C-42AFDE5E1CA3}" = Intel® PRO Network Connections
"{E7F6A8E5-43A6-2B4F-EF63-5C669ABF5D49}" = Catalyst Control Center Localization Portuguese
"{F2568881-E34D-454C-8DEB-8B5D9D581472}" = HP Media Vault
"{F325206F-FC38-4B53-BD8B-DC7BD37986EC}" = LoriotPro V4
"{F44900CB-5BAF-7A35-74BF-D9BE40CB1F81}" = CCC Help German
"{F51B2470-17F0-6230-5658-B9B4D9FDF750}" = ccc-core-static
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F55B25A7-9D43-AD4F-B70B-AAB9C7FA1BA8}" = Skins
"{F6AA40E1-75DE-7AC4-F39D-75D6EDEE8C36}" = Catalyst Control Center Localization Spanish
"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote
"{F843C6A3-224D-4615-94F8-3C461BD9AEA0}" = Jasc Paint Shop Pro 9
"{F850707C-B6A0-4B56-8709-F89CF8F9AC6D}" = Eraser
"{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}" = QuickTax 2006
"{FC66E05E-8D39-47A6-8D07-759F33727EB0}" = Opera 10.00
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FEB350BF-C090-3927-9F07-AFC93659F5FC}" = Catalyst Control Center Graphics Light
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FF8967A4-4726-4614-B6C1-B2E047EC6F70}" = DeLorme Phone Data 2009
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Agnitum Outpost Firewall Pro" = Agnitum Outpost Firewall Pro
"Agnitum Outpost Firewall Pro_is1" = Outpost Firewall Pro 2009
"All ATI Software" = ATI - Software Uninstall Utility
"Amor Screen Capture_is1" = Amor Screen Capture 1.8.3
"AntiFreeze_is1" = AntiFreeze 1.01
"Any Video Converter_is1" = Any Video Converter 2.6.3
"Apex Video Converter Super_is1" = Apex Video Converter Super 5.99
"ASAPI Update" = ASAPI Update
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"Aspi setup_is1" = Aspi setup
"ATI Display Driver" = ATI Display Driver
"AU7_is1" = Advanced Uninstaller PRO 2006 - version 7
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.7 (Unicode)
"Audacity_is1" = Audacity 1.2.6
"Audigen Explorer" = Audigen Explorer (remove only)
"Audio Convertor Plus_is1" = Audio Convertor Plus version 2.18
"AudioFilesGDSIndexer_is1" = Audio Files GDS Indexer 1.1
"AudioShell_is1" = AudioShell 1.3.5
"Aurora Media Workshop_is1" = Aurora Media Workshop 3.3.16
"AVG9Uninstall" = AVG Free 9.0
"AviSynth" = AviSynth 2.5
"BlackBerry_{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"BlindWrite 6_is1" = BlindWrite 6
"BSPlayer1" = BSPlayer
"CamStudio" = CamStudio
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"CANONBJ_Deinstall_CNMCP6d.DLL" = Canon PIXMA iP5000
"CCleaner" = CCleaner
"CD Catalog Expert_is1" = CD Catalog Expert 9.23.7.1025
"CDWinder" = CDWinder 5.0.2
"Chandler" = Chandler 0.7.5.1
"ColorImpact2_is1" = ColorImpact version 2.4
"Concord Telephony Translation" = Concord Telephony Translation
"CopernicDesktopSearch2" = Copernic Desktop Search 2
"CoreFLAC Audio Decoder+Source Filter" = CoreFLAC Audio Decoder+Source Filter (remove only)
"Creative Jukebox Driver" = Creative Jukebox Driver
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"CreativePainter" = Creative Painter
"Crimson Editor" = Crimson Editor (remove only)
"CSVed" = CSVed 1.3.9
"CTIAPI32" = CTIAPI32 (remove only)
"CtiLogC" = CtiLogC (remove only)
"DaemonUI" = DaemonUI 2.03
"Daniusoft WMA MP3 Converter_is1" = Daniusoft WMA MP3 Converter(Build 2.1.2)
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"Delta SP_is1" = Delta SP 1.62
"DemoForgeSSaver10_is1" = DemoForge Screen Saver 1.2
"dMC CD Audio" = dMC CD Audio
"DreamAqua" = Dream Aquarium
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Region+CSS Free_is1" = DVD Region+CSS Free 5.9.7.5
"DWG TrueView 2008" = DWG TrueView 2008
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PrintToolBox" = Canon Utilities Easy-PrintToolBox
"EHome Devices" = Media Center Extender
"ElectricSheep" = ElectricSheep 2.6.6
"eMule" = eMule
"EPIM Synchronizer" = EPIM Synchronizer
"ESET Online Scanner" = ESET Online Scanner v3
"eSpeak_is1" = eSpeak version 1.40.01
"eSpeakEdit_is1" = eSpeakEdit version 1.40.01
"EssentialPIM Pro" = EssentialPIM Pro
"Everything" = Everything 1.2.1.371
"Feurio" = Feurio! CD-Writer
"File & Folder Lister_is1" = File & Folder Lister 2.00
"FileZilla Server" = FileZilla Server (remove only)
"Fireplace by PES" = Fireplace by PES Screen Saver
"FLVPlayer" = FLV Player 1.3.3
"foobar2000" = foobar2000 v0.9.4.4
"FoxyTunesForFirefox" = FoxyTunes for Firefox
"Freecorder_1.0" = Freecorder 2.3 (with Skype Call Recording)
"FreeUndelete" = FreeUndelete
"FTP Commander" = FTP Commander
"GNU Aspell_is1" = GNU Aspell 0.50-3
"Google Updater" = Google Updater
"GPL Ghostscript 8.57" = GPL Ghostscript 8.57
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"Gravity_is1" = Gravity version 2.7
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"H_Shooter_Parade.scr" = H_Shooter_Parade ScreenSaver
"Handbrake" = Handbrake 0.9.2
"Hauppauge WinTV" = Hauppauge WinTV
"Hauppauge WinTV Radio" = Hauppauge WinTV Radio
"Hauppauge WinTV TV Services" = Hauppauge WinTV TV Services
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn (Remove Only)
"InstallShield_{0D70917A-C58F-4220-9DB7-54309302881E}" = MasterCook Deluxe 8
"InstallShield_{255D5C51-2A30-43A9-84D9-7C2CCBA51B70}" = D-Link DHP-300 Utility
"InstallShield_{44FFF4AC-F56C-4457-AE63-C69ADAC1F6FC}" = QuickTax Tracker
"InstallShield_{5F457DDF-B768-434C-8802-9BB3B383B1E8}" = MasterCook 7
"InstallShield_{78AD4938-7EE6-4DC0-A5BC-3AF82750A617}" = QuickTax Tracker
"Intelore - RAR Password Recovery" = RAR Password Recovery v1.1 RC16 (remove only)
"IsoBuster_is1" = IsoBuster 2.4
"Jaikoz" = Jaikoz
"Jasc Paint Shop Pro 9.01 - (9.0.1.1)" = Jasc Paint Shop Pro 9.01 - (9.0.1.1)
"Jasc Paint Shop Pro 9.01 Patch" = Jasc Paint Shop Pro 9.01 Patch
"Javvin Network Protocols Map Screensaver_is1" = Javvin Network Protocols Map Screensaver 1.0
"JC&MB Quicknote_is1" = Quicknote 5.4
"JetBee_is1" = JetBee FREE 4.0.7 (build 330)
"Juice" = Juice 2.2
"jv16 PowerTools_is1" = jv16 PowerTools 1.2
"Karen's Countdown Timer II" = Karen's Countdown Timer II
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"KC Softwares VideoInspector_is1" = KC Softwares VideoInspector
"Kirby Alarm Pro_is1" = Kirby Alarm Pro v4.45
"Kirby Alarm_is1" = Kirby Alarm v2.11
"Kiwi Log Viewer" = Kiwi Log Viewer 2.0.26
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.0.5 (Full)
"KookieJar6_is1" = Kookie Jar 6.3
"KT_AEdiX_Suite_2_is1" = AEdiX Suite
"Lexmark_HostCD" = Lexmark Software Uninstall
"m05 SurveillanceSaver" = m05 SurveillanceSaver 1.0
"M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player_is1" = M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player v 1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matrix Y2K Website Studio 2005_is1" = Matrix Y2K Website Studio 2005.SE
"Media Center Solitaire" = Media Center Solitaire
"MediaCoder" = MediaCoder 0.6.0
"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.6.1
"MediaMan" = MediaMan
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Minute Timer" = Minute Timer (remove only)
"Miro" = Miro
"mkwACT" = mkw Audio Compression Toolkit
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"Mp3tag" = Mp3tag v2.42
"Mpeg2Decoder_is1" = Mpeg2Decoder 1.3
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVApplication1" = SureThing CD Labeler Deluxe 4
"MySiriusStudio" = My Sirius Studio
"nanoPEG-Editor 2.2 Hauppauge Edition_is1" = nanoPEG-Editor 2.2 Hauppauge Edition
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero PhotoShow Express" = Nero PhotoShow Express
"NeroVision!UninstallKey" = Nero Digital
"NetLimiter 2 Monitor" = NetLimiter 2 Monitor (remove only)
"NetTools_is1" = NetTools 4.5
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMIX!UninstallKey" = NeroMIX
"NMPUninstallKey" = Nero Media Player
"Note-It_is1" = Note-It v4.5
"Notmad Explorer" = Notmad Explorer (remove only)
"NTFS Undelete_is1" = NTFS Undelete v0.93
"NVDA" = NVDA 0.6p3.1
"Othello" = Othello v3.0
"PageNest_is1" = PageNest
"Panda ActiveScan" = Panda ActiveScan
"PaperlessPrinter_is1" = PaperlessPrinter version 3.0
"Pegtop Smoodoo" = Pegtop Smoodoo
"Pegtop WaterWall" = Pegtop WaterWall
"PhotoFiltre" = PhotoFiltre
"PhotoLine 32_is1" = PhotoLine 32, Version 12.01
"Pidgin" = Pidgin
"PopCap Browser Plugin" = PopCap Browser Plugin
"Primetime Podcast Receiver" = Podcast Receiver
"PSPad editor_is1" = PSPad editor
"QuickPar" = QuickPar 0.9
"QuicktimeAlt_is1" = QuickTime Alternative 1.44
"Quintessential Player" = Quintessential Player
"RealAlt_is1" = Real Alternative 1.38
"Registrar_is1" = Registrar Registry Manager 6.02
"Replay_Screencast_1.0" = Replay Screencast 1.21
"Revo Uninstaller" = Revo Uninstaller 1.83
"RiseOfNationsExpansion 1.0" = Rise of Nations
"Riva FLV Encoder 2.0_is1" = Riva FLV Encoder 2.0
"RogueScanner GUI_is1" = Network Chemistry RogueScanner GUI
"Scott's Wallpaper Switcher_is1" = Scott's Wallpaper Switcher v 1.1
"Secunia PSI" = Secunia PSI
"SequoiaView" = SequoiaView
"SereneScreen Marine Aquarium 2 + Time" = SereneScreen Marine Aquarium 2 + Time
"ShowAnalyzer_is1" = ShowAnalyzer
"Smart Flash Recovery_is1" = Smart Flash Recovery v3.3
"SoftCuisine 2_is1" = SoftCuisine 2.1
"SolSuite_is1" = SolSuite 2007 v7.10
"Songbird-release-1146" = Songbird 1.2.0 (Build 1146)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"SpeedFan" = SpeedFan (remove only)
"ST6UNST #1" = TVShowExport
"Stellarium_is1" = Stellarium 0.9.0
"Streamripper" = Streamripper (Remove only)
"SUPER ©" = SUPER © Version 2009.bld.36 (June 10, 2009)
"SyncNotes_is1" = SyncNotes 1.3
"SysInfo" = Creative System Information
"Tag&Rename_is1" = Tag&Rename 3.4.6
"Task Coach_is1" = Task Coach 0.71.3
"The Sudoku Challenge Collection" = The Sudoku Challenge Collection
"TimeLeft_is1" = TimeLeft 3 Freeware edition
"TreeSize Professional_is1" = TreeSize Professional 4.0.2
"TrueCrypt" = TrueCrypt
"TVersity Codec Pack" = TVersity Codec Pack 1.1
"TweakNow PowerPack 2009_is1" = TweakNow PowerPack 2009
"TweakNow WinSecret Professional_is1" = TweakNow WinSecret Professional
"UBCD4Win_is1" = UBCD4Win 3.50
"UltraISO_is1" = UltraISO V7.6 ME
"uniCSVed" = uniCSVed 1.1
"Uninstall National Geographic Maps" = National Geographic Maps (Any files created by the program will be left on your system.)
"uniquemagicmp3taggerappid_is1" = Magic MP3 Tagger 2.2.4d
"Video Edit Magic 4_is1" = Video Edit Magic 4.15
"Vidmex" = Vidmex 1.3
"Vim 7.2" = Vim 7.2 (self-installing)
"vixy converter BETA_is1" = vixy converter uninstall
"VLC media player" = VLC media player 1.0.1
"WallpaperToy" = Wallpaper Changer for Windows XP
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WhoCrashed_is1" = WhoCrashed 1.01
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows Media Recorder" = Windows Media Recorder
"Windows XP Media Center Edition Screen Saver Screen Saver" = Windows XP Media Center Edition Screen Saver Screen Saver
"WinFF_is1" = WinFF 1.0.4
"WinPcapInst" = WinPcap 4.1 beta5
"WinRAR archiver" = WinRAR archiver
"WinX 3GP 3G2 PDA MP4 Video Converter_is1" = version 3.5
"WinXMedia DVD MPEG/AVI/Audio Converter" = WinXMedia DVD MPEG/AVI/Audio Converter 3.5
"Wireshark" = Wireshark 1.2.1
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xint by xtort.net ©_is1" = xint v4.3 by xtort.net ©
"XP SysPad V7.9.5 by xtort.net ©_is1" = XP SysPad V7.9.5 by xtort.net ©
"xplorer2l" = xplorer² lite
"XpsEP" = XPS Essentials Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"xqdcXSP_is1" = Xteq-dotec X-Setup Pro 6.6.300.Final1
"yPlay_is1" = yPlay
"Ziepod_is1" = Ziepod version 1.0
========== HKEY_CURRENT_USER Uninstall List ==========
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D025345-1033-4F35-A5CE-68CDCDE6CC03}" = Evernote
"AlexWarp" = AlexWarp
"Eraser" = Eraser
"LastPass" = LastPass (uninstall only)
"uTorrent" = µTorrent
"WinDirStat" = WinDirStat 1.1.2
"XBMC" = XBMC Media Center
========== Last 10 Event Log Errors ==========
[ Application Events ]
Error - 02/11/2009 1:45:05 AM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x000294e7.
Error - 02/11/2009 1:45:13 AM | Computer Name = BNMC01 | Source = Media Center Receiver | ID = 4
Description = TV tuner malfunction. (0x80004005) Hauppauge WinTV 885 BDA Tuner/Demod
Error - 02/11/2009 1:47:16 AM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x000294e7.
Error - 02/11/2009 10:01:25 AM | Computer Name = BNMC01 | Source = VBRuntime | ID = 1
Description = The VB Application identified by the event source logged this Application
MSICUU: Thread ID: 700 ,Logged: Failed: C:\Program Files\Windows Installer Clean
Up\msizap.exe TW! {56BED62F-278A-407B-8BCD-E645EC96D2ED}
Error - 02/11/2009 10:01:56 AM | Computer Name = BNMC01 | Source = VBRuntime | ID = 1
Description = The VB Application identified by the event source logged this Application
MSICUU: Thread ID: 700 ,Logged: Failed: C:\Program Files\Windows Installer Clean
Up\msizap.exe TW! {48A669A9-76FA-4CA8-BFD5-00C125AC4166}
Error - 02/11/2009 12:33:16 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00010a19.
Error - 02/11/2009 12:34:04 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00037521.
Error - 02/11/2009 11:17:54 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00010a19.
Error - 02/11/2009 11:19:01 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00037521.
[ System Events ]
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Aspi32 AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SandBox
Tcpip
truecrypt
Error - 11/11/2009 8:08:01 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 11/11/2009 8:08:01 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 11/11/2009 8:13:15 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
Error - 11/11/2009 8:13:51 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
Error - 11/11/2009 8:14:02 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
< End of report >
-
I have Hidden Kernel Modules that don't look right
Which are you talking about, I mostly see ones related to Outpost Firewall and Daemon Tools
You still appear to have DaemonUI installed, not sure if you got rid of Daemon Tools however
Please don't run Older versions of ComboFix, but do the following
Delete your copy of ComboFix
Then redownload a fresh copy from one of these locations:
Link 1 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 2 (http://subs.geekstogo.com/ComboFix.exe)
Save it ONLY to your Desktop
Run it and post the new log that opens
In addition, you have Malwarebytes AntiMalware installed
Run it >> Check for Updates, do a "Quick Scan"
Remove anything found and post its log too
-
Quote from guestolo (post 466279, Nov 12 2009, 06:01 PM):
"Which are you talking about, I mostly see ones related to Outpost Firewall and Daemon Tools
You still appear to have DaemonUI installed, not sure if you got rid of Daemon Tools however"
Thanks for all the help guestolo - I really appreciate it
The 2 things that caught my eye were:
"Kernel Modules:
Module Name: spfw.sys"
It changes its name every time it loads, as in sp??.sys, and hooks all over the place - couldn't figure out what it is for sure
"Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Service Name: ---"
Just don't like the look of it the way it has no name or information associated with it
I've used Daemontools for a long time - it's really handy, but it seems to make it hard to clean up things and it appears to cause problems getting to safe mode sometimes. I finished the removal I think before I ran the 2 logs below. Any reason not to put it back in? Or is there a better tool like it?
Here's the ComboFix log - (and I'd really like to figure out why Kerio and Sunbelt still show up when they were a) upgraded and b) uninstalled years ago and I've tried to track them down and get rid of all their parts several times)
ComboFix 09-11-13.04 - B4BD 12/11/2009 20:50.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2701 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Kerio Personal Firewall *enabled* {A990EAA7-8941-4621-BC27-4F16261D3180}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Sunbelt Personal Firewall *disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.
((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-12 02:32 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-12 01:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 14:00 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-12 12:37 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 06:06 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-14 05:04 . 2006-06-22 03:02 -------- d-----w- c:\program files\Thumbs7
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-09 2016536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]
c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 21:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahdeppddjlnhgph"=hex:69,61,68,65,6e,66,6f,6d,68,6b,65,65,6c,6c,6e,67,66,6d,
00,00
"jaidfafppidcifadppoc"=hex:6f,61,65,65,68,6c,67,67,66,70,6f,69,61,6b,61,6c,6d,
62,66,66,6e,6f,6e,6a,65,6d,68,6b,62,6f,00,77
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1972)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-12 21:05
ComboFix-quarantined-files.txt 2009-11-13 05:05
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-02 04:14
ComboFix3.txt 2009-11-02 01:22
ComboFix4.txt 2009-11-01 21:29
ComboFix5.txt 2009-11-13 04:49
Pre-Run: 33,594,671,104 bytes free
Post-Run: 33,622,949,888 bytes free
- - End Of File - - 1B85BA58A6265D1C88E0A39DA9FE8B43
And here's the MBAM Log -
Malwarebytes' Anti-Malware 1.41
Database version: 3159
Windows 5.1.2600 Service Pack 2
12/11/2009 9:18:48 PM
mbam-log-2009-11-12 (21-18-48).txt
Scan type: Quick Scan
Objects scanned: 171303
Time elapsed: 5 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
Download Security Check by screen317 from here (http://screen317.spywareinfoforum.org/SecurityCheck.exe) or here (http://screen317.changelog.fr/SecurityCheck.exe).
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Can you also let me know what Windows Security Center in Control Panel reports under Firewall?
-
Here is the Checkup Report
Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG Free 9.0
ESET Online Scanner v3
BitDefender Deployment Tool
Agnitum Outpost Firewall Pro
Outpost Firewall Pro 2009
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Secunia PSI
Gmer
Sophos Anti-Rootkit 1.3.1
HijackThis 2.0.2
CCleaner
Java(tm) 6 Update 15
Java(tm) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10
Adobe Reader 8.1.6
Out of date Adobe Reader installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
Security Centre Says:
"At Least one of the firewall programs installed on this computer is currently ON..."
-
Try the following and see if it's any help.
1) Right-click on My Computer
2) Click on Manage
3) Click on the plus sign(+) next to Services and Applications in the left-hand column
4) Click on Services
5) Find the service called Windows Management Instrumentation, right-click on it, and choose Stop.
6) Open My Computer
7) Double-click on Drive C (or whatever drive Windows is installed on)
8) Double-click on the Windows folder
9) Double-click on System32
10) Double-click on WBEM
11) Right-click on the Repository folder and click Delete and remove it
12) Close the My Computer window and return to the Windows Services screen using steps 1 - 4 shown above
13) Find the service called Windows Management Instrumentation, right-click on it, and choose Start. Restarting this service will rebuild the repository folder information.
14) Restart your computer
Once the computer has restarted, open Windows Security Center and see if the reference to Kerio is gone.
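The same rebuild as a cmd batch file, added here as an example and not something posted in the thread. It adds two checks the click-through steps don't have: that winmgmt really stopped before the folder is touched, and that it came back afterwards. It assumes Windows XP cmd.exe run from an Administrator account, and renames the repository instead of deleting it so the old one can be put back.

```batch
@echo off
rem Added example, not posted by anyone in this thread: scripted version of the
rem WMI repository rebuild described above (stop WMI, remove the repository,
rem start WMI again). Assumes Windows XP cmd.exe in an Administrator account.
setlocal
set "WBEM=%windir%\System32\wbem"
set "REPO=%WBEM%\Repository"
set "BACKUP=%WBEM%\Repository.old"

echo Stopping Windows Management Instrumentation...
rem /y answers the "stop dependent services?" prompt. Programs such as a
rem third-party firewall or the Security Center client hold WMI open and
rem otherwise block the stop, which is why the GUI route needs them closed.
net stop winmgmt /y >nul 2>&1

rem Verify the stop actually happened before touching the repository; another
rem program can restart WMI on its own before the folder is removed.
sc query winmgmt | find "STOPPED" >nul
if errorlevel 1 (
    echo winmgmt is still running. Close programs that use WMI and run this again.
    exit /b 1
)

if not exist "%REPO%" (
    echo No repository folder at "%REPO%"; nothing to rename.
) else (
    rem Keep the old repository as Repository.old rather than deleting it,
    rem so it can be renamed back if WMI fails to rebuild a fresh one.
    if exist "%BACKUP%" rd /s /q "%BACKUP%"
    ren "%REPO%" Repository.old
    if exist "%REPO%" (
        echo Could not rename the repository. Run "net start winmgmt" and retry.
        exit /b 1
    )
    echo Old repository kept as "%BACKUP%"; delete it once WMI works again.
)

echo Starting Windows Management Instrumentation, which rebuilds the repository...
net start winmgmt >nul 2>&1
sc query winmgmt | find "RUNNING" >nul
if errorlevel 1 (
    echo winmgmt did not start. Rename "%BACKUP%" back to Repository and reboot.
    exit /b 1
)

echo Done. Reboot, then check what Windows Security Center reports under Firewall.
endlocal
exit /b 0
```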
-
Thanks - That got Outpost recognised by Security Centre as the only firewall. Had to shut down Outpost and Security Centre manually to stop WMI. After I deleted the repository I went back to restart WMI and it was already running!
I ran a SysProt report (below) and we seem to have got rid of
"Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS"
but I see that sptd.sys is still there. I've run all the Daemon Tools related uninstall routines earlier. Is the sp??.sys file the outpost hooker?
SysProt Log here
SysProt AntiRootkit v1.0.1.0
by swatkat
********************************************************************************
**********
********************************************************************************
**********
No Hidden Processes found
********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: spyn.sys
Service Name: ---
Module Base: B9EA7000
Module End: B9FA7000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AB7C6000
Module End: AB7DE000
Hidden: Yes
Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA66E000
Module End: BA670000
Hidden: Yes
********************************************************************************
**********
********************************************************************************
**********
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: ABA78C50
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwClose
Address: ABA5DC70
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwConnectPort
Address: ABA7C370
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateFile
Address: ABA59FE0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateKey
Address: ABA65280
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateProcess
Address: ABA714A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateProcessEx
Address: ABA71DA0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateSection
Address: ABA58D90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateSymbolicLinkObject
Address: ABA65030
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwCreateThread
Address: ABA6FF60
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDebugActiveProcess
Address: ABA7FE00
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteFile
Address: ABA63D10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteKey
Address: ABA66AF0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwDeleteValueKey
Address: ABA6D590
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwEnumerateKey
Address: B9EC6CA2
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spyn.sys
Function Name: ZwEnumerateValueKey
Address: B9EC7030
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spyn.sys
Function Name: ZwLoadDriver
Address: ABA6EDA0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwMakeTemporaryObject
Address: ABA648A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenFile
Address: ABA5CC90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenKey
Address: ABA661B0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenProcess
Address: ABA73E90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenSection
Address: ABA59600
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwOpenThread
Address: ABA73250
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwProtectVirtualMemory
Address: ABA79F90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryDirectoryFile
Address: ABA5EA90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryKey
Address: ABA68940
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueryValueKey
Address: ABA69190
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwQueueApcThread
Address: ABA780C0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRenameKey
Address: ABA6C780
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwReplaceKey
Address: ABA6A6F0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRequestPort
Address: ABA7E610
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRequestWaitReplyPort
Address: ABA7E930
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwRestoreKey
Address: ABA6BF10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSaveKey
Address: ABA6AE70
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSaveKeyEx
Address: ABA6B6C0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSecureConnectPort
Address: ABA7CF50
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetContextThread
Address: ABA77630
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetInformationDebugObject
Address: ABA803F0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetInformationFile
Address: ABA5FDE0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetSystemInformation
Address: ABA6E3B0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSetValueKey
Address: ABA69A10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSuspendProcess
Address: ABA76380
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSuspendThread
Address: ABA76CB0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwSystemDebugControl
Address: ABA7F640
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwTerminateProcess
Address: ABA74980
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwTerminateThread
Address: ABA75810
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwUnloadDriver
Address: ABA6F720
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
Function Name: ZwWriteVirtualMemory
Address: ABA794A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys
********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found
********************************************************************************
**********
********************************************************************************
**********
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EA8000
Hooking Module: spyn.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A8EB500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A8EB500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A8EB500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A8EB500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A8EB500
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: B821B740
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B821BC64
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B821BAA6
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B821B84C
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_READ
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAFE1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EC4514
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F41F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F41F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F41F8
Hooking Module: _unknown_
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_
-
sp??.sys is most likely hooked with SPTD.sys.
This may have been installed with Daemon Tools,
but Daemon Tools won't remove it when uninstalled, because other software may need the use of sptd.sys.
We can remove it if you want, but it may break some programs' performance, or it may not.
I'm more concerned about something in your ComboFix log.
Can you again delete your copy of ComboFix and download a fresh copy? It's important to have the latest copy.
Run a fresh scan with it.
NOTE: Don't let Outpost Firewall interfere; you may have to exit it before running ComboFix.
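The post above attributes the sp??.sys hooks to SPTD. A SysProt log this long is easier to reason about once it is collapsed by hooking module and jump address: which driver owns each dispatch routine, how many IRP major functions share one routine, and which hooks have no owner at all. The Python below is an added example written for this thread, not code from SysProt or from either poster. It parses a handful of records copied from the log above, labels `_unknown_` owners and sp??.sys-style randomised names, and reports when a single address catches several IRP_MJ_* codes (the pattern behind the long run of B9EEBB1C entries). The reading of `_unknown_` as "no loaded module covers the address" is an assumption about SysProt's output and is marked as such in the code.

```python
import re
from collections import defaultdict

# Constructed sample in SysProt AntiRootkit's IRP-hook record format, built from
# lines of the log posted above (the real log has many more records). A record
# is four lines: Hooked Module, Hooked IRP, Jump To, Hooking Module.
SAMPLE_LOG = r"""
Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8ADC11F8
Hooking Module: _unknown_
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_READ
Jump To: B9EEBB1C
Hooking Module: spyn.sys
Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAFE1C
Hooking Module: spyn.sys
Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F41F8
Hooking Module: _unknown_
"""

FIELD = re.compile(r"^(Hooked Module|Hooked IRP|Jump To|Hooking Module):\s*(.*?)\s*$")
# SPTD (the disc-emulation layer the post above attributes to Daemon Tools)
# installs a companion driver with a randomised name of the form sp??.sys;
# spyn.sys in the log fits that pattern.
SPTD_RANDOM_NAME = re.compile(r"^sp[a-z]{2}\.sys$", re.IGNORECASE)


def parse_hooks(text):
    """Return one dict per hook record; the 'Hooking Module' line closes a record."""
    hooks, current = [], {}
    for line in text.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        current[key] = value
        if key == "Hooking Module":
            hooks.append(current)
            current = {}
    return hooks


def classify(hooking_module):
    """Coarse triage label for the module that owns a hook's jump target."""
    name = hooking_module.lower()
    if name == "_unknown_":
        # Assumption: SysProt prints _unknown_ when no loaded driver image covers
        # the address, i.e. the dispatch routine lives in memory the tool cannot
        # attribute (a pool allocation, or a driver hidden from the module list).
        return "unattributed"
    if name == "sptd.sys":
        return "sptd"
    if SPTD_RANDOM_NAME.match(name):
        return "sptd-style-random-name"
    return "named-driver"


def summarize(hooks):
    """Group hooks by hooking module: which targets, IRPs and jump addresses."""
    summary = defaultdict(lambda: {"targets": set(), "irps": set(), "jumps": set()})
    for h in hooks:
        entry = summary[h["Hooking Module"]]
        entry["targets"].add(h["Hooked Module"])
        entry["irps"].add(h["Hooked IRP"])
        entry["jumps"].add(h["Jump To"].upper())
    return dict(summary)


def dispatch_fanout(hooks):
    """Map each jump address to the IRP major codes routed to it. One address
    serving many IRP_MJ_* codes means the hooker replaced the whole dispatch
    table with a single catch-all routine rather than patching one entry."""
    fanout = defaultdict(set)
    for h in hooks:
        fanout[h["Jump To"].upper()].add(h["Hooked IRP"])
    return dict(fanout)


if __name__ == "__main__":
    hooks = parse_hooks(SAMPLE_LOG)
    for module, entry in summarize(hooks).items():
        print(f"{module:<12} [{classify(module)}]")
        print(f"  targets : {sorted(entry['targets'])}")
        print(f"  jumps   : {sorted(entry['jumps'])}")
        print(f"  IRPs    : {len(entry['irps'])}")
    for addr, irps in dispatch_fanout(hooks).items():
        if len(irps) > 1:
            print(f"catch-all dispatch at {addr}: {sorted(irps)}")
```

Run against the full log, the summary separates the spyn.sys hooks on \Driver\PCI_PNP2488 (almost all of them landing on one address) from the `_unknown_` hooks on usbehci.sys and sbp2port.sys, which is the split the helper is drawing in the post above.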
-
[quote name='guestolo' post='466302' date='Nov 14 2009, 12:12 PM']We can remove it if you want, but it may break some programs performance, or may not[/quote]
I wouldn't mind having a go. I don't like the way it interferes in Safe Mode, and I think it may contribute to me not being able to get SP3 to work.
Here's the CF log (I exited/stopped the Outpost service altogether):
ComboFix 09-11-15.01 - B4BD 14/11/2009 12:28.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2702 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.
2009-11-14 16:21 . 2009-11-09 17:51 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-14 14:37 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-14 16:22 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 20:25 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-14 16:05 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 14:00 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-13_05.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 18:57 . 2009-11-14 18:57 16384 c:\windows\Temp\Perflib_Perfdata_8fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]
c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 12:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahdeppddjlnhgph"=hex:69,61,68,65,6e,66,6f,6d,68,6b,65,65,6c,6c,6e,67,66,6d,
00,00
"jaidfafppidcifadppoc"=hex:6f,61,65,65,68,6c,67,67,66,70,6f,69,61,6b,61,6c,6d,
62,66,66,6e,6f,6e,6a,65,6d,68,6b,62,6f,00,77
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1976)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-14 12:43
ComboFix-quarantined-files.txt 2009-11-14 20:43
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-13 05:05
ComboFix3.txt 2009-11-02 04:14
ComboFix4.txt 2009-11-02 01:22
ComboFix5.txt 2009-11-14 20:27
Pre-Run: 34,962,481,152 bytes free
Post-Run: 34,914,930,688 bytes free
- - End Of File - - E1413F11FBCAF95273B40A1AFF470223
-
Download Gmer's mbr.exe (http://www2.gmer.net/mbr/mbr.exe) to your desktop.
Click the downloaded file to run the scan (a window will open briefly, then close).
The scan will create an mbr.log on your desktop; please copy/paste its contents in your next reply.
-
MBR log -
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
-
Copy ALL the BLUE text below and paste it into Notepad.
Don't use anything other than Notepad or the script will not work.
[color="#0000FF"]KillAll::
RegNull::
[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
Registry::
[-HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
[/color]
Save this as a txt file on your desktop, with the exact name of
CFScript
Drag CFScript.txt into ComboFix.exe.
ComboFix will start >> follow the prompts.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
When finished, it shall produce a log for you with the same name, C:\ComboFix.txt.
Can I see that log again?
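The ComboFix log above lists the locked key's values only as raw `hex:` byte lists, and the CFScript in this post deletes the key without saying what those bytes are. Decoding them first is a cheap check that what is being removed is what you think it is. The Python below is an added example written for this thread, not ComboFix's code or either poster's: it parses the LOCKED REGISTRY KEYS block copied from the log, joins the continuation lines, decodes plain `hex:` as REG_BINARY and `hex(6):` as a UTF-16LE REG_LINK, and marks the value the log cuts off as truncated instead of guessing the missing bytes. On this input the two REG_BINARY values are NUL-padded runs of lowercase letters and the REG_LINK begins `\Registry\MACHINE\Sys`; the rest of that path is simply not on the page.

```python
import re

# The LOCKED REGISTRY KEYS block copied verbatim from the ComboFix log above.
# The last value is cut off in the log itself: its final line ends in the
# ',\' continuation marker and nothing follows, so the bytes beyond it are
# not on the page and must not be invented.
LOCKED_KEYS = r"""
[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahdeppddjlnhgph"=hex:69,61,68,65,6e,66,6f,6d,68,6b,65,65,6c,6c,6e,67,66,6d,
00,00
"jaidfafppidcifadppoc"=hex:6f,61,65,65,68,6c,67,67,66,70,6f,69,61,6b,61,6c,6d,
62,66,66,6e,6f,6e,6a,65,6d,68,6b,62,6f,00,77
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
"""

# .reg syntax: "name"=hex:... is REG_BINARY; "name"=hex(N):... carries type N.
VALUE_START = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<data>.*)$')
KEY_START = re.compile(r"^\[-?HKEY_")
HEX_BYTE = re.compile(r"^[0-9a-fA-F]{2}$")
REG_TYPE_NAME = {"0": "REG_NONE", "1": "REG_SZ", "2": "REG_EXPAND_SZ", "3": "REG_BINARY",
                 "4": "REG_DWORD", "6": "REG_LINK", "7": "REG_MULTI_SZ", "b": "REG_QWORD"}


def parse_reg_values(text):
    """Return [(name, type_code, data, truncated)] for every hex value in
    .reg-style text. A payload line ending in ',' or ',\\' continues on the
    next line. A value still open when a new key or value starts, when a
    non-hex line appears, or at end of input is returned with truncated=True
    rather than being padded or silently dropped."""
    values, current = [], None

    def close(truncated):
        nonlocal current
        if current is not None:
            name, tcode, tokens = current
            values.append((name, tcode, bytes(int(t, 16) for t in tokens), truncated))
            current = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if KEY_START.match(line):
            close(truncated=True)
            continue
        m = VALUE_START.match(line)
        if m:
            close(truncated=True)
            current = [m["name"], (m["type"] or "3").lower(), []]
            payload = m["data"]
        elif current is not None:
            payload = line
        else:
            continue
        continues = payload.endswith(",") or payload.endswith(",\\")
        tokens = [t for t in payload.rstrip("\\").rstrip(",").split(",") if t]
        if not all(HEX_BYTE.match(t) for t in tokens):
            close(truncated=True)          # not hex data, so the value ended early
            continue
        current[2].extend(tokens)
        if not continues:
            close(truncated=False)
    close(truncated=True)
    return values


def decode_value(tcode, data):
    """Interpret the raw bytes according to the .reg type code."""
    if tcode in ("1", "2", "6", "7"):               # UTF-16LE string types
        usable = data[: len(data) - len(data) % 2]  # drop a dangling odd byte
        text = usable.decode("utf-16-le", errors="replace")
        if tcode == "7":
            return [s for s in text.split("\x00") if s]
        return text.rstrip("\x00")
    if tcode in ("4", "b") and len(data) in (4, 8):
        return int.from_bytes(data, "little")
    return data                                      # REG_BINARY and anything else


def ascii_preview(data):
    """Hexdump-style rendering: printable ASCII as-is, everything else as '.'."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in data)


if __name__ == "__main__":
    for name, tcode, data, truncated in parse_reg_values(LOCKED_KEYS):
        label = REG_TYPE_NAME.get(tcode, f"type {tcode}")
        decoded = decode_value(tcode, data)
        shown = decoded if isinstance(decoded, str) else ascii_preview(data)
        flag = "  (truncated in log)" if truncated else ""
        print(f"{name} [{label}, {len(data)} bytes]: {shown!r}{flag}")
```

The truncation flag matters more than it looks: a decoder that silently accepted the cut-off REG_LINK would report a path that the log never actually contains, and an analyst could end up deleting or whitelisting on the strength of a string that was only partially observed.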
-
During execution a crash message popped up: "PEV.exe has encountered a problem...."
I just let everything keep going. After the reboot the firewall started up again; I OK'd the popups while I suspended Outpost and let it finish. I noticed on the way by (I was on a phone call while it was running) that one of the windows I OK'd was to do with pev.cfxe.
Here's the log:
ComboFix 09-11-15.01 - B4BD 14/11/2009 17:25.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2711 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\B4BD\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.
2009-11-14 16:21 . 2009-11-09 17:51 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-14 14:37 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-14 16:22 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 01:21 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-15 00:54 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-14 16:05 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-13_05.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 01:40 . 2009-11-15 01:40 16384 c:\windows\temp\Perflib_Perfdata_8a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]
c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 17:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(2008)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-11-14 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 01:51
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-14 20:43
ComboFix3.txt 2009-11-13 05:05
ComboFix4.txt 2009-11-02 04:14
ComboFix5.txt 2009-11-15 01:23
Pre-Run: 34,928,881,664 bytes free
Post-Run: 34,871,250,944 bytes free
- - End Of File - - F7F7BCA5B08FBCD3F22102AA9B92F09E
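As an added illustration (not part of this thread, and not ComboFix's own code), here is a small Python triage helper for the two line shapes in the ComboFix log above: the file listing ("created . modified size attrs path") and the service/driver listing ("R1 name;display;path [stamp]"). The review rules it applies (flag hidden+system files under system32 for publisher verification, flag services with no image path) are my own heuristics, and the sample lines are copied from the log above.

```python
"""Triage helper for ComboFix-style log lines (added example, not part of the
forum thread or of ComboFix itself). It parses the file listing and the
service/driver listing, then applies a couple of read-only review rules that
a helper would otherwise apply by eye. The rules are assumptions, not
ComboFix's own verdicts."""
import re
from dataclasses import dataclass
from typing import List, Optional

# created-date . modified-date size-or-dashes attribute-flags path
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) "
    r"(\d+|-{8}) ([-a-z]{8}) (.+)$"
)
# start-code service-name;display-name;image-path [timestamp size]
SERVICE_RE = re.compile(r"^([RS]\d) ([^;]*);([^;]*);([^\[]*?)(?: \[([^\]]*)\])?$")


@dataclass
class FileEntry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints "--------")
    attrs: str            # e.g. "--sh--r-": s = system, h = hidden, r = read-only
    path: str

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")


@dataclass
class ServiceEntry:
    start: str        # R = running, S = stopped; the digit is the start type
    name: str
    display: str
    image_path: str   # empty when ComboFix could not resolve the binary
    stamp: str


def parse_file_line(line: str) -> Optional[FileEntry]:
    """Parse one Find3M/"Files Created" line; return None for other lines."""
    m = FILE_RE.match(line.strip())
    if not m:
        return None
    created, modified, size, attrs, path = m.groups()
    return FileEntry(created, modified,
                     None if size.startswith("-") else int(size), attrs, path)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one service/driver line; return None for other lines."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    start, name, display, path, stamp = m.groups()
    return ServiceEntry(start, name, display, path.strip(), stamp or "")


def triage(lines: List[str]) -> List[str]:
    """Return human-readable review notes; an empty list means nothing flagged."""
    notes = []
    for line in lines:
        f = parse_file_line(line)
        if f and not f.is_dir and f.hidden and f.system \
                and "\\system32\\" in f.path.lower():
            notes.append(f"hidden+system file in system32, verify publisher: {f.path}")
        s = parse_service_line(line)
        if s and not s.image_path:
            notes.append(f"service '{s.name}' has no image path (orphaned entry)")
    return notes


# Sample input copied from the ComboFix log in this thread.
SAMPLE_LINES = [
    r"2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll",
    r"2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll",
    r"2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit",
    r"+ 2009-11-15 01:40 . 2009-11-15 01:40 16384 c:\windows\temp\Perflib_Perfdata_8a8.dat",
    r"R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]",
    r"S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;",
]

if __name__ == "__main__":
    for note in triage(SAMPLE_LINES):
        print(note)
```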
-
I'm a little concerned that Combofix acknowledges that the MBR is infected
But the same scanner used by Gmer says it's clean
Can you do the following
mbr.exe MUST be on your desktop to complete the following.
Highlight and copy the following bolded blue command.
"%userprofile%\desktop\mbr.exe" -f
Click Start>Run, paste the command in the Run dialog then hit enter.
After the fix runs please reboot the computer.
Please post the log it produces
-
I'm just making a TrueImage backup. Be about 30 min.
-
Not much here. The time stamp is current but I'm not sure it's right. There was just a short display of the command window and that's it. Should I have deleted the old log file first or does it matter?
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
-
user & kernel MBR OK
That looks fine
Let's do the following
Can you exit out of Outpost Firewall, by right clicking its icon by the clock and choose to Exit
Then run the following:
Go to START>>RUN>>
Copy/paste the following command, then click OK
combofix /u
This will uninstall Combofix and its components
Next: If you still want to remove remnants of Sptd from Daemon tools
Right click on MyComputer icon and select Properties
Hardware>Device Manager>View>"Show Hidden devices"
Expand on "Non Plug and Play Drivers"
Look for sptd
right click on it and choose "Uninstall"
Follow the prompts and reboot when required
Back in Windows
download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1: http://jpshortstuff.247fixes.com/SystemLook.exe
Download Mirror #2: http://images.malwareremoval.com/jpshortstuff/SystemLook.exe
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:filefind
sptd.sys
:regfind
sptd
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
-
Before I get too far - I ran the combofix uninstall - it ran a full scan, produced a report and left the executable on the desktop. PEV.exe also crashed again.
When I went into device manager catchme was there with the yellow asterisk. Is this what you were expecting? I've stopped here for now.
-
Before I get too far - I ran the combofix uninstall - it ran a full scan, produced a report and left the executable on the desktop. PEV.exe also crashed again.
Chances are Outpost is still interfering
When I went into device manager catchme was there with the yellow asterisk. Is this what you were expecting? I've stopped here for now.
You can right click on "catchme" in device manager and choose Uninstall
Don't reboot at the prompt
Then look for "sptd" and choose uninstall, follow the prompts and reboot when required
Then carry on with the rest of the instructions
-
SystemLook log is below. I'll try the combofix uninstall again.
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 21:33 on 14/11/2009 by B4BD (Administrator - Elevation successful)
========== filefind ==========
Searching for "sptd.sys"
C:\WINDOWS\system32\drivers\sptd.sys --a--- 717296 bytes [14:35 16/01/2008] [02:53 02/09/2008] (Unable to calculate MD5)
========== regfind ==========
Searching for "sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\0000\Control]
"ActiveService"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\Enum]
"0"="Root\LEGACY_SPTD\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000]
"Service"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\0000\Control]
"ActiveService"="sptd"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
"ImagePath"="System32\Drivers\sptd.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Enum]
"0"="Root\LEGACY_SPTD\0000"
-=End Of File=-
-
Double click on OTL.exe to run it
- Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
:Processes
explorer.exe
:Files
C:\WINDOWS\system32\drivers\sptd.sys
:Reg
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd]
:Commands
[EmptyTemp]
[Start Explorer]
[Reboot]
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, Allow OTL to run if prompted
please post the log that OTL produces
A copy of this log can also be found in
C:\_OTL\Moved Files folder
-
Here's the OTL Log-
All processes killed
========== PROCESSES ==========
Process explorer.exe killed successfully!
========== FILES ==========
C:\WINDOWS\system32\drivers\sptd.sys moved successfully.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_SPTD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_SPTD\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Eventlog\System\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SPTD\ not found.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\System\sptd\ not found.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\ scheduled to be deleted on reboot.
========== COMMANDS ==========
[EMPTYTEMP]
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: All Users
User: B4BD
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 376858 bytes
->Java cache emptied: 3441647 bytes
->FireFox cache emptied: 901644 bytes
->Google Chrome cache emptied: 43139149 bytes
->Opera cache emptied: 601678 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 65536 bytes
User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 32835 bytes
->FireFox cache emptied: 13570837 bytes
User: MCX1
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
RecycleBin emptied: 0 bytes
Total Files Cleaned = 59.25 mb
OTL by OldTimer - Version 3.1.4.0 log created on 11142009_231802
Files\Folders moved on Reboot...
Registry entries deleted on Reboot...
Registry key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sptd\ deleted successfully.
Registry delete failed. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sptd\ scheduled to be deleted on reboot.
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\ not found.
-
I wouldn't mind having a go. I don't like the way it interferes in Safe Mode and I think it may contribute to me not being able to get SP3 to work.
Can you get to safe mode?
Not sure what you mean about SP3, what is the problem?
I see this in your OTL.txt log
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
Possibly you are blocking this from running with some program you have installed
Can we remove it and get rid of it another way
Double click on OTL.exe to run it
- Under the Custom Scans/Fixes box at the bottom, copy/paste in the following in the quote box below. Don't include the word Quote please
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
- Then click the Run Fix button at the top
On startup, Allow OTL to run if prompted
Afterwards, run a fresh scan with OTL and post its new log that opens
-
guestolo wrote (post 466323, Nov 15 2009, 07:53 AM):
Can you get to safe mode?
Not sure what you mean about SP3, what is the problem?
Yes I can usually get to Safe Mode, but it always asked about loading sptd before we removed it. Haven't tried since yet.
Haven't ever been able to get SP3 to work. Tried numerous times and have had varying results, but the last few tries the install halts when it's trying to reload after the first restart and hangs at the driver loading. I try every few months to see if anything has changed.
I have been uninstalling a few apps to clean up the list of ones I don't use. I restarted so that I could follow your new instructions and when the desktop started to load, OTL loaded and halted the rest of the loading. I closed it without doing anything and everything carried on normally. Anything you want to run before we proceed?
I have to go out for a few hours. Will be back at it later.
Thanks for your help.
-
On startup, Allow OTL to run if prompted
Are you saying you didn't follow that instruction?
Just run a fresh scan with OTL.exe and post its new log
-
Sorry for the confusion there guestolo. I was editing my response to add that the Safe Mode issue always seemed to occur with a freeze at loading of the sptd driver, and that's what was happening with SP3 the last few times, when you replied earlier and then I had to run out.
I didn't run the fix because I wasn't sure about the OTL situation. It had already booted after the last run and didn't request another run then so I wanted to check.
Anyway, here's the log from a fresh scan -
OTL logfile created on: 15/11/2009 12:43:51 PM - Run 3
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\B4BD\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy
2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 94.66 Gb Total Space | 32.21 Gb Free Space | 34.02% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.43 Gb Total Space | 24.25 Gb Free Space | 11.92% Space Free | Partition Type: NTFS
Drive F: | 230.85 Gb Total Space | 68.72 Gb Free Space | 29.77% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 465.76 Gb Total Space | 211.62 Gb Free Space | 45.44% Space Free | Partition Type: NTFS
Drive P: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Q: | 152.66 Gb Total Space | 101.93 Gb Free Space | 66.77% Space Free | Partition Type: NTFS
Drive R: | 931.51 Gb Total Space | 507.73 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
Drive S: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive T: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive U: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive V: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive X: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Y: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Computer Name: BNMC01
Current User Name: B4BD
Logged in as Administrator.
Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan
========== Processes (SafeList) ==========
PRC - [2009/11/14 08:21:11 | 02,020,120 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgtray.exe
PRC - [2009/11/14 08:21:10 | 00,600,344 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgnsx.exe
PRC - [2009/11/11 05:33:41 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
PRC - [2009/10/18 09:48:30 | 01,055,000 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgchsvx.exe
PRC - [2009/10/18 09:48:30 | 00,502,040 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgrsx.exe
PRC - [2009/10/18 09:48:28 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe
PRC - [2009/10/18 09:48:28 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/18 09:48:28 | 00,702,744 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgcsrvx.exe
PRC - [2009/10/18 09:48:27 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe
PRC - [2009/09/23 16:41:30 | 01,270,080 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe
PRC - [2009/09/23 16:40:50 | 01,338,560 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe
PRC - [2009/08/31 11:25:16 | 00,623,960 | ---- | M] (Research In Motion Limited) -- C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
PRC - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/03/15 12:00:34 | 00,031,744 | ---- | M] (NirSoft) -- C:\AppsNoInstall\volumouse\volumouse.exe
PRC - [2009/03/12 11:53:46 | 00,483,422 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2009/03/12 11:53:46 | 00,254,036 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe
PRC - [2008/10/30 23:00:00 | 00,266,752 | ---- | M] () -- C:\AppsNoInstall\notepad2\Notepad2.exe
PRC - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
PRC - [2007/10/30 19:11:48 | 00,909,208 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
PRC - [2007/10/30 19:07:40 | 00,140,568 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
PRC - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
PRC - [2007/10/30 19:06:42 | 02,595,616 | ---- | M] (Acronis) -- C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
PRC - [2007/06/13 02:23:07 | 01,033,216 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/10/18 20:05:26 | 00,204,288 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\wmpnscfg.exe
PRC - [2005/12/12 14:03:54 | 00,417,855 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
PRC - [2005/12/12 14:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
PRC - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
PRC - [2004/08/10 04:00:00 | 00,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2002/03/19 16:30:00 | 00,045,632 | ---- | M] () -- C:\WINDOWS\system32\TaskSwitch.exe
========== Modules (SafeList) ==========
MOD - [2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
MOD - [2009/03/15 12:00:00 | 00,007,168 | ---- | M] (NirSoft) -- C:\AppsNoInstall\volumouse\vlmshlp.dll
MOD - [2006/08/25 08:45:56 | 01,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
MOD - [2004/08/10 04:00:00 | 00,185,856 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wbem\framedyn.dll
MOD - [2004/08/10 04:00:00 | 00,025,088 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\mslbui.dll
========== Win32 Services (SafeList) ==========
SRV - File not found -- -- (FirebirdServerMAGIXInstance)
SRV - [2009/10/18 09:48:28 | 00,906,520 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgemc.exe -- (avg9emc)
SRV - [2009/10/18 09:48:27 | 00,285,392 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\Program Files\AVG\AVG9\avgwdsvc.exe -- (avg9wd)
SRV - [2009/09/23 16:40:50 | 01,338,560 | ---- | M] (Agnitum Ltd.) -- C:\Program Files\Agnitum\Outpost Firewall Pro\acs.exe -- (acssrv)
SRV - [2009/07/25 04:23:10 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009/04/19 20:03:33 | 00,069,632 | ---- | M] (Adobe Systems) -- C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe -- (Adobe LM Service)
SRV - [2009/03/26 05:19:12 | 00,183,280 | ---- | M] (Google) -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009/03/12 11:53:46 | 00,254,036 | ---- | M] (IDT, Inc.) -- c:\Program Files\IDT\IntelXPV_v103\WDM\stacsv.exe -- (STacSV)
SRV - [2009/03/05 20:46:56 | 00,133,104 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Update\GoogleUpdate.exe -- (gupdate1c99e16a3dd4ece)
SRV - [2009/03/03 02:19:28 | 00,691,200 | ---- | M] (FileZilla Project) -- C:\Apps\FileZilla Server\FileZilla Server.exe -- (FileZilla Server)
SRV - [2008/12/23 07:35:20 | 00,117,264 | ---- | M] (CACE Technologies, Inc.) -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2008/09/01 11:53:13 | 00,380,536 | ---- | M] (Emsi Software GmbH) -- c:\program files\a-squared free\a2service.exe -- (a2free)
SRV - [2008/07/29 21:10:04 | 00,046,104 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe -- (FontCache3.0.0.0)
SRV - [2008/07/29 19:24:50 | 00,881,664 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe -- (idsvc)
SRV - [2008/07/29 19:16:38 | 00,132,096 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe -- (NetTcpPortSharing)
SRV - [2008/07/25 11:17:02 | 00,069,632 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe -- (clr_optimization_v2.0.50727_32)
SRV - [2008/07/25 11:16:40 | 00,034,312 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- (aspnet_state)
SRV - [2008/06/24 05:58:41 | 00,557,056 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe -- (Ati HotKey Poller)
SRV - [2008/06/03 19:33:35 | 00,654,848 | ---- | M] (Macrovision Europe Ltd.) -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008/05/15 11:58:12 | 00,823,296 | ---- | M] (Hauppauge Computer Works) -- C:\Program Files\WinTV\HCWTVServer.exe -- (HauppaugeTVServer)
SRV - [2008/04/15 16:59:38 | 00,071,096 | ---- | M] () -- C:\Program Files\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU)
SRV - [2007/10/30 19:51:44 | 00,492,720 | ---- | M] () -- C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe -- (TryAndDecideService)
SRV - [2007/10/30 19:07:38 | 00,427,288 | ---- | M] (Acronis) -- C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe -- (AcrSch2Svc)
SRV - [2007/10/25 14:27:54 | 00,266,240 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\installer\WLSetupSvc.exe -- (WLSetupSvc)
SRV - [2007/10/18 10:31:54 | 00,098,328 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Live\Messenger\usnsvc.exe -- (usnjsvc)
SRV - [2007/09/10 23:45:04 | 00,124,832 | ---- | M] () -- C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe -- (AdobeActiveFileMonitor6.0)
SRV - [2007/02/27 20:53:58 | 00,020,480 | ---- | M] ( ) -- c:\Program Files\DVRMSToolbox\DVRMSFileWatcherService.exe -- (DVRMSFileWatcherService)
SRV - [2006/10/18 20:05:24 | 00,913,408 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Windows Media Player\WMPNetwk.exe -- (WMPNetworkSvc)
SRV - [2006/10/09 15:16:56 | 00,237,568 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehrecvr.exe -- (ehRecvr)
SRV - [2006/09/13 13:25:56 | 00,491,520 | ---- | M] (Locktime Software) -- C:\Program Files\NetLimiter 2 Monitor\nlsvc.exe -- (nlsvc)
SRV - [2006/06/14 13:10:04 | 00,495,616 | ---- | M] ( ) -- C:\WINDOWS\System32\LMabcoms.exe -- (lmab_device)
SRV - [2005/12/12 14:02:24 | 00,176,193 | ---- | M] (American Power Conversion Corporation) -- C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe -- (APC UPS Service)
SRV - [2005/10/20 19:55:50 | 00,096,256 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\McrdSvc.exe -- (McrdSvc)
SRV - [2005/10/20 19:55:40 | 00,028,160 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\RMSvc.exe -- (RMSvc)
SRV - [2005/09/07 18:18:34 | 00,049,336 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe -- (ehMonitor)
SRV - [2005/08/07 04:54:00 | 00,167,936 | ---- | M] () -- C:\Program Files\CyberLink\Shared Files\RichVideo.exe -- (RichVideo)
SRV - [2005/08/05 13:56:32 | 00,102,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\ehome\ehSched.exe -- (ehSched)
SRV - [2004/10/22 02:24:18 | 00,073,728 | ---- | M] (Macrovision Corporation) -- C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004/08/10 04:00:00 | 00,038,912 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll -- (helpsvc)
SRV - [2003/11/12 04:48:20 | 00,049,152 | ---- | M] (Ulead Systems, Inc.) -- C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe -- (UleadBurningHelper)
SRV - [2003/07/28 12:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
========== Standard Registry (SafeList) ==========
========== Internet Explorer ==========
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Secondary_Page_URL = [binary data]
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Extensions Off Page = about:NoAdd-ons
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Security Risk Page = about:SecurityRisk
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Page_Transitions = 1
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
========== FireFox ==========
FF - prefs.js..browser.search.selectedEngine: "Google"
FF - HKLM\software\mozilla\Firefox\Extensions\\{400F0BDB-6C49-43A4-BE1F-76D7327A604D}: C:\Program Files\Common Files\fluxDVD\Download Manager\Mozilla [2007/12/28 07:07:30 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b}: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\ [2009/06/04 05:31:00 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\Java\jre6\lib\deploy\jqs\ff [2009/01/09 09:42:58 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{3f963a5b-e555-4543-90e2-c3908898db71}: C:\Program Files\AVG\AVG9\Firefox [2009/11/09 19:10:09 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009/11/11 05:33:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009/11/11 05:33:45 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Components: C:\Program Files\Mozilla Thunderbird\components [2009/08/20 20:50:21 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Thunderbird 2.0.0.23\extensions\\Plugins: C:\Program Files\Mozilla Thunderbird\plugins [2008/12/28 08:25:14 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Thunderbird\Extensions\\[email protected]: C:\Program Files\ESET\Mozilla Thunderbird
[2008/08/02 09:58:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions
[2008/08/02 09:58:21 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\{3550f703-e582-4d05-9a08-453d09bdfdc6}
[2008/06/14 04:04:01 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}
[2008/09/11 20:36:56 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2009/07/05 20:52:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2008/04/04 20:54:26 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Extensions\[email protected]
[2009/02/21 21:53:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\extensions
[2009/02/21 21:17:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\extensions\[email protected]
[2009/02/21 21:53:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions
[2006/02/13 20:44:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{0cdfdd5e-eea6-45ff-b035-81243cf02efb}
[2006/02/13 20:44:41 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{3143B27B-F7DE-49d8-BF08-C2E4DEA71DBB}
[2006/02/13 20:42:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{44851136-3425-48cc-a957-5a29b9396a5f}
[2006/02/13 20:44:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{8803789a-23eb-44b4-bd48-6762fd320242}
[2006/02/01 19:52:16 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{904524FC-3F89-11DA-8BDE-F66BAD1E3F3A}
[2006/02/01 19:53:04 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{9f08cb5a-76b1-4bcf-aff9-90e1a5d60b1e}
[2006/02/13 20:45:00 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\{a81bafeb-b6ed-4501-aa17-15a2b3857e56}
[2009/02/21 21:17:08 | 00,000,000 | ---D | M] -- C:\Documents and Settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\extensions\[email protected]
[2009/11/15 06:39:01 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2009/11/11 05:33:40 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
[2007/04/18 18:21:48 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
[2007/08/14 19:39:39 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
[2007/10/11 07:13:45 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
[2009/01/08 11:42:34 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
[2009/01/09 09:43:12 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
[2009/03/28 05:24:09 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
[2009/10/08 19:31:08 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
[2009/11/11 05:33:40 | 00,023,512 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\browserdirprovider.dll
[2009/11/11 05:33:40 | 00,137,176 | ---- | M] (Mozilla Foundation) -- C:\Program Files\Mozilla Firefox\components\brwsrcmp.dll
[2007/04/10 16:21:08 | 00,163,256 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\np-mswmp.dll
[2007/08/07 13:35:32 | 00,049,152 | ---- | M] (Adobe Systems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\np32dsw.dll
[2007/03/02 05:17:24 | 00,095,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPAPIX.dll
[2009/07/25 04:23:01 | 00,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeploytk.dll
[2007/07/26 15:03:34 | 00,717,312 | ---- | M] (DivX,Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdivx32.dll
[2007/09/05 15:03:36 | 00,098,304 | ---- | M] (DivX, Inc) -- C:\Program Files\Mozilla Firefox\plugins\npDivxPlayerPlugin.dll
[2007/01/17 03:18:04 | 00,095,200 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPFluxBrowserHelper.dll
[2008/12/28 08:25:14 | 00,072,960 | ---- | M] (Foxit Software Company) -- C:\Program Files\Mozilla Firefox\plugins\npFoxitReaderPlugin.dll
[2007/03/20 05:24:22 | 00,099,224 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\NPMPDRM.dll
[2009/11/11 05:33:42 | 00,064,984 | ---- | M] (mozilla.org) -- C:\Program Files\Mozilla Firefox\plugins\npnul32.dll
[2007/03/22 18:23:30 | 00,017,248 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL
[2004/12/14 01:19:18 | 00,057,344 | ---- | M] (Adobe Systems Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll
[2005/04/06 23:52:20 | 00,139,305 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
[2007/09/12 18:36:23 | 00,151,552 | ---- | M] (PopCap Games) -- C:\Program Files\Mozilla Firefox\plugins\nppopcaploader.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
[2007/06/14 05:07:26 | 00,131,072 | ---- | M] (Apple Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
[2005/04/06 23:39:02 | 00,081,967 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
[2007/03/09 10:35:00 | 00,365,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\npupd62.dll
[2006/02/23 07:16:00 | 00,034,048 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\upd62i9x.dll
[2006/02/23 07:16:00 | 00,045,056 | ---- | M] () -- C:\Program Files\Mozilla Firefox\plugins\upd62int.dll
[2009/06/16 23:35:40 | 00,001,538 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\amazon-en-GB.xml
[2009/06/16 23:35:40 | 00,002,193 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\answers.xml
[2009/06/16 23:35:40 | 00,000,947 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\chambers-en-GB.xml
[2009/06/16 23:35:40 | 00,001,534 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\creativecommons.xml
[2009/06/16 23:35:40 | 00,000,769 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\eBay-en-GB.xml
[2009/06/16 23:35:40 | 00,002,371 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\google.xml
[2009/06/16 23:35:40 | 00,001,178 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\wikipedia.xml
[2009/06/16 23:35:40 | 00,000,831 | ---- | M] () -- C:\Program Files\Mozilla Firefox\searchplugins\yahoo-en-GB.xml
O1 HOSTS File: (27 bytes) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (AVG Safe Search) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (AVG Technologies CZ, s.r.o.)
O2 - BHO: (LastPass Browser Helper Object) - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - C:\Documents and Settings\B4BD\Application Data\LastPass\LPBar.dll ()
O2 - BHO: (Java(tm) Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O3 - HKLM\..\Toolbar: (LastPass Toolbar) - {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - C:\Documents and Settings\B4BD\Application Data\LastPass\LPBar.dll ()
O4 - HKLM..\Run: [Acronis Scheduler2 Service] C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe (Acronis)
O4 - HKLM..\Run: [AcronisTimounterMonitor] C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe (Acronis)
O4 - HKLM..\Run: [AVG9_TRAY] C:\Program Files\AVG\AVG9\avgtray.exe (AVG Technologies CZ, s.r.o.)
O4 - HKLM..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe (Research In Motion Limited)
O4 - HKLM..\Run: [CoolSwitch] C:\WINDOWS\system32\TaskSwitch.exe ()
O4 - HKLM..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe (Intel Corporation)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [Malwarebytes Anti-Malware (reboot)] C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe (Malwarebytes Corporation)
O4 - HKLM..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [OutpostMonitor] C:\Program Files\Agnitum\Outpost Firewall Pro\op_mon.exe (Agnitum Ltd.)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TrueImageMonitor.exe] C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe (Acronis)
O4 - HKCU..\Run: [$Volumouse$] C:\AppsNoInstall\volumouse\volumouse.exe (NirSoft)
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe (Microsoft Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk = C:\Program Files\APC\APC PowerChute Personal Edition\Display.exe (American Power Conversion Corporation)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled [2009/11/11 15:30:58 | 00,000,000 | -H-D | M]
O4 - Startup: C:\Documents and Settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled [2007/03/03 08:22:54 | 00,000,000 | -H-D | M]
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: dontdisplaylastusername = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticecaption =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: legalnoticetext =
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: shutdownwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: undockwithoutlogon = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DisableRegistryTools = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsMenu = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoSMMyPictures = 01 00 00 00 [binary data]
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoRecentDocsHistory = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoStartBanner = 1
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoLowDiskSpaceChecks = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O8 - Extra context menu item: Add to Evernote - C:\Program Files\Evernote\Evernote3\enbar.dll (Evernote Corporation)
O9 - Extra Button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall Pro\ie_bar.dll (Agnitum Ltd.)
O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL (Microsoft Corporation)
O9 - Extra Button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (Microsoft Corporation)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} http://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab (Office Genuine Advantage Validation Tool)
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} http://www.creative.com/su/ocx/15031/CTSUEng.cab (Creative Software AutoUpdate)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://go.microsoft.com/fwlink/?linkid=39204 (Windows Genuine Advantage Validation Tool)
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} http://office.microsoft.com/officeupdate/content/opuc3.cab (Office Update Installation Engine)
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} http://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1211239737950 (MUCatalogWebControl Class)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229314090703 (WUWebControl Class)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1217687312828 (MUWebControl Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} http://office.microsoft.com/officeupdate/content/opuc4.cab (Office Update Installation Engine)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} http://www.creative.com/su/ocx/15034/CTPID.cab (Creative Software AutoUpdate Support Package)
O18 - Protocol\Handler\AutorunsDisabled - No CLSID value found
O18 - Protocol\Handler\AutorunsDisabled\intu-qt2007 {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - C:\Program Files\QuickTax 2007\ic2007pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\AutorunsDisabled\intu-qt2008 {05E53CE9-66C8-4a9e-A99F-FDB7A8E7B596} - C:\Program Files\QuickTax 2008\ic2008pp.dll (Intuit Canada, a general partnership/une société en nom collectif.)
O18 - Protocol\Handler\http\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\http\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\https\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ipp - No CLSID value found
O18 - Protocol\Handler\ipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll (AVG Technologies CZ, s.r.o.)
O18 - Protocol\Handler\livecall {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp - No CLSID value found
O18 - Protocol\Handler\msdaipp\0x00000001 {E1D2BF42-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\msdaipp\oledb {E1D2BF40-A96B-11d1-9C6B-0000F875AC61} - C:\Program Files\Common Files\System\Ole DB\MSDAIPP.DLL (Microsoft Corporation)
O18 - Protocol\Handler\ms-itss {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll (Microsoft Corporation)
O18 - Protocol\Handler\msnim {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll (Microsoft Corporation)
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O18 - Protocol\Filter\text/xml {807553E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - C:\WINDOWS\System32\avgrsstx.dll (AVG Technologies CZ, s.r.o.)
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O30 - LSA: Authentication Packages - (relog_ap) - C:\WINDOWS\System32\relog_ap.dll (Acronis)
O31 - SafeBoot: AlternateShell - cmd.exe
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/23 14:59:37 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck) - File not found
O34 - HKLM BootExecute: (autochk) - C:\WINDOWS\System32\autochk.exe (Microsoft Corporation)
O34 - HKLM BootExecute: (*) - File not found
O35 - comfile [open] -- "%1" %* File not found
O35 - exefile [open] -- "%1" %* File not found
========== Files/Folders - Created Within 14 Days ==========
[2009/11/14 23:18:02 | 00,000,000 | ---D | C] -- C:\_OTL
[2009/11/14 21:47:16 | 00,000,000 | ---D | C] -- C:\ComboFix
[2009/11/14 17:34:55 | 00,000,000 | ---D | C] -- C:\WINDOWS\temp
[2009/11/11 06:23:08 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Research In Motion
[2009/11/09 06:23:10 | 00,000,000 | ---D | C] -- C:\rsit
[2009/11/08 22:42:31 | 00,806,985 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwtvwnd.dll
[2009/11/08 22:42:31 | 00,294,968 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwpnp32.dll
[2009/11/08 22:42:31 | 00,213,066 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwdvbsubtitles.ax
[2009/11/08 22:42:31 | 00,204,871 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\HCWPsiParser.ax
[2009/11/08 22:42:31 | 00,176,197 | ---- | C] (Hauppauge Computer Works Inc.) -- C:\WINDOWS\System32\hcwmux.ax
[2009/11/08 22:42:31 | 00,118,851 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwNowNext.ax
[2009/11/08 22:42:31 | 00,106,559 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwTVDlg.dll
[2009/11/08 22:42:31 | 00,106,552 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwi2c32.dll
[2009/11/08 22:42:31 | 00,094,208 | ---- | C] (Hauppuage Computer Works) -- C:\WINDOWS\System32\hcwsstereo.ax
[2009/11/08 22:42:31 | 00,090,190 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\Bt848WST.DLL
[2009/11/08 22:42:31 | 00,081,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwSplit.ax
[2009/11/08 22:42:31 | 00,081,920 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwNull.ax
[2009/11/08 22:42:31 | 00,073,728 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwSnap.ax
[2009/11/08 22:42:31 | 00,073,728 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwFRead.ax
[2009/11/08 22:42:31 | 00,069,632 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwPP2PP.ocx
[2009/11/08 22:42:31 | 00,065,536 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwdlg.ocx
[2009/11/08 22:42:31 | 00,057,344 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwFWrit.ax
[2009/11/08 22:42:31 | 00,053,248 | ---- | C] (DScaler Project, see http://www.dscaler.org/) -- C:\WINDOWS\System32\HCWdlace.ax
[2009/11/08 22:42:31 | 00,036,921 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwutl32.dll
[2009/11/08 22:42:31 | 00,030,720 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwWinTVCI.dll
[2009/11/08 22:42:31 | 00,011,264 | ---- | C] (Hauppauge Computer Works) -- C:\WINDOWS\System32\hcwhook.dll
[2009/11/08 22:42:07 | 00,393,216 | ---- | C] (Snowbound Software Corporation (www.Snowbnd.com)) -- C:\WINDOWS\System32\hcwsnbd9.dll
[2009/11/08 21:36:39 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Documents\WinTV
[2009/11/08 07:38:52 | 00,000,000 | ---D | C] -- C:\Fix
[2009/11/08 07:26:23 | 00,528,896 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
[2009/11/05 06:18:37 | 00,096,256 | ---- | C] (Hauppauge Computer Works, Inc.) -- C:\WINDOWS\System32\hcwcp.ax.hcw
[2009/11/03 20:33:01 | 00,000,000 | ---D | C] -- C:\found.000
[2009/11/03 06:35:52 | 00,000,000 | ---D | C] -- C:\MGtools
[2009/11/03 05:38:44 | 00,472,064 | ---- | C] ( ) -- C:\Documents and Settings\B4BD\Desktop\RootRepeal.exe
[2009/11/02 19:30:16 | 00,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2009/11/02 19:29:48 | 00,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2009/11/02 19:29:48 | 00,000,000 | ---D | C] -- C:\Documents and Settings\B4BD\Application Data\SUPERAntiSpyware.com
[2009/11/02 05:57:24 | 00,000,000 | ---D | C] -- C:\Program Files\Windows Installer Clean Up
[2009/11/01 13:50:28 | 00,000,000 | ---D | C] -- C:\Hauppauge
[2008/01/04 14:36:51 | 00,094,208 | ---- | C] (VSO Software) -- C:\Documents and Settings\B4BD\Application Data\ezplay.sys
[2008/01/04 14:36:27 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\B4BD\Application Data\pcouffin.sys
[2008/01/04 14:36:24 | 02,279,464 | ---- | C] (VSO Software SARL) -- C:\Program Files\PcSetup.exe
[2007/04/05 06:18:52 | 00,348,160 | ---- | C] ( ) -- C:\WINDOWS\System32\lexlog.dll
[2007/04/05 06:18:17 | 00,987,136 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabusb1.dll
[2007/04/05 06:18:17 | 00,671,744 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpmui.dll
[2007/04/05 06:18:16 | 00,569,344 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabiobj.dll
[2007/04/05 06:18:16 | 00,409,600 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabinpa.dll
[2007/04/05 06:18:15 | 01,196,032 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabserv.dll
[2007/04/05 06:18:15 | 00,163,840 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabprox.dll
[2007/04/05 06:18:15 | 00,114,688 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpplc.dll
[2007/04/05 06:18:14 | 01,052,672 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabip1.dll
[2007/04/05 06:18:14 | 00,557,056 | ---- | C] ( ) -- C:\WINDOWS\System32\LMablmpm.dll
[2007/04/05 06:18:14 | 00,532,480 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabpar1.dll
[2007/04/05 06:18:13 | 00,610,304 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabcomc.dll
[2007/04/05 06:18:13 | 00,421,888 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabcomm.dll
[2007/04/05 06:18:13 | 00,335,872 | ---- | C] ( ) -- C:\WINDOWS\System32\LMabhcp.dll
========== Files - Modified Within 14 Days ==========
[2009/11/15 12:35:00 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009/11/15 12:34:58 | 00,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2009/11/15 12:34:49 | 34,875,47392 | -HS- | M] () -- C:\hiberfil.sys
[2009/11/15 12:32:00 | 22,020,096 | ---- | M] () -- C:\Documents and Settings\B4BD\ntuser.dat
[2009/11/15 12:31:36 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\B4BD\ntuser.ini
[2009/11/15 08:46:52 | 45,159,593 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\incavi.avm
[2009/11/15 08:46:37 | 00,092,923 | ---- | M] () -- C:\WINDOWS\System32\drivers\Avg\microavi.avg
[2009/11/15 07:08:46 | 00,003,003 | ---- | M] () -- C:\WINDOWS\win.ini
[2009/11/15 07:08:46 | 00,000,020 | ---- | M] () -- C:\WINDOWS\PM20.INI
[2009/11/14 21:58:50 | 00,000,277 | ---- | M] () -- C:\WINDOWS\system.ini
[2009/11/14 21:20:04 | 00,102,660 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\SystemLook.exe
[2009/11/14 17:43:14 | 00,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2009/11/14 17:19:43 | 03,559,909 | R--- | M] () -- C:\Documents and Settings\B4BD\Desktop\ComboFix.exe
[2009/11/14 16:17:33 | 00,077,312 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\mbr.exe
[2009/11/14 06:19:26 | 00,012,598 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2009/11/14 01:47:57 | 00,260,608 | ---- | M] () -- C:\WINDOWS\PEV.exe
[2009/11/13 20:05:23 | 00,843,167 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\SecurityCheck.exe
[2009/11/12 05:59:25 | 00,001,840 | -H-- | M] () -- E:\Data\Default.rdp
[2009/11/11 09:20:49 | 00,291,840 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\ftw126s4.exe
[2009/11/11 06:51:33 | 00,001,736 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/11 06:42:25 | 00,000,256 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\pool.bin
[2009/11/11 06:08:05 | 03,762,218 | -H-- | M] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\IconCache.db
[2009/11/10 06:29:46 | 00,001,843 | ---- | M] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
[2009/11/09 21:23:22 | 00,000,174 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Fix2.url
[2009/11/09 21:22:39 | 00,000,144 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Fix1.url
[2009/11/09 09:51:39 | 00,360,584 | ---- | M] (AVG Technologies CZ, s.r.o.) -- C:\WINDOWS\System32\drivers\avgtdix.sys
[2009/11/09 06:18:17 | 00,001,489 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV Radio.lnk
[2009/11/08 22:44:36 | 00,006,542 | ---- | M] () -- C:\WINDOWS\HCWPNP.INI
[2009/11/08 22:42:32 | 00,004,161 | ---- | M] () -- C:\WINDOWS\ODBCINST.INI
[2009/11/08 22:42:32 | 00,000,717 | ---- | M] () -- C:\WINDOWS\ODBC.INI
[2009/11/08 22:42:11 | 00,000,645 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\WinTV.lnk
[2009/11/08 07:26:24 | 00,528,896 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\B4BD\Desktop\OTL.exe
[2009/11/05 06:18:26 | 00,000,489 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Install WinTV 7 CD 1.2a.lnk
[2009/11/04 20:35:54 | 00,001,555 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\CCleaner.lnk
[2009/11/04 08:23:51 | 00,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2009/11/03 06:40:43 | 00,197,676 | ---- | M] () -- C:\MGlogs.zip
[2009/11/03 05:41:39 | 00,000,015 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\settings.dat
[2009/11/01 22:01:09 | 00,000,674 | ---- | M] () -- C:\Documents and Settings\B4BD\Desktop\Shortcut to HijackThis.exe.lnk
[2009/11/01 16:35:55 | 00,000,156 | ---- | M] () -- C:\WINDOWS\Twunk001.MTX
[2009/11/01 16:35:55 | 00,000,005 | ---- | M] () -- C:\WINDOWS\Twain001.Mtx
========== Files Created - No Company Name ==========
[2009/11/14 21:20:04 | 00,102,660 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\SystemLook.exe
[2009/11/14 17:23:16 | 00,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2009/11/14 17:17:59 | 03,559,909 | R--- | C] () -- C:\Documents and Settings\B4BD\Desktop\ComboFix.exe
[2009/11/14 16:17:33 | 00,077,312 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\mbr.exe
[2009/11/13 20:05:21 | 00,843,167 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\SecurityCheck.exe
[2009/11/11 16:15:34 | 34,875,47392 | -HS- | C] () -- C:\hiberfil.sys
[2009/11/11 09:20:48 | 00,291,840 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\ftw126s4.exe
[2009/11/11 06:23:09 | 00,001,736 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Desktop Manager.lnk
[2009/11/10 06:36:50 | 00,000,725 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Search Everything.lnk
[2009/11/10 06:29:45 | 00,001,843 | ---- | C] () -- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\APC UPS Status.lnk
[2009/11/10 05:43:20 | 00,000,256 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\pool.bin
[2009/11/09 21:22:48 | 00,000,174 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Fix2.url
[2009/11/09 21:22:20 | 00,000,144 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Fix1.url
[2009/11/08 22:46:05 | 00,001,489 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV Radio.lnk
[2009/11/08 22:43:17 | 00,046,680 | ---- | C] () -- C:\WINDOWS\System32\HCWTVServer.tlb
[2009/11/08 22:42:31 | 00,413,696 | ---- | C] () -- C:\WINDOWS\System32\HCWChMgr.ocx
[2009/11/08 22:42:31 | 00,163,840 | ---- | C] () -- C:\WINDOWS\System32\hcwChDB.dll
[2009/11/08 22:42:31 | 00,023,304 | ---- | C] () -- C:\WINDOWS\System32\HcwChDB.tlb
[2009/11/08 22:42:11 | 00,000,645 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\WinTV.lnk
[2009/11/08 22:41:31 | 00,006,542 | ---- | C] () -- C:\WINDOWS\HCWPNP.INI
[2009/11/05 06:18:37 | 00,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll.hcw
[2009/11/05 06:18:26 | 00,000,489 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Install WinTV 7 CD 1.2a.lnk
[2009/11/03 06:37:07 | 00,197,676 | ---- | C] () -- C:\MGlogs.zip
[2009/11/03 05:39:26 | 00,000,015 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\settings.dat
[2009/11/01 22:01:09 | 00,000,674 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Shortcut to HijackThis.exe.lnk
[2009/11/01 17:48:01 | 00,001,473 | ---- | C] () -- C:\Documents and Settings\B4BD\Desktop\Media Center.lnk
[2009/09/03 05:49:04 | 00,017,664 | ---- | C] () -- C:\WINDOWS\System32\drivers\OXUDIDRV_X32.sys
[2009/08/20 17:36:39 | 00,168,448 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2009/08/20 17:36:38 | 00,000,038 | ---- | C] () -- C:\WINDOWS\avisplitter.ini
[2009/08/20 17:36:33 | 00,085,504 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2009/08/20 17:36:33 | 00,000,547 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll.manifest
[2009/07/06 18:52:57 | 00,037,728 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\Comma Separated Values (Windows).ADR
[2009/06/30 05:05:56 | 00,000,032 | ---- | C] () -- C:\WINDOWS\gca631.INI
[2009/05/12 21:28:34 | 00,066,048 | ---- | C] () -- C:\WINDOWS\System32\hcwxds.dll
[2009/05/09 06:43:00 | 00,000,010 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2009/02/20 06:13:54 | 00,872,448 | ---- | C] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\filesync.metadata
[2009/01/15 08:00:34 | 00,000,772 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\KiwiLogFileViewer.ini
[2009/01/15 08:00:34 | 00,000,000 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\KiwiLogFileViewer.ini
[2009/01/11 21:50:03 | 00,000,038 | ---- | C] () -- C:\WINDOWS\camcodec100.ini
[2009/01/09 15:25:19 | 00,000,012 | ---- | C] () -- C:\WINDOWS\dirsaver.ini
[2008/12/23 07:33:18 | 00,053,299 | ---- | C] () -- C:\WINDOWS\System32\pthreadVC.dll
[2008/11/25 21:20:43 | 00,000,035 | ---- | C] () -- C:\WINDOWS\dice.ini
[2008/11/24 06:26:59 | 00,000,247 | ---- | C] () -- C:\WINDOWS\phedit.ini
[2008/11/15 09:50:34 | 00,001,293 | ---- | C] () -- C:\WINDOWS\MultiTimer.ini
[2008/11/03 06:04:53 | 00,000,026 | ---- | C] () -- C:\WINDOWS\COOWIZCK.INI
[2008/11/03 06:03:56 | 00,000,042 | ---- | C] () -- C:\WINDOWS\coowiz20.ini
[2008/10/02 02:53:12 | 00,528,384 | ---- | C] () -- C:\WINDOWS\System32\BladeEnc.dll
[2008/10/02 02:53:12 | 00,120,832 | ---- | C] () -- C:\WINDOWS\System32\ShnDll32.dll
[2008/08/15 21:31:27 | 00,000,018 | ---- | C] () -- C:\WINDOWS\phsrch5.ini
[2008/06/30 07:30:48 | 00,000,703 | ---- | C] () -- C:\WINDOWS\NewsRover.INI
[2008/06/10 21:05:07 | 00,000,023 | ---- | C] () -- C:\Documents and Settings\B4BD\Local Settings\Application Data\kodakpcd.ini
[2008/05/29 21:00:11 | 00,000,549 | ---- | C] () -- C:\WINDOWS\gmer.ini
[2008/05/29 21:00:04 | 00,819,200 | ---- | C] () -- C:\WINDOWS\gmer.dll
[2008/04/26 06:08:22 | 00,120,376 | ---- | C] () -- C:\WINDOWS\System32\rrsec.dll
[2008/04/10 19:00:08 | 00,000,032 | ---- | C] () -- C:\WINDOWS\CD_Start.INI
[2008/03/26 03:27:37 | 00,000,525 | ---- | C] () -- C:\WINDOWS\my.ini
[2008/01/27 11:57:45 | 00,061,440 | ---- | C] () -- C:\WINDOWS\System32\cygz.dll
[2008/01/27 11:57:45 | 00,007,196 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AAC.ini
[2008/01/27 11:57:45 | 00,006,490 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PSP.ini
[2008/01/27 11:57:45 | 00,005,028 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP2_AAC.ini
[2008/01/27 11:57:45 | 00,004,296 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Zune.ini
[2008/01/27 11:57:45 | 00,003,045 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPod.ini
[2008/01/27 11:57:45 | 00,002,956 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PMP.ini
[2008/01/27 11:57:45 | 00,002,910 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_3GP_AMR.ini
[2008/01/27 11:57:45 | 00,002,516 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_PPC.ini
[2008/01/27 11:57:45 | 00,002,175 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_iPhone.ini
[2008/01/27 11:57:45 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QVGA_AAC.ini
[2008/01/27 11:57:45 | 00,001,964 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP2_QCIF_AAC.ini
[2008/01/27 11:57:45 | 00,001,878 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_Xbox.ini
[2008/01/27 11:57:45 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AMR.ini
[2008/01/27 11:57:45 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QCIF_AAC.ini
[2008/01/27 11:57:45 | 00,001,739 | ---- | C] () -- C:\WINDOWS\System32\INI_Pro_AppleTV.ini
[2008/01/27 11:57:45 | 00,000,036 | ---- | C] () -- C:\WINDOWS\System32\INI_Add_mfra.ini
[2008/01/27 11:57:44 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AMR.ini
[2008/01/27 11:57:44 | 00,001,814 | ---- | C] () -- C:\WINDOWS\System32\INI_QT_3GPP_QVGA_AAC.ini
[2008/01/19 08:10:04 | 00,000,068 | ---- | C] () -- C:\WINDOWS\xpsyspad.ini
[2008/01/04 14:36:51 | 00,007,861 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.cat
[2008/01/04 14:36:51 | 00,001,103 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.inf
[2008/01/04 14:36:51 | 00,000,125 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\ezplay.ini
[2008/01/04 14:36:27 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\pcouffin.cat
[2008/01/04 14:36:27 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\B4BD\Application Data\pcouffin.inf
[2007/12/31 07:15:22 | 00,028,672 | ---- | C] () -- C:\WINDOWS\System32\M05.Support.Mjpeg.dll
[2007/11/28 21:09:20 | 00,001,024 | RH-- | C] () -- C:\WINDOWS\System32\NTIDIB4.dll
[2007/10/08 18:27:58 | 00,237,568 | ---- | C] () -- C:\WINDOWS\System32\lame_enc.dll
[2007/10/08 18:13:37 | 00,029,696 | ---- | C] () -- C:\WINDOWS\System32\unsxkic.dll
[2007/10/08 18:13:37 | 00,027,650 | ---- | C] () -- C:\WINDOWS\System32\s3pitwa.dll
[2007/10/08 18:13:37 | 00,026,626 | ---- | C] () -- C:\WINDOWS\System32\tapiinh.dll
[2007/09/17 07:04:54 | 00,394,240 | ---- | C] () -- C:\WINDOWS\System32\Smab.dll
[2007/09/17 07:04:51 | 00,027,648 | ---- | C] () -- C:\WINDOWS\System32\AVSredirect.dll
[2007/08/20 16:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dtu100.dll.manifest
[2007/08/20 16:26:52 | 00,000,416 | ---- | C] () -- C:\WINDOWS\System32\dpl100.dll.manifest
[2007/08/15 14:33:14 | 03,596,288 | ---- | C] () -- C:\WINDOWS\System32\qt-dx331.dll
[2007/08/15 14:30:26 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\DivXWMPExtType.dll
[2007/07/29 06:12:55 | 00,000,081 | ---- | C] () -- C:\WINDOWS\USRWIZ.INI
[2007/06/10 20:20:12 | 00,004,053 | ---- | C] () -- C:\WINDOWS\32bifax.ini
[2007/05/10 20:25:42 | 00,881,664 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2007/05/10 20:25:42 | 00,205,824 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2007/04/15 10:01:04 | 00,000,219 | ---- | C] () -- C:\WINDOWS\ngmap.ini
[2007/04/14 13:44:17 | 00,000,080 | ---- | C] () -- C:\WINDOWS\encore_launcher.ini
[2007/03/24 21:08:49 | 00,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2007/03/05 20:14:27 | 00,000,000 | ---- | C] () -- C:\WINDOWS\pp.ini
[2007/03/05 13:34:28 | 00,693,792 | ---- | C] () -- C:\WINDOWS\System32\OGACheckControl.DLL
[2007/02/18 07:57:03 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2007/02/18 06:57:10 | 00,000,823 | ---- | C] () -- C:\WINDOWS\tsc.ini
[2007/02/18 06:57:09 | 00,071,749 | ---- | C] () -- C:\WINDOWS\hcextoutput.dll
[2007/02/18 06:56:29 | 00,000,170 | ---- | C] () -- C:\WINDOWS\GetServer.ini
[2007/02/11 05:19:33 | 00,001,178 | ---- | C] () -- C:\WINDOWS\ARCHPR.INI
[2007/01/12 20:10:40 | 00,172,056 | ---- | C] () -- C:\WINDOWS\System32&
-
Daemon tools can definitely interfere with Windows Updates and getting into safe mode
It is probably also the reason we were seeing infected MBR in ComboFix
I have been uninstalling a few apps to clean up the list of ones I don't use.
What other applications did you remove beside Daemon tools?
I'm getting confused as to where we stand right now
Don't do anything else for now but the below
Can you do the following:
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
:reg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
-
I deleted some media converter programs and time management tools that I haven't used. Let me know if you need a list.
Here's scan log-
SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 13:30 on 15/11/2009 by B4BD (Administrator - Elevation successful)
========== reg ==========
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Acronis Scheduler2 Service"=""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe""
"AcronisTimounterMonitor"=""C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe""
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe"
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background"
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe"
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe"
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe"
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"
"OutpostFeedBack"=""C:\Program Files\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup"
"OutpostMonitor"=""C:\PROGRA~1\Agnitum\OUTPOS~1\op_mon.exe" /tray /noservice"
"SysTrayApp"="%ProgramFiles%\IDT\WDM\sttray.exe"
"TrueImageMonitor.exe"=""C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
-=End Of File=-
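As an added worked example (not code posted by anyone in this thread), here is a small Python parser for the SystemLook `:reg` output above. Reading the Run key by eye is error-prone because the value data comes in several shapes: a double-quoted path, an 8.3 short path, an unquoted path followed by switches, a quoted path followed by switches, and a `%ProgramFiles%` reference. The parser resolves each value to the executable it actually launches, and `find_missing_images` flags entries whose executable a caller-supplied lookup cannot find, which is how a leftover entry such as the "Malwarebytes Anti-Malware (reboot)" value stands out. The sample log is constructed from the lines posted above, the `%ProgramFiles%` value is assumed for the sample, and the "present files" set in the demo is constructed rather than read from a real disk.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: a subset of the SystemLook ":reg" lines posted in the
# thread, chosen to cover each value-data shape the parser has to handle.
SAMPLE_LOG = r'''
========== reg ==========
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Acronis Scheduler2 Service"=""C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe""
"AVG9_TRAY"="C:\PROGRA~1\AVG\AVG9\avgtray.exe"
"BlackBerryAutoUpdate"="C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background"
"Malwarebytes Anti-Malware (reboot)"=""C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript"
"SysTrayApp"="%ProgramFiles%\IDT\WDM\sttray.exe"
-=End Of File=-
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
# "Name"="data" or @="data" (the key's default value). The outer quotes are
# SystemLook's own; everything between them is the raw REG_SZ data.
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))="(?P<data>.*)"$')
# For unquoted data: the shortest prefix ending in a program extension is the
# image, the remainder (if any) is the argument string.
IMAGE_RE = re.compile(
    r'^(?P<image>.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s+(?P<args>.*))?$', re.IGNORECASE)


@dataclass
class RunEntry:
    key: str    # registry key the value lives under
    name: str   # value name
    data: str   # raw value data as SystemLook printed it
    image: str  # executable the data resolves to
    args: str   # remaining command-line arguments


def expand_env(s: str, env: Dict[str, str]) -> str:
    """Expand %VAR% references using a caller-supplied map (keys lower-cased)."""
    return re.sub(r'%([^%]+)%', lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def split_command_line(data: str, env: Dict[str, str]) -> Tuple[str, str]:
    """Separate the executable from its arguments: a leading double quote
    delimits the path; otherwise fall back to IMAGE_RE, then to the first token."""
    data = expand_env(data, env).strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        if end == -1:
            return data[1:], ""
        return data[1:end], data[end + 1:].strip()
    m = IMAGE_RE.match(data)
    if m:
        return m.group('image'), m.group('args') or ""
    parts = data.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_systemlook_reg(text: str, env: Optional[Dict[str, str]] = None) -> List[RunEntry]:
    """Parse SystemLook ':reg' output into RunEntry records, skipping empty values."""
    env = {k.lower(): v for k, v in (env or {}).items()}
    entries: List[RunEntry] = []
    key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = VALUE_RE.match(line)
        if vm is None or key is None:
            continue  # banner lines, "-=End Of File=-", anything outside a key
        data = vm.group('data')
        if not data:
            continue  # e.g. the empty default value under the "run-" key
        name = vm.group('name') if vm.group('name') is not None else '(Default)'
        image, args = split_command_line(data, env)
        entries.append(RunEntry(key, name, data, image, args))
    return entries


def find_missing_images(entries: List[RunEntry],
                        exists: Callable[[str], bool]) -> List[RunEntry]:
    """Return autostart entries whose executable the predicate cannot find.
    On a live system pass os.path.isfile; offline, pass a lookup into a file listing."""
    return [e for e in entries if not exists(e.image)]


if __name__ == "__main__":
    env = {"ProgramFiles": r"C:\Program Files"}  # assumed value for this sample
    entries = parse_systemlook_reg(SAMPLE_LOG, env)
    # Constructed file listing: every image except mbam.exe is treated as present,
    # so the stale Malwarebytes reboot entry is the one that gets flagged.
    present = {e.image.lower() for e in entries if not e.image.lower().endswith("mbam.exe")}
    for e in entries:
        print(f"{e.name:36} {e.image}  {e.args}")
    for e in find_missing_images(entries, lambda p: p.lower() in present):
        print("missing image:", e.name, "->", e.image)
```

On the live machine the natural predicate is `os.path.isfile`; against a log-only case like this thread, a set built from the OTL file listings works the same way. Unquoted paths containing spaces are genuinely ambiguous to Windows as well, so an entry resolving to a path that fails the lookup deserves a second look rather than an automatic deletion.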
-
Ok, looks like it didn't work with OTL
Can you do the following:
Right click on Outpost Firewall icon by the clock and select
Firewall Policy
Then choose Disable
This should stop Outpost from interfering
Then run the following again, if you couldn't run it earlier
START>>RUN
Copy/paste the following then hit OK
combofix /u
Afterwards
We need to update a couple of your programs to ensure we plug some security holes malware can exploit
Open Adobe Reader, click on HELP>>Check for Updates
Update the software
Afterwards: Close down all browser windows
Access your Add and Remove Programs
uninstall both the following:
Java™ 6 Update 15
Java™ 6 Update 13
We'll update these in a bit
Come back here
Double click on OTL.exe to run it. Under the Custom Scans/Fixes box at the bottom, copy/paste in the following from the quote box below. Don't include the word Quote please.
:Reg
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Malwarebytes Anti-Malware (reboot)"=-
- Then click the Run Fix button at the top
- Let the program run unhindered, reboot the PC when it is done
On startup, Allow OTL to run if prompted
please post the log that OTL produces
A copy of this log can also be found in
C:\_OTL\Moved Files folder
You can reenable Outpost protection
[quote]I deleted some media converter programs and time management tools that I haven't used. Let me know if you need a list.[/quote]
Yes please, I want to ensure there are no leftovers in OTL log
Do you know the programs off hand?
We'll update Sun Java next step
Just do the above for now
-
[quote name='guestolo' post='466332' date='Nov 15 2009, 02:08 PM']This should stop Outpost from interfering
Then run the following again, if you couldn't run it earlier
START>>RUN
Copy/paste the following then hit OK
combofix /u[/quote]
ComboFix didn't uninstall again. I had to use "suspend protection" to get Outpost to stop asking.
I'm updating Reader right now. Do you want the ComboFix log?
-
Sure post the log, but I need you to do the rest of the instructions
-
I'm just about to run OTL
Here's the programs I removed
My Sirius Studio
Presto! PageManager 6
Replay Screencast 1.21
Scott's Wallpaper Switcher v 1.1
Software Virtualization Trinket
Task Coach 0.71.3
version 3.5 (which was also WinXMedia converter - was in here twice)
WinXMedia DVD MPEG/AVI/Audio Converter 3.5
Here's the last CF Log
ComboFix 09-11-15.01 - B4BD 15/11/2009 14:28.6.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2511 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
Command switches used :: /u
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.
((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.
2009-11-15 07:18 . 2009-11-15 07:18 -------- d-----w- C:\_OTL
2009-11-14 16:21 . 2009-11-09 17:51 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-15 13:17 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-15 16:46 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 22:25 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-15 15:40 . 2007-01-06 00:43 -------- d-----w- c:\program files\WinXMedia
2009-11-15 15:08 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-15 14:59 . 2007-09-19 05:18 -------- d-----w- c:\program files\Sirius
2009-11-15 00:54 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-14 16:05 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-11-13_05.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 20:35 . 2009-11-15 20:35 16384 c:\windows\temp\Perflib_Perfdata_8d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]
c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]
c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp
R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;
S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]
--- Other Services/Drivers In Memory ---
*Deregistered* - mbr
*Deregistered* - PROCEXP113
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]
2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-15 14:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(1956)
c:\windows\system32\relog_ap.dll
- - - - - - - > 'explorer.exe'(2696)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-15 14:43
ComboFix-quarantined-files.txt 2009-11-15 22:43
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-15 06:02
ComboFix3.txt 2009-11-15 04:51
ComboFix4.txt 2009-11-15 01:51
ComboFix5.txt 2009-11-15 22:26
Pre-Run: 34,553,495,552 bytes free
Post-Run: 34,497,843,200 bytes free
- - End Of File - - ADEFF2D621F920CE9BE0E6C4F9DE4E8E
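The ComboFix listing above is long, and a helper usually triages it by attribute rather than by reading every line. The following is an added example, not part of this thread or of ComboFix, of how to parse those file lines and pull out the entries worth a second look: non-directory files under system32 carrying both the hidden and system attributes, grouped by shared last-write time. The sample lines are copied from the log above; the assumption that the first timestamp column is creation time and the second last-write time follows the "Files Created from ... to ..." heading and is an interpretation, not something ComboFix documents on this page.

```python
import re
from collections import OrderedDict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ComboFix log above, plus a section
# header and the "." spacer lines ComboFix emits, so the parser must skip them.
SAMPLE_LISTING = r"""
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 07:18 . 2009-11-15 07:18 -------- d-----w- C:\_OTL
2009-11-15 15:08 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.
"""

# One ComboFix file line: "<ts1> . <ts2> <size|--------> <attrs> <path>".
# Assumption: ts1 is creation time and ts2 last-write time (as the
# "Files Created from ... to ..." heading suggests).
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>-+|\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+)$"
)

BACKSLASH = "\\"


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]   # None for directories (ComboFix prints dashes)
    attrs: str            # e.g. "----a-w-", "--sh--r-", "d-----w-"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs.startswith("d")

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_combofix_listing(text: str) -> List[Entry]:
    """Return the file entries of a ComboFix listing section, skipping headers,
    spacer lines and anything else that is not a file line."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"])
        entries.append(Entry(m["created"], m["modified"], size, m["attrs"], m["path"]))
    return entries


def hidden_system_files(entries: List[Entry], under: str = "\\windows\\system32\\") -> List[Entry]:
    """Files (not directories) below `under` carrying both hidden and system
    attributes. Legitimate files can carry them too: this is a review list,
    not a verdict."""
    return [e for e in entries
            if not e.is_dir and e.hidden and e.system and under in e.path.lower()]


def timestamp_clusters(entries: List[Entry], min_size: int = 2) -> "OrderedDict[str, List[str]]":
    """Group entries by last-write time and keep groups of at least `min_size`:
    unrelated-looking files written in the same minute are checked together."""
    groups: Dict[str, List[str]] = OrderedDict()
    for e in entries:
        groups.setdefault(e.modified, []).append(e.path)
    return OrderedDict((ts, p) for ts, p in groups.items() if len(p) >= min_size)


def triage(text: str) -> Dict:
    entries = parse_combofix_listing(text)
    flagged = hidden_system_files(entries)
    return {
        "entries": len(entries),
        "flagged": [e.path for e in flagged],
        "clusters": timestamp_clusters(flagged),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LISTING)
    print(f"{report['entries']} entries parsed, "
          f"{len(report['flagged'])} hidden+system files under system32")
    for ts, paths in report["clusters"].items():
        names = ", ".join(p.rsplit(BACKSLASH, 1)[-1] for p in paths)
        print(f"  written {ts}: {names}")
```

On the sample the three `--sh--r-` DLLs come out as one cluster sharing the last-write minute 2009-08-17 05:09, which is exactly the kind of grouping a helper would verify (vendor, hash, what dropped them) rather than assume anything about.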
-
ComboFix isn't reporting infected MBR anymore since the total removal of Daemon tools and its registry fix
Please complete the rest of the instructions from my last reply
Don't worry about uninstalling ComboFix for now
-
Here's the OTL Log. And by the way, I didn't download a new Combofix when I ran the last one in case that's an issue.
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-\ deleted successfully.
Registry value HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\\Malwarebytes Anti-Malware (reboot) deleted successfully.
OTL by OldTimer - Version 3.1.4.0 log created on 11152009_150040
-
Here's the OTL Log. And by the way, I didn't download a new Combofix when I ran the last one in case that's an issue.
No, that's ok
We're just about done here, just a couple more steps
Stay with me, I want to try installing SP3 later, don't try yet
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6 (http://java.sun.com/javase/downloads/index.jsp).
- Scroll down to where it says "JRE 6 Update 17".
- Click the "Download" button to the right.
- In the Window that opens, select Windows, beside PLATFORM:>>Check the "agree" box and click Continue.
- Click on the link to download Windows Offline Installation and save to your desktop.
- Then from your desktop double click on jre-6u17-windows-i586.exe that you downloaded, to install the newest version.
NOTE: Java may install a Quick Starter service to run on startup which is really not needed
After installation, simply open the Java icon in Control Panel
Under Advanced tab, expand Miscellaneous, untick "Java Quick Starter" if selected
Apply and Ok it, then exit the Java control panel
A reboot will be required to properly disable the Quick Starter service
We'll reboot later
After you have installed the latest version of Java
I want to see one more log from ComboFix
Navigate to the following folder
C:\Qoobox>>this is created by ComboFix
Inside that folder look for this file
ComboFix-quarantined-files.txt
Can you post the contents
I just want to check to see that ComboFix didn't remove a file related to Outpost
-
All Done. Took a little longer. The Java install had error 25099. Sun's not sure of the reason for it (could not unzip package) but they have a fix that works (delete the \jre6 contents). Obviously not an MS program.
Here's the log you requested.
2009-11-15 01:24:57 . 2009-11-15 01:24:57 0 ----a-w- C:\Qoobox\Quarantine\catchme.txt
2009-11-01 20:38:08 . 2009-11-01 20:38:08 1,548 ----a-w- C:\Qoobox\Quarantine\Registry_backups\AddRemove-Audio Record Wizard_is1.reg.dat
2009-11-01 20:37:44 . 2009-11-01 20:37:44 4,212 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-AutorunsDisabled.reg.dat
2009-11-01 20:09:03 . 2009-11-15 22:26:34 510 ----a-w- C:\Qoobox\Quarantine\catchme.log
2009-01-26 23:37:48 . 2009-01-26 23:37:48 1,592 ----a-w- C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2009-01-26 23:28:42 . 2009-11-15 22:35:53 19,831 ----a-w- C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-25 14:16:29 . 2008-11-25 14:23:39 75 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\mp3codec32win.dll.vir
2008-01-04 22:36:27 . 2008-01-04 22:36:51 87,608 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\B4BD\Application Data\inst.exe.vir
2007-02-18 14:56:25 . 2007-02-18 14:56:25 286,720 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\PATCH.EXE.vir
2006-05-19 13:34:19 . 2006-03-21 03:23:12 23,040 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\kb913800.exe.vir
-
I need to go out for about an hour. Will be right back.
-
Good work, I take it you got Java installed then
Go ahead and delete ComboFix on your desktop and cfscript.txt
Delete SystemLook.exe and its text file systemlook.txt on desktop
Delete MBR.exe on desktop
Delete ComboFix related folder
C:\Qoobox
and its text files created in the C:\ folder
ComboFix091101.txt
ComboFix2.txt
ComboFix3.txt
ComboFix4.txt
ComboFix5.txt
You can also delete OTL.exe on desktop and its folder
C:\_OTL
Please download OTC.exe (http://oldtimer.geekstogo.com/OTC.exe) by OldTimer:
- Save it to your Desktop.
- Double click OTC.exe.
- Click the CleanUp! button.
- If you are prompted to Reboot during the cleanup, select Yes.
- The tool will delete itself once it finishes.
Ensure Outpost does not interfere with this process
Prepare your computer for SP3
You have CCleaner installed, can you open it and use "Run Cleaner" to clean temp files, etc
Run Disk Defragmenter on your C: drive
START>>All Programs>>Accessories>>System tools>>Disk Defragmenter
Select C: drive and then Defragment
Let this finish, when done, you can defragment any other Volume you wish, but I'm more concerned about C: at the moment
When finished
Reboot the computer
I suggest that you try the complete Network install of SP3
If you have High speed internet, it shouldn't take too long to download
Go to the following link:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5B33B5A8-5E76-401F-BE08-1E1555D4F3D4&displaylang=en
Select the Download button and save the installer to your desktop, don't install yet
Instead: Temporarily disable Outpost and AVG protections so they won't interfere with this install
With AVG, do the following
- Click on Open AVG Interface.
- Double click on Resident Shield
- Deselect the option to "Enable Resident Shield."
- Save changes, and exit the application.
Now try installing Service pack 3 from the installer on desktop
Follow the prompts, reboot when required
When done, enable protections with Outpost and AVG
Come back here and let me know how things are running
-
Quote from guestolo (post 466341, Nov 15 2009, 04:05 PM): Good work, I take it you got Java installed then
I did.
I'm going to also make another disk image before I install SP3, I've found it the simplest way to get back to work if it fails.
-
Well, we've found a different way for SP3 to fail at least. It's never had this problem before for me.
Before I get into that I wanted to mention that the last couple of days (since before I installed a few apps) I've noticed an InstallShield process running after bootup all the time - IDriverT.exe. Can't find where it loads from yet.
SP3 - I downloaded the fullfile version (I already had a copy but thought we'd go fresh) and followed all the other steps and ran the installer. It ran for a while and ran into problems while copying the new files into the system directories with an "Access Denied" screen - no more info than that. Then a window saying the install didn't complete and it was going to undo the changes. After that it says the install didn't complete and XP has been partially updated and may not work properly. Exit that and the system reboots.
The install extracted the install files to a temp directory on one of my removable drives I noticed (I've noticed that happening with some installers for a while). I thought that might be an issue so just to be sure I shut down and disconnected all that kind of stuff, started up again and had another try at installing SP3. Got the same result.
I'm now running back on my image from before the SP installs. I made an image of the disk after those attempts for reference. I can mount them and get at files easy enough.
Here is a segment of the updspapi.log. Didn't put it all in here as it's the same stuff happening over and over with all the files. This just shows what is going on before, during and after the errors occur.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wuauserv.dl_" to "C:\WINDOWS\system32\wuauserv.dll" via temporary file "C:\WINDOWS\system32\SET128E.tmp".
#W190 File "C:\WINDOWS\system32\SET128E.tmp" marked to be moved to "C:\WINDOWS\system32\wuauserv.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wscsvc.dl_" to "C:\WINDOWS\system32\wscsvc.dll" via temporary file "C:\WINDOWS\system32\SET1291.tmp".
#W190 File "C:\WINDOWS\system32\SET1291.tmp" marked to be moved to "C:\WINDOWS\system32\wscsvc.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\wscntfy.ex_" to "C:\WINDOWS\system32\wscntfy.exe" via temporary file "C:\WINDOWS\system32\SET1292.tmp".
#W190 File "C:\WINDOWS\system32\SET1292.tmp" marked to be moved to "C:\WINDOWS\system32\wscntfy.exe" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\winhttp.dl_" to "C:\WINDOWS\system32\winhttp.dll" via temporary file "C:\WINDOWS\system32\SET1296.tmp".
#W190 File "C:\WINDOWS\system32\SET1296.tmp" marked to be moved to "C:\WINDOWS\system32\winhttp.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\sbeio.dl_" to "C:\WINDOWS\system32\sbeio.dll" via temporary file "C:\WINDOWS\system32\SET12AA.tmp".
#W190 File "C:\WINDOWS\system32\SET12AA.tmp" marked to be moved to "C:\WINDOWS\system32\sbeio.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\msctfime.im_" to "C:\WINDOWS\system32\msctfime.ime" via temporary file "C:\WINDOWS\system32\SET12C6.tmp".
#W190 File "C:\WINDOWS\system32\SET12C6.tmp" marked to be moved to "C:\WINDOWS\system32\msctfime.ime" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\encapi.dl_" to "C:\WINDOWS\system32\encapi.dll" via temporary file "C:\WINDOWS\system32\SET12F2.tmp".
#W190 File "C:\WINDOWS\system32\SET12F2.tmp" marked to be moved to "C:\WINDOWS\system32\encapi.dll" on next reboot.
#-336 Copying file "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\ip\tabletoc.dl_" to "C:\WINDOWS\system32\Setup\tabletoc.dll" via temporary file "C:\WINDOWS\system32\Setup\SET1353.tmp".
#W190 File "C:\WINDOWS\system32\Setup\SET1353.tmp" marked to be moved to "C:\WINDOWS\system32\Setup\tabletoc.dll" on next reboot.
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
#E065 Parsing AddReg section [Product.Add.Reg] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E064 Parsing install section [ProductInstall.GlobalRegistryChanges.Install] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
#E065 Parsing AddReg section [Product.Add.Reg] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
#E064 Parsing install section [ProductInstall.GlobalRegistryChanges.Install] in "f:\eebc62828ee80c1a3dd9fbb8fd7700\i386\update\update.inf" failed. Error 5: Access is denied.
[2009/11/16 04:31:25 2056.1]
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msader15.dll" to "c:\program files\common files\system\ado\msader15.dll" via temporary file "c:\program files\common files\system\ado\SET1413.tmp".
#W190 File "c:\program files\common files\system\ado\SET1413.tmp" marked to be moved to "c:\program files\common files\system\ado\msader15.dll" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado15.dll" to "c:\program files\common files\system\ado\msado15.dll" via temporary file "c:\program files\common files\system\ado\SET1414.tmp".
#W190 File "c:\program files\common files\system\ado\SET1414.tmp" marked to be moved to "c:\program files\common files\system\ado\msado15.dll" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado20.tlb" to "c:\program files\common files\system\ado\msado20.tlb" via temporary file "c:\program files\common files\system\ado\SET1415.tmp".
#W190 File "c:\program files\common files\system\ado\SET1415.tmp" marked to be moved to "c:\program files\common files\system\ado\msado20.tlb" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado21.tlb" to "c:\program files\common files\system\ado\msado21.tlb" via temporary file "c:\program files\common files\system\ado\SET1416.tmp".
#W190 File "c:\program files\common files\system\ado\SET1416.tmp" marked to be moved to "c:\program files\common files\system\ado\msado21.tlb" on next reboot.
#-336 Copying file "C:\WINDOWS\$NtServicePackUninstall$\msado25.tlb" to "c:\program files\common files\system\ado\msado25.tlb" via temporary file "c:\program files\common files\system\ado\SET1417.tmp".
-
It ran for a while and ran into problems while copying the new files into the system directories, with an "Access Denied" screen and no more info than that.
Thanks for the info
The install extracted the install files to a temp directory on one of my removable drives I noticed (I've noticed that happening with some installers for a while). I thought that might be an issue so just to be sure I shut down and disconnected all that kind of stuff, started up again and had another try at installing SP3. Got the same result.
My bad, I should have asked you to remove any removable devices from the computer before you started the installation.
Can you try the following
Run CCleaner again removing temp files, etc...
Afterwards
I'm concerned about the following entry
#E008 Setting registry value HKCR\.xbm\PersistentHandler
#E033 Error 5: Access is denied.
Since you have a backup from Acronis (by the way, I have it installed on my laptop)
Can you go to START>>RUN>>Type in regedit
Then hit OK
Navigate to the following key
HKEY_CLASSES_ROOT\.xbm\PersistentHandler
In the registry editor
Right click on PersistentHandler and select Permissions
Under Group or user names
ensure that Administrators is highlighted
Under Permissions for Administrators, make sure that the Allow check box for the following entries is selected:
Full Control
Read
Click Apply, and then click OK.
Do the same for its parent key HKEY_CLASSES_ROOT\.xbm
If it's not set this way
Exit the registry editor
Disconnect all external removable devices from your computer
Temporarily disable protections from Outpost and AVG
Then try the SP3 install again, if no luck, we can try some other steps
-
[quote name='guestolo' post='466363' date='Nov 16 2009, 11:32 AM']Navigate to the following key
HKEY_CLASSES_ROOT\.xbm\PersistentHandler
Do the same for its parent key HKEY_CLASSES_ROOT\.xbm[/quote]
HKEY_CLASSES_ROOT\.xbm\PersistentHandler - SubKey Does not exist
Only key under \.xbm is - \OpenWithProgIds that contains only the value name "Opera.Image"
-
Is HKEY_CLASSES_ROOT\.xbm
Set to Allow for Administrators in the registry
For both Full Control and Read?
-
[quote name='guestolo' post='466373' date='Nov 16 2009, 08:41 PM']Is HKEY_CLASSES_ROOT\.xbm
Set to Allow for Administrators in the registry
For both Full Control and Read?[/quote]
Yeah, sorry. It wasn't, but it is now. The System user is not checked for Allow or Deny.
Should I go ahead with the install?
-
.xbm
Administrators should be ticked to ALLOW for "Full Control" and "Read"
System should be ticked ALLOW for "Full Control" and "Read"
If not, set them both that way then reboot the computer
Then try the install again
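The permission steps from the two posts above (Administrators first, then SYSTEM, both Allow: Full Control and Read on HKEY_CLASSES_ROOT\.xbm) can be checked and applied from an elevated PowerShell prompt instead of clicking through regedit. This is an added example and not part of the original thread or of guestolo's instructions; it assumes Windows PowerShell 3.0 or later with its registry provider, and the key path is a parameter because the same fix applies to any key that setupapi.log reports as "Error 5: Access is denied".

```powershell
# Added example, not from the original thread. Checks that Administrators and
# SYSTEM have Allow: Full Control on a registry key and grants it where missing.
# Run from an elevated Windows PowerShell (3.0+) prompt.
param(
    # Assumed default: the key the SP3 installer failed to write.
    [string]$KeyPath = 'Registry::HKEY_CLASSES_ROOT\.xbm'
)

$fullControl = [System.Security.AccessControl.RegistryRights]::FullControl
$principals  = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

if (-not (Test-Path -Path $KeyPath)) {
    Write-Host "$KeyPath does not exist; nothing to fix"
    return
}

$acl = Get-Acl -Path $KeyPath

# Show what is there before touching it, so the change is deliberate.
$acl.Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# A Deny entry overrides any Allow added below; report it instead of failing silently.
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $principals -contains $_.IdentityReference.Value } |
    ForEach-Object { Write-Warning "Explicit Deny for $($_.IdentityReference) on $KeyPath; remove it in regedit first" }

$changed = $false
foreach ($who in $principals) {
    $hasFull = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $who -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.RegistryRights -band $fullControl) -eq $fullControl)
    }
    if ($hasFull) {
        Write-Host "$who already has Full Control on $KeyPath"
        continue
    }
    # Full Control includes Read. ContainerInherit pushes the rule down to
    # subkeys such as PersistentHandler once the installer creates them.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $who,
        $fullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow
    $acl.AddAccessRule($rule)
    Write-Host "Granting $who Full Control on $KeyPath"
    $changed = $true
}

if ($changed) {
    # Fails with access denied if the current user is not the key's owner.
    Set-Acl -Path $KeyPath -AclObject $acl
}
```

Run it once and read the table before accepting the change. If Set-Acl itself reports access denied, the key's owner is not the Administrators group; take ownership first (regedit, Permissions, Advanced, Owner) and run it again. Reboot afterwards, as the post says, before retrying the SP3 install, because the pending SET*.tmp renames in the log are only applied at boot.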
-
We did it! Smooth as could be. I've succeeded at installing it before but never without complaints. It's running very smoothly. I've reconnected everything with no problems too. Thanks for sticking with it this far.
Windows update has 18 new updates now. I guess new versions apply now of a bunch of these that look familiar. I'll go ahead and put them in.
-
Thanks for all the help with this guestolo. The IDriverT.exe process is more a question of why it gets left running I guess. I just disabled it and stopped the service. I suppose I could use sc and remove the service too but I'm not sure what the implications are sometimes.
Anyway. I guess we've got it beat. Thanks again, I learned a lot too.
-
IDriverT.exe
A short explanation,
Related to Macrovision Corporation. Note: Located in \%Program Files%\Common Files\InstallShield\Driver\1150\Intel 32\
A legit service, could be used by HP/Compaq products, etc. for proper installation of their programs I assume
By no means am I an expert on it
I wouldn't use SC to delete the service; just keep it disabled for now. If you find you have problems with any kind of HP products, or other software updating, you'll know why.
May also be used by some third party Video/Audio software
Besides that, everything else running well, we'll lock this up and consider it resolved
Keep me informed please
I know/hope you will
P.s. Eset nailed a legit file by Panda as malware, it's a false positive
But you can remove Panda Online scanner from Add/Remove programs
You can also remove Eset, or run Eset occasionally, just to double check your own AV installed
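The advice above, disable the service rather than `sc delete` it, is the reversible choice, and the check a practitioner wants before either step is to confirm what the service actually runs: the binary's path (the post gives the expected Macrovision location under Common Files\InstallShield\Driver) and whether it carries a valid Authenticode signature. The script below is an added example, not from the original thread or from either poster; it assumes Windows PowerShell and that the service is registered under the name 'IDriverT', which the thread does not state (it names only the process IDriverT.exe), so substitute whatever `sc query` lists on your machine.

```powershell
# Added example, not from the original thread. Records what a service is and
# where its binary lives, checks the binary's Authenticode signature, and then
# disables (never deletes) the service. The default name 'IDriverT' is an
# assumption: the thread only names the process IDriverT.exe.
param(
    [string]$ServiceName = 'IDriverT'
)

$svc = Get-WmiObject -Class Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Host "No service named $ServiceName"
    return
}

# PathName may be quoted and may carry arguments; keep only the executable.
if ($svc.PathName -match '^"([^"]+)"') { $exe = $Matches[1] }
elseif ($svc.PathName -match '^(.+?\.exe)') { $exe = $Matches[1] }
else { $exe = $svc.PathName }

$sig    = Get-AuthenticodeSignature -FilePath $exe
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

New-Object PSObject -Property @{
    Name        = $svc.Name
    DisplayName = $svc.DisplayName
    State       = $svc.State
    StartMode   = $svc.StartMode
    Binary      = $exe
    Signer      = $signer
    SigStatus   = $sig.Status        # Valid, NotSigned, HashMismatch, ...
} | Format-List Name, DisplayName, State, StartMode, Binary, Signer, SigStatus

# Disabling is reversible ('sc config <name> start= demand' undoes it);
# 'sc delete' is not, short of reinstalling whatever registered the service.
if ($svc.StartMode -ne 'Disabled') {
    Set-Service -Name $ServiceName -StartupType Disabled
}
if ($svc.State -eq 'Running') {
    Stop-Service -Name $ServiceName -ErrorAction SilentlyContinue
}
```

If the binary is not where the post says it should be, or SigStatus is NotSigned or HashMismatch, treat that as something to scan and investigate rather than a harmless leftover installer component; a service name and display name are trivially copied by malware, the file path and signature are harder to fake.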