Author Topic: I have Hidden Kernel Modules that don't look right (Read 5979 times)

Flim · « **on:** November 11, 2009, 08:13:29 PM »

I've been trying to clean up some issues on my system for a while and using some of the tools that I've seen suggested on this and other forums. I've been making some progress but am learning that it works better if you have just a bit more knowledge and do things in the right order. I've reached the stage where my system is much quicker and there's less going on but there's issues.

I've run most of the tools including ComboFix, that I first used quite a while back and have run again recently. SuperAntiSpyware didn't find much, RootRepeal didn't find anything and an online ESET scan found a few threats that have been cleaned up. Basically nothing major.

SysProt and GMer have identified hidden processes and hooks that I know don't belong and I don't know which order to tackle them in and don't want to screw it up. I'd sure appreciate some help dealing with them. I've got OTL logs from the 8th and ESET, SysProt and GMer logs from today if anyone has time to look at them.

Thanks,
Flim

guestolo · « **Reply #1 on:** November 11, 2009, 08:20:07 PM »

Go ahead and post the most recent logs you have

Flim · « **Reply #2 on:** November 11, 2009, 08:43:07 PM »

Thanks!

Here's ESET

C:\AppsNoInstall\xmplay34\Skins\EyePhone.xmpskin probably a variant of Win32/Agent trojan cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Documents and Settings\B4BD\Application Data\AD ON Multimedia\eBay Shortcuts\eBayShortcuts.exe.vir a variant of Win32/Adware.ADON application cleaned by deleting - quarantined
C:\WINDOWS\system32\ActiveScan\pskavs.dll probably a variant of Win32/Agent trojan cleaned by deleting - quarantined

Here's SysProt (just the hidden items)

SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

No Hidden Processes found

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: spfw.sys
Service Name: ---
Module Base: B9EA7000
Module End: B9FA7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Service Name: ---
Module Base: B80AA000
Module End: B80E1000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AB22B000
Module End: AB243000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA5DC000
Module End: BA5DE000
Hidden: Yes

********************************************************************************
**********
********************************************************************************
**********
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: AB4DDC50
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwClose
Address: AB4C2C70
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwConnectPort
Address: AB4E1370
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateFile
Address: AB4BEFE0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateKey
Address: AB4CA280
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateProcess
Address: AB4D64A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateProcessEx
Address: AB4D6DA0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateSection
Address: AB4BDD90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateSymbolicLinkObject
Address: AB4CA030
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateThread
Address: AB4D4F60
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDebugActiveProcess
Address: AB4E4E00
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteFile
Address: AB4C8D10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteKey
Address: AB4CBAF0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteValueKey
Address: AB4D2590
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwEnumerateKey
Address: B9EC6CA2
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spfw.sys

Function Name: ZwEnumerateValueKey
Address: B9EC7030
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spfw.sys

Function Name: ZwLoadDriver
Address: AB4D3DA0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwMakeTemporaryObject
Address: AB4C98A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenFile
Address: AB4C1C90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenKey
Address: AB4CB1B0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenProcess
Address: AB4D8E90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenSection
Address: AB4BE600
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenThread
Address: AB4D8250
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwProtectVirtualMemory
Address: AB4DEF90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryDirectoryFile
Address: AB4C3A90
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryKey
Address: AB4CD940
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryValueKey
Address: AB4CE190
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueueApcThread
Address: AB4DD0C0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRenameKey
Address: AB4D1780
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwReplaceKey
Address: AB4CF6F0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRequestPort
Address: AB4E3610
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRequestWaitReplyPort
Address: AB4E3930
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRestoreKey
Address: AB4D0F10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSaveKey
Address: AB4CFE70
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSaveKeyEx
Address: AB4D06C0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSecureConnectPort
Address: AB4E1F50
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetContextThread
Address: AB4DC630
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetInformationDebugObject
Address: AB4E53F0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetInformationFile
Address: AB4C4DE0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetSystemInformation
Address: AB4D33B0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetValueKey
Address: AB4CEA10
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSuspendProcess
Address: AB4DB380
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSuspendThread
Address: AB4DBCB0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSystemDebugControl
Address: AB4E4640
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwTerminateProcess
Address: AB4D9980
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwTerminateThread
Address: AB4DA810
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwUnloadDriver
Address: AB4D4720
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwWriteVirtualMemory
Address: AB4DE4A0
Driver Base: AB4BD000
Driver End: AB56A000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A3F4500
Hooking Module: _unknown_

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EA8000
Hooking Module: spfw.sys

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F51F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AE1E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0851F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ABE4258
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ABE4258
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ABE4258
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ABE4258
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8ABE4258
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD711F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: B807A740
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B807AC64
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B807AAA6
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B807A84C
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_READ
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAFE1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EC4514
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: \Driver\PCI_PNP0670
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EEBB1C
Hooking Module: spfw.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F31F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AD661F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AD661F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8AD661F8
Hooking Module: _unknown_

Hooked Module: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AD661F8
Hooking Module: _unknown_

********************************************************************************
**********
********************************************************************************
**********
Ports:
Local Address: BNMC01:1028
Remote Address: BNMV01:MICROSOFT-DS
Type: TCP
Process: System
State: ESTABLISHED

Local Address: BNMC01:NETBIOS-SSN
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BNMC01:5152
Remote Address: LOCALHOST:1044
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: CLOSE_WAIT

Local Address: BNMC01:5152
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\Program Files\Java\jre6\bin\jqs.exe
State: LISTENING

Local Address: BNMC01:1025
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\alg.exe
State: LISTENING

Local Address: BNMC01:3390
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BNMC01:3389
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BNMC01:MICROSOFT-DS
Remote Address: 0.0.0.0:0
Type: TCP
Process: System
State: LISTENING

Local Address: BNMC01:EPMAP
Remote Address: 0.0.0.0:0
Type: TCP
Process: C:\WINDOWS\system32\svchost.exe
State: LISTENING

Local Address: BNMC01:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BNMC01:138
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BNMC01:NETBIOS-NS
Remote Address: NA
Type: UDP
Process: System
State: NA

Local Address: BNMC01:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BNMC01:1900
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BNMC01:123
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\svchost.exe
State: NA

Local Address: BNMC01:4500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BNMC01:500
Remote Address: NA
Type: UDP
Process: C:\WINDOWS\system32\lsass.exe
State: NA

Local Address: BNMC01:MICROSOFT-DS
Remote Address: NA
Type: UDP
Process: System
State: NA

********************************************************************************
**********
********************************************************************************
**********
No hidden files/folders found

Here's GMer (I had to run it in Safemode to get it to complete)

GMER 1.0.15.15220 - http://www.gmer.net
Rootkit scan 2009-11-11 16:13:34
Windows 5.1.2600 Service Pack 2
Running: ftw126s4.exe; Driver: C:\Temp\TempSys\ffldqpob.sys

---- System - GMER 1.0.15 ----

SSDT spgt.sys ZwCreateKey [0xF74D70E0]
SSDT spgt.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spgt.sys ZwEnumerateValueKey [0xF74F6030]
SSDT spgt.sys ZwOpenKey [0xF74D70C0]
SSDT spgt.sys ZwQueryKey [0xF74F6108]
SSDT spgt.sys ZwQueryValueKey [0xF74F5F88]
SSDT spgt.sys ZwSetValueKey [0xF74F619A]

INT 0x62 ? 8AEFFBF8
INT 0x63 ? 8AD98BF8
INT 0x83 ? 8AD98BF8
INT 0x94 ? 8AD98BF8
INT 0xB4 ? 8AEFFBF8
INT 0xB4 ? 8AEFFBF8
INT 0xB4 ? 8AD98BF8
INT 0xB4 ? 8AEFFBF8

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AEFE1F8
Device \Driver\USBSTOR \Device\0000008e 8AD321F8
Device \Driver\sptd \Device\3114432250 spgt.sys
Device \Driver\usbuhci \Device\USBPDO-0 8ACC01F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AF721F8
Device \Driver\dmio \Device\DmControl\DmConfig 8AF721F8
Device \Driver\dmio \Device\DmControl\DmPnP 8AF721F8
Device \Driver\dmio \Device\DmControl\DmInfo 8AF721F8
Device \Driver\usbuhci \Device\USBPDO-1 8ACC01F8
Device \Driver\usbehci \Device\USBPDO-2 8ADA71F8
Device \Driver\usbuhci \Device\USBPDO-3 8ACC01F8
Device \Driver\usbuhci \Device\USBPDO-4 8ACC01F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8AF001F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\USBSTOR \Device\000000a3 8AD321F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8AF001F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\Cdrom \Device\CdRom0 8AD5D1F8
Device \Driver\USBSTOR \Device\000000a4 8AD321F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 8AF001F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort0 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort1 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdePort2 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 8AEFF1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8AEFF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 8AF001F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\Ftdisk \Device\HarddiskVolume5 8AF001F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)

Device \Driver\PCI_PNP9750 \Device\0000005e spgt.sys
Device \Driver\PCI_PNP9750 \Device\0000005e spgt.sys
Device \Driver\usbuhci \Device\USBFDO-0 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-1 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-2 8ACC01F8
Device \Driver\usbuhci \Device\USBFDO-3 8ACC01F8
Device \Driver\usbehci \Device\USBFDO-4 8ADA71F8
Device \Driver\Ftdisk \Device\FtControl 8AF001F8
Device \Driver\USBSTOR \Device\0000008a 8AD321F8
Device \Driver\USBSTOR \Device\0000008b 8AD321F8
Device \Driver\USBSTOR \Device\0000008c 8AD321F8
Device \Driver\USBSTOR \Device\0000008d 8AD321F8
Device \Driver\asfn81dq \Device\Scsi\asfn81dq1 8ACC1500
Device \FileSystem\Fastfat \Fat 8AB4F500
Device \FileSystem\Fastfat \Fat B9C061F9
Device \FileSystem\Cdfs \Cdfs 8ABBE1F8
Device \Driver\atapi -> \Driver\atapi \Device\Harddisk0\DR0 8AEFF1F8

---- EOF - GMER 1.0.15 ----

[quote name=\'guestolo\' post=\'466244\' date=\'Nov 11 2009, 05:20 PM\']Go ahead and post the most recent logs you have[/quote]

guestolo · « **Reply #3 on:** November 11, 2009, 09:06:07 PM »

I need a little bit more info
can you delete OTL.txt and Extras.txt on your desktop

In addition:
Again open OTL.exe, Put a tick in Use Safelist under "Extra Registry" if it is not selected
Then run a fresh Scan
Afterwards, post the new logs>>Both OTL.txt and Extras.txt

Flim · « **Reply #4 on:** November 11, 2009, 10:06:39 PM »

I am suddenly having problems posting.

"Method not implemented"

I use NoScript but thetechguide is allowed and I have now added intellitxt and it still didn't work.

Tried once with both logs and once with one log.

This one has no log included.

I'm using the "Add Reply" button to post

guestolo · « **Reply #5 on:** November 11, 2009, 10:18:08 PM »

in a reply, copy/paste Extras.txt, you should have no problem with it

Then in the same reply box, Upload OTL.txt
Use the Browse....>>UPLOAD buttons on the bottom right of a reply box

Flim · « **Reply #6 on:** November 11, 2009, 10:35:07 PM »

I've been fighting with the OTL one - let's see what happens.
There is a weird character in the first line of the Alternate Data Streams info in the OTL file.

here's the Extras -

OTL Extras logfile created on: 11/11/2009 6:36:15 PM - Run 2
OTL by OldTimer - Version 3.1.4.0 Folder = C:\Documents and Settings\B4BD\Desktop
Windows XP Media Center Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

2.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 100.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 100.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 94.66 Gb Total Space | 31.43 Gb Free Space | 33.20% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 203.43 Gb Total Space | 24.30 Gb Free Space | 11.95% Space Free | Partition Type: NTFS
Drive F: | 230.85 Gb Total Space | 68.72 Gb Free Space | 29.77% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
Drive H: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
I: Drive not present or media not loaded
Drive O: | 465.76 Gb Total Space | 245.08 Gb Free Space | 52.62% Space Free | Partition Type: NTFS
Drive P: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Q: | 152.66 Gb Total Space | 101.93 Gb Free Space | 66.77% Space Free | Partition Type: NTFS
Drive R: | 931.51 Gb Total Space | 507.73 Gb Free Space | 54.51% Space Free | Partition Type: NTFS
Drive S: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive T: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive U: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive V: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive X: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS
Drive Y: | 465.15 Gb Total Space | 40.83 Gb Free Space | 8.78% Space Free | Partition Type: NTFS

Computer Name: BNMC01
Current User Name: B4BD
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Standard

[color=\"#E56717\"]========== Extra Registry (SafeList) ==========[/color]

[color=\"#E56717\"]========== File Associations ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.chm [@ = chm.file] -- "%SYSTEMROOT%\hh.exe" %1
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[HKEY_CURRENT_USER\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

[color=\"#E56717\"]========== Shell Spawning ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %* File not found
chm.file [open] -- "%SYSTEMROOT%\hh.exe" %1 File not found
cmdfile [open] -- "%1" %* File not found
comfile [open] -- "%1" %* File not found
exefile [open] -- "%1" %* File not found
htmlfile [edit] -- Reg Error: Key error.
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
https [open] -- "C:\Program Files\Mozilla Firefox\firefox.exe" -requestPending -osint -url "%1" (Mozilla Corporation)
piffile [open] -- "%1" %* File not found
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1" File not found
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S File not found
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 File not found
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [Browse with PhotoLine 32...] -- "C:\Program Files\PhotoLine\PhotoLine.exe" -browse "%L" (Computerinsel GmbH)
Directory [cmd] -- cmd.exe /k "cd %L" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [Generate MD5 Signatures] -- "C:\Program Files\Michael K. Weise\mkw Audio Compression Toolkit\mkwACT.exe" (Michael K. Weise)
Directory [MediaMonkey.1Play] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" "%1" (Ventis Media Inc.)
Directory [MediaMonkey.2PlayNext] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /NEXT "%1" (Ventis Media Inc.)
Directory [MediaMonkey.3Enqueue] -- "C:\Program Files\MediaMonkey\MediaMonkey.exe" /ADD "%1" (Ventis Media Inc.)
Directory [Mp3tag] -- "C:\Program Files\Mp3tag\Mp3tag.exe" "/fp:%1" (Florian Heidenreich)
Directory [open_x2] -- "C:\Program Files\xplorer2_lite\xplorer2_lite.exe" /1 /M /T "%1" (ZabKat)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Directory [QCD.add] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [QCD.load] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [QCD.play] -- "c:\program files\quintessential player\qcdplayer.exe" /ddeexec (Quinnware)
Directory [View_Directory] -- viewdir.bat "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe" File not found

[color=\"#E56717\"]========== Security Center Settings ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 1
"FirewallDisableNotify" = 1
"UpdatesDisableNotify" = 1
"AntiVirusOverride" = 0
"FirewallOverride" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:*:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:*:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:*:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:*:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 0
"DisableNotifications" = 0
"DoNotAllowExceptions" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"3776:UDP" = 3776:UDP:*:Enabled:Media Center Extender Service
"3390:TCP" = 3390:TCP:*:Enabled:Remote Media Center Experience
"9000:TCP" = 9000:TCP:*:Enabled:SqueezeCenter 9000 tcp
"3483:UDP" = 3483:UDP:*:Enabled:SqueezeCenter 3483 udp
"3483:TCP" = 3483:TCP:*:Enabled:SqueezeCenter 3483 tcp
"10243:TCP" = 10243:TCP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10280:UDP" = 10280:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10281:UDP" = 10281:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10282:UDP" = 10282:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10283:UDP" = 10283:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service
"10284:UDP" = 10284:UDP:LocalSubNet:Enabled:Windows Media Player Network Sharing Service

[color=\"#E56717\"]========== Authorized Applications List ==========[/color]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\Media Center Diagnostic Kit\MCDiag.exe" = C:\Program Files\Media Center Diagnostic Kit\MCDiag.exe:*:Enabled:Media Center Diagnostic Tool -- (Microsoft Corp.)
"C:\Program Files\Media Center Diagnostic Kit\MCEHostRemote.exe" = C:\Program Files\Media Center Diagnostic Kit\MCEHostRemote.exe:*:Enabled:Media Center Scripting Host -- (Microsoft Corporation)
"C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe" = C:\Program Files\Microsoft Games\Rise of Nations\thrones.exe:*:Enabled:Rise of Nations -- (Big Huge Games, Inc.)
"%windir%\Network Diagnostic\xpnetdiag.exe" = %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000 -- (Microsoft Corporation)
"C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\Ikernel.exe" = C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\Ikernel.exe:*:Enabled:HPMVInstall -- (InstallShield Software Corporation)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVTray.exe:*:Enabled:HPMVMonitor -- (Hewlett-Packard)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASSelector.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASSelector.exe:*:Enabled:HPMVSelector -- (Hewlett-Packard Company)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASDriveMapper.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\NASDriveMapper.exe:*:Enabled:HPMVDriveMapper -- (Hewlett-Packard Company)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPEZBkup.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPEZBkup.exe:*:Enabled:HPEasyBackup -- (Hewlett Packard)
"C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVCheck.exe" = C:\Program Files\Hewlett-Packard\HP Media Vault\Utilities\HPMVCheck.exe:*:Enabled:HPMVCheck -- (Hewlett-Packard Company)
"C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe" = C:\Program Files\Yahoo!\Yahoo! Music Engine\YahooMusicEngine.exe:*:Disabled:Yahoo! Music Engine -- File not found
"C:\Program Files\Messenger\msmsgs.exe" = C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger -- (Microsoft Corporation)
"C:\WINDOWS\ehome\ehshell.exe" = C:\WINDOWS\ehome\ehshell.exe:LocalSubNet:Enabled:Media Center -- (Microsoft Corporation)
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" = C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger -- (Microsoft Corporation)
"C:\WINDOWS\system32\LMabcoms.exe" = C:\WINDOWS\system32\LMabcoms.exe:*:Enabled:Lexmark Enhanced TCP/IP -- ( )
"C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe" = C:\Program Files\Red Chair Software\Notmad Explorer\notmgr.exe:*:Enabled:Notmad Xtreamer -- (Red Chair Software, Inc.)
"C:\Program Files\Red Chair Software\Audigen Explorer\audmgr.exe" = C:\Program Files\Red Chair Software\Audigen Explorer\audmgr.exe:*:Enabled:Audigen Xtreamer -- (Red Chair Software, Inc.)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..\..]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\..\..\Programmi]

[color=\"#E56717\"]========== HKEY_LOCAL_MACHINE Uninstall List ==========[/color]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{00010409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Professional
"{00040409-78E1-11D2-B60F-006097C998E7}" = Microsoft Office 2000 SR-1 Disc 2
"{01501EBA-EC35-4F9F-8889-3BE346E5DA13}" = MSXML4 Parser
"{03CAB33F-D1C2-48C6-8766-DAE84DFC25FE}" = Microsoft Sync Framework Services v1.0 (x86)
"{049885D8-22B9-C209-A00C-E43A8E3F0B79}" = CCC Help Danish
"{055EE59D-217B-43A7-ABFF-507B966405D8}" = ATI Catalyst Control Center
"{068502DA-6979-4D9A-BBE1-C3AD0FF11F19}" = Video\Ulead DVD MovieFactory 3 SE
"{072D42BE-96CD-FB75-A339-0ED0F76A9C61}" = Catalyst Control Center Localization Swedish
"{08094E03-AFE4-4853-9D31-6D0743DF5328}" = QuickTime
"{0A21D2E9-F8A2-4CF9-88D7-E04A1C4C90AE}" = DaemonScript
"{0AB76F69-E761-4CFA-B9B0-A1906B4E9E4B}" = WD Diagnostics
"{0D70917A-C58F-4220-9DB7-54309302881E}" = MasterCook Deluxe 8
"{0F9196C6-58B4-445B-B56E-B1200FECC151}" = Microsoft Bootvis
"{0FE7A7B0-B912-411D-8207-0B5BFEB04B7A}" = Picture Converter
"{1037CF8F-A226-A3BA-2D05-F34950395CB9}" = Catalyst Control Center Localization Chinese Standard
"{107254A0-0ADF-11D4-9397-00D0B7020B38}" =
"{10CE1EA2-12E9-11D3-825E-00C04F6843FE}" = Microsoft Office Sounds
"{11B05D68-6054-4B2B-7776-A22592D837E8}" = Catalyst Control Center Localization German
"{121634B0-2F4B-11D3-ADA3-00C04F52DD52}" = Windows Installer Clean Up
"{12453E04-9738-4D16-8408-D726532C2C69}" = ASUS VGA Driver
"{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"{14291118-0C19-45EA-A4FA-5C1C0F5FDE09}" = Primo
"{1531DDE3-DD8B-C078-3CA2-4F278C8A7E6A}" = CCC Help Portuguese
"{17800CFC-97EC-40A5-AB42-A8B66DC74D77}" = EGS Recipe Center
"{184E7118-0295-43C4-B72C-1D54AA75AAF7}" = Windows Live Mail
"{1A24A727-0470-7601-2370-233735A0E8EF}" = Catalyst Control Center Localization Norwegian
"{1AB88B2D-BA3B-FEC3-EDB1-6688CB217E2C}" = Catalyst Control Center Localization Czech
"{1ACE5DBB-AA0D-480D-BEE2-C988672CE50B}" = WillExpert
"{1CB92574-96F2-467B-B793-5CEB35C40C29}" = Image Resizer Powertoy for Windows XP
"{1E9A9E08-0366-45EE-9B66-51852F8D9812}" = Open Workbench
"{1EC60864-A294-44BF-984A-3E8867D74EA2}" = Adobe After Effects 6.0
"{2227E1FA-01F5-483C-AB0E-2A308E900B3D}" = InterVideo FilterSDK for Hauppauge
"{22EC35BD-F8F2-45EB-8DCB-1C7FB65D0A71}" = QuickTax 2007
"{23FE964A-853B-4176-86D7-9E18B5CA1FC0}" = Media Center Extender
"{255D5C51-2A30-43A9-84D9-7C2CCBA51B70}" = D-Link DHP-300 Utility
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java(tm) 6 Update 15
"{26A24AE4-039D-4CA4-87B4-2F83216013F0}" = Java(tm) 6 Update 13
"{26B6423F-0E8A-2213-C8AD-16DD1E39D919}" = Catalyst Control Center Localization Greek
"{2CC982C0-7EAE-11D4-ACC3-0050568AD318}" = Avery DesignPro 3.5
"{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}" = Creative MediaSource
"{2EC973B4-B580-573E-58C1-15A6261E5F95}" = Catalyst Control Center Localization Turkish
"{2FDF1E49-B487-01CD-458E-5F51555B2232}" = Catalyst Control Center Localization Chinese Traditional
"{3392F26F-0D1D-451F-8527-4820D1960235}" = Sony DVD Architect Studio 4.5
"{347D1603-FA83-4B2C-B504-8BC1FF59DB50}" = Digital Photography Winter Fun Pack
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{359FCAA7-B544-4147-AE3B-8C8A526E2427}" = Sony Image Data Suite
"{37ED8114-95B4-4603-B58B-5E315DFB38C2}" = Sony Vegas Movie Studio 8.0
"{3C3EB82B-1E0E-486A-A72F-011D196054BB}" = DVRMSToolbox
"{40D388F5-803F-616A-521D-005BC0BD9496}" = CCC Help Russian
"{428102E6-8A39-48B9-8389-847F5A44A600}" = MSXML 4.0
"{429232EE-1406-FE49-2B82-DFA6234249D2}" = Catalyst Control Center Graphics Full New
"{44FFF4AC-F56C-4457-AE63-C69ADAC1F6FC}" = QuickTax Tracker
"{47E0D551-C96E-403C-A230-982A78C9D48C}" = Media Center Playlist Editor
"{4893A35F-0A23-48EC-8E74-24969244D6F2}" = Catalyst Control Center - Branding
"{4A220461-26FD-E792-F134-54FE095E5C67}" = ccc-utility
"{4B719A70-F14A-4f5c-90B5-346B24B7FFF1}" = Windows 7 Upgrade Advisor
"{4BFE3B58-DE4A-7505-B2ED-1C581889DE8B}" = CCC Help English
"{4C7A2608-9B04-72EF-5BC1-815885E8093E}" = CCC Help Dutch
"{4EAB28B6-12F8-5F07-9857-4C84815DD36F}" = CCC Help Czech
"{4FF32AC7-667A-4F5F-B847-FB673D4B6F57}" = XML Notepad 2007
"{502506C0-2EFC-4590-A6B0-1A73BFD894BA}_is1" = Picture Ripper 4
"{508CE775-4BA4-4748-82DF-FE28DA9F03B0}" = Windows Live Messenger
"{51F30BA1-6032-ADC9-0F1D-8DCB8F4BEE35}" = CCC Help Finnish
"{53337CA9-E9A4-4C59-9D1C-D980EF9BF0C2}" = QuickTax 2004
"{54BB0384-1C33-488F-A95B-877E480D3EDC}" = MSXML 4.0
"{5762563F-B31B-4091-A80C-828C60DE5BE0}" = Handbrake
"{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}" = Oxsemi Uploader
"{57E0CF08-9A6E-F140-D69F-1BEBC2AD5C66}" = Catalyst Control Center Localization French
"{580183A6-FF92-11D5-9294-0050BA073EEC}" = Presto! PageManager 6
"{59975E1A-7F44-827D-A294-0C946F96E26A}" = CCC Help Greek
"{5A0C892E-FD1C-4203-941E-0956AED20A6A}" = APC PowerChute Personal Edition
"{5B9AF72D-593E-6D89-7E35-C79D58A04E9B}" = CCC Help Norwegian
"{5F457DDF-B768-434C-8802-9BB3B383B1E8}" = MasterCook 7
"{609B6317-7014-A779-C58D-864F12BA6339}" = CCC Help Spanish
"{61995288-920E-46AF-88C1-E1FF4F25613B}" = Videoraptor
"{621FCD24-4498-4324-A81E-07D331376EDF}" = PixiePack Codec Pack
"{6249C22D-E6A8-407B-BA8B-40298848ED94}" = OmniPage SE
"{633A06C3-B709-479A-AAB3-5EE94AD9EE4B}" = Acronis True Image Home
"{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}" = Windows Genuine Advantage v1.3.0254.0
"{63DC3499-A635-43c3-826C-E41851A6DDB0}" = Media Center Diagnostic Kit
"{6404709D-1338-87EE-0E6A-05BEADD5AD9D}" = Catalyst Control Center Localization Korean
"{670A8412-8080-78BD-8DBE-E68A3FB313D3}" = CCC Help Japanese
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD
"{6855CCDD-BDF9-48E4-B80A-80DFB96FE36C}" = CmdHere Powertoy For Windows XP
"{68B18535-773E-DF4D-5213-624AAE7068BA}" = CCC Help Chinese Traditional
"{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}" = Windows Media Player Firefox Plugin
"{6A69D94E-C569-4154-9643-72E94D1DDFDA}" = XPS Essentials Pack
"{6D655EE6-0D2D-DEA2-695D-EA749918CFB6}" = Catalyst Control Center Localization Polish
"{6F05A311-B2AB-5514-4A20-1A0C98131F36}" = CCC Help Hungarian
"{716E0306-8318-4364-8B8F-0CC4E9376BAC}" = MSXML 4.0 SP2 Parser and SDK
"{750365ED-CB2F-317F-E8B7-2429A9AEF210}" = Catalyst Control Center Localization Italian
"{75217611-047C-3C46-69CC-9E810B0FD7A4}" = ccc-core-preinstall
"{77E70C3C-DBB9-4C47-8663-1E1F81FEC623}" = Logitech QuickCam
"{78AD4938-7EE6-4DC0-A5BC-3AF82750A617}" = QuickTax Tracker
"{791CAF6C-90A3-11D4-8306-00D0B72E1DB9}" = Sentinel System Driver
"{7B63B2922B174135AFC0E1377DD81EC2}" = DivX Codec
"{7DC265E8-1558-43D4-807B-31205936DCF1}" = BartPE Add-on for Acronis True Image 11 Home
"{7E265513-8CDA-4631-B696-F40D983F3B07}_is1" = CDBurnerXP
"{7EC1397D-006B-9901-DED7-1937F7690388}" = CCC Help Turkish
"{82DFB569-F78E-47BB-B252-45B4AA45CA86}" = SafeMedia Add-on for Acronis True Image 11 Home
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{83ED1E80-A1B7-4226-BCF1-AC4A88151A6B}" = Microsoft Streets & Trips 2006
"{84B57E13-6093-47EE-5BA1-415410E12374}" = CCC Help Polish
"{863DC643-4D85-4736-985C-2EE9465C74EA}" = DVR 2 WMV
"{8689A5F3-BEEC-407D-A6EB-B79F636229A3}" = Media Center Alarm Clock
"{872FB0A8-1F51-51A5-A1EE-DFC1F996FCEC}" = Catalyst Control Center Localization Thai
"{899DD617-BC45-488B-08F7-EDAAB945BB87}" = Catalyst Control Center Localization Japanese
"{89B078C4-50B0-453E-BF53-3A7E6A0D85FA}" = Windows Support Tools
"{89DE67AD-08B8-4699-A55D-CA5C0AF82BF3}" = ATI AVIVO Codecs
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Graphics Media Accelerator Driver
"{8ADFC4160D694100B5B8A22DE9DCABD9}" = DivX Player
"{8B6A5274-219B-912E-A87C-6F30EA87F55E}" = CCC Help French
"{8D5AC6EF-B91C-4E03-99DE-C72536BB381F}" = TweakMCE
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90510409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Visio Professional 2003
"{90ECE9AF-27D0-D9D2-4D0B-E68916E19BF8}" = Catalyst Control Center Localization Finnish
"{9158ED68-0310-0EFA-26FD-589A14F6C4D6}" = CCC Help Chinese Standard
"{91A4AD99-69CE-4745-97B7-0E0DFBECFDE5}" = Adobe Illustrator CS
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{9862B19F-4CAD-4EED-920F-2F378D84393F}" = ATI Parental Control & Encoder
"{98736A65-3C79-49EC-B7E9-A3C77774B0E6}" = Google SketchUp 6
"{98E8A2EF-4EAE-43B8-A172-74842B764777}" = InterVideo WinDVD 4
"{98FD8BB5-59A9-4163-883C-2997F7BB59D9}" = Microsoft Video Screensaver
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9D18F7F8-B984-4249-8512-CC621BC59F12}" = Microsoft Location Finder
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{A49F249F-0C91-497F-86DF-B2585E8E76B7}" = Microsoft Visual C++ 2005 Redistributable
"{A50885B4-2D9B-4DC7-961D-2661B3A037F0}" = Quicken 2006
"{A7050037-F0EA-4BAB-BCD5-FC05507D6147}" = Alt-Tab Task Switcher Powertoy for Windows XP
"{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}" = Windows Live installer
"{A8BD5A60-E843-46DC-8271-ABF20756BE0F}" = Microsoft Sync Framework Runtime v1.0 (x86)
"{A8E51420-13A4-6888-6F65-A82E53FA7045}" = CCC Help Italian
"{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper
"{AA0D2D5F-612B-45D3-8759-DA87206E5CC9}" = QuickTax 2008
"{AC76BA86-1033-0000-7760-000000000002}" = Adobe Acrobat 7.0 Professional
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AC76BA86-7AD7-5464-3428-800000000003}" = Spelling Dictionaries Support For Adobe Reader 8
"{AEB95804-A937-49E6-940A-37A606C16D5D}" = DeLorme Street Atlas USA 2009 Plus
"{AFDFC350-C142-4790-BE12-8357AECD028F}" = SyncToy 2.0 (x86)
"{B13A7C41581B411290FBC0395694E2A9}" = DivX Converter
"{B1A9CD45-A702-4E3B-91ED-8CD562869901}" = DWG TrueView 2008
"{B37C842A-B624-46B8-A727-654E72F1C91A}" = Calculator Powertoy for Windows XP
"{B3CC991E-191A-443A-B09F-08327482920E}" = Pure Motion EditStudio 5
"{B3D8B2F8-3C2C-45BC-933E-8B60E78F6684}" = Google SketchUp 6
"{B4E96960-5F6B-48B9-A5BD-6A5A9BB4F027}" = Avery Wizard 3.1
"{B7050CBDB2504B34BC2A9CA0A692CC29}" = DivX Web Player
"{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer
"{B86C2C71-9EE8-4BB8-FC60-EEEAF205B849}" = Catalyst Control Center Localization Danish
"{B8B4D43C-EAA0-4EEC-B93E-D4D012316286}" = Free DWG Viewer 5.4
"{B8D0BC3E-67DF-48A3-ACC9-EEAA8DBFBF29}" = QuickTax 2005
"{BA3C8C28-C096-450B-B78C-5EA939A073D4}" = Software Virtualization Trinket
"{BAF78226-3200-4DB4-BE33-4D922A799840}" = Windows Presentation Foundation
"{BB85ED9C-AFC9-43BD-B8DC-258C3C7DF72E}" = HP Software Update
"{BCE36DA3-853A-7F6D-0041-118BFC0A3607}" = CCC Help Thai
"{BCE46757-7674-4416-BEDB-68205A60409E}" = Canon CanoScan Toolbox 4.1
"{BDF820F3-79A6-4ACF-B910-43B26BB894CC}" = Microsoft Network Monitor 3.1
"{C035D435-3B6D-542C-3B12-9D7B35B1F02D}" = Catalyst Control Center Localization Dutch
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C11525CF-1BE3-4F24-AF7F-92B381475E18}" = DVDInfoPro
"{C1C910A7-0B89-4260-8845-FE221D9285E8}_is1" = PC Chrono 1.1.0.6
"{C39DE425-6CCF-4B12-A101-3CB5CF3AF3AD}" = Slideshow Generator Powertoy for Windows XP
"{C51DD70F-B9DD-AD9A-9800-93A58C429CD1}" = Catalyst Control Center Graphics Full Existing
"{C6399072-505F-7C3E-6C42-8F0A678E2F17}" = Catalyst Control Center Localization Russian
"{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}" = ClearType Tuning Control Panel Applet
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CC016F21-3970-11DE-B878-005056806466}" = Google Earth
"{CC147B6B-B7EB-46AC-8649-A7DA3A76B0EC}" = BitDefender Deployment Tool
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{D050D7362D214723AD585B541FFB6C11}" = DivX Content Uploader
"{D159031E-628A-63C6-529A-AC5A95620ECC}" = CCC Help Swedish
"{D3EE034D-5B92-4A55-AA02-2E6D0A6A96EE}" = Windows Resource Kit Tools - SubInAcl.exe
"{D4292B37-6E88-A90C-B249-419417755D83}" = Catalyst Control Center Core Implementation
"{D5068583-D569-468B-9755-5FBF5848F46F}" = Sony Picture Utility
"{D642E38E-0D24-486C-9A2D-E316DD696F4B}" = Microsoft XML Parser
"{D88A2FDD-4C42-2DC8-879B-3E3B17DE7A98}" = CCC Help Korean
"{D898657E-139C-3E71-053F-4423BCBF0205}" = Catalyst Control Center Localization Hungarian
"{D9261CAB-3E1D-423C-9DD6-2001056DA292}" = Manual CanoScan 5000,5000F,8000F
"{D944236D-7992-41D6-8257-930B5832F1CC}" = Creative Zen Micro
"{D958FAC4-BAE0-4B1D-A42E-DE9BFDE7DDEE}" = Canon PhotoRecord
"{D9CDB463-BB48-4B80-B1B6-5B940A4621E0}" = AutoStreamer
"{DABF43D9-1104-4764-927B-5BED1274A3B0}" = Runtime
"{E064390A-2F64-4195-9A55-30D4B20B865A}" = WDCSAM Driver
"{E38C00D0-A68B-4318-A8A6-F7D4B5B1DF0E}" = Windows Media Encoder 9 Series
"{E3A5A8AB-58F6-45FF-AFCB-C9AE18C05001}" = IDT Audio
"{E40CE517-0D42-4198-96B4-C8232B257EB5}" = Data Lifeguard Diagnostic for Windows
"{E5090856-6E87-4AE1-B6FE-DD4149CB097A}" = LogViewer
"{E6B87DC4-2B3D-4483-ADFF-E483BF718991}" = OpenOffice.org 3.1
"{E6C48B74-26ED-4EF8-A04C-42AFDE5E1CA3}" = Intel® PRO Network Connections
"{E7F6A8E5-43A6-2B4F-EF63-5C669ABF5D49}" = Catalyst Control Center Localization Portuguese
"{F2568881-E34D-454C-8DEB-8B5D9D581472}" = HP Media Vault
"{F325206F-FC38-4B53-BD8B-DC7BD37986EC}" = LoriotPro V4
"{F44900CB-5BAF-7A35-74BF-D9BE40CB1F81}" = CCC Help German
"{F51B2470-17F0-6230-5658-B9B4D9FDF750}" = ccc-core-static
"{F54AC413-D2C6-4A24-B324-370C223C6250}" = Adobe Photoshop Elements 6.0
"{F55B25A7-9D43-AD4F-B70B-AAB9C7FA1BA8}" = Skins
"{F6AA40E1-75DE-7AC4-F39D-75D6EDEE8C36}" = Catalyst Control Center Localization Spanish
"{F761359C-9CED-45AE-9A51-9D6605CD55C4}" = Evernote
"{F843C6A3-224D-4615-94F8-3C461BD9AEA0}" = Jasc Paint Shop Pro 9
"{F850707C-B6A0-4B56-8709-F89CF8F9AC6D}" = Eraser
"{FAFDA89B-1031-4BDB-8619-DE20CBDEDF32}" = QuickTax 2006
"{FC66E05E-8D39-47A6-8D07-759F33727EB0}" = Opera 10.00
"{FCE65C4E-B0E8-4FBD-AD16-EDCBE6CD591F}" = HighMAT Extension to Microsoft Windows XP CD Writing Wizard
"{FEB350BF-C090-3927-9F07-AFC93659F5FC}" = Catalyst Control Center Graphics Light
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"{FF8967A4-4726-4614-B6C1-B2E047EC6F70}" = DeLorme Phone Data 2009
"Adobe Acrobat 7.0 Professional" = Adobe Acrobat 7.1.0 Professional
"Adobe Flash Player ActiveX" = Adobe Flash Player 10 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe SVG Viewer" = Adobe SVG Viewer 3.0
"Agnitum Outpost Firewall Pro" = Agnitum Outpost Firewall Pro
"Agnitum Outpost Firewall Pro_is1" = Outpost Firewall Pro 2009
"All ATI Software" = ATI - Software Uninstall Utility
"Amor Screen Capture_is1" = Amor Screen Capture 1.8.3
"AntiFreeze_is1" = AntiFreeze 1.01
"Any Video Converter_is1" = Any Video Converter 2.6.3
"Apex Video Converter Super_is1" = Apex Video Converter Super 5.99
"ASAPI Update" = ASAPI Update
"Aspell English Dictionary_is1" = Aspell English Dictionary-0.50-2
"Aspi setup_is1" = Aspi setup
"ATI Display Driver" = ATI Display Driver
"AU7_is1" = Advanced Uninstaller PRO 2006 - version 7
"Audacity 1.3 Beta (Unicode)_is1" = Audacity 1.3.7 (Unicode)
"Audacity_is1" = Audacity 1.2.6
"Audigen Explorer" = Audigen Explorer (remove only)
"Audio Convertor Plus_is1" = Audio Convertor Plus version 2.18
"AudioFilesGDSIndexer_is1" = Audio Files GDS Indexer 1.1
"AudioShell_is1" = AudioShell 1.3.5
"Aurora Media Workshop_is1" = Aurora Media Workshop 3.3.16
"AVG9Uninstall" = AVG Free 9.0
"AviSynth" = AviSynth 2.5
"BlackBerry_{13333239-0A15-4855-BEEB-0232DAA5B7EA}" = BlackBerry Desktop Software 5.0.1
"BlindWrite 6_is1" = BlindWrite 6
"BSPlayer1" = BSPlayer
"CamStudio" = CamStudio
"CamStudio Lossless Codec_is1" = CamStudio Lossless Codec v1.4
"CANONBJ_Deinstall_CNMCP6d.DLL" = Canon PIXMA iP5000
"CCleaner" = CCleaner
"CD Catalog Expert_is1" = CD Catalog Expert 9.23.7.1025
"CDWinder" = CDWinder 5.0.2
"Chandler" = Chandler 0.7.5.1
"ColorImpact2_is1" = ColorImpact version 2.4
"Concord Telephony Translation" = Concord Telephony Translation
"CopernicDesktopSearch2" = Copernic Desktop Search 2
"CoreFLAC Audio Decoder+Source Filter" = CoreFLAC Audio Decoder+Source Filter (remove only)
"Creative Jukebox Driver" = Creative Jukebox Driver
"Creative Removable Disk Manager" = Creative Removable Disk Manager
"CreativePainter" = Creative Painter
"Crimson Editor" = Crimson Editor (remove only)
"CSVed" = CSVed 1.3.9
"CTIAPI32" = CTIAPI32 (remove only)
"CtiLogC" = CtiLogC (remove only)
"DaemonUI" = DaemonUI 2.03
"Daniusoft WMA MP3 Converter_is1" = Daniusoft WMA MP3 Converter(Build 2.1.2)
"DECCHECK" = Microsoft Windows XP Video Decoder Checkup Utility
"Delta SP_is1" = Delta SP 1.62
"DemoForgeSSaver10_is1" = DemoForge Screen Saver 1.2
"dMC CD Audio" = dMC CD Audio
"DreamAqua" = Dream Aquarium
"DVD Decrypter" = DVD Decrypter (Remove Only)
"DVD Region+CSS Free_is1" = DVD Region+CSS Free 5.9.7.5
"DWG TrueView 2008" = DWG TrueView 2008
"Easy-PhotoPrint" = Canon Utilities Easy-PhotoPrint
"Easy-PrintToolBox" = Canon Utilities Easy-PrintToolBox
"EHome Devices" = Media Center Extender
"ElectricSheep" = ElectricSheep 2.6.6
"eMule" = eMule
"EPIM Synchronizer" = EPIM Synchronizer
"ESET Online Scanner" = ESET Online Scanner v3
"eSpeak_is1" = eSpeak version 1.40.01
"eSpeakEdit_is1" = eSpeakEdit version 1.40.01
"EssentialPIM Pro" = EssentialPIM Pro
"Everything" = Everything 1.2.1.371
"Feurio" = Feurio! CD-Writer
"File & Folder Lister_is1" = File & Folder Lister 2.00
"FileZilla Server" = FileZilla Server (remove only)
"Fireplace by PES" = Fireplace by PES Screen Saver
"FLVPlayer" = FLV Player 1.3.3
"foobar2000" = foobar2000 v0.9.4.4
"FoxyTunesForFirefox" = FoxyTunes for Firefox
"Freecorder_1.0" = Freecorder 2.3 (with Skype Call Recording)
"FreeUndelete" = FreeUndelete
"FTP Commander" = FTP Commander
"GNU Aspell_is1" = GNU Aspell 0.50-3
"Google Updater" = Google Updater
"GPL Ghostscript 8.57" = GPL Ghostscript 8.57
"GPL Ghostscript Fonts" = GPL Ghostscript Fonts
"Gravity_is1" = Gravity version 2.7
"GTK 2.0" = GTK+ Runtime 2.12.8 rev a (remove only)
"H_Shooter_Parade.scr" = H_Shooter_Parade ScreenSaver
"Handbrake" = Handbrake 0.9.2
"Hauppauge WinTV" = Hauppauge WinTV
"Hauppauge WinTV Radio" = Hauppauge WinTV Radio
"Hauppauge WinTV TV Services" = Hauppauge WinTV TV Services
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie8" = Windows Internet Explorer 8
"ImgBurn" = ImgBurn (Remove Only)
"InstallShield_{0D70917A-C58F-4220-9DB7-54309302881E}" = MasterCook Deluxe 8
"InstallShield_{255D5C51-2A30-43A9-84D9-7C2CCBA51B70}" = D-Link DHP-300 Utility
"InstallShield_{44FFF4AC-F56C-4457-AE63-C69ADAC1F6FC}" = QuickTax Tracker
"InstallShield_{5F457DDF-B768-434C-8802-9BB3B383B1E8}" = MasterCook 7
"InstallShield_{78AD4938-7EE6-4DC0-A5BC-3AF82750A617}" = QuickTax Tracker
"Intelore - RAR Password Recovery" = RAR Password Recovery v1.1 RC16 (remove only)
"IsoBuster_is1" = IsoBuster 2.4
"Jaikoz" = Jaikoz
"Jasc Paint Shop Pro 9.01 - (9.0.1.1)" = Jasc Paint Shop Pro 9.01 - (9.0.1.1)
"Jasc Paint Shop Pro 9.01 Patch" = Jasc Paint Shop Pro 9.01 Patch
"Javvin Network Protocols Map Screensaver_is1" = Javvin Network Protocols Map Screensaver 1.0
"JC&MB Quicknote_is1" = Quicknote 5.4
"JetBee_is1" = JetBee FREE 4.0.7 (build 330)
"Juice" = Juice 2.2
"jv16 PowerTools_is1" = jv16 PowerTools 1.2
"Karen's Countdown Timer II" = Karen's Countdown Timer II
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"KC Softwares VideoInspector_is1" = KC Softwares VideoInspector
"Kirby Alarm Pro_is1" = Kirby Alarm Pro v4.45
"Kirby Alarm_is1" = Kirby Alarm v2.11
"Kiwi Log Viewer" = Kiwi Log Viewer 2.0.26
"KLiteCodecPack_is1" = K-Lite Codec Pack 5.0.5 (Full)
"KookieJar6_is1" = Kookie Jar 6.3
"KT_AEdiX_Suite_2_is1" = AEdiX Suite
"Lexmark_HostCD" = Lexmark Software Uninstall
"m05 SurveillanceSaver" = m05 SurveillanceSaver 1.0
"M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player_is1" = M4a/Flac/Ogg/Ape/Mpc Tag Support Plugin for Media Player v 1.1
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Matrix Y2K Website Studio 2005_is1" = Matrix Y2K Website Studio 2005.SE
"Media Center Solitaire" = Media Center Solitaire
"MediaCoder" = MediaCoder 0.6.0
"MediaCoder Audio Edition" = MediaCoder Audio Edition 0.6.1
"MediaMan" = MediaMan
"MediaMonkey_is1" = MediaMonkey 3.1
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Minute Timer" = Minute Timer (remove only)
"Miro" = Miro
"mkwACT" = mkw Audio Compression Toolkit
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"Mozilla Thunderbird (2.0.0.23)" = Mozilla Thunderbird (2.0.0.23)
"Mp3tag" = Mp3tag v2.42
"Mpeg2Decoder_is1" = Mpeg2Decoder 1.3
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MVApplication1" = SureThing CD Labeler Deluxe 4
"MySiriusStudio" = My Sirius Studio
"nanoPEG-Editor 2.2 Hauppauge Edition_is1" = nanoPEG-Editor 2.2 Hauppauge Edition
"Nero - Burning Rom!UninstallKey" = Nero OEM
"Nero PhotoShow Express" = Nero PhotoShow Express
"NeroVision!UninstallKey" = Nero Digital
"NetLimiter 2 Monitor" = NetLimiter 2 Monitor (remove only)
"NetTools_is1" = NetTools 4.5
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"NMIX!UninstallKey" = NeroMIX
"NMPUninstallKey" = Nero Media Player
"Note-It_is1" = Note-It v4.5
"Notmad Explorer" = Notmad Explorer (remove only)
"NTFS Undelete_is1" = NTFS Undelete v0.93
"NVDA" = NVDA 0.6p3.1
"Othello" = Othello v3.0
"PageNest_is1" = PageNest
"Panda ActiveScan" = Panda ActiveScan
"PaperlessPrinter_is1" = PaperlessPrinter version 3.0
"Pegtop Smoodoo" = Pegtop Smoodoo
"Pegtop WaterWall" = Pegtop WaterWall
"PhotoFiltre" = PhotoFiltre
"PhotoLine 32_is1" = PhotoLine 32, Version 12.01
"Pidgin" = Pidgin
"PopCap Browser Plugin" = PopCap Browser Plugin
"Primetime Podcast Receiver" = Podcast Receiver
"PSPad editor_is1" = PSPad editor
"QuickPar" = QuickPar 0.9
"QuicktimeAlt_is1" = QuickTime Alternative 1.44
"Quintessential Player" = Quintessential Player
"RealAlt_is1" = Real Alternative 1.38
"Registrar_is1" = Registrar Registry Manager 6.02
"Replay_Screencast_1.0" = Replay Screencast 1.21
"Revo Uninstaller" = Revo Uninstaller 1.83
"RiseOfNationsExpansion 1.0" = Rise of Nations
"Riva FLV Encoder 2.0_is1" = Riva FLV Encoder 2.0
"RogueScanner GUI_is1" = Network Chemistry RogueScanner GUI
"Scott's Wallpaper Switcher_is1" = Scott's Wallpaper Switcher v 1.1
"Secunia PSI" = Secunia PSI
"SequoiaView" = SequoiaView
"SereneScreen Marine Aquarium 2 + Time" = SereneScreen Marine Aquarium 2 + Time
"ShowAnalyzer_is1" = ShowAnalyzer
"Smart Flash Recovery_is1" = Smart Flash Recovery v3.3
"SoftCuisine 2_is1" = SoftCuisine 2.1
"SolSuite_is1" = SolSuite 2007 v7.10
"Songbird-release-1146" = Songbird 1.2.0 (Build 1146)
"Sophos-AntiRootkit" = Sophos Anti-Rootkit 1.3.1
"SpeedFan" = SpeedFan (remove only)
"ST6UNST #1" = TVShowExport
"Stellarium_is1" = Stellarium 0.9.0
"Streamripper" = Streamripper (Remove only)
"SUPER Â©" = SUPER Â© Version 2009.bld.36 (June 10, 2009)
"SyncNotes_is1" = SyncNotes 1.3
"SysInfo" = Creative System Information
"Tag&Rename_is1" = Tag&Rename 3.4.6
"Task Coach_is1" = Task Coach 0.71.3
"The Sudoku Challenge Collection" = The Sudoku Challenge Collection
"TimeLeft_is1" = TimeLeft 3 Freeware edition
"TreeSize Professional_is1" = TreeSize Professional 4.0.2
"TrueCrypt" = TrueCrypt
"TVersity Codec Pack" = TVersity Codec Pack 1.1
"TweakNow PowerPack 2009_is1" = TweakNow PowerPack 2009
"TweakNow WinSecret Professional_is1" = TweakNow WinSecret Professional
"UBCD4Win_is1" = UBCD4Win 3.50
"UltraISO_is1" = UltraISO V7.6 ME
"uniCSVed" = uniCSVed 1.1
"Uninstall National Geographic Maps" = National Geographic Maps (Any files created by the program will be left on your system.)
"uniquemagicmp3taggerappid_is1" = Magic MP3 Tagger 2.2.4d
"Video Edit Magic 4_is1" = Video Edit Magic 4.15
"Vidmex" = Vidmex 1.3
"Vim 7.2" = Vim 7.2 (self-installing)
"vixy converter BETA_is1" = vixy converter uninstall
"VLC media player" = VLC media player 1.0.1
"WallpaperToy" = Wallpaper Changer for Windows XP
"Wdf01005" = Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
"WhoCrashed_is1" = WhoCrashed 1.01
"WIC" = Windows Imaging Component
"Windows Media Encoder 9" = Windows Media Encoder 9 Series
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows Media Recorder" = Windows Media Recorder
"Windows XP Media Center Edition Screen Saver Screen Saver" = Windows XP Media Center Edition Screen Saver Screen Saver
"WinFF_is1" = WinFF 1.0.4
"WinPcapInst" = WinPcap 4.1 beta5
"WinRAR archiver" = WinRAR archiver
"WinX 3GP 3G2 PDA MP4 Video Converter_is1" = version 3.5
"WinXMedia DVD MPEG/AVI/Audio Converter" = WinXMedia DVD MPEG/AVI/Audio Converter 3.5
"Wireshark" = Wireshark 1.2.1
"WMCSetup" = Windows Media Connect
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"WMV9_VCM" = Microsoft Windows Media Video 9 VCM
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"xint by xtort.net Â©_is1" = xint v4.3 by xtort.net Â©
"XP SysPad V7.9.5 by xtort.net Â©_is1" = XP SysPad V7.9.5 by xtort.net Â©
"xplorer2l" = xplorerÂ² lite
"XpsEP" = XPS Essentials Pack 1.0
"XpsEPSC" = XML Paper Specification Shared Components Pack 1.0
"xqdcXSP_is1" = Xteq-dotec X-Setup Pro 6.6.300.Final1
"yPlay_is1" = yPlay
"Ziepod_is1" = Ziepod version 1.0

[color=\"#E56717\"]========== HKEY_CURRENT_USER Uninstall List ==========[/color]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{0D025345-1033-4F35-A5CE-68CDCDE6CC03}" = Evernote
"AlexWarp" = AlexWarp
"Eraser" = Eraser
"LastPass" = LastPass (uninstall only)
"uTorrent" = ÂµTorrent
"WinDirStat" = WinDirStat 1.1.2
"XBMC" = XBMC Media Center

[color=\"#E56717\"]========== Last 10 Event Log Errors ==========[/color]

[ Application Events ]
Error - 02/11/2009 1:45:05 AM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x000294e7.

Error - 02/11/2009 1:45:13 AM | Computer Name = BNMC01 | Source = Media Center Receiver | ID = 4
Description = TV tuner malfunction. (0x80004005) Hauppauge WinTV 885 BDA Tuner/Demod

Error - 02/11/2009 1:47:16 AM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x000294e7.

Error - 02/11/2009 10:01:25 AM | Computer Name = BNMC01 | Source = VBRuntime | ID = 1
Description = The VB Application identified by the event source logged this Application
MSICUU: Thread ID: 700 ,Logged: Failed: C:\Program Files\Windows Installer Clean
Up\msizap.exe TW! {56BED62F-278A-407B-8BCD-E645EC96D2ED}

Error - 02/11/2009 10:01:56 AM | Computer Name = BNMC01 | Source = VBRuntime | ID = 1
Description = The VB Application identified by the event source logged this Application
MSICUU: Thread ID: 700 ,Logged: Failed: C:\Program Files\Windows Installer Clean
Up\msizap.exe TW! {48A669A9-76FA-4CA8-BFD5-00C125AC4166}

Error - 02/11/2009 12:33:16 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00010a19.

Error - 02/11/2009 12:34:04 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1000
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00037521.

Error - 02/11/2009 11:17:54 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00010a19.

Error - 02/11/2009 11:19:01 PM | Computer Name = BNMC01 | Source = Application Error | ID = 1004
Description = Faulting application ehrecvr.exe, version 5.1.2715.3011, faulting
module ntdll.dll, version 5.1.2600.3520, fault address 0x00037521.

[ System Events ]
Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The DHCP Client service depends on the NetBios over Tcpip service
which failed to start because of the following error: %%31

Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The DNS Client service depends on the TCP/IP Protocol Driver service
which failed to start because of the following error: %%31

Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The TCP/IP NetBIOS Helper service depends on the AFD service which
failed to start because of the following error: %%31

Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 11/11/2009 8:06:53 PM | Computer Name = BNMC01 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
AFD Aspi32 AvgLdx86 AvgMfx86 AvgTdiX Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SandBox
Tcpip
truecrypt

Error - 11/11/2009 8:08:01 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/11/2009 8:08:01 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/11/2009 8:13:15 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service StiSvc with
arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}

Error - 11/11/2009 8:13:51 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 11/11/2009 8:14:02 PM | Computer Name = BNMC01 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

< End of report >

guestolo · « **Reply #7 on:** November 12, 2009, 09:01:51 PM »

Quote

I have Hidden Kernel Modules that don't look right

Which are you talking about, I mostly see ones related to Outpost Firewall and Daemon Tools
You still appear to have DaemonUI installed, not sure if you got rid of Daemon Tools however

Please don't run Older versions of ComboFix, but do the following
Delete your copy of ComboFix
Then redownload a fresh copy from one of these locations:

[color=\"#0000FF\"]Link 1[/color]
[color=\"#0000FF\"]Link 2[/color]
[color=\"#FF0000\"]Save it ONLY to your Desktop[/color]

Run it and post the new log that opens
In addition, you have Malwarebytes AntiMalware installed
Run it>>Check for Updates, do a "Quick Scan'
Remove anything found and post it's log too

Flim · « **Reply #8 on:** November 13, 2009, 12:41:44 AM »

[quote name=\'guestolo\' post=\'466279\' date=\'Nov 12 2009, 06:01 PM\']Which are you talking about, I mostly see ones related to Outpost Firewall and Daemon Tools
You still appear to have DaemonUI installed, not sure if you got rid of Daemon Tools however[/quote]

Thanks for all the help guestolo - I really appreciate it

The 2 things that caught my eye were:

"Kernel Modules:
Module Name: spfw.sys"

It changes its' name everytime it loads, as in sp??.sys and hooks all over the place - couldn't figure out what it is for sure

"Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS
Service Name: ---"

Just don't like the look of it the way it has no name or information associated with it

I've used Daemontools for a long time - it's really handy, but it seems to make it hard to clean up things and it appears to cause problems getting to safe mode sometimes. I finished the removal I think before I ran the 2 logs below. Any reason not to put it back in? Or is there a better tool like it?

Here's the ComboFix log - (and I'd really like to figure out why Kerio and Sunbelt still show up when they were a) upgraded and

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/cool.gif\' class=\'bbc_emoticon\' alt=\'B)\' /> uninstalled years ago and I've tried to track them down and get rid of all their parts several times)

ComboFix 09-11-13.04 - B4BD 12/11/2009 20:50.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2701 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Kerio Personal Firewall *enabled* {A990EAA7-8941-4621-BC27-4F16261D3180}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
FW: Sunbelt Personal Firewall *disabled* {BFD080F6-3BF0-40E1-9507-9CA969C35870}
.

((((((((((((((((((((((((( Files Created from 2009-10-13 to 2009-11-13 )))))))))))))))))))))))))))))))
.

2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-12 02:32 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-12 01:31 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-12 14:00 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-12 12:37 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-09 06:06 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-14 05:04 . 2006-06-22 03:02 -------- d-----w- c:\program files\Thumbs7
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-09 2016536]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]

c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MBR
*NewlyCreated* - PROCEXP113
*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-12 21:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahdeppddjlnhgph"=hex:69,61,68,65,6e,66,6f,6d,68,6b,65,65,6c,6c,6e,67,66,6d,
00,00
"jaidfafppidcifadppoc"=hex:6f,61,65,65,68,6c,67,67,66,70,6f,69,61,6b,61,6c,6d,
62,66,66,6e,6f,6e,6a,65,6d,68,6b,62,6f,00,77

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1972)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3460)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-12 21:05
ComboFix-quarantined-files.txt 2009-11-13 05:05
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-02 04:14
ComboFix3.txt 2009-11-02 01:22
ComboFix4.txt 2009-11-01 21:29
ComboFix5.txt 2009-11-13 04:49

Pre-Run: 33,594,671,104 bytes free
Post-Run: 33,622,949,888 bytes free

- - End Of File - - 1B85BA58A6265D1C88E0A39DA9FE8B43

And here's the MBAM Log -

Malwarebytes' Anti-Malware 1.41
Database version: 3159
Windows 5.1.2600 Service Pack 2

12/11/2009 9:18:48 PM
mbam-log-2009-11-12 (21-18-48).txt

Scan type: Quick Scan
Objects scanned: 171303
Time elapsed: 5 minute(s), 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

guestolo · « **Reply #9 on:** November 13, 2009, 09:34:07 AM »

Download Security Check by screen317 from here or here.

Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Can you also let me know what Windows Security Center in Control Panel reports under Firewall

Flim · « **Reply #10 on:** November 13, 2009, 11:19:38 PM »

Here is the Checkup Report

Results of screen317's Security Check version 0.99.0
Windows XP Service Pack 2
[color=\"red\"]Out of date service pack!![/color]
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Disabled!
AVG Free 9.0
ESET Online Scanner v3
BitDefender Deployment Tool
Agnitum Outpost Firewall Pro
Outpost Firewall Pro 2009
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
Secunia PSI
Gmer
Sophos Anti-Rootkit 1.3.1
HijackThis 2.0.2
CCleaner
Java(tm) 6 Update 15
Java(tm) 6 Update 13
[color=\"red\"]Out of date Java installed![/color]
Adobe Flash Player 10
Adobe Reader 8.1.6
[color=\"red\"]Out of date Adobe Reader installed![/color]
``````````````````````````````
Process Check:
objlist.exe by Laurent
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
AVG avgemc.exe
AVG avgemc.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

Security Centre Says:

"At Least one of the firewall programs installed on this computer is currently ON..."

guestolo · « **Reply #11 on:** November 14, 2009, 02:44:59 AM »

Try the following, see if it's any help
1) Right-click on My Computer

2) Click on Manage

3) Click on the plus sign(+) next to Services and Applications in the left-hand column

4) Click on Services

5) Find the service called Windows Management Instrumentation, right-click on it, and choose Stop.

6) Open My Computer

7) Double-click on Drive C (or whatever drive Windows is installed on)

Double-click on the Windows folder

9) Double-click on System32

10) Double-click on WBEM

11) Right-click on the Repository folder and click Delete and remove it

12) Close the My Computer windows and return to the Windows services screen using steps 1 - 4 shown above

13) Find the service called Windows Management Instrumentation, right-click on it, and choose Start. Restarting this service will rebuild the repository folder information.

14) Restart your computer

Once the computer has restarted, open Windows Security Center
and see if the reference to Kerio is gone

Flim · « **Reply #12 on:** November 14, 2009, 09:56:10 AM »

Thanks - That got Outpost recognised by Security Centre as the only firewall. Had to shut down Outpost and Security Centre manually to stop WMI. After I deleted the repository I went back to restart WMI and it was already running!

I ran a SysProt report (below) and we seem to have got rid of
"Module Name: \SystemRoot\System32\Drivers\aenbh6wo.SYS"
but I see that sptd.sys is still there. I've run all the Daemon Tools related uninstall routines earlier. Is the sp??.sys file the outpost hooker?

SysProt Log here

SysProt AntiRootkit v1.0.1.0
by swatkat

********************************************************************************
**********
********************************************************************************
**********

No Hidden Processes found

********************************************************************************
**********
********************************************************************************
**********
Kernel Modules:
Module Name: spyn.sys
Service Name: ---
Module Base: B9EA7000
Module End: B9FA7000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: AB7C6000
Module End: AB7DE000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BA66E000
Module End: BA670000
Hidden: Yes

********************************************************************************
**********
********************************************************************************
**********
SSDT:
Function Name: ZwAssignProcessToJobObject
Address: ABA78C50
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwClose
Address: ABA5DC70
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwConnectPort
Address: ABA7C370
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateFile
Address: ABA59FE0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateKey
Address: ABA65280
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateProcess
Address: ABA714A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateProcessEx
Address: ABA71DA0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateSection
Address: ABA58D90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateSymbolicLinkObject
Address: ABA65030
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwCreateThread
Address: ABA6FF60
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDebugActiveProcess
Address: ABA7FE00
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteFile
Address: ABA63D10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteKey
Address: ABA66AF0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwDeleteValueKey
Address: ABA6D590
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwEnumerateKey
Address: B9EC6CA2
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spyn.sys

Function Name: ZwEnumerateValueKey
Address: B9EC7030
Driver Base: B9EA7000
Driver End: B9FA7000
Driver Name: spyn.sys

Function Name: ZwLoadDriver
Address: ABA6EDA0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwMakeTemporaryObject
Address: ABA648A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenFile
Address: ABA5CC90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenKey
Address: ABA661B0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenProcess
Address: ABA73E90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenSection
Address: ABA59600
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwOpenThread
Address: ABA73250
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwProtectVirtualMemory
Address: ABA79F90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryDirectoryFile
Address: ABA5EA90
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryKey
Address: ABA68940
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueryValueKey
Address: ABA69190
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwQueueApcThread
Address: ABA780C0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRenameKey
Address: ABA6C780
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwReplaceKey
Address: ABA6A6F0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRequestPort
Address: ABA7E610
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRequestWaitReplyPort
Address: ABA7E930
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwRestoreKey
Address: ABA6BF10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSaveKey
Address: ABA6AE70
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSaveKeyEx
Address: ABA6B6C0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSecureConnectPort
Address: ABA7CF50
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetContextThread
Address: ABA77630
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetInformationDebugObject
Address: ABA803F0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetInformationFile
Address: ABA5FDE0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetSystemInformation
Address: ABA6E3B0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSetValueKey
Address: ABA69A10
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSuspendProcess
Address: ABA76380
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSuspendThread
Address: ABA76CB0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwSystemDebugControl
Address: ABA7F640
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwTerminateProcess
Address: ABA74980
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwTerminateThread
Address: ABA75810
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwUnloadDriver
Address: ABA6F720
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

Function Name: ZwWriteVirtualMemory
Address: ABA794A0
Driver Base: ABA58000
Driver End: ABB05000
Driver Name: \SystemRoot\system32\DRIVERS\SandBox.sys

********************************************************************************
**********
********************************************************************************
**********
No Kernel Hooks found

********************************************************************************
**********
********************************************************************************
**********
IRP Hooks:
Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\atapi.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0831F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\dmio.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F61F8
Hooking Module: _unknown_

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_READ
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_POWER
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: \Driver\sptd
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EA8000
Hooking Module: spyn.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_READ
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_WRITE
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_POWER
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8A398368
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbuhci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8AE4E1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\ftdisk.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0841F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8A8EB500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8A8EB500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8A8EB500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8A8EB500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\netbt.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: 8A8EB500
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_READ
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_WRITE
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\cdrom.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8ADAD1F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: B821B740
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B821BC64
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B821BAA6
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\tcpip.sys
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B821B84C
Hooking Module: C:\WINDOWS\system32\drivers\afwcore.sys

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\DRIVERS\usbehci.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8ADC11F8
Hooking Module: _unknown_

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE_NAMED_PIPE
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CLOSE
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_READ
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_WRITE
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_EA
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_EA
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_FLUSH_BUFFERS
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_VOLUME_INFORMATION
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DIRECTORY_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_FILE_SYSTEM_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SHUTDOWN
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_LOCK_CONTROL
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CLEANUP
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_CREATE_MAILSLOT
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_SECURITY
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_SECURITY
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_POWER
Jump To: B9EAFE1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: B9EC4514
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_DEVICE_CHANGE
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_QUERY_QUOTA
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: \Driver\PCI_PNP2488
Hooked IRP: IRP_MJ_SET_QUOTA
Jump To: B9EEBB1C
Hooking Module: spyn.sys

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CREATE
Jump To: 8B0F41F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_CLOSE
Jump To: 8B0F41F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_DEVICE_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_INTERNAL_DEVICE_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_POWER
Jump To: 8B0F41F8
Hooking Module: _unknown_

Hooked Module: C:\WINDOWS\system32\drivers\sbp2port.sys
Hooked IRP: IRP_MJ_SYSTEM_CONTROL
Jump To: 8B0F41F8
Hooking Module: _unknown_

guestolo · « **Reply #13 on:** November 14, 2009, 03:12:18 PM »

sp??.sys is most likely hooked with SPTD.sys
This may have been installed with Daemon tools
But Daemon tools won't remove it when uninstalled, because other software may need the use of sptd.sys

We can remove it if you want, but it may break some programs performance, or may not

I more concerned about something in your ComboFix log
Can you again delete your copy of ComboFix, and download a fresh copy, it's important to have the latest copy
Run a fresh scan with it
NOTE: Don't let Outpost firewall interfere, you may have to exit it before running combofix

Flim · « **Reply #14 on:** November 14, 2009, 03:49:56 PM »

[quote name=\'guestolo\' post=\'466302\' date=\'Nov 14 2009, 12:12 PM\']We can remove it if you want, but it may break some programs performance, or may not[/quote]

I wouldn't mind having a go. I don't like the way it interferes in Safe Mode and I think it may contribute to me not being able to get SP3 to work.

Here's CF Log - (I exited/stopped the Outpost service altogether)

ComboFix 09-11-15.01 - B4BD 14/11/2009 12:28.2.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2702 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2009-10-14 to 2009-11-14 )))))))))))))))))))))))))))))))
.

2009-11-14 16:21 . 2009-11-09 17:51 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-14 14:37 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-14 16:22 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-14 20:25 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-14 16:05 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-14 14:00 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_05.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-14 18:57 . 2009-11-14 18:57 16384 c:\windows\Temp\Perflib_Perfdata_8fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]

c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr
*Deregistered* - PROCEXP113

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 12:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"hahdeppddjlnhgph"=hex:69,61,68,65,6e,66,6f,6d,68,6b,65,65,6c,6c,6e,67,66,6d,
00,00
"jaidfafppidcifadppoc"=hex:6f,61,65,65,68,6c,67,67,66,70,6f,69,61,6b,61,6c,6d,
62,66,66,6e,6f,6e,6a,65,6d,68,6b,62,6f,00,77

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1976)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(2664)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
.
Completion time: 2009-11-14 12:43
ComboFix-quarantined-files.txt 2009-11-14 20:43
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-13 05:05
ComboFix3.txt 2009-11-02 04:14
ComboFix4.txt 2009-11-02 01:22
ComboFix5.txt 2009-11-14 20:27

Pre-Run: 34,962,481,152 bytes free
Post-Run: 34,914,930,688 bytes free

- - End Of File - - E1413F11FBCAF95273B40A1AFF470223

guestolo · « **Reply #15 on:** November 14, 2009, 04:46:24 PM »

Download [color=\"#0000FF\"]Gmer's mbr.exe[/color] to your desktop

click the downloaded file to run the scan (a window will open briefly, then close).
The scan will create a mbr.log on your desktop - please copy/paste those contents in your next reply.

Flim · « **Reply #16 on:** November 14, 2009, 07:24:07 PM »

MBR log -

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

guestolo · « **Reply #17 on:** November 14, 2009, 07:54:26 PM »

Copy ALL the BLUE text below and Paste to notepad
Don't use anything else than notepad or the script will not work

[color=\"#0000FF\"]KillAll::

RegNull::
[HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]

Registry::
[-HKEY_USERS\S-1-5-21-3994270617-2529867172-3576088430-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E929811-4D96-5148-50D2-98D81071B5A9}*]

[/color]
Save this as txtfile on your desktop, with the exact name of
CFScript

Drag CFScript.txt into ComboFix.exe
Combofix will start>>Follow the prompts
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When finished, it shall produce a log for you with the same name C:\ComboFix.txt..
Can I see that log again

Flim · « **Reply #18 on:** November 14, 2009, 09:25:27 PM »

During execution a crash message popped up "PEV.exe has encountered a problem...."

I just let everything keep going. After reboot the firewall started up again - I OK'd the popups while I suspended Outpost and let it finish. I noticed on the way by (I was on a phone call while it was running) that one of the windows I ok'd was to do with pev.cfxe

Here's the log -

ComboFix 09-11-15.01 - B4BD 14/11/2009 17:25.3.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.2.1033.18.3326.2711 [GMT -8:00]
Running from: c:\documents and settings\B4BD\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\B4BD\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: Outpost Firewall Pro *enabled* {8A20CA2A-9E02-4A64-923B-0A38208EB7FD}
.

((((((((((((((((((((((((( Files Created from 2009-10-15 to 2009-11-15 )))))))))))))))))))))))))))))))
.

2009-11-14 16:21 . 2009-11-09 17:51 4026136 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgui.exe
2009-11-14 16:21 . 2009-11-09 17:51 2016536 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtray.exe
2009-11-14 16:21 . 2009-11-09 17:51 1257240 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgfrw.exe
2009-11-14 16:21 . 2009-10-18 17:48 600344 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgnsx.exe
2009-11-14 16:21 . 2009-11-09 17:51 3963672 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgcorex.dll
2009-11-14 16:21 . 2009-10-24 07:05 496920 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgchjwx.dll
2009-11-14 14:12 . 2009-11-14 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2009-11-11 14:48 . 2009-11-11 14:47 2124089 ----a-w- c:\temp\pictures.zip
2009-11-11 14:23 . 2009-11-11 14:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Research In Motion
2009-11-09 17:50 . 2009-10-18 17:48 610072 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgiproxy.exe
2009-11-09 14:23 . 2009-11-09 14:24 -------- d-----w- C:\rsit
2009-11-09 06:42 . 2008-05-30 01:00 806985 ----a-w- c:\windows\system32\hcwtvwnd.dll
2009-11-09 06:42 . 2008-05-09 05:13 294968 ----a-w- c:\windows\system32\hcwpnp32.dll
2009-11-09 06:42 . 2008-04-22 22:53 163840 ----a-w- c:\windows\system32\hcwChDB.dll
2009-11-09 06:42 . 2008-03-26 22:54 30720 ----a-w- c:\windows\system32\hcwWinTVCI.dll
2009-11-09 06:42 . 2008-03-12 01:36 106552 ----a-w- c:\windows\system32\hcwi2c32.dll
2009-11-09 06:42 . 2004-06-08 08:03 36921 ----a-w- c:\windows\system32\hcwutl32.dll
2009-11-09 06:42 . 2004-01-26 22:49 90190 ----a-w- c:\windows\system32\Bt848WST.DLL
2009-11-09 06:42 . 2003-11-07 20:45 106559 ----a-w- c:\windows\system32\hcwTVDlg.dll
2009-11-09 06:42 . 1999-04-28 00:26 11264 ----a-w- c:\windows\system32\hcwhook.dll
2009-11-09 06:42 . 2001-07-19 16:44 393216 ----a-w- c:\windows\system32\hcwsnbd9.dll
2009-11-08 15:38 . 2009-11-14 14:37 -------- d-----w- C:\Fix
2009-11-04 04:33 . 2009-11-04 04:33 -------- d-----w- C:\found.000
2009-11-03 14:37 . 2009-11-03 14:40 197676 ----a-w- C:\MGlogs.zip
2009-11-03 14:35 . 2009-11-03 14:40 -------- d-----w- C:\MGtools
2009-11-03 03:30 . 2009-11-03 03:30 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-11-03 03:29 . 2009-11-11 21:38 -------- d-----w- c:\documents and settings\B4BD\Application Data\SUPERAntiSpyware.com
2009-11-02 13:57 . 2009-11-02 13:57 3584 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-11-02 13:57 . 2009-11-02 13:57 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-11-01 21:50 . 2009-11-09 05:32 -------- d-----w- C:\Hauppauge
2009-10-31 15:27 . 2009-01-28 19:52 142337 ----a-w- c:\windows\system32\Wait.exe
2009-10-31 15:27 . 2009-11-09 13:55 -------- d-----w- c:\program files\WinTV
2009-10-31 15:16 . 2009-11-11 21:39 363088 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-10-25 18:46 . 2009-10-25 18:46 -------- d-----w- c:\documents and settings\B4BD\Application Data\AVG9
2009-10-24 16:08 . 2009-10-24 16:12 -------- d-----w- C:\I386
2009-10-24 07:06 . 2009-10-24 07:05 360584 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgtdix.sys
2009-10-24 07:04 . 2009-10-18 17:48 842520 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.exe
2009-10-24 07:04 . 2009-10-24 07:04 1657112 ----a-w- c:\documents and settings\All Users\Application Data\avg9\update\backup\avgupd.dll
2009-10-23 04:23 . 2009-10-23 04:23 -------- d-----w- c:\program files\Microsoft Windows 7 Upgrade Advisor
2009-10-18 17:49 . 2009-10-20 03:13 -------- d-----w- C:\$AVG
2009-10-18 17:48 . 2009-11-09 17:51 360584 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2009-10-18 17:48 . 2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2009-10-18 17:48 . 2009-10-18 17:48 333192 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-10-18 17:48 . 2009-10-18 17:48 28424 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-10-18 17:48 . 2009-11-14 16:22 -------- d-----w- c:\windows\system32\drivers\Avg
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\program files\AVG
2009-10-18 17:48 . 2009-10-18 17:48 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-11-15 01:21 . 2009-02-20 04:46 -------- d-----w- c:\program files\Everything
2009-11-15 00:54 . 2006-02-20 14:24 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-11-14 16:05 . 2009-01-08 19:57 1 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-11 21:38 . 2006-02-16 04:53 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-11-11 17:36 . 2007-08-08 03:35 -------- d-----w- c:\program files\ESET
2009-11-11 14:22 . 2009-07-10 13:45 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-11-11 14:13 . 2006-02-07 05:19 -------- d-----w- c:\documents and settings\B4BD\Application Data\AdobeUM
2009-11-10 14:32 . 2006-10-09 21:22 -------- d-----w- c:\program files\TimeLeft3
2009-11-10 14:30 . 2008-12-04 15:11 -------- d-----w- c:\program files\StationRipper
2009-11-10 14:29 . 2009-08-16 16:58 -------- d-----w- c:\program files\r2 Studios
2009-11-09 06:24 . 2005-12-23 23:15 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-11-08 22:51 . 2007-09-19 05:21 -------- d-----w- c:\program files\Yahoo!
2009-11-08 22:51 . 2007-09-19 05:22 -------- d-----w- c:\documents and settings\All Users\Application Data\YAHOO
2009-11-05 07:33 . 2009-06-06 18:53 -------- d-----w- c:\program files\TweakNow PowerPack 2009
2009-11-05 06:56 . 2007-03-02 13:45 -------- d-----w- c:\program files\WhatsRunning
2009-11-03 13:08 . 2007-11-21 05:35 -------- d-----w- c:\program files\EarthTime
2009-11-03 13:08 . 2007-01-06 01:01 -------- d-----w- c:\program files\Aurora Media Workshop
2009-11-02 13:56 . 2008-03-24 13:45 -------- d-----w- c:\program files\MSECache
2009-11-02 05:38 . 2009-06-12 05:26 -------- d-----w- c:\program files\Common Files\Roxio Shared
2009-11-02 05:09 . 2009-04-11 18:13 -------- d-----w- c:\program files\AML Registry Cleaner
2009-11-02 04:39 . 2007-06-12 15:16 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G5
2009-11-02 04:38 . 2007-10-09 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\River Past G4
2009-11-02 00:50 . 2009-01-15 16:06 -------- d-----w- c:\program files\Kiwi CatTools3
2009-11-02 00:50 . 2007-05-28 15:10 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-11-02 00:49 . 2009-10-01 12:44 -------- d-----w- c:\program files\Syslogd
2009-10-31 05:22 . 2008-03-16 03:13 492164 ------w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\ISSetup.dll
2009-10-31 05:22 . 2008-03-16 03:13 460248 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\setup.exe
2009-10-31 05:22 . 2008-03-16 03:13 164784 ----a-w- c:\documents and settings\B4BD\Application Data\InstallShield Installation Information\{0D025345-1033-4F35-A5CE-68CDCDE6CC03}\_Setup.dll
2009-10-25 21:03 . 2009-08-04 15:26 -------- d-----w- c:\documents and settings\B4BD\Application Data\vlc
2009-10-25 15:44 . 2009-04-18 13:53 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-25 15:43 . 2009-08-23 14:08 4045528 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-10-23 03:23 . 2008-03-02 18:02 -------- d-----w- c:\documents and settings\B4BD\Application Data\Canon
2009-10-20 13:03 . 2009-09-24 12:51 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-10-20 03:40 . 2007-10-18 13:06 -------- d-----w- c:\program files\SmartWhois
2009-10-18 17:54 . 2005-12-24 02:23 213936 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-10-12 17:22 . 2009-10-12 17:22 -------- d-----w- c:\program files\DemoForge
2009-10-09 03:30 . 2006-06-21 14:29 -------- d-----w- c:\program files\Java
2009-10-09 03:29 . 2009-10-09 03:29 152576 ----a-w- c:\documents and settings\B4BD\Application Data\Sun\Java\jre1.6.0_15\lzma.dll
2009-10-04 22:25 . 2009-02-26 15:03 -------- d-----w- c:\program files\Opera
2009-09-22 05:05 . 2009-09-22 05:05 -------- d-----w- c:\program files\JRE
2009-09-22 05:04 . 2009-01-08 19:46 -------- d-----w- c:\program files\OpenOffice.org 3
2009-09-21 03:50 . 2009-07-06 04:52 -------- d-----w- c:\program files\Songbird
2009-09-14 18:44 . 2008-07-15 05:31 256792 ----a-w- c:\windows\system32\drivers\afwcore.sys
2009-09-10 21:54 . 2009-04-18 13:53 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-10 21:53 . 2009-04-18 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-03 13:27 . 2009-09-03 13:27 10134 ----a-r- c:\documents and settings\B4BD\Application Data\Microsoft\Installer\{57A5EB05-1B4C-4133-9315-5ECDFC01C0F4}\ARPPRODUCTICON.exe
2009-08-29 00:36 . 2008-04-26 15:56 714112 ----a-w- c:\windows\system32\drivers\SandBox.sys
2009-08-18 04:27 . 2009-08-18 04:27 686080 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\pdfimport.uno.dll
2009-08-18 04:27 . 2009-08-18 04:27 568832 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcp90.dll
2009-08-18 04:27 . 2009-08-18 04:27 655872 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcr90.dll
2009-08-18 04:27 . 2009-08-18 04:27 583168 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\xpdfimport.exe
2009-08-18 04:27 . 2009-08-18 04:27 224768 ----a-w- c:\documents and settings\B4BD\Application Data\OpenOffice.org\3\user\uno_packages\cache\uno_packages\56F.tmp_\sun-pdfimport.oxt\msvcm90.dll
2007-04-11 20:12 . 2008-01-04 22:36 2279464 ----a-w- c:\program files\PcSetup.exe
2006-02-23 15:16 . 2007-06-24 14:50 34048 ----a-w- c:\program files\mozilla firefox\plugins\upd62i9x.dll
2006-02-23 15:16 . 2007-06-24 14:50 45056 ----a-w- c:\program files\mozilla firefox\plugins\upd62int.dll
2006-05-03 09:06 . 2009-08-17 05:09 163328 --sh--r- c:\windows\system32\flvDX.dll
2007-02-21 10:47 . 2009-08-17 05:09 31232 --sh--r- c:\windows\system32\msfDX.dll
2008-03-16 12:30 . 2009-08-17 05:09 216064 --sh--r- c:\windows\system32\nbDX.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-11-13_05.01.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-11-15 01:40 . 2009-11-15 01:40 16384 c:\windows\temp\Perflib_Perfdata_8a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"$Volumouse$"="c:\appsnoinstall\volumouse\volumouse.exe" [2009-03-15 31744]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-12 483422]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2009-11-14 2020120]
"Acronis Scheduler2 Service"="c:\program files\Common Files\Acronis\Schedule2\schedhlp.exe" [2007-10-31 140568]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2007-10-31 909208]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2007-10-31 2595616]
"CoolSwitch"="c:\windows\system32\taskswitch.exe" [2002-03-20 45632]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"OutpostMonitor"="c:\progra~1\Agnitum\OUTPOS~1\op_mon.exe" [2009-09-24 1270080]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"OutpostFeedBack"="c:\program files\Agnitum\Outpost Firewall Pro\feedback.exe" [2009-09-23 436552]

c:\documents and settings\B4BD\Start Menu\Programs\Startup\AutorunsDisabled
TimeLeft.lnk - c:\program files\TimeLeft3\TimeLeft3\TimeLeft.exe [2006-12-9 1026560]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
APC UPS Status.lnk - c:\program files\APC\APC PowerChute Personal Edition\Display.exe [2007-9-15 221247]

c:\documents and settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2009-4-19 25214]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyPictures"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-10-18 17:48 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"<NO NAME>"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCDiag.exe"=
"c:\\Program Files\\Media Center Diagnostic Kit\\MCEHostRemote.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\InstallShield\\engine\\6\\Intel 32\\Ikernel.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVTray.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASSelector.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\NASDriveMapper.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPEZBkup.exe"=
"c:\\Program Files\\Hewlett-Packard\\HP Media Vault\\Utilities\\HPMVCheck.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Engine\\YahooMusicEngine.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\WINDOWS\\system32\\LMabcoms.exe"=
"c:\\Program Files\\Red Chair Software\\Notmad Explorer\\notmgr.exe"=
"c:\\Program Files\\Red Chair Software\\Audigen Explorer\\audmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"9000:TCP"= 9000:TCP:SqueezeCenter 9000 tcp
"3483:UDP"= 3483:UDP:SqueezeCenter 3483 udp
"3483:TCP"= 3483:TCP:SqueezeCenter 3483 tcp

R1 Asapi;Asapi;c:\windows\system32\drivers\asapi.sys [21/06/2006 7:12 PM 11264]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [18/10/2009 9:48 AM 333192]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [18/10/2009 9:48 AM 360584]
R1 oxfwlf;oxfwlf;c:\windows\system32\drivers\OxFWLF.sys [02/12/2003 10:47 AM 12616]
R1 SandBox;SandBox;c:\windows\system32\drivers\SandBox.sys [26/04/2008 7:56 AM 714112]
R2 acssrv;Agnitum Client Security Service;c:\progra~1\Agnitum\OUTPOS~1\acs.exe [26/04/2008 7:56 AM 1338560]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [18/10/2009 9:48 AM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [18/10/2009 9:48 AM 285392]
R3 afw;Agnitum firewall driver;c:\windows\system32\drivers\afw.sys [26/04/2008 7:56 AM 31128]
R3 afwcore;afwcore;c:\windows\system32\drivers\afwcore.sys [14/07/2008 9:31 PM 256792]
R3 HCW85BDA;Hauppauge WinTV 885 Video Capture;c:\windows\system32\drivers\HCW85BDA.sys [12/05/2009 9:28 PM 1432960]
R3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [07/09/2006 8:16 PM 10112]
S3 ASWFilt;ASWFilt;c:\windows\system32\Filt\ASWFilt.dll [26/04/2008 7:56 AM 33920]
S3 DVRMSFileWatcherService;DVRMSFileWatcherService;c:\program files\DVRMSToolbox\DVRMSFileWatcherService.exe [27/02/2007 8:53 PM 20480]
S3 ehMonitor;Media Center Monitor Service;c:\program files\Media Center Diagnostic Kit\Tests\Bin\ehMonitor.exe [07/09/2005 6:18 PM 49336]
S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;

S3 HauppaugeTVServer;HauppaugeTVServer;c:\progra~1\WinTV\HCWTVS~1.EXE [08/11/2009 10:43 PM 823296]
S3 IAMTXP;Driver for Intel® Active Management Technology - KCS;c:\windows\system32\drivers\IAMTXP.sys [23/12/2005 3:17 PM 38528]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [23/12/2008 7:35 AM 50704]
S3 OXUDIDRV;OXUDIDRV;c:\windows\system32\drivers\OXUDIDRV_X32.sys [03/09/2009 5:49 AM 17664]
S3 OxUSBLF;Oxsemi USB filter driver;c:\windows\system32\drivers\OxUSBLF.sys [31/05/2005 2:39 PM 7808]
S3 PSI;PSI;c:\windows\system32\drivers\psi_mf.sys [24/03/2009 3:03 AM 7808]
S3 QCPro;Logitech QuickCam Pro USB(PID_D001);c:\windows\system32\drivers\p35u.sys [12/11/2006 8:34 AM 116448]
S3 rspSanity;rspSanity;c:\windows\system32\drivers\rspSanity32.sys [17/06/2009 10:22 PM 30136]
S4 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;c:\program files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [10/09/2007 11:45 PM 124832]
S4 gupdate1c99e16a3dd4ece;Google Update Service (gupdate1c99e16a3dd4ece);c:\program files\Google\Update\GoogleUpdate.exe [05/03/2009 8:47 PM 133104]

--- Other Services/Drivers In Memory ---

*Deregistered* - mbr

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\AutorunsDisabled\{621FCD24-4498-4324-A81E-07D331376EDF}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder

2009-07-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-29 13:19]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2009-07-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-06 04:46]

2008-12-08 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\B4BD\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-02 14:13]
.
.
------- Supplementary Scan -------
.
uStart Page = file:///C:/Documents%20and%20Settings/B4BD/Application%20Data/LastPass/iehome.html
IE: Add to Evernote - c:\program files\Evernote\Evernote3\enbar.dll/2000
TCP: {241E0D44-3E60-4164-9E31-0D7447F037D1} = 208.67.222.222,208.67.220.220
Handler: AutorunsDisabled\intu-qt2007 - {026BF40D-BA05-467b-9F1F-AD0D7A3F5F11} - c:\program files\QuickTax 2007\ic2007pp.dll
FF - ProfilePath - c:\documents and settings\B4BD\Application Data\Mozilla\Firefox\Profiles\ypiv51q7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-11-14 17:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0841F8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\atapi -> 0x8b0841f8
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(2008)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3092)
c:\windows\system32\WININET.dll
c:\appsnoinstall\volumouse\vlmshlp.dll
c:\windows\system32\ieframe.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTJBNS2.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTIntrfc.dll
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\CTConfig.DLL
c:\program files\Creative\Creative Zen Micro\Zen Micro Media Explorer\JBNSRES.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\idt\intelxpv_v103\wdm\STacSV.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\APC\APC PowerChute Personal Edition\mainserv.exe
c:\program files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\windows\system32\wscntfy.exe
c:\program files\APC\APC PowerChute Personal Edition\apcsystray.exe
.
**************************************************************************
.
Completion time: 2009-11-14 17:51 - machine was rebooted
ComboFix-quarantined-files.txt 2009-11-15 01:51
ComboFix091101.txt 2009-11-01 20:39
ComboFix2.txt 2009-11-14 20:43
ComboFix3.txt 2009-11-13 05:05
ComboFix4.txt 2009-11-02 04:14
ComboFix5.txt 2009-11-15 01:23

Pre-Run: 34,928,881,664 bytes free
Post-Run: 34,871,250,944 bytes free

- - End Of File - - F7F7BCA5B08FBCD3F22102AA9B92F09E

guestolo · « **Reply #19 on:** November 14, 2009, 09:33:46 PM »

I'm a little concerned that Combofix acknowledges that the MBR is infected
But the same scanner used by Gmer says it's clean

Can you do the following
mbr.exe MUST be on your desktop to complete the following.

Highlight and copy the following bolded blue command.

[color=\"#4169E1\"]"%userprofile%\desktop\mbr.exe" -f[/color]

Click Start>Run, paste the command in the Run dialog then hit enter.

After the fix runs please reboot the computer.

Please post the log it produces

News:

Author Topic: I have Hidden Kernel Modules that don't look right (Read 5979 times)