
Win32/Rootkit.Podnuha.trojan (Please Help)


This topic is locked
23 replies to this topic

#1 fdsaurbo (Members, 13 posts)

Posted 04 January 2009 - 06:35 PM

Listed as an Alcohol 120% browser helper object but is a trojan - picked up during a Christmas screensaver install on 12/25/2008 at 12:48pm (pbhne.dll)...
No program or method I've tried has been able to remove this .dll / Please Help!

C:\WINDOWS\system32\pbhne.dll
Probably a variant of the Win32/Rootkit.Podnuha.trojan
Runs under explorer.EXE



DDS (Version 1.1.0) - NTFSx86
Run by Owner at 18:19:44.00 on Sun 01/04/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.61 [GMT -5:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = https://remoteaccess.worthingtonindustries.com/my.logon.php3
uSearch Page = hxxp://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
uDefault_Page_URL = about:blank
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uSearch Bar = hxxp://www.dogpile.com
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
uCustomizeSearch = hxxp://www.dogpile.com
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {3d213d2a-d46e-4300-b1ca-7443086bfc1d} - c:\windows\system32\pbhne.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [CursorFX] "c:\program files\stardock\cursorfx\CursorFX.exe"
mRun: [hpsysdrv] c:\windows\system\hpsysdrv.exe
mRun: [Recguard] c:\windows\sminst\RECGUARD.EXE
mRun: [VTTimer] VTTimer.exe
mRun: [HPHUPD05] "c:\program files\hp\{45b6180b-dcab-4093-8ee8-6164457517f0}\hphupd05.exe"
mRun: [HPHmon05] c:\windows\system32\hphmon05.exe
mRun: [KBD] c:\hp\kbd\KBD.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
dRunOnce: [RunNarrator] Narrator.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
uPolicies-explorer: MemCheckBoxInRunDlg = 1 (0x1)
uPolicies-explorer: NoStrCmpLogical = 1 (0x1)
mPolicies-explorer: NoChangeAnimation = 1 (0x1)
mPolicies-explorer: NoStrCmpLogical = 1 (0x1)
IE: &AOL Toolbar search
IE: &MSN Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\canon\easy-webprint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\canon\easy-webprint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\canon\easy-webprint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\canon\easy-webprint\Resource.dll/RC_Print.html
IE: Open in new background tab
IE: Open in new foreground tab
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\microsoft office\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: turbotax.com
Notify: igfxcui - igfxsrvc.dll
Notify: MCPClient - c:\progra~1\common~1\stardock\mcpstub.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
SSODL: 0aMCPClient - {F5DF91F9-15E9-416B-A7C3-7519B11ECBFC} - c:\program files\common files\stardock\MCPCore.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - No File

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\tabhjx2r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thewbalchannel.com/
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\tabhjx2r.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\itiva\itiva media accelerator\npima.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

============= SERVICES / DRIVERS ===============

R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2004-2-4 23424]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-1-22 27008]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-1-2 10752]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-11-21 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-11-21 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-11-21 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-11-21 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-11-21 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-11-21 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-11-21 115752]

=============== Created Last 30 ================

2009-01-04 15:55 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2009-01-04 15:55 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-01-04 15:55 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 15:55 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-04 15:55 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-02 23:20 <DIR> --d----- c:\program files\Trend Micro
2009-01-02 14:27 10,752 a------- c:\windows\system32\drivers\urfltw2k.sys
2008-12-30 23:34 <DIR> --d----- c:\docume~1\owner\applic~1\True Sword
2008-12-30 23:34 <DIR> --d----- c:\program files\True Sword 5
2008-12-30 14:35 <DIR> --d----- c:\program files\AVG
2008-12-30 13:36 <DIR> --d----- c:\program files\Panda Security
2008-12-30 13:28 <DIR> --d----- c:\documents and settings\owner\.housecall6.6
2008-12-30 12:53 432 a------- c:\windows\system32\iolo.ini
2008-12-30 12:53 406 a------- c:\windows\system32\ioloBootDefrag.cfg
2008-12-30 12:50 118,784 a------- c:\windows\system32\iavlsp.dll
2008-12-30 12:35 74,703 a------- c:\windows\system32\mfc45.dll
2008-12-30 12:34 <DIR> --d----- c:\docume~1\owner\applic~1\iolo
2008-12-30 12:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\iolo
2008-12-26 15:41 <DIR> --d-h--- c:\windows\PIF
2008-12-26 15:35 8,628,774 a------- c:\windows\system32\xa6975328.exe
2008-12-26 15:35 8,628,774 a------- c:\windows\system32\xa6974093.exe
2008-12-25 12:48 95,744 a------- c:\windows\system32\pbhne.dll
2008-12-24 23:37 511 a------- c:\windows\Snowflake Screen Saver Audio Files.dat
2008-12-24 23:37 376 a------- c:\windows\Snowflake Screen Saver Captions.dat
2008-12-24 23:37 82 a------- c:\windows\top-windows-downloads.url
2008-12-24 23:37 74 a------- c:\windows\xm.url
2008-12-24 23:37 307,200 -------- c:\windows\Setup1.exe
2008-12-24 23:37 73,216 a------- c:\windows\ST6UNST.EXE
2008-12-15 19:23 <DIR> --d----- c:\program files\Microsoft Visual Studio 8
2008-12-13 22:48 <DIR> --d----- c:\windows\system32\novell
2008-12-13 22:48 823,296 -------- c:\windows\system32\ccsw32.dll
2008-12-13 22:47 <DIR> --d----- c:\windows\system32\nls
2008-12-13 22:44 <DIR> --d----- C:\Novell
2008-12-12 16:47 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-07 14:17 57,344 a------- c:\windows\system32\Wnaspint.dll
2008-12-07 14:17 32,768 a------- c:\windows\system32\Wnaspi32.dll
2008-12-07 14:17 <DIR> --d----- c:\program files\Acoustica MP3 CD Burner
2008-12-07 14:17 <DIR> --d----- c:\docume~1\owner\applic~1\Acoustica
2008-12-07 11:57 <DIR> --d----- c:\program files\MP3 CD Converter Professional

==================== Find3M ====================

2008-12-02 21:21 47,360 ac------ c:\windows\system32\drivers\pcouffin.sys
2008-12-02 21:21 47,360 ac------ c:\docume~1\owner\applic~1\pcouffin.sys
2008-12-02 21:21 87,608 a------- c:\docume~1\owner\applic~1\inst.exe
2008-11-10 05:43 410,984 a------- c:\windows\system32\deploytk.dll
2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-16 14:06 268,648 a------- c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 a------- c:\windows\system32\muweb.dll
2007-01-06 11:34 87,608 ac------ c:\docume~1\owner\applic~1\ezpinst.exe
2006-11-02 21:13 92,064 ac------ c:\documents and settings\owner\mqdmmdm.sys
2006-11-02 21:13 79,328 ac------ c:\documents and settings\owner\mqdmserd.sys
2006-11-02 21:13 5,936 ac------ c:\documents and settings\owner\mqdmwhnt.sys
2006-11-02 21:13 66,656 ac------ c:\documents and settings\owner\mqdmbus.sys
2006-11-02 21:13 25,600 ac------ c:\documents and settings\owner\usbsermptxp.sys
2006-11-02 21:13 22,768 ac------ c:\documents and settings\owner\usbsermpt.sys
2006-11-02 21:13 9,232 ac------ c:\documents and settings\owner\mqdmmdfl.sys
2006-11-02 21:13 6,208 ac------ c:\documents and settings\owner\mqdmcmnt.sys
2006-11-02 21:13 4,048 ac------ c:\documents and settings\owner\mqdmcr.sys
2005-03-10 22:27 0 ac-sh--- c:\windows\sminst\HPCD.sys
2008-09-01 12:28 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008090120080902\index.dat

============= FINISH: 18:20:27.64 ===============
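The DDS report above carries the tell on its own: the BHO at {3d213d2a-...} is registered with no product name, its DLL sits in system32, and the "Created Last 30" section dates that DLL to the same minute as the screensaver install. The following script is an added example, not part of the original post and not a BleepingComputer or DDS tool; it parses a few lines copied from the report (a constructed sample embedded inline) and flags load points that are unnamed, orphaned ("No File"), or backed by a recently created file. DDS prints some paths in 8.3 form (c:\progra~1), so the path join only works where both sections use the same spelling; that limitation is noted in the code.

```python
import re
from datetime import date

# Constructed sample: a few lines copied from the DDS "Pseudo HJT Report" and
# "Created Last 30" sections of the post above, trimmed to what the triage needs.
HJT_LINES = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: {3d213d2a-d46e-4300-b1ca-7443086bfc1d} - c:\windows\system32\pbhne.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
"""

CREATED_LINES = r"""
2009-01-04 15:55 <DIR> --d----- c:\docume~1\owner\applic~1\Malwarebytes
2008-12-25 12:48 95,744 a------- c:\windows\system32\pbhne.dll
2008-12-24 23:37 307,200 -------- c:\windows\Setup1.exe
"""

# Date from the DDS header ("Run by Owner at 18:19:44.00 on Sun 01/04/2009").
SCAN_DATE = date(2009, 1, 4)

# "BHO: <name>: {CLSID} - <path>"; the name is optional, and its absence is
# exactly the property the triage wants to notice.
HJT_RE = re.compile(
    r"^(?P<kind>BHO|TB|EB|SEH): (?:(?P<name>[^{]+?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$"
)
# "<date> <time> <size or <DIR>> <attrs> <path>"
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2} (?P<size>[\d,]+|<DIR>) \S+ (?P<path>.+)$"
)


def parse_created(text):
    """Map lower-cased path -> creation date from a 'Created Last 30' section.
    Only exact spellings match: DDS mixes 8.3 short names and long names."""
    created = {}
    for line in text.splitlines():
        m = CREATED_RE.match(line.strip())
        if m:
            created[m["path"].lower()] = date.fromisoformat(m["date"])
    return created


def triage(hjt_text, created_text, scan_date, window_days=30):
    """Return load-point entries worth a closer look, most suspicious first."""
    created = parse_created(created_text)
    findings = []
    for line in hjt_text.splitlines():
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        path = m["path"].strip()
        reasons = []
        if path.lower() == "no file":
            reasons.append("no_file")    # orphaned registration: stale, cleanable
        else:
            if m["name"] is None:
                reasons.append("unnamed")  # loaded into IE with no product name
            when = created.get(path.lower())
            if when is not None and 0 <= (scan_date - when).days <= window_days:
                reasons.append("recent")   # file appeared shortly before the scan
        if reasons:
            findings.append({"kind": m["kind"], "clsid": m["clsid"],
                             "path": path, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LINES, CREATED_LINES, SCAN_DATE):
        print(f["kind"], f["clsid"], f["path"], ",".join(f["reasons"]))
```

Run stand-alone, it lists the pbhne.dll entry first with both "unnamed" and "recent" set, then the two "No File" orphans, and says nothing about the named Adobe and Spybot helpers; that ordering is the same one a helper reaches by eye when reading a DDS log.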


#2 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 18 January 2009 - 12:43 AM

Hi fdsaurbo
Welcome to Bleeping Computer.
I'm maranatha and I will be handling your log to help you get cleaned up. I am a student here at BC so all my posts will be checked by one of our experts, so there may be a slight delay between posts.

Please respond to this post if you still require help.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!


My help is always free, But I do accept donations.
Donate Here


#3 fdsaurbo (Topic Starter, Members, 13 posts)

Posted 20 January 2009 - 11:16 PM

I've disabled the thing in IE Browser add-on settings, but it still resides in my computer. Should I worry about it?! Should I just pretend it doesn't exist?

#4 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 21 January 2009 - 10:21 PM

Hi

Should I worry about it?! Should I just pretend it doesn't exist?

We will get rid of it, I also see other possible problems.

I will get back to you ASAP.

Thanks
maranatha



#5 fdsaurbo (Topic Starter, Members, 13 posts)

Posted 22 January 2009 - 12:08 AM

Thanks!.........I'll keep in touch to follow your lead......

#6 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 22 January 2009 - 11:38 PM

Hi fdsaurbo
Is this the screen saver you are speaking of?
Snowflake Screen Saver

There are a number of files we need to scan.

Please do the following.
  • Please go to Jotti's malware scan
  • Copy and paste the following file paths into the "File to upload & scan" box at the top of the page, one at a time:
    • c:\windows\system32\xa6975328.exe
    • c:\windows\system32\xa6974093.exe
    • c:\windows\system32\drivers\gsjdynca.sys
    • c:\windows\Setup1.exe
  • Click on the submit button
  • Please post the results in your next reply.
Thanks
maranatha



#7 fdsaurbo (Topic Starter, Members, 13 posts)

Posted 24 January 2009 - 12:06 AM

They found nothing in all the above files; however, when I scanned C:\windows\system32\pbhne.dll I got:
  • A-Squared: Found Rootkit.Win32.Podnuha!IK
  • AntiVir: Found RKIT/Podnuha.bje
  • ArcaVir: Found Trojan.Rootkit.Podnuha.Bje
  • Avast: Found Win32:Rootkit-gen
  • AVG Antivirus: Found nothing
  • BitDefender: Found Trojan.Spy.BZub.NIP
  • ClamAV: Found nothing
  • CPsecure: Found nothing
  • Dr.Web: Found Adware.Bho.327
  • F-Prot Antivirus: Found nothing
  • F-Secure Anti-Virus: Found Rootkit.Win32.Podnuha.bje
  • G DATA: Found nothing
  • Ikarus: Found nothing
  • Kaspersky Anti-Virus: Found Rootkit.Win32.Podnuha.bje
  • NOD32: Found Win32/Rootkit.Podnuha
  • Norman Virus Control: Found nothing
  • Panda Antivirus: Found Trj/Downloader.MDW
  • Sophos Antivirus: Found Mal/Generic-A
  • VirusBuster: Found nothing
  • VBA32: Found Rootkit.Win32.Podnuha.bje
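Multi-engine results like the list above are easiest to read once they are reduced to two numbers and one name: how many engines fired, and which family name the firing engines agree on, ignoring vendor prefixes such as "Trojan", "Rootkit" or "Mal/Generic" that carry no family information. The script below is an added example and not part of the original post or of Jotti's service; it takes the verdicts above as a constructed sample (one "Engine: Found verdict" line per engine) and produces that summary. The family heuristic (first alphabetic token of four or more letters that is not a generic label) is an assumption of this example, not a Jotti or vendor convention.

```python
import re
from collections import Counter

# Constructed sample: the per-engine verdicts posted above, normalized to
# one "Engine: Found <verdict>" line per engine.
RESULTS_TEXT = """\
A-Squared: Found Rootkit.Win32.Podnuha!IK
AntiVir: Found RKIT/Podnuha.bje
ArcaVir: Found Trojan.Rootkit.Podnuha.Bje
Avast: Found Win32:Rootkit-gen
AVG Antivirus: Found nothing
BitDefender: Found Trojan.Spy.BZub.NIP
ClamAV: Found nothing
CPsecure: Found nothing
Dr.Web: Found Adware.Bho.327
F-Prot Antivirus: Found nothing
F-Secure Anti-Virus: Found Rootkit.Win32.Podnuha.bje
G DATA: Found nothing
Ikarus: Found nothing
Kaspersky Anti-Virus: Found Rootkit.Win32.Podnuha.bje
NOD32: Found Win32/Rootkit.Podnuha
Norman Virus Control: Found nothing
Panda Antivirus: Found Trj/Downloader.MDW
Sophos Antivirus: Found Mal/Generic-A
VirusBuster: Found nothing
VBA32: Found Rootkit.Win32.Podnuha.bje
"""

# Type words and vendor prefixes that name a category, not a family.
GENERIC = {"trojan", "rootkit", "adware", "generic", "downloader", "spy",
           "gen", "trj", "rkit", "mal", "bho"}

LINE_RE = re.compile(r"^(?P<engine>.+?): Found (?P<verdict>.+)$")


def parse_results(text):
    """Return {engine: verdict or None}; 'Found nothing' becomes None."""
    results = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        verdict = m["verdict"].strip()
        results[m["engine"]] = None if verdict.lower() == "nothing" else verdict
    return results


def family_of(verdict):
    """Heuristic family name: first alphabetic token of 4+ letters that is not
    a generic label, lower-cased so vendor capitalisation does not split it."""
    for tok in re.split(r"[^A-Za-z0-9]+", verdict):
        if tok.isalpha() and len(tok) >= 4 and tok.lower() not in GENERIC:
            return tok.lower()
    return None


def summarize(results):
    """Count detections and tally family names across the engines that fired."""
    detections = {e: v for e, v in results.items() if v}
    families = Counter(f for f in map(family_of, detections.values()) if f)
    consensus = families.most_common(1)[0][0] if families else None
    return {"engines": len(results), "detections": len(detections),
            "families": families, "consensus": consensus}


if __name__ == "__main__":
    s = summarize(parse_results(RESULTS_TEXT))
    print(f"{s['detections']}/{s['engines']} engines fired; "
          f"consensus family: {s['consensus']}; tally: {dict(s['families'])}")
```

On this sample 12 of 20 engines fire and seven of them name Podnuha, which is the shape of a real detection rather than a single-vendor false positive; the generic verdicts (Win32:Rootkit-gen, Mal/Generic-A, Trj/Downloader.MDW) contribute to the count but, correctly, not to the family tally.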

#8 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 25 January 2009 - 11:24 AM

Hi fdsaurbo

That infection comes back as a backdoor Trojan.
Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, collect confidential data and information from the computer, log activity on the computer and more.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would suggest you disconnect this PC from the Internet immediately, change all passwords using a Non-infected computer (Not this one) and refrain from any credit card or financial dealings until clean. If you do any financial dealings with this computer Contact any credit card or banks for possible fraud on your account.


Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

Thanks
maranatha



#9 fdsaurbo (Topic Starter, Members, 13 posts)

Posted 27 January 2009 - 09:45 PM

I'd first like to kill it. If then I password protect the PC and install a good multi directional firewall, won't that disable any unauthorized activity on the PC?!

#10 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 27 January 2009 - 10:59 PM

Hi
Ok we'll clean it. And run a few scans to make sure it is as clean as we can make it.

A good firewall will help; also make sure you always use a strong password that includes letters, numbers and symbols and is at least 10 characters long.

Wait until we find you clean to do this.

I'll be back ASAP with the next steps.

maranatha



#11 maranatha (Malware Response Team, 1,229 posts, Seattle Washington)

Posted 28 January 2009 - 07:46 AM

Hi fdsaurbo

Please do the following.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.
  • Close all open programs and windows
  • Double click combofix.exe and follow the prompts.
  • Vista users right click Combofix.exe and select Run As Administrator.
  • When finished, it shall produce a log for you. Post the Combofix log
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

Please post the Combofix log and a new Hijackthis log.

Thanks
maranatha



#12 fdsaurbo (Topic Starter, Members, 13 posts)

Posted 28 January 2009 - 10:14 PM

Here is the COMBOFIX LOG (I will attach the HJT log next)

ComboFix 09-01-21.04 - Owner 2009-01-28 21:57:25.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.101 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Owner\Application Data\inst.exe
c:\windows\msvrc20.dll
c:\windows\system32\guard.tmp
c:\windows\system32\mfc45.dll
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FREEZESCREENSAVER
-------\Service_FreezeScreenSaver


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-29 )))))))))))))))))))))))))))))))
.

2009-01-28 16:40 . 2009-01-28 16:40 <DIR> d-------- c:\program files\Hasbro Interactive
2009-01-26 20:09 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Common Files\Sony Shared
2009-01-26 15:29 . 2009-01-26 15:29 <DIR> d-------- c:\program files\THQ
2009-01-25 21:23 . 2009-01-25 21:26 <DIR> d-------- c:\program files\RamBooster 2.0
2009-01-18 13:19 . 2009-01-18 13:19 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-17 00:54 . 2009-01-17 00:54 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-17 00:53 . 2009-01-17 00:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 00:53 . 2009-01-17 00:53 1,409 --a------ c:\windows\QTFont.for
2009-01-17 00:52 . 2009-01-17 00:52 <DIR> d-------- c:\program files\Apple Software Update
2009-01-17 00:52 . 2009-01-17 00:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-17 00:50 . 2009-01-17 00:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sony Setup
2009-01-17 00:49 . 2009-01-17 00:49 <DIR> d-------- c:\program files\Sony Setup
2009-01-13 21:52 . 2009-01-24 23:14 2,112 --a------ C:\bar.emf
2009-01-11 14:34 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-11 14:34 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-11 14:33 . 2008-04-13 14:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2009-01-11 14:33 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-01-11 14:33 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-11 14:32 . 2008-04-13 14:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys
2009-01-11 14:32 . 2008-04-13 20:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe
2009-01-11 14:32 . 2008-04-13 14:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-01-11 14:32 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-01-11 14:31 . 2008-04-13 14:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-01-11 14:31 . 2008-04-13 14:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys
2009-01-11 14:31 . 2008-04-13 14:45 11,520 --a--c--- c:\windows\system32\dllcache\scsiscan.sys
2009-01-11 14:31 . 2008-04-13 14:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys
2009-01-11 14:31 . 2008-04-13 14:36 6,912 --a--c--- c:\windows\system32\dllcache\smbclass.sys
2009-01-11 14:30 . 2008-04-13 20:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2009-01-11 14:30 . 2008-04-13 20:10 211,584 --a--c--- c:\windows\system32\dllcache\perm2dll.dll
2009-01-11 14:30 . 2008-04-13 20:12 159,232 --a--c--- c:\windows\system32\dllcache\ptpusd.dll
2009-01-11 14:30 . 2008-04-13 14:40 79,104 --a--c--- c:\windows\system32\dllcache\rocket.sys
2009-01-11 14:30 . 2008-04-13 20:12 29,696 --a--c--- c:\windows\system32\dllcache\rw450ext.dll
2009-01-11 14:30 . 2008-04-13 14:44 28,032 --a--c--- c:\windows\system32\dllcache\perm3.sys
2009-01-11 14:30 . 2008-04-13 14:44 27,904 --a--c--- c:\windows\system32\dllcache\perm2.sys
2009-01-11 14:30 . 2008-04-13 20:12 27,648 --a--c--- c:\windows\system32\dllcache\rw430ext.dll
2009-01-11 14:30 . 2008-04-13 14:41 17,664 --a--c--- c:\windows\system32\dllcache\ppa3.sys
2009-01-11 14:30 . 2008-04-13 14:40 8,832 --a--c--- c:\windows\system32\dllcache\powerfil.sys
2009-01-11 14:30 . 2008-04-13 14:40 6,016 --a--c--- c:\windows\system32\dllcache\qic157.sys
2009-01-11 14:29 . 2008-04-13 14:46 49,024 --a--c--- c:\windows\system32\dllcache\mstape.sys
2009-01-11 14:29 . 2008-04-13 14:54 28,672 --a--c--- c:\windows\system32\dllcache\nscirda.sys
2009-01-11 14:28 . 2008-04-13 20:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2009-01-11 14:28 . 2008-04-13 20:11 48,640 --a--c--- c:\windows\system32\dllcache\kdsui.dll
2009-01-11 14:28 . 2008-04-13 14:40 34,688 --a--c--- c:\windows\system32\dllcache\lbrtfdc.sys
2009-01-11 14:28 . 2008-04-13 14:41 26,112 --a--c--- c:\windows\system32\dllcache\memstpci.sys
2009-01-11 14:28 . 2008-04-13 14:54 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys
2009-01-11 14:28 . 2008-04-13 14:40 7,040 --a--c--- c:\windows\system32\dllcache\ltotape.sys
2009-01-11 14:27 . 2008-04-13 20:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-11 14:27 . 2008-04-13 14:54 88,192 --a--c--- c:\windows\system32\dllcache\irda.sys
2009-01-11 14:27 . 2008-04-13 20:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-11 14:27 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-01-11 14:27 . 2008-04-13 20:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-01-11 14:26 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-01-11 14:26 . 2008-04-13 14:45 59,136 --a--c--- c:\windows\system32\dllcache\gckernel.sys
2009-01-11 14:26 . 2008-04-13 14:40 28,288 --a--c--- c:\windows\system32\dllcache\grserial.sys
2009-01-11 14:26 . 2008-04-13 20:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-01-11 14:26 . 2008-04-13 14:36 20,352 --a--c--- c:\windows\system32\dllcache\hidbatt.sys
2009-01-11 14:26 . 2008-04-13 14:41 18,560 --a--c--- c:\windows\system32\dllcache\i2omp.sys
2009-01-11 14:26 . 2008-04-13 14:45 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2009-01-11 14:26 . 2008-04-13 14:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-01-11 14:26 . 2008-04-13 14:41 8,576 --a--c--- c:\windows\system32\dllcache\i2omgmt.sys
2009-01-11 14:25 . 2008-04-13 14:39 206,976 --a--c--- c:\windows\system32\dllcache\dot4.sys
2009-01-11 14:25 . 2008-04-13 20:12 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-01-11 14:24 . 2008-04-13 20:11 249,856 --a--c--- c:\windows\system32\dllcache\ctmasetp.dll
2009-01-11 14:24 . 2008-04-13 14:36 13,952 --a--c--- c:\windows\system32\dllcache\cmbatt.sys
2009-01-11 14:24 . 2008-04-13 14:36 10,240 --a--c--- c:\windows\system32\dllcache\compbatt.sys
2009-01-11 14:24 . 2008-04-13 14:40 8,320 --a--c--- c:\windows\system32\dllcache\dlttape.sys
2009-01-11 14:23 . 2008-04-13 20:11 121,856 --a--c--- c:\windows\system32\dllcache\camext30.dll
2009-01-11 14:23 . 2008-04-13 14:40 8,192 --a--c--- c:\windows\system32\dllcache\changer.sys
2009-01-11 14:22 . 2008-04-13 14:36 14,208 --a--c--- c:\windows\system32\dllcache\battc.sys
2009-01-11 14:22 . 2008-04-13 14:46 13,696 --a--c--- c:\windows\system32\dllcache\avcstrm.sys
2009-01-11 14:21 . 2008-04-13 14:40 12,288 --a--c--- c:\windows\system32\dllcache\4mmdat.sys
2009-01-05 17:33 . 2009-01-05 17:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2009-01-04 22:37 . 2009-01-04 22:37 <DIR> d-------- c:\program files\Windows Defender
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 15:55 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 15:55 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 23:20 . 2009-01-02 23:20 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 14:27 . 2008-01-22 15:11 10,752 --a------ c:\windows\system32\drivers\urfltw2k.sys
2008-12-30 23:34 . 2009-01-11 21:10 <DIR> d-------- c:\program files\True Sword 5
2008-12-30 23:34 . 2008-12-30 23:34 <DIR> d-------- c:\documents and settings\Owner\Application Data\True Sword
2008-12-30 21:35 . 2008-12-30 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-30 14:35 . 2008-12-30 14:35 <DIR> d-------- c:\program files\AVG
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2008-12-30 13:28 . 2008-12-30 13:35 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2008-12-30 12:53 . 2008-12-30 12:53 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\iolo
2008-12-30 12:53 . 2008-12-30 12:53 432 --a------ c:\windows\system32\iolo.ini
2008-12-30 12:53 . 2008-12-30 12:53 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2008-12-30 12:50 . 2008-12-30 12:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\iolo
2008-12-30 12:50 . 2008-11-12 16:05 118,784 --a------ c:\windows\system32\iavlsp.dll
2008-12-30 12:34 . 2008-12-30 12:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\iolo
2008-12-30 12:34 . 2008-12-30 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 02:03 --------- d-----w c:\program files\Sony Ericsson
2009-01-27 01:47 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-27 01:43 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-26 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-26 15:59 --------- d-----w c:\program files\Common Files\Teleca Shared
2009-01-26 15:59 --------- d-----w c:\documents and settings\Owner\Application Data\Teleca
2009-01-26 04:25 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-24 19:28 --------- d-----w c:\program files\Acoustica MP3 CD Burner
2009-01-21 04:25 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2009-01-18 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-17 05:54 --------- d-----w c:\program files\QuickTime
2009-01-17 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-12 02:10 --------- d-----w c:\program files\support.com
2009-01-12 02:10 --------- d-----w c:\program files\MP3 CD Converter Professional
2009-01-12 02:10 --------- d-----w c:\program files\Microsoft Visual Studio 8
2009-01-12 02:10 --------- d-----w c:\program files\Canon
2009-01-04 22:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-04 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 01:20 --------- d-----w c:\documents and settings\Logan's\Application Data\InstallShield Installation Information
2009-01-02 22:25 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-12-31 18:09 --------- d-----w c:\program files\Microsoft Works
2008-12-31 17:59 --------- d-----w c:\documents and settings\Owner\Application Data\HouseCall 6.6
2008-12-30 23:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 17:57 --------- d-----w c:\program files\Common Files\MotiveBrowser
2008-12-25 04:38 73,216 ----a-w c:\windows\ST6UNST.EXE
2008-12-25 04:38 307,200 ------w c:\windows\Setup1.exe
2008-12-25 02:38 --------- d-----w c:\program files\Google
2008-12-16 00:26 --------- d-----w c:\program files\MSBuild
2008-12-13 16:48 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 01:36 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-07 19:17 --------- d-----w c:\documents and settings\Owner\Application Data\Acoustica
2008-12-07 17:38 --------- d-----w c:\program files\Java
2008-12-04 12:18 43,520 ----a-w c:\windows\system32\drivers\fetnd5bv.sys
2008-12-03 04:56 --------- d-----w c:\documents and settings\All Users\Application Data\vsosdk
2008-12-03 03:21 --------- d-----w c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-03 02:35 --------- d-----w c:\program files\NCH Software
2008-12-03 02:21 47,360 -c--a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-03 02:21 47,360 -c--a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2008-12-03 02:21 --------- d-----w c:\program files\vso
2008-11-30 17:11 --------- d-----w c:\program files\Garmin GPS Plugin
2007-01-06 16:34 87,608 -c--a-w c:\documents and settings\Owner\Application Data\ezpinst.exe
2006-11-03 02:13 92,064 -c--a-w c:\documents and settings\Owner\mqdmmdm.sys
2006-11-03 02:13 9,232 -c--a-w c:\documents and settings\Owner\mqdmmdfl.sys
2006-11-03 02:13 79,328 -c--a-w c:\documents and settings\Owner\mqdmserd.sys
2006-11-03 02:13 66,656 -c--a-w c:\documents and settings\Owner\mqdmbus.sys
2006-11-03 02:13 6,208 -c--a-w c:\documents and settings\Owner\mqdmcmnt.sys
2006-11-03 02:13 5,936 -c--a-w c:\documents and settings\Owner\mqdmwhnt.sys
2006-11-03 02:13 4,048 -c--a-w c:\documents and settings\Owner\mqdmcr.sys
2006-11-03 02:13 25,600 -c--a-w c:\documents and settings\Owner\usbsermptxp.sys
2006-11-03 02:13 22,768 -c--a-w c:\documents and settings\Owner\usbsermpt.sys
2005-03-11 03:27 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-09-01 17:28 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D213D2A-D46E-4300-B1CA-7443086BFC1D}]
2008-12-25 12:48 95744 --a------ c:\windows\system32\pbhne.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *SsiEfr.eSsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dora Fairytale Adventures Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dora Fairytale Adventures Registration.lnk
backup=c:\windows\pss\Dora Fairytale Adventures Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced WindowsCare V2 Pro]
--a--c--- 2006-11-21 19:19 2507776 c:\program files\IObit\Advanced WindowsCare V2 Pro\Awc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2006-12-09 08:59 498688 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
-----c--- 2003-07-23 11:41 65536 c:\program files\HP DVD\Umbrella\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a--c--- 2007-03-04 22:08 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxMediaDB9"=3 (0x3)
"Roxio UPnP Renderer 9"=3 (0x3)
"FreezeScreenSaver"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2004-02-04 23424]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-01-22 27008]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-01-02 10752]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-11-21 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-11-21 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-11-21 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-11-21 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-11-21 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-11-21 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-11-21 115752]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\SETUP.EXE
\Shell\configure\command - G:\SETUP.EXE
\Shell\install\command - G:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-29 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{03A80B1D-5C6A-42c2-9DFB-81B6005D8023} - (no file)
Notify-WRNotifier - (no file)
MSConfigStartUp-DMXLauncher - c:\program files\Roxio\Media Experience\DMXLauncher.exe
MSConfigStartUp-Motive SmartBridge - c:\progra~1\VERIZO~1\HELPSU~1\SMARTB~1\MotiveSB.exe
MSConfigStartUp-NBJ - c:\program files\Ahead\Nero BackItUp\NBJ.exe
MSConfigStartUp-RoxioDragToDisc - c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
MSConfigStartUp-RoxWatchTray - c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
MSConfigStartUp-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
MSConfigStartUp-NWTRAY - NWTRAY.EXE


.
------- Supplementary Scan -------
.
uStart Page = https://remoteaccess.worthingtonindustries.com/my.logon.php3
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search
IE: &MSN Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open in new background tab
IE: Open in new foreground tab
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tabhjx2r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thewbalchannel.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tabhjx2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-28 22:03:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-828053248-281033357-1048750513-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\COMMON~1\stardock\SDMCP.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-28 22:07:04 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-29 03:07:00

Pre-Run: 47,816,294,400 bytes free
Post-Run: 47,712,362,496 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=,1,2,3,4
350 --- E O F --- 2009-01-26 16:03:42

#13 fdsaurbo

fdsaurbo
  • Topic Starter

  • Members
  • 13 posts

Posted 28 January 2009 - 10:17 PM

Here's my HJT log.... Thanks
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:15:09 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Stardock\CursorFX\CursorFX.exe
C:\Program Files\RamBooster 2.0\Rambooster.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://remoteaccess.worthingtonindustries.com/my.logon.php3
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ms101.mysearch.com/sa/srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {3D213D2A-D46E-4300-B1CA-7443086BFC1D} - C:\WINDOWS\system32\pbhne.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CursorFX] "C:\Program Files\Stardock\CursorFX\CursorFX.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://remoteaccess.worthingtonindustries....,2008,0122,2009
O16 - DPF: {37DF41B2-61DB-4CAC-A755-CFB3C7EE7F40} -
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - C:\DOCUME~1\Owner\LOCALS~1\Temp\IXP000.TMP\InstallerControl.cab
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://remoteaccess.worthingtonindustries....,2008,0122,2001
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} -
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} -
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://remoteaccess.worthingtonindustries....,2008,0122,2005
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://remoteaccess.worthingtonindustries....,2008,0122,2004
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe

--
End of file - 7239 bytes

#14 maranatha

maranatha

    Whats That !


  • Malware Response Team
  • 1,229 posts
  • Gender:Male
  • Location:Seattle Washington

Posted 29 January 2009 - 07:34 AM

Hi fdsaurbo

Please do the following.

Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

File::
c:\windows\system32\pbhne.dll
c:\windows\system32\drivers\gsjdynca.sys

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"FreezeScreenSaver"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3D213D2A-D46E-4300-B1CA-7443086BFC1D}]

Driver::
gsjdynca

Please post the Combofix log.

Thanks
maranatha

Windows7 Professional 64 Bit

 

I'm going in the wrong direction to be in a hurry!




My help is always free, But I do accept donations.
Donate Here
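The triage the helper does by eye above, as an added Python example that is not part of this thread, ComboFix or HijackThis: it parses sample HijackThis O2 lines and ComboFix driver lines (constructed from the entries in this thread), flags the two patterns the helper acted on, and drafts a CFScript in the File::/Registry::/Driver:: layout shown in the post. The flagging heuristics and the `\~\Browser Helper Objects` key abbreviation are assumptions copied from this thread, not documented rules, so the output is a draft for a human to review.

```python
"""Triage HijackThis / ComboFix log lines and draft a ComboFix CFScript.

Added example, not tooling from this thread. Sample lines are constructed
from the entries the thread discusses. Heuristics (assumptions of this
example): an O2 BHO entry that is "(no name)" yet still points at a file on
disk, and an R0 (boot-start) driver whose display name is just its own
service name, deserve a closer look. The CFScript layout copies the helper's
post, including ComboFix's "~" shorthand for the BHO registry key.
"""
import re
from dataclasses import dataclass

# Constructed sample input: HijackThis O2 lines as seen in this thread.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {3D213D2A-D46E-4300-B1CA-7443086BFC1D} - C:\WINDOWS\system32\pbhne.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
"""

# Constructed sample input: ComboFix driver/service lines from the same log.
SAMPLE_COMBOFIX_DRIVERS = r"""
R0 gsjdynca;gsjdynca;c:\windows\system32\drivers\gsjdynca.sys [2004-02-04 23424]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-01-22 27008]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-01-02 10752]
"""

# "O2 - BHO: <name> - {<CLSID>} - <path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-F-]+)\} - (?P<path>.+)$", re.I
)
# "<R|S><n> <service>;<display name>;<path> [<date> <size>]"
DRV_RE = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?) \[(?P<date>\S+) (?P<size>\d+)\]$"
)


@dataclass
class Finding:
    kind: str    # "bho" or "driver"
    ident: str   # CLSID for a BHO, service name for a driver
    path: str    # file the entry loads
    reason: str  # why it was flagged (heuristic, to be reviewed by a person)


def triage_bho_lines(text: str) -> list[Finding]:
    """Flag unnamed BHOs that still have a file on disk."""
    findings = []
    for line in text.splitlines():
        m = BHO_RE.match(line.strip())
        if not m:
            continue
        if m["name"] == "(no name)" and m["path"] != "(no file)":
            findings.append(Finding("bho", m["clsid"].upper(), m["path"],
                                    "unnamed BHO with a file present on disk"))
    return findings


def triage_driver_lines(text: str) -> list[Finding]:
    """Flag boot-start (R0) drivers whose display name is just the service name."""
    findings = []
    for line in text.splitlines():
        m = DRV_RE.match(line.strip())
        if not m:
            continue
        if m["start"] == "R0" and m["display"].strip().lower() == m["svc"].lower():
            findings.append(Finding("driver", m["svc"], m["path"],
                                    "boot-start driver with no descriptive name"))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Draft a CFScript in the File::/Registry::/Driver:: layout from the thread."""
    files = [f.path for f in findings]
    regs = [f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f.ident}}}]"
            for f in findings if f.kind == "bho"]
    drivers = [f.ident for f in findings if f.kind == "driver"]
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if regs:
        sections.append("Registry::\n" + "\n".join(regs))
    if drivers:
        sections.append("Driver::\n" + "\n".join(drivers))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage_bho_lines(SAMPLE_HJT) + triage_driver_lines(SAMPLE_COMBOFIX_DRIVERS)
    for f in found:
        print(f"{f.kind:6} {f.ident:40} {f.path}  <- {f.reason}")
    print(build_cfscript(found))
```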


#15 fdsaurbo

fdsaurbo
  • Topic Starter

  • Members
  • 13 posts

Posted 29 January 2009 - 11:26 PM

Here is the Combofix log.......Looks like you've zapped it?! :thumbsup:

ComboFix 09-01-21.04 - Owner 2009-01-29 23:13:25.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.447.188 [GMT -5:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\pbhne.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\gsjdynca.sys
c:\windows\system32\pbhne.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_GSJDYNCA
-------\Service_gsjdynca


((((((((((((((((((((((((( Files Created from 2008-12-28 to 2009-01-30 )))))))))))))))))))))))))))))))
.

2009-01-29 23:11 . 2009-01-29 23:12 <DIR> d-------- C:\32788R22FWJFW
2009-01-28 16:40 . 2009-01-28 16:40 <DIR> d-------- c:\program files\Hasbro Interactive
2009-01-26 20:09 . 2009-01-26 20:09 <DIR> d-------- c:\program files\Common Files\Sony Shared
2009-01-26 15:29 . 2009-01-26 15:29 <DIR> d-------- c:\program files\THQ
2009-01-25 21:23 . 2009-01-25 21:26 <DIR> d-------- c:\program files\RamBooster 2.0
2009-01-18 13:19 . 2009-01-18 13:19 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-01-17 00:54 . 2009-01-17 00:54 <DIR> d-------- c:\program files\Common Files\Apple
2009-01-17 00:53 . 2009-01-17 00:53 54,156 --ah----- c:\windows\QTFont.qfn
2009-01-17 00:53 . 2009-01-17 00:53 1,409 --a------ c:\windows\QTFont.for
2009-01-17 00:52 . 2009-01-17 00:52 <DIR> d-------- c:\program files\Apple Software Update
2009-01-17 00:52 . 2009-01-17 00:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2009-01-17 00:50 . 2009-01-17 00:50 <DIR> d-------- c:\documents and settings\Owner\Application Data\Sony Setup
2009-01-17 00:49 . 2009-01-17 00:49 <DIR> d-------- c:\program files\Sony Setup
2009-01-13 21:52 . 2009-01-24 23:14 2,112 --a------ C:\bar.emf
2009-01-11 14:34 . 2008-04-13 20:12 116,224 --a--c--- c:\windows\system32\dllcache\xrxwiadr.dll
2009-01-11 14:34 . 2008-04-13 20:12 18,944 --a--c--- c:\windows\system32\dllcache\xrxscnui.dll
2009-01-11 14:33 . 2008-04-13 14:45 31,744 --a--c--- c:\windows\system32\dllcache\wceusbsh.sys
2009-01-11 14:33 . 2008-04-13 14:36 8,832 --a--c--- c:\windows\system32\dllcache\wmiacpi.sys
2009-01-11 14:33 . 2008-04-13 20:12 8,192 --a--c--- c:\windows\system32\dllcache\wshirda.dll
2009-01-11 14:32 . 2008-04-13 14:40 149,376 --a--c--- c:\windows\system32\dllcache\tffsport.sys
2009-01-11 14:32 . 2008-04-13 20:12 82,944 --a--c--- c:\windows\system32\dllcache\tp4mon.exe
2009-01-11 14:32 . 2008-04-13 14:45 60,032 --a--c--- c:\windows\system32\dllcache\usbaudio.sys
2009-01-11 14:32 . 2008-04-13 14:45 32,128 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-01-11 14:31 . 2008-04-13 14:40 43,904 --a--c--- c:\windows\system32\dllcache\sbp2port.sys
2009-01-11 14:31 . 2008-04-13 14:36 16,000 --a--c--- c:\windows\system32\dllcache\smbbatt.sys
2009-01-11 14:31 . 2008-04-13 14:45 11,520 --a--c--- c:\windows\system32\dllcache\scsiscan.sys
2009-01-11 14:31 . 2008-04-13 14:40 7,552 --a--c--- c:\windows\system32\dllcache\sonyait.sys
2009-01-11 14:31 . 2008-04-13 14:36 6,912 --a--c--- c:\windows\system32\dllcache\smbclass.sys
2009-01-11 14:30 . 2008-04-13 20:10 259,328 --a--c--- c:\windows\system32\dllcache\perm3dd.dll
2009-01-11 14:30 . 2008-04-13 20:10 211,584 --a--c--- c:\windows\system32\dllcache\perm2dll.dll
2009-01-11 14:30 . 2008-04-13 20:12 159,232 --a--c--- c:\windows\system32\dllcache\ptpusd.dll
2009-01-11 14:30 . 2008-04-13 14:40 79,104 --a--c--- c:\windows\system32\dllcache\rocket.sys
2009-01-11 14:30 . 2008-04-13 20:12 29,696 --a--c--- c:\windows\system32\dllcache\rw450ext.dll
2009-01-11 14:30 . 2008-04-13 14:44 28,032 --a--c--- c:\windows\system32\dllcache\perm3.sys
2009-01-11 14:30 . 2008-04-13 14:44 27,904 --a--c--- c:\windows\system32\dllcache\perm2.sys
2009-01-11 14:30 . 2008-04-13 20:12 27,648 --a--c--- c:\windows\system32\dllcache\rw430ext.dll
2009-01-11 14:30 . 2008-04-13 14:41 17,664 --a--c--- c:\windows\system32\dllcache\ppa3.sys
2009-01-11 14:30 . 2008-04-13 14:40 8,832 --a--c--- c:\windows\system32\dllcache\powerfil.sys
2009-01-11 14:30 . 2008-04-13 14:40 6,016 --a--c--- c:\windows\system32\dllcache\qic157.sys
2009-01-11 14:29 . 2008-04-13 14:46 49,024 --a--c--- c:\windows\system32\dllcache\mstape.sys
2009-01-11 14:29 . 2008-04-13 14:54 28,672 --a--c--- c:\windows\system32\dllcache\nscirda.sys
2009-01-11 14:28 . 2008-04-13 20:11 253,952 --a--c--- c:\windows\system32\dllcache\kdsusd.dll
2009-01-11 14:28 . 2008-04-13 20:11 48,640 --a--c--- c:\windows\system32\dllcache\kdsui.dll
2009-01-11 14:28 . 2008-04-13 14:40 34,688 --a--c--- c:\windows\system32\dllcache\lbrtfdc.sys
2009-01-11 14:28 . 2008-04-13 14:41 26,112 --a--c--- c:\windows\system32\dllcache\memstpci.sys
2009-01-11 14:28 . 2008-04-13 14:54 22,016 --a--c--- c:\windows\system32\dllcache\msircomm.sys
2009-01-11 14:28 . 2008-04-13 14:40 7,040 --a--c--- c:\windows\system32\dllcache\ltotape.sys
2009-01-11 14:27 . 2008-04-13 20:12 151,552 --a--c--- c:\windows\system32\dllcache\irftp.exe
2009-01-11 14:27 . 2008-04-13 14:54 88,192 --a--c--- c:\windows\system32\dllcache\irda.sys
2009-01-11 14:27 . 2008-04-13 20:11 28,160 --a--c--- c:\windows\system32\dllcache\irmon.dll
2009-01-11 14:27 . 2008-04-13 14:39 14,592 --a--c--- c:\windows\system32\dllcache\kbdhid.sys
2009-01-11 14:27 . 2008-04-13 20:09 6,144 --a--c--- c:\windows\system32\dllcache\kbd106.dll
2009-01-11 14:26 . 2008-04-13 20:11 702,845 --a--c--- c:\windows\system32\dllcache\i81xdnt5.dll
2009-01-11 14:26 . 2008-04-13 14:45 59,136 --a--c--- c:\windows\system32\dllcache\gckernel.sys
2009-01-11 14:26 . 2008-04-13 14:40 28,288 --a--c--- c:\windows\system32\dllcache\grserial.sys
2009-01-11 14:26 . 2008-04-13 20:11 21,504 --a--c--- c:\windows\system32\dllcache\hidserv.dll
2009-01-11 14:26 . 2008-04-13 14:36 20,352 --a--c--- c:\windows\system32\dllcache\hidbatt.sys
2009-01-11 14:26 . 2008-04-13 14:41 18,560 --a--c--- c:\windows\system32\dllcache\i2omp.sys
2009-01-11 14:26 . 2008-04-13 14:45 10,624 --a--c--- c:\windows\system32\dllcache\gameenum.sys
2009-01-11 14:26 . 2008-04-13 14:45 10,368 --a--c--- c:\windows\system32\dllcache\hidusb.sys
2009-01-11 14:26 . 2008-04-13 14:41 8,576 --a--c--- c:\windows\system32\dllcache\i2omgmt.sys
2009-01-11 14:25 . 2008-04-13 14:39 206,976 --a--c--- c:\windows\system32\dllcache\dot4.sys
2009-01-11 14:25 . 2008-04-13 20:12 20,992 --a--c--- c:\windows\system32\dllcache\dshowext.ax
2009-01-11 14:24 . 2008-04-13 20:11 249,856 --a--c--- c:\windows\system32\dllcache\ctmasetp.dll
2009-01-11 14:24 . 2008-04-13 14:36 13,952 --a--c--- c:\windows\system32\dllcache\cmbatt.sys
2009-01-11 14:24 . 2008-04-13 14:36 10,240 --a--c--- c:\windows\system32\dllcache\compbatt.sys
2009-01-11 14:24 . 2008-04-13 14:40 8,320 --a--c--- c:\windows\system32\dllcache\dlttape.sys
2009-01-11 14:23 . 2008-04-13 20:11 121,856 --a--c--- c:\windows\system32\dllcache\camext30.dll
2009-01-11 14:23 . 2008-04-13 14:40 8,192 --a--c--- c:\windows\system32\dllcache\changer.sys
2009-01-11 14:22 . 2008-04-13 14:36 14,208 --a--c--- c:\windows\system32\dllcache\battc.sys
2009-01-11 14:22 . 2008-04-13 14:46 13,696 --a--c--- c:\windows\system32\dllcache\avcstrm.sys
2009-01-11 14:21 . 2008-04-13 14:40 12,288 --a--c--- c:\windows\system32\dllcache\4mmdat.sys
2009-01-05 17:33 . 2009-01-05 17:33 3,751,995 --a------ c:\windows\system32\GPhotos.scr
2009-01-04 22:37 . 2009-01-04 22:37 <DIR> d-------- c:\program files\Windows Defender
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\documents and settings\Owner\Application Data\Malwarebytes
2009-01-04 15:55 . 2009-01-04 15:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-04 15:55 . 2008-12-03 19:52 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-04 15:55 . 2008-12-03 19:52 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-02 23:20 . 2009-01-02 23:20 <DIR> d-------- c:\program files\Trend Micro
2009-01-02 14:27 . 2008-01-22 15:11 10,752 --a------ c:\windows\system32\drivers\urfltw2k.sys
2008-12-30 23:34 . 2009-01-11 21:10 <DIR> d-------- c:\program files\True Sword 5
2008-12-30 23:34 . 2008-12-30 23:34 <DIR> d-------- c:\documents and settings\Owner\Application Data\True Sword
2008-12-30 21:35 . 2008-12-30 21:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ESET
2008-12-30 14:35 . 2008-12-30 14:35 <DIR> d-------- c:\program files\AVG
2008-12-30 14:01 . 2008-12-30 14:01 <DIR> d-------- c:\documents and settings\Administrator\Application Data\Sony Ericsson
2008-12-30 13:28 . 2008-12-30 13:35 <DIR> d-------- c:\documents and settings\Owner\.housecall6.6
2008-12-30 12:53 . 2008-12-30 12:53 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\iolo
2008-12-30 12:53 . 2008-12-30 12:53 432 --a------ c:\windows\system32\iolo.ini
2008-12-30 12:53 . 2008-12-30 12:53 406 --a------ c:\windows\system32\ioloBootDefrag.cfg
2008-12-30 12:50 . 2008-12-30 12:50 <DIR> d-------- c:\documents and settings\LocalService\Application Data\iolo
2008-12-30 12:50 . 2008-11-12 16:05 118,784 --a------ c:\windows\system32\iavlsp.dll
2008-12-30 12:34 . 2008-12-30 12:53 <DIR> d-------- c:\documents and settings\Owner\Application Data\iolo
2008-12-30 12:34 . 2008-12-30 13:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\iolo
2008-12-26 15:41 . 2008-12-26 15:41 <DIR> d--h----- c:\windows\PIF
2008-12-26 15:35 . 2008-12-26 15:35 8,628,774 --a------ c:\windows\system32\xa6975328.exe
2008-12-26 15:35 . 2008-12-26 15:35 8,628,774 --a------ c:\windows\system32\xa6974093.exe
2008-12-24 23:37 . 2008-12-24 23:38 307,200 --------- c:\windows\Setup1.exe
2008-12-24 23:37 . 2008-12-24 23:38 73,216 --a------ c:\windows\ST6UNST.EXE
2008-12-24 23:37 . 2008-12-24 23:39 511 --a------ c:\windows\Snowflake Screen Saver Audio Files.dat
2008-12-24 23:37 . 2008-12-24 23:39 376 --a------ c:\windows\Snowflake Screen Saver Captions.dat
2008-12-24 23:37 . 2008-12-24 23:39 82 --a------ c:\windows\top-windows-downloads.url
2008-12-24 23:37 . 2008-12-24 23:39 74 --a------ c:\windows\xm.url
2008-12-18 23:15 . 2009-01-11 20:16 1,917 --a------ c:\windows\imsins.BAK
2008-12-15 19:23 . 2009-01-11 21:10 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-12-13 22:48 . 2008-12-13 22:48 <DIR> d-------- c:\windows\system32\novell
2008-12-13 22:48 . 2007-06-04 11:36 823,296 --------- c:\windows\system32\ccsw32.dll
2008-12-13 22:47 . 2009-01-25 19:20 <DIR> d-------- c:\windows\system32\nls
2008-12-13 22:44 . 2008-12-13 22:44 <DIR> d-------- C:\Novell
2008-12-07 14:17 . 2009-01-24 14:28 <DIR> d-------- c:\program files\Acoustica MP3 CD Burner
2008-12-07 14:17 . 2008-12-07 14:17 <DIR> d-------- c:\documents and settings\Owner\Application Data\Acoustica
2008-12-07 14:17 . 2007-08-07 11:32 57,344 --a------ c:\windows\system32\Wnaspint.dll
2008-12-07 14:17 . 2007-08-07 10:58 32,768 --a------ c:\windows\system32\Wnaspi32.dll
2008-12-07 11:57 . 2009-01-11 21:10 <DIR> d-------- c:\program files\MP3 CD Converter Professional
2008-12-07 11:57 . 2008-12-30 18:32 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-02 23:56 . 2008-12-02 23:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-02 21:35 . 2008-12-02 21:35 <DIR> d-------- c:\program files\NCH Software
2008-12-02 21:35 . 2008-12-02 22:21 <DIR> d-------- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-12-02 21:21 . 2004-05-04 11:53 1,645,320 --a------ c:\windows\gdiplus.dll
2008-12-02 21:21 . 2006-09-29 11:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-02 21:21 . 2006-09-29 11:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-02 21:21 . 2006-09-29 11:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-02 21:21 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-27 02:03 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-27 02:03 --------- d-----w c:\program files\Sony Ericsson
2009-01-27 01:47 --------- d-----w c:\documents and settings\All Users\Application Data\BVRP Software
2009-01-27 01:43 --------- d-----w c:\documents and settings\Owner\Application Data\uTorrent
2009-01-26 16:01 --------- d-----w c:\documents and settings\All Users\Application Data\Sony Ericsson
2009-01-26 15:59 --------- d-----w c:\program files\Common Files\Teleca Shared
2009-01-26 15:59 --------- d-----w c:\documents and settings\Owner\Application Data\Teleca
2009-01-26 04:25 --------- d-----w c:\documents and settings\Owner\Application Data\Move Networks
2009-01-21 04:25 --------- d-----w c:\documents and settings\Owner\Application Data\Vso
2009-01-18 18:21 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-01-17 05:54 --------- d-----w c:\program files\QuickTime
2009-01-17 05:54 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-01-12 02:10 --------- d-----w c:\program files\support.com
2009-01-12 02:10 --------- d-----w c:\program files\Canon
2009-01-04 22:02 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-01-04 21:25 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-03 01:20 --------- d-----w c:\documents and settings\Logan's\Application Data\InstallShield Installation Information
2009-01-02 22:25 --------- d-----w c:\documents and settings\Owner\Application Data\U3
2008-12-31 18:09 --------- d-----w c:\program files\Microsoft Works
2008-12-31 17:59 --------- d-----w c:\documents and settings\Owner\Application Data\HouseCall 6.6
2008-12-28 17:57 --------- d-----w c:\program files\Common Files\MotiveBrowser
2008-12-25 02:38 --------- d-----w c:\program files\Google
2008-12-16 00:26 --------- d-----w c:\program files\MSBuild
2008-12-13 16:48 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 01:36 --------- d-----w c:\program files\Windows Media Connect 2
2008-12-07 17:38 --------- d-----w c:\program files\Java
2008-12-04 12:18 43,520 ----a-w c:\windows\system32\drivers\fetnd5bv.sys
2008-12-03 02:21 47,360 -c--a-w c:\windows\system32\drivers\pcouffin.sys
2008-12-03 02:21 47,360 -c--a-w c:\documents and settings\Owner\Application Data\pcouffin.sys
2008-12-03 02:21 --------- d-----w c:\program files\vso
2008-11-30 17:11 --------- d-----w c:\program files\Garmin GPS Plugin
2007-01-06 16:34 87,608 -c--a-w c:\documents and settings\Owner\Application Data\ezpinst.exe
2006-11-03 02:13 92,064 -c--a-w c:\documents and settings\Owner\mqdmmdm.sys
2006-11-03 02:13 9,232 -c--a-w c:\documents and settings\Owner\mqdmmdfl.sys
2006-11-03 02:13 79,328 -c--a-w c:\documents and settings\Owner\mqdmserd.sys
2006-11-03 02:13 66,656 -c--a-w c:\documents and settings\Owner\mqdmbus.sys
2006-11-03 02:13 6,208 -c--a-w c:\documents and settings\Owner\mqdmcmnt.sys
2006-11-03 02:13 5,936 -c--a-w c:\documents and settings\Owner\mqdmwhnt.sys
2006-11-03 02:13 4,048 -c--a-w c:\documents and settings\Owner\mqdmcr.sys
2006-11-03 02:13 25,600 -c--a-w c:\documents and settings\Owner\usbsermptxp.sys
2006-11-03 02:13 22,768 -c--a-w c:\documents and settings\Owner\usbsermpt.sys
2005-03-11 03:27 0 -csha-w c:\windows\SMINST\HPCD.sys
2008-09-01 17:28 32,768 -csha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090120080902\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-28_22.05.31.53 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-30 04:18:46 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_c0.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"CursorFX"="c:\program files\Stardock\CursorFX\CursorFX.exe" [2008-07-07 416768]
"RamBooster"="c:\program files\RamBooster 2.0\Rambooster.exe" [2005-11-17 561664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2003-11-03 221184]
"HPHUPD05"="c:\program files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [2003-08-21 49152]
"HPHmon05"="c:\windows\System32\hphmon05.exe" [2003-08-21 483328]
"KBD"="c:\hp\KBD\KBD.EXE" [2005-02-02 61440]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"VTTimer"="VTTimer.exe" [2005-03-08 c:\windows\system32\VTTimer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-13 c:\windows\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoChangeAnimation"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"MemCheckBoxInRunDlg"= 1 (0x1)
"NoStrCmpLogical"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
2005-01-31 14:13 49152 c:\progra~1\COMMON~1\stardock\MCPStub.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
2005-12-06 21:16 176128 c:\progra~1\Stardock\OBJECT~1\WINDOW~1\WbSrv.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *SsiEfr.eSsiEfr.e

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^Dora Fairytale Adventures Registration.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\Dora Fairytale Adventures Registration.lnk
backup=c:\windows\pss\Dora Fairytale Adventures Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced WindowsCare V2 Pro]
--a--c--- 2006-11-21 19:19 2507776 c:\program files\IObit\Advanced WindowsCare V2 Pro\Awc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a--c--- 2006-12-09 08:59 498688 c:\program files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 19:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDTray]
-----c--- 2003-07-23 11:41 65536 c:\program files\HP DVD\Umbrella\DVDTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gStart]
--a--c--- 2007-03-04 22:08 1891416 c:\garmin\gStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a--c--- 2004-07-27 15:50 221184 c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a--c--- 2004-07-27 15:50 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-09-06 15:09 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RoxMediaDB9"=3 (0x3)
"Roxio UPnP Renderer 9"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Anti-Virus 7.0.1.321\\English\\setup.exe"=
"c:\\Program Files\\Itiva\\Itiva Media Accelerator\\ItivaMediaAccelerator.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Documents and Settings\\Owner\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [2008-01-22 27008]
R4 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [2009-01-02 10752]
S3 s0016bus;Sony Ericsson Device 0016 driver (WDM);c:\windows\system32\drivers\s0016bus.sys [2008-11-21 89256]
S3 s0016mdfl;Sony Ericsson Device 0016 USB WMC Modem Filter;c:\windows\system32\drivers\s0016mdfl.sys [2008-11-21 15016]
S3 s0016mdm;Sony Ericsson Device 0016 USB WMC Modem Driver;c:\windows\system32\drivers\s0016mdm.sys [2008-11-21 120744]
S3 s0016mgmt;Sony Ericsson Device 0016 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s0016mgmt.sys [2008-11-21 114216]
S3 s0016nd5;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (NDIS);c:\windows\system32\drivers\s0016nd5.sys [2008-11-21 25512]
S3 s0016obex;Sony Ericsson Device 0016 USB WMC OBEX Interface;c:\windows\system32\drivers\s0016obex.sys [2008-11-21 110632]
S3 s0016unic;Sony Ericsson Device 0016 USB Ethernet Emulation SEMC0016 (WDM);c:\windows\system32\drivers\s0016unic.sys [2008-11-21 115752]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - GSJDYNCA

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\SETUP.EXE
\Shell\configure\command - G:\SETUP.EXE
\Shell\install\command - G:\SETUP.EXE
.
Contents of the 'Scheduled Tasks' folder

2009-01-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-30 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 19:20]

2009-01-29 c:\windows\Tasks\Spybot - Search & Destroy - Scheduled Task.job
- c:\program files\Spybot - Search & Destroy\SpybotSD.exe [2008-01-28 11:43]
.
.
------- Supplementary Scan -------
.
uStart Page = https://remoteaccess.worthingtonindustries.com/my.logon.php3
uDefault_Search_URL = hxxp://srch-qus10.hpwis.com/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://ms101.mysearch.com/sa/srchlft.html
mWindow Title =
uInternet Connection Wizard,ShellNext = iexplore
IE: &AOL Toolbar search
IE: &MSN Search
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
IE: Open in new background tab
IE: Open in new foreground tab
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java
DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE}
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tabhjx2r.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.thewbalchannel.com/
FF - plugin: c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\tabhjx2r.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp071101000055.dll
FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
FF - plugin: c:\program files\Itiva\Itiva Media Accelerator\npima.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 23:19:31
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-828053248-281033357-1048750513-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\progra~1\COMMON~1\Stardock\mcpstub.dll
c:\progra~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\progra~1\COMMON~1\stardock\SDMCP.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-29 23:23:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-30 04:23:04
ComboFix2.txt 2009-01-29 03:23:01
ComboFix3.txt 2009-01-29 03:07:06

Pre-Run: 47,829,921,792 bytes free
Post-Run: 47,815,516,160 bytes free

Current=3 Default=3 Failed=2 LastKnownGood=1 Sets=,1,2,3,4
364 --- E O F --- 2009-01-30 02:40:08



