Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Please Help! Serious Infection!


  • This topic is locked This topic is locked
7 replies to this topic

#1 modano182

modano182

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 15 January 2009 - 04:31 AM

Hi Everyone,

My computer will not start explorer when I log into windows. I run Windows XP home edition. I have to manually open programs using Task Manager. I have a trojan horse infection that I am unable to delete by the name of C:\WINDOWS\system32\drivers\flpydisk.sys

I ran HiJackThis and this is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:07 PM, on 1/15/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Documents and Settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Documents and Settings\Tim\Desktop\HiJackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.;*.local
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: (no name) - `= - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - blank (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: metaspinner media GmbH - {12FC9A49-CFE0-49AA-BE9E-8F4EEAFC9443} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O2 - BHO: mysidesearch search enhancer - {DD0EDD7C-0441-ADAA-28B2-77673897F3F9} - C:\WINDOWS\system32\tsrvdsfgql.dll
O2 - BHO: (no name) - = - (no file)
O2 - BHO: (no name) -  - (no file)
O2 - BHO: (no name) - = - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BVRPLiveUpdate] C:\Program Files\Avanquest update\Engine\Setup.exe -s /PATCH,/SRCUPDATEC:\DOCUME~1\ALLUSE~1\APPLIC~1\SONYER~1\SONYER~1\LIVEUP~1\LISTOF~1.DAT
O4 - HKLM\..\RunOnce: [*Restore] C:\WINDOWS\system32\restore\rstrui.exe -i
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files\Registry Mechanic\RegMech.exe /S
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Doyles Room Poker - {725E77D3-B919-4eef-8EEE-D09DE618B6C1} - C:\Microgaming\Poker\DoylesRoomMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://global.acer.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/supergerball/miniclipGameLoader.dll
O16 - DPF: {29D73455-3ADA-49BB-9067-44822F6728F5} - http://www.joga.com/activex/uploadactx.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - http://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1135236093593
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/vir...l/installer.exe
O16 - DPF: {DA80E089-4648-43D5-93B4-7F37917084E6} (CacheManager.CacheManagerCtrl) - http://www.candystand.com/games/gtauto/act...acheManager.CAB
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: MsgPlusLoader.dll,avgrsstx.dll
O20 - Winlogon Notify: winykd32 - winykd32.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ms-java - Unknown owner - C:\WINDOWS\Driver\i386\ms-java.exe (file missing)
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ReaConverter scheduler service (rcp_service) - ReaSoft - C:\Program Files\ReaConverter 5.5 Pro\rcp_scheduler.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 12790 bytes


PLEASE HELP ME SOMEONE!!!

Thanks in advance!

Tim.

Edited by modano182, 15 January 2009 - 05:51 PM.


BC AdBot (Login to Remove)

 


#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:59 PM

Posted 16 January 2009 - 09:48 AM

Hello Tim and welcome to BleepingComputer,

Please read [url="http://"http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]this tutorial[/url] carefully to download ComboFix from one of the locations specified, and save it to your Desktop.
Double click the ComboFix icon to run it.
If ComboFix askes you to install the Recovery Console, please do so..
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you.
Once the Recovery Console is installed, continue with the malware scan.

Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply. :thumbsup:

If you have any questions along the way, STOP and ask them before proceeding !!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#3 modano182

modano182
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 19 January 2009 - 11:06 PM

Hi Thunder,

Thanks for your reply.

Here is the Combo Fix Log as requested.



ComboFix 09-01-19.03 - Tim 2009-01-20 14:09:33.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.451 [GMT 10.5:30]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Chris\Application Data\DriveCleaner Free
c:\documents and settings\Chris\Application Data\DriveCleaner Free\Logs\update.log
c:\documents and settings\Chris\Application Data\install.dat
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\banner16642.html
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\banner19275.html
c:\documents and settings\Chris\Local Settings\Temporary Internet Files\banner22513.html
c:\documents and settings\Tim\err.log
c:\program files\Adssite Games Collection
c:\program files\Adssite Games Collection\BattlesOfHelicopters.exe
c:\program files\Adssite Games Collection\BobAndBill.exe
c:\program files\Adssite Games Collection\CrazyBlocks.exe
c:\program files\Adssite Games Collection\Lines.exe
c:\program files\Adssite Games Collection\uninstall.exe
c:\program files\Adssite Games Collection\VideoPool.exe
c:\program files\Common Files\{26291~1
c:\program files\Microsoft Common
c:\program files\winupdates
c:\program files\winupdates\a.zip
C:\resycled
c:\windows\ads.js
c:\windows\didduid.ini
c:\windows\Downloaded Program Files\setup.inf
c:\windows\Fonts\acrsecB.fon
c:\windows\Fonts\acrsecI.fon
c:\windows\local.html
c:\windows\onlineshopping.ico
c:\windows\system32\components
c:\windows\system32\components\flx0.dll
c:\windows\system32\components\flx1.dll
c:\windows\system32\components\flx10.dll
c:\windows\system32\components\flx11.dll
c:\windows\system32\components\flx12.dll
c:\windows\system32\components\flx13.dll
c:\windows\system32\components\flx14.dll
c:\windows\system32\components\flx15.dll
c:\windows\system32\components\flx16.dll
c:\windows\system32\components\flx17.dll
c:\windows\system32\components\flx18.dll
c:\windows\system32\components\flx19.dll
c:\windows\system32\components\flx2.dll
c:\windows\system32\components\flx20.dll
c:\windows\system32\components\flx21.dll
c:\windows\system32\components\flx22.dll
c:\windows\system32\components\flx23.dll
c:\windows\system32\components\flx24.dll
c:\windows\system32\components\flx25.dll
c:\windows\system32\components\flx26.dll
c:\windows\system32\components\flx27.dll
c:\windows\system32\components\flx28.dll
c:\windows\system32\components\flx29.dll
c:\windows\system32\components\flx3.dll
c:\windows\system32\components\flx30.dll
c:\windows\system32\components\flx31.dll
c:\windows\system32\components\flx32.dll
c:\windows\system32\components\flx33.dll
c:\windows\system32\components\flx34.dll
c:\windows\system32\components\flx35.dll
c:\windows\system32\components\flx36.dll
c:\windows\system32\components\flx37.dll
c:\windows\system32\components\flx38.dll
c:\windows\system32\components\flx39.dll
c:\windows\system32\components\flx4.dll
c:\windows\system32\components\flx40.dll
c:\windows\system32\components\flx41.dll
c:\windows\system32\components\flx42.dll
c:\windows\system32\components\flx43.dll
c:\windows\system32\components\flx44.dll
c:\windows\system32\components\flx45.dll
c:\windows\system32\components\flx46.dll
c:\windows\system32\components\flx47.dll
c:\windows\system32\components\flx48.dll
c:\windows\system32\components\flx49.dll
c:\windows\system32\components\flx5.dll
c:\windows\system32\components\flx50.dll
c:\windows\system32\components\flx51.dll
c:\windows\system32\components\flx52.dll
c:\windows\system32\components\flx53.dll
c:\windows\system32\components\flx54.dll
c:\windows\system32\components\flx55.dll
c:\windows\system32\components\flx56.dll
c:\windows\system32\components\flx57.dll
c:\windows\system32\components\flx58.dll
c:\windows\system32\components\flx59.dll
c:\windows\system32\components\flx6.dll
c:\windows\system32\components\flx60.dll
c:\windows\system32\components\flx61.dll
c:\windows\system32\components\flx62.dll
c:\windows\system32\components\flx63.dll
c:\windows\system32\components\flx64.dll
c:\windows\system32\components\flx65.dll
c:\windows\system32\components\flx66.dll
c:\windows\system32\components\flx67.dll
c:\windows\system32\components\flx68.dll
c:\windows\system32\components\flx69.dll
c:\windows\system32\components\flx7.dll
c:\windows\system32\components\flx70.dll
c:\windows\system32\components\flx71.dll
c:\windows\system32\components\flx8.dll
c:\windows\system32\components\flx9.dll
c:\windows\system32\MabryObj.dll
c:\windows\system32\mysidesearch_sidebar_uninstall.exe
c:\windows\system32\uuddc32.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MS-JAVA
-------\Legacy_XPROTECTOR
-------\Service_Ms-java


((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-17 00:20 . 2009-01-17 00:20 <DIR> d-------- c:\documents and settings\Andrea\Application Data\Malwarebytes
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\documents and settings\Tim\Application Data\Audacity
2009-01-16 09:37 . 2009-01-16 09:37 <DIR> d-------- c:\documents and settings\Tim\Application Data\Malwarebytes
2009-01-16 09:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 09:36 . 2009-01-16 09:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 09:36 . 2009-01-16 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 09:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 09:17 . 2009-01-16 09:17 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-15 18:16 . 2009-01-15 18:15 140,288 --a------ c:\program files\virus cleaner.exe
2009-01-09 17:57 . 2009-01-09 17:57 <DIR> d-------- c:\documents and settings\Tim\Application Data\U3
2009-01-08 10:56 . 2009-01-08 10:56 65 --a------ c:\windows\system32\BD7420.dat
2009-01-07 19:54 . 2009-01-07 19:54 <DIR> d-------- c:\documents and settings\Default\Application Data\U3
2009-01-07 11:53 . 2009-01-07 11:53 <DIR> d--hs---- C:\FOUND.018
2009-01-06 15:03 . 2009-01-06 15:03 <DIR> d--hs---- C:\FOUND.017
2009-01-02 15:11 . 2009-01-02 15:11 <DIR> d--hs---- C:\FOUND.016
2008-12-28 00:08 . 2008-12-28 00:08 <DIR> d--hs---- C:\FOUND.015
2008-12-23 20:59 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-23 20:59 . 2008-12-23 20:59 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-23 20:59 . 2008-12-23 20:59 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2008-12-23 20:51 . 2008-12-23 20:52 1,107,296 --a------ c:\windows\system32\WdfCoInstaller01007.dll
2008-12-23 20:51 . 2008-12-23 20:52 22,368 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-23 20:51 . 2008-12-23 20:52 10,976 --a------ c:\windows\system32\drivers\ggflt.sys
2008-12-23 20:13 . 2008-12-23 20:13 <DIR> d-------- c:\documents and settings\Default\Application Data\Sony
2008-12-23 20:13 . 2008-12-23 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2008-12-23 20:07 . 2008-12-23 20:07 <DIR> d-------- c:\program files\Avanquest update
2008-12-23 20:07 . 2008-12-23 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-23 20:06 . 2008-12-23 20:06 <DIR> d-------- c:\program files\Sony Ericsson
2008-12-23 20:06 . 2008-12-23 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-12-23 20:05 . 2008-12-23 20:06 <DIR> d-------- c:\documents and settings\Default\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 10:59 6,656 ----a-w c:\windows\system32\drivers\flpydisk.sys
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-13 01:51 --------- d-----w c:\program files\iTunes
2008-12-13 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 01:50 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 02:31 --------- d-----w c:\program files\Ableton
2008-12-10 01:36 58,904 ----a-w c:\windows\system32\azipcontmn.dll
2008-12-05 05:45 27,904 ----a-w c:\windows\system32\drivers\Ndisprot.sys
2008-12-05 05:40 --------- d-----w c:\documents and settings\Tim\Application Data\Ableton
2008-11-05 06:12 96,093 ----a-w c:\windows\system32\tsrvdsfgql.dll-uninst.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2007-07-25 01:59 3,679,744 ----a-w c:\program files\Shortcut to IKEA Home Planner.lnk
2006-06-21 12:54 4,225,744 ----a-w c:\documents and settings\Tim\Limewire Lime Wire Pro 4.12.3.exe
2006-05-14 12:25 5,462,881 ----a-w c:\documents and settings\Chris\drfclientinstall_cd.exe
2008-09-04 23:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
"H/PC Connection Agent"="c:\progra~1\MICROS~3\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"WinFast Schedule"="c:\program files\Aspire\WFTVFM\WFWIZ.exe" [2004-05-03 163840]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-02 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-29 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-01-05 200704]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-08-17 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"VIDC.DVSD"= pdvcodec.dll
"msacm.imc"= xbadpcm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk]
backup=c:\windows\pss\Smart Wizard Wireless Settings.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo AntiSpyWare Guard
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PVModule
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamCleaner
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Photo Express Calendar Checker
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinPatrol

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aspire Schedule]
--a------ 2004-05-03 15:11 163840 c:\program files\Aspire\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
--a------ 2004-08-11 14:15 110592 c:\program files\Acer\Acer eMode\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
--a------ 2006-04-17 14:54 505344 c:\program files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 09:31 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2004-11-11 22:00 864256 c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 09:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 17:15 133104 c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 15:04 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-03-20 17:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
--a------ 2004-08-04 15:36 372736 c:\program files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPS]
--a------ 2004-03-04 10:53 372736 c:\acer\PSM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 14:46 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-21 11:52 40960 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 c:\program files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-19 07:30 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-02 07:24 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2004-05-03 15:11 163840 c:\program files\Aspire\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2006-02-22 11:35 344064 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2006-01-11 15:08 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"ose"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"CAISafe"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer eConsole\\eConsole.exe"=
"c:\\WINDOWS\\System32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\System32\\javaw.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\RingtoneExpress\\RingtoneExpress.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:UDP"= 6346:UDP:Gnutella
"6346:TCP"= 6346:TCP:Gnutella
"40823:TCP"= 40823:TCP:Limew1
"40823:UDP"= 40823:UDP:Limew1
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2006-03-01 12032]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-26 97928]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [1980-01-01 84788]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 231704]
R4 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [1998-09-25 52800]
R4 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [1980-01-01 209171]
R4 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [1980-01-01 9284]
R4 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [1980-01-01 36261]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-11-12 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\DRIVERS\BrParImg.sys --> c:\windows\system32\DRIVERS\BrParImg.sys [?]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-11-12 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-11-12 61440]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-23 10976]
S3 Klsmsep;Klsmsep Device;c:\windows\system32\drivers\Klsmsep.sys [2005-07-26 24142]
S3 malg8xc;malg8xc;c:\windows\system32\drivers\malg8xc.sys [2006-03-05 24784]
S3 malg8xm;malg8xm;c:\windows\system32\drivers\malg8xm.sys [2006-03-05 25044]
S3 malg8xu;malg8xu;c:\windows\system32\drivers\malg8xu.sys [2006-03-05 51669]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-16 38496]
S3 MR97310_VGA_DUAL_CAMERA;VSD821;c:\windows\system32\drivers\MR97310v.sys [2005-08-18 116126]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]
S3 ulusba;NEC 616 Command Port Driver;c:\windows\system32\drivers\ulusba.sys [2005-05-29 25856]
S3 ulusbc;NEC 616 CONTROL Driver;c:\windows\system32\drivers\ulusbc.sys [2005-05-29 43264]
S3 ulusbe;NEC 616 ENUMERATION Driver;c:\windows\system32\drivers\ulusbe.sys [2005-05-29 12928]
S3 ulusbm;NEC 616 Modem Driver;c:\windows\system32\drivers\ulusbm.sys [2005-05-29 36352]
S3 ulusbo;NEC 616 OBEX Port Driver;c:\windows\system32\drivers\ulusbo.sys [2005-05-29 33920]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\Aspire\WFTVFM\WFIOCTL.SYS --> c:\program files\Aspire\WFTVFM\WFIOCTL.SYS [?]
S4 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-23 81356]
S4 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-10-23 39182]
S4 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2004-10-23 9804]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f183c8dc-dc9c-11dd-b85d-000feab3b7cb}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\MESSAGES\SDNotify.exe [2007-04-19 14:03]

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980453956-377644614-3286179537-1007.job
- c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 17:15]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-BVRPLiveUpdate - c:\program files\Avanquest update\Engine\Setup.exe
Notify-winykd32 - winykd32.dll
MSConfigStartUp-Windows - system.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {29D73455-3ADA-49BB-9067-44822F6728F5} - hxxp://www.joga.com/activex/uploadactx.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\jgcd3ubp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ninemsn.com.au/
FF - plugin: c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-20 14:20:55
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,30,39,11,f6,45,
c2,54,81,2e,e8,e1,00,eb,16,2b,de,46,cc,86,20,4e,94,bb,6a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{580924E7-4534-80EF-AD4675C17646FF10}\{0EFB2AA0-1A3E-507D-F9B34D5CF29081CD}\{BBABFA65-B0A6-C96D-B621BCAFF6A8D6D6}*]
"YKBG4FY6MRBLZHWNMN5KORGMPA1"=hex:01,00,01,00,00,00,00,00,da,37,90,89,91,09,97,
9b,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,e6,8b,5d,39,6d,
78,24,22,46,47,15,b0,92,4b,c7,ef,03,bd,c8,73,fb,4a,e1,1a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,03,93,01,3c,55,
9d,12,ec,7a,45,05,fd,91,e8,6f,31,5c,83,01,dd,82,b9,6c,77,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2a,e6,7f,87,e1,
ea,5c,9d,6b,65,49,6a,7e,99,74,f7,fe,e9,9f,12,34,8a,21,d7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,15,4e,f7,04,99,
54,fb,c7,e9,02,6c,fa,fb,1d,47,57,3b,f1,7f,4e,98,e3,9c,7b,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,c3,22,ec,af,b9,
0d,c8,ce,50,93,e5,ab,ec,6a,4e,ab,59,99,ec,a4,75,71,a4,17,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,54,fb,b0,15,ba,
0c,78,e3,97,20,4e,9a,c7,f1,35,ee,29,66,fd,33,76,0e,46,9f,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,40,61,ac,42,50,
e0,d8,96,aa,52,c6,00,84,3c,26,64,ea,84,52,c4,71,a1,1b,d3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,cd,81,60,76,19,
ef,6d,05,b2,46,9a,e2,1b,fe,1b,94,61,df,40,2f,37,e9,4a,06,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,9d,60,c0,f1,c6,
51,af,df,37,a4,aa,c3,a6,15,56,0a,7d,7c,a4,bf,b3,7f,38,25,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,83,ba,cd,59,76,
57,f4,f0,f8,31,0f,a9,5f,a0,ec,fb,4e,73,39,bd,d7,42,41,8e,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,71,a1,52,77,45,
6e,10,8f,05,73,21,dd,54,d8,4a,c5,c0,d8,9a,f3,68,70,9b,c7,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1860)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'Explorer.EXE'(1580)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Lavasoft\Ad-Aware\aawservice.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\BrmfBAgS.exe
c:\program files\JAVA\JRE6\BIN\JQS.EXE
c:\program files\NERO\NERO8\NERO BACKITUP\NBSERVICE.EXE
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-01-20 14:26:04 - machine was rebooted [Tim]
ComboFix-quarantined-files.txt 2009-01-20 03:56:00

Pre-Run: 24,715,821,056 bytes free
Post-Run: 27,140,685,824 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn

517 --- E O F --- 2009-01-19 20:47:18

Thanks,

Tim.

#4 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:59 PM

Posted 20 January 2009 - 04:19 AM

Hello Tim,

Let's clean up some more :

Open Notepad - don't use any other texteditor than Notepad or the script will fail !
Copy/paste the bold, blue text below into an empty notepad window:File::
c:\program files\virus cleaner.exe
RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{580924E7-4534-80EF-AD4675C17646FF10}\{0EFB2AA0-1A3E-507D-F9B34D5CF29081CD}\{BBABFA65-B0A6-C96D-B621BCAFF6A8D6D6}*]

Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. Upon reboot, (in case it asks to reboot), post the contents of the Combofix log in your next reply, as well as a fresh DDS log.

Are you still having problems ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#5 modano182

modano182
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 20 January 2009 - 06:37 PM

Hi Thunder,

Ok did that. All is working now. Here is the contents of the combofix log:

ComboFix 09-01-19.03 - Tim 2009-01-21 9:42:15.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.509 [GMT 10.5:30]
Running from: c:\documents and settings\Tim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tim\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\program files\virus cleaner.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\virus cleaner.exe

.
((((((((((((((((((((((((( Files Created from 2008-12-20 to 2009-01-20 )))))))))))))))))))))))))))))))
.

2009-01-17 00:20 . 2009-01-17 00:20 <DIR> d-------- c:\documents and settings\Andrea\Application Data\Malwarebytes
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\program files\Audacity 1.3 Beta (Unicode)
2009-01-16 18:10 . 2009-01-16 18:10 <DIR> d-------- c:\documents and settings\Tim\Application Data\Audacity
2009-01-16 09:37 . 2009-01-16 09:37 <DIR> d-------- c:\documents and settings\Tim\Application Data\Malwarebytes
2009-01-16 09:37 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-16 09:36 . 2009-01-16 09:37 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-16 09:36 . 2009-01-16 09:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-16 09:36 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-16 09:17 . 2009-01-16 09:17 410,984 --a------ c:\windows\system32\deploytk.dll
2009-01-09 17:57 . 2009-01-09 17:57 <DIR> d-------- c:\documents and settings\Tim\Application Data\U3
2009-01-08 10:56 . 2009-01-08 10:56 65 --a------ c:\windows\system32\BD7420.dat
2009-01-07 19:54 . 2009-01-07 19:54 <DIR> d-------- c:\documents and settings\Default\Application Data\U3
2009-01-07 11:53 . 2009-01-07 11:53 <DIR> d--hs---- C:\FOUND.018
2009-01-06 15:03 . 2009-01-06 15:03 <DIR> d--hs---- C:\FOUND.017
2009-01-02 15:11 . 2009-01-02 15:11 <DIR> d--hs---- C:\FOUND.016
2008-12-28 00:08 . 2008-12-28 00:08 <DIR> d--hs---- C:\FOUND.015
2008-12-23 20:59 . 2008-03-21 13:57 14,640 --------- c:\windows\system32\spmsgXP_2k3.dll
2008-12-23 20:59 . 2008-12-23 20:59 0 --ah----- c:\windows\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-12-23 20:59 . 2008-12-23 20:59 0 --ah----- c:\windows\system32\drivers\Msft_Kernel_ggsemc_01007.Wdf
2008-12-23 20:51 . 2008-12-23 20:52 1,107,296 --a------ c:\windows\system32\WdfCoInstaller01007.dll
2008-12-23 20:51 . 2008-12-23 20:52 22,368 --a------ c:\windows\system32\drivers\ggsemc.sys
2008-12-23 20:51 . 2008-12-23 20:52 10,976 --a------ c:\windows\system32\drivers\ggflt.sys
2008-12-23 20:13 . 2008-12-23 20:13 <DIR> d-------- c:\documents and settings\Default\Application Data\Sony
2008-12-23 20:13 . 2008-12-23 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony
2008-12-23 20:07 . 2008-12-23 20:07 <DIR> d-------- c:\program files\Avanquest update
2008-12-23 20:07 . 2008-12-23 20:07 <DIR> d-------- c:\documents and settings\All Users\Application Data\BVRP Software
2008-12-23 20:06 . 2008-12-23 20:06 <DIR> d-------- c:\program files\Sony Ericsson
2008-12-23 20:06 . 2008-12-23 20:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\Sony Ericsson
2008-12-23 20:05 . 2008-12-23 20:06 <DIR> d-------- c:\documents and settings\Default\Application Data\InstallShield

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 10:59 6,656 ----a-w c:\windows\system32\drivers\flpydisk.sys
2008-12-13 06:40 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
2008-12-13 01:51 --------- d-----w c:\program files\iTunes
2008-12-13 01:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-12-13 01:50 --------- d-----w c:\program files\QuickTime
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 ------w c:\windows\system32\dllcache\srv.sys
2008-12-10 02:31 --------- d-----w c:\program files\Ableton
2008-12-10 01:36 58,904 ----a-w c:\windows\system32\azipcontmn.dll
2008-12-05 05:45 27,904 ----a-w c:\windows\system32\drivers\Ndisprot.sys
2008-12-05 05:40 --------- d-----w c:\documents and settings\Tim\Application Data\Ableton
2008-11-05 06:12 96,093 ----a-w c:\windows\system32\tsrvdsfgql.dll-uninst.exe
2008-10-24 11:21 455,296 ------w c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-23 12:36 286,720 ------w c:\windows\system32\dllcache\gdi32.dll
2007-07-25 01:59 3,679,744 ----a-w c:\program files\Shortcut to IKEA Home Planner.lnk
2006-06-21 12:54 4,225,744 ----a-w c:\documents and settings\Tim\Limewire Lime Wire Pro 4.12.3.exe
2006-05-14 12:25 5,462,881 ----a-w c:\documents and settings\Chris\drfclientinstall_cd.exe
2008-09-04 23:24 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090520080906\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-20_14.23.27.95 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-20 03:58:04 16,384 ----a-w c:\windows\Temp\Perflib_Perfdata_14c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-09-22 133104]
"H/PC Connection Agent"="c:\progra~1\MICROS~3\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-28 1261336]
"RegistryMechanic"="c:\program files\Registry Mechanic\RegMech.exe" [2008-07-08 2828184]
"WinFast Schedule"="c:\program files\Aspire\WFTVFM\WFWIZ.exe" [2004-05-03 163840]
"SetDefPrt"="c:\program files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 49152]
"ControlCenter2.0"="c:\program files\Brother\ControlCenter2\brctrcen.exe" [2004-11-11 864256]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2005-12-02 180269]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-01-16 136600]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 c:\windows\system32\narrator.exe]

c:\documents and settings\Chris\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-29 113664]
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-01-05 200704]
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [2006-08-17 159744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
"VIDC.TR20"= tr2032.dll
"vidc.vivo"= ivvideo.dll
"VIDC.DVSD"= pdvcodec.dll
"msacm.imc"= xbadpcm.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Smart Wizard Wireless Settings.lnk]
backup=c:\windows\pss\Smart Wizard Wireless Settings.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
backup=c:\windows\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
--a------ 2008-09-03 20:12 111936 c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aspire Schedule]
--a------ 2004-05-03 15:11 163840 c:\program files\Aspire\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
--a------ 2004-08-11 14:15 110592 c:\program files\Acer\Acer eMode\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiTrayTools]
--a------ 2006-04-17 14:54 505344 c:\program files\Ray Adams\ATI Tray Tools\atitray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2007-09-20 15:35 202024 c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
--a------ 2007-09-08 09:31 43008 c:\program files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2004-11-11 22:00 864256 c:\program files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-14 09:42 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a------ 2008-09-22 17:15 133104 c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndexSearch]
--a------ 2004-04-14 15:04 40960 c:\program files\ScanSoft\PaperPort\IndexSearch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2006-03-20 17:34 86960 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
--a------ 2004-08-04 15:36 372736 c:\program files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPS]
--a------ 2004-03-04 10:53 372736 c:\acer\PSM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
--a------ 2007-09-20 09:51 1836328 c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2007-03-01 15:57 153136 c:\program files\Common Files\Nero\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PaperPort PTD]
--a------ 2004-04-14 14:46 57393 c:\program files\ScanSoft\PaperPort\pptd40nt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-21 11:52 40960 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 17:14 49152 c:\program files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
-ra------ 2003-10-14 10:22 155648 c:\program files\Common Files\ScanSoft Shared\SSBkgdUpdate\SSBkgdUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2008-01-21 12:17 61440 c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-10 04:27 144784 c:\program files\Java\jre1.6.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-06-19 07:30 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2005-12-02 07:24 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
--a------ 2004-05-03 15:11 163840 c:\program files\Aspire\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 18:43 69632 c:\windows\ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcWzrd]
--a------ 2005-09-21 15:32 2807808 c:\windows\ALCWZRD.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2006-02-22 11:35 344064 c:\windows\system32\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--------- 2004-03-17 15:10 61952 c:\windows\system32\Hdaudpropshortcut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
--------- 2006-01-11 15:08 577536 c:\windows\soundman.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinDefend"=2 (0x2)
"ose"=3 (0x3)
"Macromedia Licensing Service"=3 (0x3)
"IDriverT"=3 (0x3)
"CAISafe"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"Bonjour Service"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Acer\\Acer eConsole\\eConsole.exe"=
"c:\\WINDOWS\\System32\\dpnsvr.exe"=
"c:\\Program Files\\Microsoft Games\\Links 2003\\LinksMMIII.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\WINDOWS\\System32\\javaw.exe"=
"c:\\WINDOWS\\System32\\rtcshare.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"c:\\Program Files\\Messenger\\MSMSGS.EXE"=
"c:\\Program Files\\Outlook Express\\msimn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Empires II\\age2_x1.exe"=
"c:\\WINDOWS\\System32\\dplaysvr.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Documents and Settings\\Chris\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\Nero\\Nero8\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\RingtoneExpress\\RingtoneExpress.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6346:UDP"= 6346:UDP:Gnutella
"6346:TCP"= 6346:TCP:Gnutella
"40823:TCP"= 40823:TCP:Limew1
"40823:UDP"= 40823:UDP:Limew1
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 0 (0x0)
"AllowInboundTimestampRequest"= 0 (0x0)
"AllowInboundMaskRequest"= 0 (0x0)
"AllowInboundRouterRequest"= 0 (0x0)
"AllowOutboundDestinationUnreachable"= 0 (0x0)
"AllowOutboundSourceQuench"= 0 (0x0)
"AllowOutboundParameterProblem"= 0 (0x0)
"AllowOutboundTimeExceeded"= 0 (0x0)
"AllowRedirect"= 0 (0x0)
"AllowOutboundPacketTooBig"= 0 (0x0)

R1 atitray;atitray;c:\program files\Ray Adams\ATI Tray Tools\atitray.sys [2006-03-01 12032]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-05-26 97928]
R3 C4C_BSC2;C4C_BSC2;c:\windows\system32\drivers\C4C_BSC2.sys [1980-01-01 84788]
R4 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-05-26 231704]
R4 HPFECP13;HPFECP13;c:\windows\system32\drivers\HPFecp13.sys [1998-09-25 52800]
R4 WF23880;WinFast TV2000/DV2000 WDM Video Capture.;c:\windows\system32\drivers\wf88vcap.sys [1980-01-01 209171]
R4 WF88XBAR;WinFast TV2000/DV2000 WDM Crossbar.;c:\windows\system32\drivers\WF88XBAR.sys [1980-01-01 9284]
R4 WFTUNE;WinFast TV2000/DV2000 WDM Tuner.;c:\windows\system32\drivers\wf88tune.sys [1980-01-01 36261]
S3 brfilt;Brother MFC Filter Driver;c:\windows\system32\drivers\BrFilt.sys [2007-11-12 2944]
S3 brparimg;Brother Multi Function Parallel Image driver;c:\windows\system32\DRIVERS\BrParImg.sys --> c:\windows\system32\DRIVERS\BrParImg.sys [?]
S3 BrParWdm;Brother WDM Parallel Driver;c:\windows\system32\drivers\BrParwdm.sys [2007-11-12 39552]
S3 BrSerWDM;Brother WDM Serial driver;c:\windows\system32\drivers\BrSerWdm.sys [2007-11-12 61440]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2008-12-23 10976]
S3 Klsmsep;Klsmsep Device;c:\windows\system32\drivers\Klsmsep.sys [2005-07-26 24142]
S3 malg8xc;malg8xc;c:\windows\system32\drivers\malg8xc.sys [2006-03-05 24784]
S3 malg8xm;malg8xm;c:\windows\system32\drivers\malg8xm.sys [2006-03-05 25044]
S3 malg8xu;malg8xu;c:\windows\system32\drivers\malg8xu.sys [2006-03-05 51669]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-01-16 38496]
S3 MR97310_VGA_DUAL_CAMERA;VSD821;c:\windows\system32\drivers\MR97310v.sys [2005-08-18 116126]
S3 rcp_service;ReaConverter scheduler service;c:\program files\ReaConverter 5.5 Pro\rcp_scheduler.exe [2007-11-30 558592]
S3 ulusba;NEC 616 Command Port Driver;c:\windows\system32\drivers\ulusba.sys [2005-05-29 25856]
S3 ulusbc;NEC 616 CONTROL Driver;c:\windows\system32\drivers\ulusbc.sys [2005-05-29 43264]
S3 ulusbe;NEC 616 ENUMERATION Driver;c:\windows\system32\drivers\ulusbe.sys [2005-05-29 12928]
S3 ulusbm;NEC 616 Modem Driver;c:\windows\system32\drivers\ulusbm.sys [2005-05-29 36352]
S3 ulusbo;NEC 616 OBEX Port Driver;c:\windows\system32\drivers\ulusbo.sys [2005-05-29 33920]
S3 WFIOCTL;WFIOCTL;\??\c:\program files\Aspire\WFTVFM\WFIOCTL.SYS --> c:\program files\Aspire\WFTVFM\WFIOCTL.SYS [?]
S4 BT848;WinFast TV2000 XP WDM Video Capture;c:\windows\system32\drivers\wf2kvcap.sys [2004-10-23 81356]
S4 tv2ktunr;WinFast TV2000 XP WDM TVTuner;c:\windows\system32\drivers\wf2ktunr.sys [2004-10-23 39182]
S4 Tv2kXbar;WinFast TV2000 XP WDM Crossbar;c:\windows\system32\drivers\wf2kXbar.sys [2004-10-23 9804]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f183c8dc-dc9c-11dd-b85d-000feab3b7cb}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\MESSAGES\SDNotify.exe [2007-04-19 14:03]

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-01-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1980453956-377644614-3286179537-1007.job
- c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-22 17:15]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ninemsn.com.au/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = local.;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
DPF: {29D73455-3ADA-49BB-9067-44822F6728F5} - hxxp://www.joga.com/activex/uploadactx.cab
FF - ProfilePath - c:\documents and settings\Tim\Application Data\Mozilla\Firefox\Profiles\jgcd3ubp.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.ninemsn.com.au/
FF - plugin: c:\documents and settings\Tim\Local Settings\Application Data\Google\Update\1.2.133.33\npGoogleOneClick7.dll
FF - plugin: c:\program files\Real\RealArcade\Plugins\Mozilla\npracplug.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-21 09:47:09
Windows 5.1.2600 Service Pack 3 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"cd042efbbd7f7af1647644e76e06692b"=hex:e2,63,26,f1,3f,c8,ff,68,30,39,11,f6,45,
c2,54,81,2e,e8,e1,00,eb,16,2b,de,46,cc,86,20,4e,94,bb,6a,e2,63,26,f1,3f,c8,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"bca643cdc5c2726b20d2ecedcc62c59b"=hex:71,3b,04,66,8b,46,0d,96,e6,8b,5d,39,6d,
78,24,22,46,47,15,b0,92,4b,c7,ef,03,bd,c8,73,fb,4a,e1,1a,6a,9c,d6,61,af,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2c81e34222e8052573023a60d06dd016"=hex:ff,7c,85,e0,43,d4,0e,fe,03,93,01,3c,55,
9d,12,ec,7a,45,05,fd,91,e8,6f,31,5c,83,01,dd,82,b9,6c,77,ff,7c,85,e0,43,d4,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"2582ae41fb52324423be06337561aa48"=hex:86,8c,21,01,be,91,eb,e7,2a,e6,7f,87,e1,
ea,5c,9d,6b,65,49,6a,7e,99,74,f7,fe,e9,9f,12,34,8a,21,d7,86,8c,21,01,be,91,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"caaeda5fd7a9ed7697d9686d4b818472"=hex:f5,1d,4d,73,a8,13,5c,05,15,4e,f7,04,99,
54,fb,c7,e9,02,6c,fa,fb,1d,47,57,3b,f1,7f,4e,98,e3,9c,7b,f5,1d,4d,73,a8,13,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"a4a1bcf2cc2b8bc3716b74b2b4522f5d"=hex:df,20,58,62,78,6b,cf,c8,c3,22,ec,af,b9,
0d,c8,ce,50,93,e5,ab,ec,6a,4e,ab,59,99,ec,a4,75,71,a4,17,df,20,58,62,78,6b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"4d370831d2c43cd13623e232fed27b7b"=hex:31,77,e1,ba,b1,f8,68,02,54,fb,b0,15,ba,
0c,78,e3,97,20,4e,9a,c7,f1,35,ee,29,66,fd,33,76,0e,46,9f,fb,a7,78,e6,12,2f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1d68fe701cdea33e477eb204b76f993d"=hex:83,6c,56,8b,a0,85,96,ab,40,61,ac,42,50,
e0,d8,96,aa,52,c6,00,84,3c,26,64,ea,84,52,c4,71,a1,1b,d3,01,3a,48,fc,e8,04,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"1fac81b91d8e3c5aa4b0a51804d844a3"=hex:f6,0f,4e,58,98,5b,89,c9,cd,81,60,76,19,
ef,6d,05,b2,46,9a,e2,1b,fe,1b,94,61,df,40,2f,37,e9,4a,06,f6,0f,4e,58,98,5b,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"f5f62a6129303efb32fbe080bb27835b"=hex:b1,cd,45,5a,a8,c4,f8,b9,9d,60,c0,f1,c6,
51,af,df,37,a4,aa,c3,a6,15,56,0a,7d,7c,a4,bf,b3,7f,38,25,3d,ce,ea,26,2d,45,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"fd4e2e1a3940b94dceb5a6a021f2e3c6"=hex:e3,0e,66,d5,eb,bc,2f,6b,83,ba,cd,59,76,
57,f4,f0,f8,31,0f,a9,5f,a0,ec,fb,4e,73,39,bd,d7,42,41,8e,2a,b7,cc,b5,b9,7f,\

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32*]
"ThreadingModel"="Apartment"
@="c:\\WINDOWS\\system32\\OLE32.DLL"
"8a8aec57dd6508a385616fbc86791ec2"=hex:fa,ea,66,7f,d4,3b,6b,70,71,a1,52,77,45,
6e,10,8f,05,73,21,dd,54,d8,4a,c5,c0,d8,9a,f3,68,70,9b,c7,6c,43,2d,1e,aa,22,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(668)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-21 9:49:47
ComboFix-quarantined-files.txt 2009-01-20 23:19:46
ComboFix2.txt 2009-01-20 03:56:06

Pre-Run: 26,829,783,040 bytes free
Post-Run: 26,808,057,856 bytes free

378 --- E O F --- 2009-01-20 22:39:22


THANK YOU SO MUCH FOR YOUR HELP!!!

Very much appreciated!

Regards,

Tim.

#6 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:59 PM

Posted 21 January 2009 - 05:58 AM

Hello Tim,

Your log looks fine now. :thumbsup:

You can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste next command in the field:ComboFix /u
Make sure there's a space between Combofix and /u
Then press Enter.
This will uninstall Combofix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

No more issues ?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference

#7 modano182

modano182
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:11:29 PM

Posted 21 January 2009 - 10:09 PM

No more issues.

Thanks once again for all of your help :thumbsup:

Kind Regards,

Tim.

#8 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:03:59 PM

Posted 22 January 2009 - 05:17 AM

Glad we could help, Tim :thumbsup:

Please read this Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks.
To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
and/or Grinlers tutorial on how malware is hidden and installed

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
Posted Image - If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------
Stand Up & Be Counted --> Posted Image <-- And make a difference




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users