
Malware on my work computer


  • This topic is locked
71 replies to this topic

#1 smiley4017

  • Members
  • 36 posts

Posted 09 March 2009 - 12:49 PM

Hello everyone,
This is my first time posting to BleepingComputer.
I am having a heck of a time trying to figure out what is causing my problem.
About every 3 times I log into my work computer I have no desktop (no icons, no start bar, nothing). I figured out that something is adding an explorer.exe folder to hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options\
I can get into the task manager, start a new task, go into regedit, delete the explorer.exe folder, and reboot, and all is well. But after 1 or 2 more boots it comes back and I have to go through the whole process again.
This is a work computer and reformatting is not an option.

Below is my HijackThis log file. I looked through it and nothing looked too bad, but I am not an expert and hopefully you all can see the problem.
I already ran SUPERAntiSpyware and Malwarebytes.

Thank you for any help you can give me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:48:35 PM, on 3/9/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18372)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\TSUsage32.exe
C:\PROGRA~1\NOVELL\ZENWORKS\NALWIN32.EXE
C:\Program Files\Novell\ZENworks\NalWin.exe
C:\WINDOWS\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\X1\X1FileMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\rileygp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Documents and Settings\rileygp\Desktop\repair\Virus Removal\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
X:\LogMeInIgnition\LMIIgnition.exe
X:\LogMeInIgnition\LMIGuardian.exe
c:\novell\groupwise\grpwise.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 172.16.32.103:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.7;mrmc_iis;webnt;PB_EIW_SERVER;intranet.mclaren.org;Portal.Mclaren.org;172.16.*;pcnlrh.mclaren.org;pcn.mclaren.org;mhcc-db3.mclaren.org;tms.phns.com;pcncm-mhcc.phns.com;my.phns.com;portal.phns.com;10.2.*;10.10.*;remotefnt.phns.com;vcm.phns.com;vsssecure.phns.com;mhcc-omega.mclaren.org;*.smsrsm.com;*.bhsnet.org;*.smshealthconx.net;*-pacs*.mclaren.org;*.?rmcmswshsm1.mclaren.org;<local>
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: QT Breadcrumbs Address Bar - {af83e43c-dd2b-4787-826b-31b17dee52ed} - mscoree.dll (file missing)
O3 - Toolbar: QT TabBar - {d2bf470e-ed1c-487f-a333-2bd8835eb6ce} - mscoree.dll (file missing)
O3 - Toolbar: QT Tab Standard Buttons - {D2BF470E-ED1C-487F-A666-2BD8835EB6CE} - mscoree.dll (file missing)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINDOWS\system32\zentray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKLM\..\Run: [Google Quick Search Box] "C:\Program Files\Google\Quick Search Box\qsb.exe" /autorun
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [X1FileMonitor.exe] C:\Program Files\X1\X1FileMonitor.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: X1.lnk = C:\Program Files\X1\X1.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.4.2\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1216213329734
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) -
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u1...=javadl.sun.com
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Program Files\Stardock\Fences\DesktopDock.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client Update Service for Novell (cusrvc) - Novell, Inc. - C:\WINDOWS\system32\cusrvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate1c90e03a9ba7b12) (gupdate1c90e03a9ba7b12) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: PatchLink Update - Novell, Inc. - C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Proxy Host Service (ProxyHostService) - Funk Software, Inc. - C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
O23 - Service: Novell ZENworks Remote Management Agent (Remote Management Agent) - Novell, Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: ZENworks Asset Management - Collection Client (TSCensus Collection Client) - Novell, Inc. - C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
O23 - Service: Novell XTier Agent Services (XTAgent) - Novell, Inc. - C:\WINDOWS\System32\Novell\XTAgent.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, Inc. - C:\Program Files\Novell\ZENworks\wm.exe

--
End of file - 11274 bytes
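The key the first post keeps finding, Image File Execution Options\explorer.exe, is an IFEO entry: a Debugger value there makes Windows launch the named program in place of the image, so a hijacked explorer.exe never brings up the desktop. The audit below is an added example, not code from the thread or from any tool it mentions; the .reg sample, the placeholder dropper path and the list of known debuggers are assumptions.

```python
r"""Audit Image File Execution Options (IFEO) for Debugger hijacks.

Added example, not code from the thread. A "Debugger" value under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<image>
makes Windows launch that program instead of <image>; on explorer.exe the shell never
starts. The script parses a .reg export of the IFEO key (constructed sample below).
"""
import re
import sys

IFEO_PATH = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
             r"\CurrentVersion\Image File Execution Options")

# Debuggers that legitimately register here on developer machines (assumed list).
# explorer.exe is flagged regardless: it should never carry a Debugger value.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "ntsd.exe", "cdb.exe", "drwtsn32.exe"}

# Constructed sample of `reg export "HKLM\...\Image File Execution Options" ifeo.reg`.
# The explorer.exe entry mirrors the hijack described in the thread; its path is a
# placeholder, not an indicator taken from the posted logs.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Windows\\System32\\vsjitdebugger.exe\" -p %ld -e %ld"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\system32\\PLACEHOLDER_dropper.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DllNXOptions]
"mscories.dll"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]\s*$")
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    # .reg files double backslashes and escape quotes; one pass undoes both.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {ifeo_subkey: {value_name: data}} for quoted string values under IFEO.
    dword:/hex: data is ignored; the Debugger value this audit needs is REG_SZ."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key = _KEY_RE.match(line)
        if key:
            path = key.group("path")
            if path.lower().startswith(IFEO_PATH.lower() + "\\"):
                current = path[len(IFEO_PATH) + 1:]
                keys[current] = {}
            else:
                current = None   # unrelated key, or the IFEO root itself
            continue
        val = _VALUE_RE.match(line)
        if val and current is not None:
            data = val.group("data")
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][_unescape(val.group("name"))] = _unescape(data[1:-1])
    return keys


def debugger_basename(cmdline):
    """Lower-cased file name of the program a Debugger command line would launch."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        first = s[1:end] if end > 0 else s[1:]
    else:
        first = s.split(None, 1)[0] if s else ""
    return first.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_debugger_hijacks(keys):
    """(subkey, debugger) pairs whose Debugger is not a known debugger, plus explorer.exe."""
    findings = []
    for subkey, values in keys.items():
        dbg = next((v for k, v in values.items() if k.lower() == "debugger"), None)
        if dbg is None:
            continue
        if subkey.lower() == "explorer.exe" or debugger_basename(dbg) not in KNOWN_DEBUGGERS:
            findings.append((subkey, dbg))
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:   # reg.exe exports UTF-16 LE
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    for subkey, dbg in find_debugger_hijacks(parse_reg_export(text)):
        print(f"SUSPECT  {subkey:<24} Debugger = {dbg}")
```

On the affected machine, `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` produces the input file; re-running the audit after each reboot shows whether the entry is being re-created, which points at a still-active dropper rather than a one-off change.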



#2 KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 21 March 2009 - 02:22 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.


Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

R,
K
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)

#3 smiley4017
  • Topic Starter

  • Members
  • 36 posts

Posted 24 March 2009 - 09:44 AM

Below is my DDS log file, and I have attached the Attach.zip file.
Thank you all for your help; this is driving me crazy.


DDS (Ver_09-03-16.01) - NTFSx86
Run by rileygp at 10:36:15.39 on Tue 03/24/2009
Internet Explorer: 8.0.6001.18372 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.292 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\PatchLink\Update Agent\GRAVITIXSERVICE.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClientSvc.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\Asset Management\bin\CClient.exe
C:\Program Files\Funk Software\Proxy Host\ph32svc.exe
C:\PROGRA~1\NOVELL\ZENWORKS\NALWIN32.EXE
C:\Program Files\Novell\ZENworks\NalWin.exe
C:\WINDOWS\clntrust.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\PatchLink\Update Agent\Dagent.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Google\Quick Search Box\qsb.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\X1\X1FileMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\X1\X1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\program files\x1\X1Systray.exe
C:\Program Files\X1\X1Service.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\X1\textExtractor.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rileygp\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.7;mrmc_iis;webnt;PB_EIW_SERVER;intranet.mclaren.org;Portal.Mclaren.org;172.16.*;pcnlrh.mclaren.org;pcn.mclaren.org;mhcc-db3.mclaren.org;tms.phns.com;pcncm-mhcc.phns.com;my.phns.com;portal.phns.com;10.2.*;10.10.*;remotefnt.phns.com;vcm.phns.com;vsssecure.phns.com;mhcc-omega.mclaren.org;*.smsrsm.com;*.bhsnet.org;*.smshealthconx.net;*-pacs*.mclaren.org;*.?rmcmswshsm1.mclaren.org;<local>
uInternet Settings,ProxyServer = 172.16.32.103:80
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
BHO: Cooliris Plug-In for Internet Explorer: {eaee5c74-6d0d-4aca-9232-0da4a7b866ba} - c:\program files\piclensie\cooliris.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {968631B6-4729-440D-9BF4-251F5593EC9A} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [X1FileMonitor.exe] c:\program files\x1\X1FileMonitor.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [NWTRAY] NWTRAY.EXE
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\qsb.exe" /autorun
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\rileygp\startm~1\programs\startup\x1.lnk - c:\program files\x1\X1.exe
uPolicies-explorer: ForceActiveDestopOn = 0 (0x0)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.4.2\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {3437D640-C91A-458f-89F5-B9095EA4C28B} - {04F93351-81D2-4484-9982-0D55DEFFFAE6} - c:\program files\piclensie\cooliris.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: Microsoft XML Parser for Java
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1216213329734
DPF: {88D969C0-F192-11D4-A65F-0040963251E5}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://sdlc-esd.sun.com/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab?AuthParam=1231877557_dba4af62ba2edc7f9a4f0379744ab8b3&GroupName=JSC&FilePath=/ESD5/JSCDL/jre/6u11-b90/jinstall-6u11-windows-i586-jc.cab&File=jinstall-6u11-windows-i586-jc.cab&BHost=javadl.sun.com
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_9993303B90FE6C1D.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
STS: Fences: {ec654325-1273-c2a9-2b7c-45a29bce2fbd} - c:\program files\stardock\fences\DesktopDock.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rileygp\applic~1\mozilla\firefox\profiles\z5ha0u0z.default\
FF - component: c:\documents and settings\rileygp\application data\mozilla\firefox\profiles\z5ha0u0z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\rileygp\application data\mozilla\firefox\profiles\z5ha0u0z.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\rileygp\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\palmone\packag~1\NPInstal.dll
FF - plugin: c:\program files\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: x:\firefoxportable\app\firefox\plugins\np32dsw.dll
FF - plugin: x:\firefoxportable\app\firefox\plugins\npdeploytk.dll
FF - plugin: x:\firefoxportable\app\firefox\plugins\npnul32.dll
FF - plugin: x:\firefoxportable\app\firefox\plugins\nppdf32.dll
FF - plugin: x:\firefoxportable\app\firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\mozilla firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");

============= SERVICES / DRIVERS ===============

R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-1-17 6899]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-7-19 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-7-19 169632]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-8-17 167936]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-9-27 116464]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-9-27 1813232]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\novell\zenworks\asset management\bin\CClientSvc.exe [2008-3-26 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-3-26 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-1-10 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-13 101936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090323.003\naveng.sys [2009-3-24 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090323.003\navex15.sys [2009-3-24 876144]
R3 PhPortVK;Proxy Host Keyboard Driver Filter;c:\windows\system32\drivers\PhPortVK.sys [2007-2-26 4089]
R3 ProxyHostKeyboardPort;Proxy Host Keyboard Port;c:\windows\system32\drivers\PhPort2K_Kbd.sys [2005-7-22 3993]
R3 ProxyHostMousePort;Proxy Host Mouse Port;c:\windows\system32\drivers\PhPort2K_Mou.sys [2005-7-22 3993]
S2 gupdate1c90e03a9ba7b12;Google Update Service (gupdate1c90e03a9ba7b12);c:\program files\google\update\GoogleUpdate.exe [2008-9-3 133104]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-3-17 34760]
S3 SideWnd;SideWnd;c:\windows\system32\drivers\innvmini.sys [2005-9-29 4480]

=============== Created Last 30 ================

2009-03-18 14:09 54,156 a---h--- c:\windows\QTFont.qfn
2009-03-18 14:09 1,409 a------- c:\windows\QTFont.for
2009-03-17 09:58 34,760 a------- c:\windows\system32\drivers\Partizan.sys
2009-03-17 09:58 32,480 a------- c:\windows\system32\Partizan.exe
2009-03-17 09:56 2 a--shrot c:\windows\winstart.bat
2009-03-12 16:36 <DIR> --d----- c:\docume~1\rileygp\applic~1\diag
2009-03-05 10:36 <DIR> a-dshr-- C:\cmdcons
2009-03-05 10:32 161,792 a------- c:\windows\SWREG.exe
2009-03-05 10:32 98,816 a------- c:\windows\sed.exe
2009-02-25 10:14 <DIR> --d----- C:\VundoFix Backups
2009-02-24 17:39 <DIR> --d----- c:\program files\Unlocker
2009-02-24 17:39 <DIR> --d----- c:\docume~1\rileygp\applic~1\Desktopicon
2009-02-24 16:51 <DIR> --d----- c:\docume~1\rileygp\applic~1\JAM Software

==================== Find3M ====================

2009-03-16 12:50 5,018 a------- c:\windows\system32\KGyGaAvL.sys
2009-01-15 03:05 911,872 a------- c:\windows\system32\wininet.dll
2009-01-15 03:05 43,008 a------- c:\windows\system32\licmgr10.dll
2009-01-15 03:04 18,944 a------- c:\windows\system32\corpol.dll
2009-01-15 03:03 420,352 a------- c:\windows\system32\vbscript.dll
2009-01-15 03:03 72,704 a------- c:\windows\system32\admparse.dll
2009-01-15 03:03 71,680 a------- c:\windows\system32\iesetup.dll
2009-01-15 03:01 34,304 a------- c:\windows\system32\imgutil.dll
2009-01-15 03:00 48,128 a------- c:\windows\system32\mshtmler.dll
2009-01-15 03:00 45,568 a------- c:\windows\system32\mshta.exe
2009-01-15 02:50 156,160 a------- c:\windows\system32\msls31.dll
2009-01-13 16:04 410,984 a------- c:\windows\system32\deploytk.dll
2008-03-26 11:02 88 ---shr-- c:\windows\system32\F6147F20BA.sys

============= FINISH: 10:37:10.60 ===============




#4 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 24 March 2009 - 11:12 PM

Howdy, my name is Hoov, and I will be helping you with your dilemma.

Please make sure you watch this thread for responses. If you click the options tab at the top of your first post, you can select to track this thread.

Here is what I am asking you to do during the repair of your computer

*Tell me everything that you have done, if anything, to try and fix this problem.

*Please only use 1 forum to help clear up your problem. Posting on more than 1 and following instructions from more than 1 forum will cause those helping you to pull out their hair.

*Follow my instructions - If you can't for some reason, or if you don't understand something, please tell me. If you deviate from my instructions, tell me, it may make a difference on where we go. Don't install anything, even other programs that have nothing to do with security or malware, it could cause things to change, and I would never know it.

*Have faith. I will do all I can to get your computer working, and if I can't - someone else here will know something else to try.

*Stick with me to the end. My aim is to fix your problems, and give you the tools and knowledge to keep this from happening again.

Now onto trying to fix your computer.

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

Run ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Also make sure you close all your browsers just before the instructions tell you to start the scanner.

Please include the C:\ComboFix.txt in your next reply for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families

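The helper above asks for C:\ComboFix.txt "for further review"; the part of that file a reviewer reads first is the "Reg Loading Points" section. The following is an added example, not code from BleepingComputer, Hoov or ComboFix: a small Python triage script that parses that REGEDIT4-style section and flags the things this thread turns on, namely an Image File Execution Options subkey carrying a Debugger value (the explorer.exe hijack the original poster keeps deleting by hand), Run values that point outside the usual program directories, and msconfig startupreg names that look machine-generated. The sample log inside the script is constructed for the example, and the trusted path prefixes and the randomness thresholds are assumptions of this example rather than ComboFix rules.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix.txt log.

Added example: not code from BleepingComputer, Hoov or ComboFix. It reads the
REGEDIT4-style block the log contains and flags three things a reviewer looks
for in this thread: an Image File Execution Options subkey with a Debugger
value, Run values pointing outside the usual program directories, and msconfig
startupreg names that look machine-generated. TRUSTED_PREFIXES and the
thresholds in looks_random() are assumptions of this example, not ComboFix rules.
"""
import re

# Constructed sample in ComboFix's layout; every entry below is made up for
# this example and is not taken from the log posted in the thread.
SAMPLE_LOG = r"""
((((((((((( Reg Loading Points )))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"updater"="c:\documents and settings\someone\Local Settings\Temp\upd.exe" [2009-03-01 40960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="c:\windows\system32\constructed-hijack.exe" [2009-03-01 40960]

HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherWatcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q7zk2m9xb0v4rhj5nn1c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b3t8ygq1lw6
"""

# Assumed "normal" locations for Run-key targets on an XP box (example policy).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>[^"]*)"')
STARTUPREG_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\(?P<name>.+)$",
    re.IGNORECASE,
)
VOWELS = set("aeiou")


def parse_loading_points(text):
    """Return (values, startupreg): values are (key, name, data) triples taken
    from the [key] / "name"="data" blocks, startupreg the bare msconfig
    startupreg item names ComboFix lists one per line."""
    values, startupreg = [], []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = STARTUPREG_RE.match(line)
        if m:
            startupreg.append(m.group("name"))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            values.append((current_key, m.group("name"), m.group("data")))
    return values, startupreg


def looks_random(name):
    """Heuristic for machine-generated startup names: one run of lowercase
    letters and digits, at least 10 long, with several digits and few vowels.
    Thresholds are an assumption of this example."""
    if not re.fullmatch(r"[a-z0-9]{10,}", name):
        return False
    letters = [c for c in name if c.isalpha()]
    digits = len(name) - len(letters)
    if digits < 2 or not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    return vowel_ratio <= 0.3


def triage(text):
    """Run the three reviewer checks; return (kind, where, detail) findings."""
    findings = []
    values, startupreg = parse_loading_points(text)
    for key, name, data in values:
        lkey = key.lower()
        # An IFEO subkey named after a system binary with a Debugger value means
        # that binary is replaced by the debugger path whenever it is launched.
        if "\\image file execution options\\" in lkey and name.lower() == "debugger":
            findings.append(("ifeo-debugger", key.rsplit("\\", 1)[-1], data))
        elif lkey.endswith("\\currentversion\\run") and not data.lower().startswith(TRUSTED_PREFIXES):
            findings.append(("run-untrusted-path", name, data))
    for name in startupreg:
        if looks_random(name):
            findings.append(("random-startupreg", name, ""))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:20} {where:30} {detail}")
```

Run against a real ComboFix.txt by passing the file contents to triage() instead of SAMPLE_LOG. Two caveats: a Run value given as a bare file name with no path (ComboFix then prints the resolved path inside the brackets) is reported as an untrusted path and needs a manual look, and the randomness heuristic is deliberately conservative, so short generated names slip through; the point is to surface the pattern of many such entries, which a reviewer then judges as a whole.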

#5 smiley4017

smiley4017
  • Topic Starter

  • Members
  • 36 posts
  • OFFLINE
  •  
  • Local time:01:28 AM

Posted 26 March 2009 - 08:04 AM

Thank you for taking the time to help me.
This is what I have done so far.
I have booted off the Avira Rescue Disc, ran scans and had it delete any file that was infected.
Next I ran Malwarebytes and deleted anything it found.
Next I ran Superspyware and deleted anything it found.
Next I ran Combofix (below is the log file).

I am still having the same problem. Every time I come into work and turn on my computer there are no icons. Thank goodness I know how to get them back: I run Task Manager, then New Task, run regedit, delete explorer.exe under "Image File Execution Options" and then run explorer.exe to get the icons back. It works but gets me frustrated.

Here is the Combofix log

ComboFix 09-03-04.01 - rileygp 2009-03-05 9:38:52.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.388 [GMT -5:00]
Running from: c:\combofix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\twain32
c:\windows\system32\twain32\local.ds
c:\windows\system32\twain32\user.ds
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe
X:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-02-05 to 2009-03-05 )))))))))))))))))))))))))))))))
.

2009-02-25 09:14 . 2009-02-25 09:14 <DIR> d-------- C:\VundoFix Backups
2009-02-24 16:39 . 2009-02-24 16:40 <DIR> d-------- c:\program files\Unlocker
2009-02-24 16:39 . 2009-02-24 16:39 <DIR> d-------- c:\documents and settings\rileygp\Application Data\Desktopicon
2009-02-24 15:51 . 2009-02-24 15:51 <DIR> d-------- c:\documents and settings\rileygp\Application Data\JAM Software
2009-02-18 14:51 . 2009-02-18 14:54 <DIR> d-------- c:\documents and settings\rileygp\Application Data\GlarySoft
2009-02-18 14:26 . 2009-02-18 14:26 <DIR> d-------- c:\program files\Glary Utilities
2009-02-18 11:15 . 2009-02-18 11:15 <DIR> d--hs---- c:\documents and settings\rileygp\IECompatCache
2009-02-18 11:13 . 2009-02-18 11:13 <DIR> d--hs---- c:\documents and settings\rileygp\PrivacIE
2009-02-18 11:13 . 2009-02-18 11:13 <DIR> d--hs---- c:\documents and settings\rileygp\IETldCache
2009-02-18 11:03 . 2009-02-18 11:07 <DIR> d--h-c--- c:\windows\ie8
2009-02-18 10:40 . 2009-02-18 10:41 1,374 --a------ c:\windows\imsins.BAK
2009-02-17 08:46 . 2009-02-17 09:37 <DIR> d-------- c:\program files\SUPERAntiSpyware
2009-02-17 08:46 . 2009-02-17 09:37 <DIR> d-------- c:\documents and settings\rileygp\Application Data\SUPERAntiSpyware.com
2009-02-17 08:46 . 2009-02-17 08:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 10:33 . 2009-02-16 10:33 <DIR> d-------- c:\documents and settings\rileygp\Application Data\Malwarebytes
2009-02-16 10:33 . 2009-02-16 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 10:26 . 2009-02-06 10:26 <DIR> d-------- c:\program files\PicLensIE
2009-02-06 09:22 . 2009-02-06 09:22 <DIR> d-------- c:\program files\Stardock
2009-02-06 09:22 . 2009-02-06 09:22 <DIR> d-------- c:\documents and settings\rileygp\Application Data\Stardock
2009-02-06 09:22 . 2009-02-06 09:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Stardock
2009-02-06 09:22 . 2009-02-06 09:22 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{E94FD7CC-6945-4744-99C3-9BFF40AA2F24}

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-05 14:43 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-04 18:14 --------- d-----w c:\documents and settings\rileygp\Application Data\TeraCopy
2009-03-04 14:55 --------- d-----w c:\program files\InfoRad Wireless
2009-02-25 18:38 --------- d-----w c:\program files\Google
2009-02-17 14:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-03 13:43 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-27 14:29 --------- d-----w c:\program files\JalbumWin
2009-01-22 18:35 --------- d-----w c:\program files\Photo Print Calendar from YOKOHAMA Ver.3.00E beta
2009-01-22 18:34 --------- d--h--w c:\program files\InstallShield Installation Information
2009-01-21 19:12 --------- d-----w c:\program files\fontpicker
2009-01-21 19:11 --------- d-----w c:\program files\Common Files\Adobe AIR
2009-01-15 20:54 --------- d-----w c:\documents and settings\All Users\Application Data\WinZip
2009-01-13 20:04 --------- d-----w c:\program files\Java
2009-01-12 15:49 --------- d-----w c:\program files\MFP
2009-01-09 18:23 --------- d-----w c:\program files\palmOne
2009-01-09 18:23 --------- d-----w c:\program files\Forms3
2007-02-26 16:51 60,516 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-02-26 16:51 49,246 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-26 16:51 165,990 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-03-26 15:02 88 --sh--r c:\windows\system32\F6147F20BA.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"X1FileMonitor.exe"="c:\program files\X1\X1FileMonitor.exe" [2007-04-03 428544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-14 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-01 15872]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-02-25 68592]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\rileygp\Start Menu\Programs\Startup\
X1.lnk - c:\program files\X1\X1.exe [2007-04-03 4964352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDestopOn"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-04 513384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 09:17 24576 c:\windows\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GroupWise Notify.lnk]
backup=c:\windows\pss\GroupWise Notify.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
backup=c:\windows\pss\SideWindow.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^Shortcut to operator.lnk]
backup=c:\windows\pss\Shortcut to operator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^X1 System Tray.lnk]
backup=c:\windows\pss\X1 System Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^X1.lnk]
backup=c:\windows\pss\X1.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a0pe3zq3ozk80jhqrzrihfmvexwvki4h
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a2gk3ctyp8ot6qvseg0wlxdsty2dvxy9wu5ow47zu0hpyvqd
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a8sf6pbhenrv257w4jly7ck1229ubd7kobg6wal04611pyg1fo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a9t2hnn8hbwwjr389u5r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\a9w21zqvbv8k0djjyo00u71cj34go6m7v4yjds
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aq8e64orqsgi3fhjgk57t
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aqk91j79q7eejvaa94kdzn2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\arpmjeowul1as0mzsq87csayose20n1o6ebl5vq6ea
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ay03sj94lvvyylju3a2ev04i0ihu2b
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b1vr49l6qt5p45y8mv835mz7mmz7mx2zhl8u98g11vyxqvy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b1x5nn9od81m7jf452tm50j4funockh652jfyj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b6ghniz5spl91gu272o46qzrhibm5j0
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\b77o0czhn8l
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\baj7whdv6dclaun3dlvod73pcaiaxvydkdey95
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bc5t42jdf6tlldwxogv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bho98nwhsewk6hi54s2tqci2zjfdldu3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bjpotp1qlegs898oxvh5rf8l6tqsew0yjaf2ygo1u3oftef9
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bph828zi9pczg0467cdedifde
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bpzpf9xgq8n3r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bt6uk44j2kk1hvbxb2vnwg1eagtkiev28atn72bcs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btso9iwgizo2dqqo6jinuplk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bv40v1xb5q7h0h8rviyi6bp1tq24kkz6mntj0y6d3h8yd15zkp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\byn5rpu37w5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cfp4ko0iiegrcws1pq8je
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cqf4yw9vp2987i4bjpk4xp7hie725i8f4hoa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctmd74tsruf6xlwd4qo5cadwy0nhz3wyhmy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cu6as097dn7d0tn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d5c7y41o814e4chev7dq9g9ip26m5ml5x7d3l
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d5ck4b0ltivfrn6pwkm1k1d60rfzotc68uv3z3awbao6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d6dazdtyo7cen0a9ipjcp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d7yd24lnad6jn5t
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\d7ziujedjizwwt35bfa8z
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dfosi1ryu439piz1rso
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dj17d5mwjm81c2cfs
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlnzyta4ssjsxoii96o78y8f3vmw61qo8w70
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Drag'n'Drop_Autolaunch
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvjzga2wlxkit6ea23q83vm056vkm6y78qffc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e3kzyujjx5supww9vm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e5qjbey0nywbpmmeh37mog0ls5bqi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e8c3lnsei7air2r1tjs0q99ir2r4lqnvy95a6qt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\e9zf1jxptnfsp5uq5s7lbp93je0poods
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eez14lecykrlfwlc3t
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\el3r3ugq9b9di9jzfv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\er5cbk5els164c2ueole7wkaxngio1a9uiu972t1uh5xf4m
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eszvkmb16zhz2lq956w7i8
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezcs1nglweg2lbjv0meji89eox2xttmxlbw0d7yq1qjai73db
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4wei7zfnusqufys3c
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\falgtrpg0z6xteehcuhheopb3qk1w9xqod7ken
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fcq7tkkry2uob4l15hj7mog80w7tr9zxyp4eh8uy9y1aw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fh5y994jc9omexazsqfhbmn406gemojwlx9mjnfeu9o4of
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fmh6oimr9uo0fevdaneeaxdz2ovzm29k0njvrgp4z0k4s
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\foymeopdtke2ij4m3a4cnb4rb7jkwlwraqwxvvsk6vpe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fptxhhcjebxvv2s7vi15r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fr5ni4oq6jn2lo6oa05n76tfwrn9pwfy7vrjku4oqdolm7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\fvmfmibyt2997j0s7c4iutd5su2ckvy9wgkph7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g12p2gy5l3wazdheyfrvhjngkcd836b6hb4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g3dds8m2o3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\g4njnkw3ii2bpwbq2utgnxraif
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gb5cmgdnqiy6f5a75nxo82cwibupwo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\geo5lz0ouzzi730zcc12ske
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ghgkvo2b0audmh0jh3n6f77gb5spcxsrtpzx620me
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gmlblh2mvq8o4gnfa73lswj33bzveghu3ki7s165gyio7ww8l3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gr785bilqt405pt43pndt0jatfnucrbj9zfojako7kcsjq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gw290jzz0tat
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gwbz76kub8y
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\h6j232dt1z4dr50noof54p2x16b1x8bgx9dhnnkeu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\haut9csyabj3yrz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hdg4oj7bmqveohj41vsc1fcg62dxbfkbwajthhljmghpubly
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hhxbvvb8walgvh1u3hpf8711jaqb1gmg90ywsrnq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotSync
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hsexdy2w7uhgg40a8ro
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hynmfdi601d0xeh0wxprsmk74ik59e7u8sf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iaoq0k3qzktncfgt0sjtyplnxkfs46f6bps4x0k05exu8mk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ib4otvvylabjfd3vvk5uhuieani9tm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iqgyv60hcqv7u7zx5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iqn1viva1u50omg76pajze5mujbka2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iyd1sm40qhioq1mbmfe845aedx0ju5bawx8pdnd4zahzktn0k5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j3m6aef30effynqjk6si4vew
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j7p021h90semdu09yvcbfctz3j4j7j4pz1gnq5fp4w6xmkon
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\j9n6x3jp9fh9cu8tfibiqr02brsarn60i5xq321fex3d676jdk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jgxzyd9k0kcxd26umra33fyozv6fxrn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jk5pdokdoijakgc8tlbomqb80m2qrzr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ju4q2emc62x0nelizyu8cvcchth7ugqzopjz49ryee4ib
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k455y6zdi9yser00luq6adqpb0xo94l19oxb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kcirzuoiragvfl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kk778cyzp6no7n04i4yo08jtuhguo5kv9ignp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ko89ntqdhhikwsa
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ku09f9m0umks9aczgzhdmgc0w26ggdk0yf19i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\l1j61ix1w5d1h0y1w4323
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\l2t3zdmj186l5yvf8fngcbuyn4ff4cqzvvl0hon1krj17esr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\l5qwfx6a6xsoipciv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\l6d8un14pi31wu6tezxqosbdmfub535mlsjycq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\le0v82q2wskdv57dye619n
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgezj5g3qarz8vydhd70wt2in5w5kjq6dst7hvtci6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lgroyxvqiwc4s6owqgk27jit21l73
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lh361wz1qf8p9o4b7a63v1vpwv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lp12bekdj8b1f92f6lt2ime2hn4xaunuirht8
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lp4vgpbtxn314rmylcu5h7jornv8onl7km40of3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lv2hm6y9c9q2hd3eh2ibw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\m1o13pn3vlurx368l6jsgde7qzi9mh8e1w49bx5rlfe6ouho6s
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mhhopv8rzab51gg7ghm4gcme8fje4gtbgvu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mjp94pmns088pjd7s7dpjcquonjm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mlsnbi2bn9onsrc
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mtazgym474nco11lf
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mxxdgmt86ic8oogwd8hnrqb78delargh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mzmgahatdgj2tr4mchfml6btwlylw0kxvqa1gf3pvx058crjo3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mzst2aomou5eluyu7f
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mztobj86ir065mzr1s5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\n3puj2yh8wdvcgeqoftfy152ozdec3gc3geymki6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\n5ar6guj4ldtv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\n708losy3a283ic8g9qxnwogjfkzfopj6uik5cxgpq95cw724i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nh6p3mo8g15gp42teqmm17r140ozo8ei
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nhoe298rzsou
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nji71nhrq009qdnpk98trgftei7o6lbo2yh4castuh7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nqcgh8kw0gxwtp0at8ikwsdabdaxcr42xcf825pffy
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nt09bwl2in11iotha8zqdak938l9ec
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntilda388g601u
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nveimx3gp1t9m3gsekhqs97khk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\o4porag6lx0nxacvl2mp4ao
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\o8ho55bh8dd4asr824er8pyuhack67s2cbiv2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oa6tb8sns6x797piofiviwvu3vjje7hygwjla94kx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ofzcv3mbrlh7vjpchq8ffz2llpozytndtwds6jrn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ojdhgv36up1l1j8lfa4ci345ljtls4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oo8qhfexxeqs08
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\otmkpae21eebnpbc45frgr4qcv3q
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\peh20jfrc2ivg0u
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pre95juu8sxrrmaqqsl9hdb9vd41rtk438mptjd22
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pvotr3jrq08o3q0che2sn78s056be2z9c6fa6bhzrtom43vj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pw158l9th46o5e48xbnfhpntha95mhaw53x5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q11vhutgppkhgjw749ictbuuqkflnfl1cexq39qlx77kd6x
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\q53djewxkkq22lchycos1g3ywo0jgqnepi7484440qbj7wj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qdz0z921v5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qeibllr5kid77fcqr31hwj42rsaa90mfn2u7zqwf9rxvmw7j
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qi0224gb2qoyxik6gdrq106y9
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qn6ac9xz9s6yhjmlfzw3xs6xfbfczb5yyld7v8ap5v
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qq3l3agi7ke6ham7kx7immpkodaxgx8apywkoru3k8q
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quc7g9bz9i4kpy2vf2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\reeihkwzgxqdycmk0bo
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rex9mnlfh6peb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\riop29pg8thuk2btmvc3itbiva4vn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rrloow6v1xc5808dirmeabl0193ej83gvurfc357eq7dwlpo1
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rst6gs2eq0wuh03b8jrn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rvpyznjox1vxvs2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rx2w03qs2jy9kqmu718ikguj0c18s27wq6w7u4pnq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rzcigaragt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\rzdd2mln6jwxyvg5g2pmh18by1w2noj1m3au8h50m8u
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\s4o7qd4tu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sa3cm689rumqxrqt0y0buhw5scheccl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sb65iiu0d87p4pj5p9dyhbgy3rpdqgjgphcx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sf2id0hwxuounxftpfceunuqd1z036cf86y3
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sqb8tzrztcb1sibqrsyobl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\susho7evlp04x920xdi89z0fwhka70s2i6526abjsi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t29zf2okutk09oggmvths1fmiqz0pyl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t2sx32qyu1kvbcp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t3zmcrtufdxzwjchbxafkglalnorx13vufybczsipgu8q
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t5a7xoc09vkhhwotcm2s0vw1urrocrbxj89m
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\t9f6uxpzd4744zjw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tldcdf4xzqkhn1lz5jn5bfwroob5yl8gr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tvpi5s4rkuw8hpajobc2jnh7n8wtfxhtyp4tvd3g2cofqq65f
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tyyqcgfnpl4u52to0lwkv1lxbrad90b35948ge9ve2i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tyyx1zw7jhraltgm19nyc4d4wd8pmymdv3r1vabklh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u0h9dstogixltfejrzfsh3s6xb5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u5ykc35jkkk8yahhg6io
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\u9wnq5nese4q
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ubd7uqg8hdv
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ugder79x72nu874toz3cu2bl
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uimhu1nx4ubh2n8qcm
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ukz2s4dgj4sgr6zvc3nqee94l7p2i8yr2gt
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\unx9vyqy2yhnn7hkz8cxs15mmrdlggdsohp90ka9
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uq1v749fiyeofa968jgb9tedivwi
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uuxlmu94xf7zz3tudo8zitzeitjvueq9gdq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\v0v2u14yd2vn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\v3ynkeutg1dguccpy2wny2wtm9vho4ckcm4bt5uc76
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\v6g8kc9e5295270l
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\visxmh69y0pibtvn2jqe60btacu2r
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vldwknw1nruzv8i8d
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vpcrt0o19pz
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vxulzbj2ydwt8mihrrf2jw99dp8sfq7dh5626ncsgm4rv7
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vzebteenc3s3kjqt0u7blnqf2t5mcbql32wgwxl505o2zh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w3ff807w8wf518r44u4yv459v
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w6e9bhq5gsf4je
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wcsm88g2x9vjb0rcemjaw69843b0ul393zvulh6dhwgg4sn
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherWatcher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WeatherWatcherLive
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wjmfc7hkb28i87nvjriungjw2r7mnh5xic4h
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wlllp630qhyib4mppwuyoqhmqx
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wpi2dy07jfhh681kfj2lxkzb1ivv1dln9eo5przd4s3aznxe
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wrdp8hvkzul26yeldalztsnb42ku9yrgjfhg6ski1gucde
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wt454g10uhh7weqjiqjj
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ww94m57c24y8tttd8rvw68kxmfs0s
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x3vjudrsh8ba35hbrc2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x4htc563q7ap
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\x7nfndvw8fwxez8sta3418ea
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xd15650uum92z6i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xd8gqzzuppcw6f8ct95do
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xjmtsy692t0zhsrw7mxmyv089485v
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xqcg7jxrcgex5
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xtkeqndjrw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xuotwahm5e9xndykxhiq8934jlr2h
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\y4xvzezd5bjohzhbasfvccq460dqyfobdrqh
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\y5jdyp4a7cijpfh5ic8hw8d2
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yaq05e6x9q9qsd9f8s57ydsloxy9cfn87ntm2o5ub6i
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yfrg5o7kue0jftvtgelbk4b4zx8dz1j6si
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yhgdeqk36y6j8m69r24bs05cv0of7mln4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yj7ddxhvg7xr
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yq99kgfh1wq4j5ghpbt241iox
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yrinzp0rszoptpg0il5sad3lkmjmy9rwg
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yshir28qwu1vinnx71i5ltnqncjauk
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ysxv55inozkv1067pa5mht7215705quzkxo8iwj8d4f
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yugyrhnu759ap89wvss6kwhkdeu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\yuwvhwntzpbcateszubudgkfj8qsu7ylw1xag
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z09m8xtak0mkpqrhv9vrdvgfvb
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z0wa60imh0lstc66pd8li71z7wkduqbnpja2ly9y2ie
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z2x796d4vptxss7m
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z6ws9sn6kwb30sw642lwuyzoszr4i59wtrw
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z6yyrjb0hfyc3dimifrtz26vep6t3od7aqoq2evlf5yjz8opp
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\z79f1zauh5zsc4ihitkh6c3c4402zm5u17g2aofzpax
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zehxpwg0cw867014
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zf83zmdqysco
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ziksldtzmgmsck8rt3y6qincj095ksfhk49ayecstzvanw6
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zismtwnoc73v9jntin5i3gz4
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zjlj68gkz06h13guyj2231zksneqldqdnt7ljsemrol5hq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zmy61xbknzv3k7kipf9ytcq
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zq5hcbznhx98zl56vc684azpd66o3ysum43
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zsixlkc5vx0p1y9m7hkl7on4war0rlz07rva
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zvhxdxcjquyjq87fylj1a29clhdt9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 21:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-07 10:13 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
--a------ 1999-10-12 04:50 47888 c:\program files\IBM\Client Access\cwbckver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
--a------ 1999-10-12 04:50 15632 c:\program files\IBM\Client Access\cwbinhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
--a------ 1999-10-12 04:50 6928 c:\program files\IBM\Client Access\cwbsvstr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
--a------ 2007-10-30 18:52 16200 c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 05:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 20:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 09:38 133104 c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 12:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 01:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--------- 2006-03-23 19:13 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--------- 2006-03-23 19:17 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--------- 2006-03-23 19:17 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
--------- 2004-05-17 13:27 32859 c:\windows\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDDM]
--a------ 2005-08-09 14:16 394816 c:\program files\PatchLink\Update Agent\pddm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyHostTrayIcon]
--a------ 2002-07-05 13:42 87696 c:\program files\Funk Software\Proxy Host\PhTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 22:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 13:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-14 12:38 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X1FileMonitor.exe]
--a------ 2007-04-03 17:08 428544 c:\program files\X1\X1FileMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmwltry]
--------- 2003-07-17 15:40 483328 c:\windows\system32\bcmwltry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Removecpl]
--------- 2003-01-16 10:33 24576 c:\windows\system32\RemoveCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\WINDOWS\\clntrust.exe"=
"x:\\LogMeInIgnition\\LMIIgnition.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-01-17 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-08-17 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2008-03-26 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-03-26 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\Novell\xtagent.exe [2006-05-02 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-01-10 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-27 101936]
R3 PhPortVK;Proxy Host Keyboard Driver Filter;c:\windows\system32\drivers\PhPortVK.sys [2007-02-26 4089]
R3 ProxyHostKeyboardPort;Proxy Host Keyboard Port;c:\windows\system32\drivers\PhPort2K_Kbd.sys [2005-07-22 3993]
R3 ProxyHostMousePort;Proxy Host Mouse Port;c:\windows\system32\drivers\PhPort2K_Mou.sys [2005-07-22 3993]
S2 gupdate1c90e03a9ba7b12;Google Update Service (gupdate1c90e03a9ba7b12);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 133104]
S3 SideWnd;SideWnd;c:\windows\system32\drivers\innvmini.sys [2005-09-29 4480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{104356ec-438d-11dd-b06d-001aa0a9d903}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cef5e3d-f43a-11dc-affe-001aa0a9d903}]
\Shell\AutoRun\command - a2h2.com
\Shell\open\Command - a2h2.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-03-05 c:\windows\Tasks\GlaryInitialize.job
- c:\program files\Glary Utilities\initialize.exe [2009-02-12 17:10]

2009-03-05 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 09:38]

2009-03-05 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1669680417-841367934-745497630-1017.job
- c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 09:38]
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{B4870B70-F390-11d2-9FB9-F4ED725EA20D} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = 127.0.0.7;mrmc_iis;webnt;PB_EIW_SERVER;intranet.mclaren.org;Portal.Mclaren.org;172.16.*;pcnlrh.mclaren.org;pcn.mclaren.org;mhcc-db3.mclaren.org;tms.phns.com;pcncm-mhcc.phns.com;my.phns.com;portal.phns.com;10.2.*;10.10.*;remotefnt.phns.com;vcm.phns.com;vsssecure.phns.com;mhcc-omega.mclaren.org;*.smsrsm.com;*.bhsnet.org;*.smshealthconx.net;*-pacs*.mclaren.org;*.?rmcmswshsm1.mclaren.org;<local>
uInternet Settings,ProxyServer = 172.16.32.103:80
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\
FF - component: c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - component: c:\program files\Google\Google Gears\Firefox\components\gears.dll
FF - plugin: c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\np32dsw.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npdeploytk.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npnul32.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\nppdf32.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-05 09:43:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(688)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\program files\Novell\ZENworks\WMNTAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\progra~1\Iomega\System32\AppServices.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\PatchLink\Update Agent\GravitixService.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\snmp.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Novell\ZENworks\Asset Management\Bin\cclient.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Funk Software\Proxy Host\Ph32Svc.exe
c:\program files\PatchLink\Update Agent\dagent.exe
c:\progra~1\Novell\ZENworks\NALWIN32.EXE
c:\program files\Novell\ZENworks\NalWin.exe
c:\windows\clntrust.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\X1\X1Systray.exe
c:\program files\X1\X1Service.exe
c:\program files\Volumouse\volumouse.exe
.
**************************************************************************
.
Completion time: 2009-03-05 9:51:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-05 14:51:53

Pre-Run: 50,009,071,616 bytes free
Post-Run: 49,974,816,768 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


#6 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 26 March 2009 - 01:04 PM

I think I know what is going on. I have had users have the same kind of problem, except they had Spybot's TeaTimer running. In Symantec or one of the other programs you have running, there is an option or monitor running that prevents changes to the registry. Find it and turn it off. Make sure the entry is deleted in the registry before rebooting. With it gone and the monitor turned off, reboot the computer and see if it is back or if it is still gone. Let me know what program and option it is that is doing the registry restore, and then I can get the instructions to reset the monitor. Then it shouldn't restore the registry entry anymore.

Also could you open Malwarebytes' Anti-Malware and Superantispyware and get the logs from them that you removed malware with, and post both of them. The section of the registry at [HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^X1.lnk] has a whole bunch of random entries that appear to have been a virus infection at one time. But I would like to see what those logs say.
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#7 smiley4017
  • Topic Starter
  • Members
  • 36 posts

Posted 27 March 2009 - 08:09 AM

I don't believe that it is the antivirus software keeping me from changing my registry: after I remove the registry entry and reboot it works fine. I can reboot and shut it down 2 or 3 times before it happens again; if the virus protection is keeping me from changing the registry it should do it every time I reboot, right?
Here is my malwarebytes log. The SuperAntispyware log must have been deleted when I uninstalled it. I looked under "C:\Documents and Settings\rileygp\Application Data\SUPERAntiSpyware.com" and the root directory and couldn't find it. Sorry. Hope this helps.
And thank you again for your help,

Malwarebytes' Anti-Malware 1.34
Database version: 1765
Windows 5.1.2600 Service Pack 2

2/16/2009 10:49:43 AM
mbam-log-2009-02-16 (10-49-43).txt

Scan type: Quick Scan
Objects scanned: 91207
Time elapsed: 10 minute(s), 1 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 1
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 3

Memory Processes Infected:
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\osm3of8s3njd.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af42a3-94f3-42bd-f634-3604832c897d} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lrijh8s73jhbfgfd (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: system32\twex.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\osm3of8s3njd.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\twex.exe (Backdoor.Bot) -> Delete on reboot.
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Delete on reboot.
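
The Malwarebytes log above records the tampering in "Bad: (...) Good: (...)" and "Data: ..." form, and the ComboFix log earlier in the thread prints the Security Center override values in .reg style. As an added example (not code from the thread or from either tool), the parser below pulls those findings out of constructed samples in the same layout: it lists what each registry data item changed, isolates the extra program appended to the Winlogon Userinit value, and flags the Security Center values that suppress antivirus and firewall warnings.

```python
"""Pull the security-relevant findings out of the two log formats posted in
this thread: the 'Registry Data Items Infected' section of a Malwarebytes'
Anti-Malware 1.x log, and the Security Center override values that ComboFix
prints in .reg style.

Added example, not code from the thread or from either tool. The sample
text below is constructed to mirror the layout of the posted logs.
"""
import ntpath
import re

# Constructed sample in the layout of an MBAM 1.34 log (two detection
# styles appear: 'Data: ...' and 'Bad: (...) Good: (...)').
MBAM_SAMPLE = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Backdoor.Bot) -> Data: c:\windows\system32\twex.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools (Hijack.Regedit) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.UserInit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,) Good: (userinit.exe) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions (Hijack.FolderOptions) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# Constructed sample of the ComboFix Security Center block.
COMBOFIX_SAMPLE = r"""[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
"""

ITEM_RE = re.compile(r"^(?P<key>HKEY_.+?) \((?P<threat>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_mbam_data_items(text):
    """Return one dict per line of the 'Registry Data Items Infected' section."""
    items, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # any section header
            in_section = line == "Registry Data Items Infected:"
            continue
        if not in_section or not line:
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue
        item = {"key": m["key"], "threat": m["threat"]}
        rest = m["rest"]
        bg, d = BADGOOD_RE.match(rest), DATA_RE.match(rest)
        if bg:
            item.update(bad=bg["bad"], good=bg["good"], action=bg["action"])
        elif d:
            item.update(data=d["data"], action=d["action"])
        items.append(item)
    return items


def userinit_extras(bad, good):
    """Entries in the tampered Userinit value that are absent from the clean one.

    Both values are comma-separated lists; MBAM reports the clean value by
    file name only, so entries are compared by lower-cased basename.
    """
    expected = {ntpath.basename(p).lower() for p in good.split(",") if p.strip()}
    return [p for p in bad.split(",")
            if p.strip() and ntpath.basename(p).lower() not in expected]


def mbam_findings(text):
    """Human-readable summary of what each registry data item changed."""
    out = []
    for it in parse_mbam_data_items(text):
        name = it["key"].rsplit("\\", 1)[-1]    # value name after the last backslash
        if "bad" in it and name.lower() == "userinit":
            for extra in userinit_extras(it["bad"], it["good"]):
                out.append(f"Userinit launched extra program: {extra}")
        elif "bad" in it:
            out.append(f"{name} set to {it['bad']} (expected {it['good']})")
        elif "data" in it:
            out.append(f"{name} referenced {it['data']} ({it['threat']})")
    return out


def security_center_overrides(text):
    """Names of Security Center dword values that are set non-zero.

    AntiVirusOverride / FirewallOverride = 1 suppress the Security Center
    warning for a missing or disabled AV / firewall; DisableMonitoring = 1
    under Monitoring\\<vendor> stops Security Center tracking that product.
    """
    flagged = []
    for raw in text.splitlines():
        m = DWORD_RE.match(raw.strip())
        if m and int(m["hex"], 16) != 0:
            flagged.append(m["name"])
    return flagged


if __name__ == "__main__":
    for finding in mbam_findings(MBAM_SAMPLE):
        print(finding)
    print("Security Center overrides:", security_center_overrides(COMBOFIX_SAMPLE))
```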

#8 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 March 2009 - 12:53 PM

Please update Malwarebytes' Anti-Malware and then reboot to safe mode and run a full scan with Malwarebytes' Anti-Malware. While still in safe mode, run combofix and then reboot to normal windows and post both logs up.

Is there anything else strange or inexplicable happening to your computer?

#9 smiley4017
  • Topic Starter
  • Members
  • 36 posts

Posted 27 March 2009 - 03:18 PM

Thank you for such a quick response. It appears nothing else is wrong with my computer. Once I restore my desktop everything is fine.
Here are the two logs.

ComboFix 09-03-26.03 - rileygp 2009-03-27 15:39:47.2 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1022.811 [GMT -4:00]
Running from: c:\documents and settings\rileygp\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)
.

((((((((((((((((((((((((( Files Created from 2009-02-27 to 2009-03-27 )))))))))))))))))))))))))))))))
.

2009-03-27 12:58 . 2009-03-27 12:58 <DIR> d--hs---- c:\documents and settings\LocalService\IETldCache
2009-03-27 11:16 . 2009-03-27 11:17 <DIR> d--h-c--- c:\windows\ie8
2009-03-24 11:47 . 2009-03-24 11:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-24 11:47 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-24 11:47 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-18 14:09 . 2009-03-26 09:14 54,156 --ah----- c:\windows\QTFont.qfn
2009-03-18 14:09 . 2009-03-18 14:09 1,409 --a------ c:\windows\QTFont.for
2009-03-17 09:58 . 2009-03-17 09:58 34,760 --a------ c:\windows\system32\drivers\Partizan.sys
2009-03-17 09:58 . 2009-03-17 09:58 32,480 --a------ c:\windows\system32\Partizan.exe
2009-03-17 09:56 . 2009-03-17 09:56 (2) -rahs-ot- c:\windows\winstart.bat
2009-03-12 16:36 . 2009-03-12 16:36 <DIR> d-------- c:\documents and settings\rileygp\Application Data\diag
2009-03-08 14:22 . 2009-03-08 14:22 49,152 --------- c:\windows\system32\msrating.dll.mui
2009-03-08 14:22 . 2009-03-08 14:22 2,560 --------- c:\windows\system32\mshta.exe.mui
2009-03-08 14:21 . 2009-03-08 14:21 4,096 --------- c:\windows\system32\ie4uinit.exe.mui
2009-03-08 14:20 . 2009-03-08 14:20 81,920 --------- c:\windows\system32\iedkcs32.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-27 19:46 --------- d-----w c:\program files\Symantec AntiVirus
2009-03-27 18:46 --------- d-----w c:\program files\InfoRad Wireless
2009-03-26 14:35 --------- d-----w c:\documents and settings\rileygp\Application Data\TeraCopy
2009-03-26 13:14 5,018 ----a-w c:\windows\system32\KGyGaAvL.sys
2009-03-24 17:23 --------- d-----w c:\documents and settings\rileygp\Application Data\Desktopicon
2009-03-08 08:34 914,944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 08:34 43,008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 08:33 420,352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 08:33 18,944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 08:32 72,704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 08:32 71,680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 08:31 48,128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 08:31 45,568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 08:31 34,816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 08:22 156,160 ----a-w c:\windows\system32\msls31.dll
2009-02-25 18:38 --------- d-----w c:\program files\Google
2009-02-24 21:40 --------- d-----w c:\program files\Unlocker
2009-02-24 20:51 --------- d-----w c:\documents and settings\rileygp\Application Data\JAM Software
2009-02-18 19:54 --------- d-----w c:\documents and settings\rileygp\Application Data\GlarySoft
2009-02-17 14:37 --------- d-----w c:\program files\SUPERAntiSpyware
2009-02-17 14:37 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-02-17 14:37 --------- d-----w c:\documents and settings\rileygp\Application Data\SUPERAntiSpyware.com
2009-02-17 13:46 --------- d-----w c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2009-02-16 15:33 --------- d-----w c:\documents and settings\rileygp\Application Data\Malwarebytes
2009-02-16 15:33 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-06 15:26 --------- d-----w c:\program files\PicLensIE
2009-02-06 14:22 --------- dc-h--w c:\documents and settings\All Users\Application Data\{E94FD7CC-6945-4744-99C3-9BFF40AA2F24}
2009-02-06 14:22 --------- d-----w c:\program files\Stardock
2009-02-06 14:22 --------- d-----w c:\documents and settings\rileygp\Application Data\Stardock
2009-02-06 14:22 --------- d-----w c:\documents and settings\All Users\Application Data\Stardock
2009-02-03 13:43 --------- d-----w c:\program files\Microsoft Silverlight
2009-01-27 14:29 --------- d-----w c:\program files\JalbumWin
2009-01-13 20:04 410,984 ----a-w c:\windows\system32\deploytk.dll
2009-01-07 22:21 26,144 ----a-w c:\windows\system32\spupdsvc.exe
2009-01-07 22:20 265,720 ----a-w c:\windows\system32\msdbg2.dll
2009-01-07 22:20 26,112 ----a-w c:\windows\system32\idndl.dll
2009-01-07 22:20 24,576 ----a-w c:\windows\system32\nlsdl.dll
2009-01-07 22:20 23,552 ----a-w c:\windows\system32\normaliz.dll
2007-02-26 16:51 60,516 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2007-02-26 16:51 49,246 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2007-02-26 16:51 165,990 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
2008-03-26 15:02 88 --sh--r c:\windows\system32\F6147F20BA.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-03-05_ 9.50.51.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\Hiv-backup\ERDNT.EXE
- 2005-10-21 01:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE
- 2009-01-15 07:23:42 59,880 -c--a-w c:\windows\ie8\spuninst\iecustom.dll
+ 2009-03-08 18:23:50 58,464 -c--a-w c:\windows\ie8\spuninst\iecustom.dll
- 2008-10-13 18:55:34 231,456 -c--a-w c:\windows\ie8\spuninst\spuninst.exe
+ 2009-01-07 22:20:58 231,456 -c--a-w c:\windows\ie8\spuninst\spuninst.exe
- 2008-10-13 18:55:34 382,496 -c--a-w c:\windows\ie8\spuninst\updspapi.dll
+ 2009-01-07 22:21:02 382,496 -c--a-w c:\windows\ie8\spuninst\updspapi.dll
- 2008-11-07 15:22:07 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
+ 2009-03-25 14:16:01 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat.exe
- 2008-11-07 15:22:09 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
+ 2009-03-25 14:16:05 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_3D.exe
- 2008-11-07 15:22:08 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
+ 2009-03-25 14:16:04 295,606 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Acrobat_Standard.exe
- 2008-11-07 15:22:09 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
+ 2009-03-25 14:16:04 25,214 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_Distiller.exe
- 2008-11-07 15:22:08 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
+ 2009-03-25 14:16:04 7,278 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\_SC_ELEMENTS_DT.exe
- 2008-11-07 15:22:07 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
+ 2009-03-25 14:16:01 23,558 ----a-r c:\windows\Installer\{AC76BA86-1033-0000-7760-000000000003}\SC_Designer_PFM.70DBED24_B579_40CB_AB0B_F1221A3E9EC5.exe
- 2000-08-31 13:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 12:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2000-08-31 13:00:00 161,792 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 12:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2009-01-15 07:03:12 128,512 ----a-w c:\windows\system32\advpack.dll
+ 2009-03-08 08:32:48 128,512 ----a-w c:\windows\system32\advpack.dll
- 2009-01-15 07:03:32 72,704 -c--a-w c:\windows\system32\dllcache\admparse.dll
+ 2009-03-08 08:32:56 72,704 -c--a-w c:\windows\system32\dllcache\admparse.dll
- 2009-01-15 07:03:12 128,512 -c--a-w c:\windows\system32\dllcache\advpack.dll
+ 2009-03-08 08:32:48 128,512 -c--a-w c:\windows\system32\dllcache\advpack.dll
- 2009-01-15 07:04:28 18,944 -c--a-w c:\windows\system32\dllcache\corpol.dll
+ 2009-03-08 08:33:40 18,944 -c--a-w c:\windows\system32\dllcache\corpol.dll
- 2009-01-15 07:01:22 348,160 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
+ 2009-03-08 08:31:44 348,160 -c--a-w c:\windows\system32\dllcache\dxtmsft.dll
- 2009-01-15 07:01:16 216,064 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
+ 2009-03-08 08:31:38 216,064 -c--a-w c:\windows\system32\dllcache\dxtrans.dll
- 2009-01-15 06:53:40 68,608 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
+ 2009-03-08 08:24:28 68,608 -c--a-w c:\windows\system32\dllcache\hmmapi.dll
- 2009-01-15 07:03:28 172,544 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
+ 2009-03-08 08:32:54 173,056 -c--a-w c:\windows\system32\dllcache\ie4uinit.exe
- 2009-01-15 07:03:42 125,952 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
+ 2009-03-08 08:33:02 125,952 -c--a-w c:\windows\system32\dllcache\ieakeng.dll
- 2009-01-15 07:03:50 228,352 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
+ 2009-03-08 08:33:08 229,376 -c--a-w c:\windows\system32\dllcache\ieaksie.dll
- 2009-01-15 07:03:20 163,840 -c--a-w c:\windows\system32\dllcache\ieakui.dll
+ 2009-03-08 08:32:52 163,840 -c--a-w c:\windows\system32\dllcache\ieakui.dll
- 2009-01-15 07:17:22 392,040 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
+ 2009-03-08 18:09:26 391,536 -c--a-w c:\windows\system32\dllcache\iedkcs32.dll
- 2009-01-15 07:01:52 183,808 -c--a-w c:\windows\system32\dllcache\iepeers.dll
+ 2009-03-08 08:31:56 183,808 -c--a-w c:\windows\system32\dllcache\iepeers.dll
- 2009-01-15 07:03:14 55,808 -c--a-w c:\windows\system32\dllcache\iernonce.dll
+ 2009-03-08 08:32:50 55,808 -c--a-w c:\windows\system32\dllcache\iernonce.dll
- 2009-01-15 07:03:18 71,680 -c--a-w c:\windows\system32\dllcache\iesetup.dll
+ 2009-03-08 08:32:50 71,680 -c--a-w c:\windows\system32\dllcache\iesetup.dll
- 2009-01-15 07:17:22 636,264 -c--a-w c:\windows\system32\dllcache\iexplore.exe
+ 2009-03-08 18:09:26 638,816 -c--a-w c:\windows\system32\dllcache\iexplore.exe
- 2009-01-15 07:01:26 34,304 -c--a-w c:\windows\system32\dllcache\imgutil.dll
+ 2009-03-08 08:31:38 34,816 -c--a-w c:\windows\system32\dllcache\imgutil.dll
- 2009-01-15 07:03:14 94,720 -c--a-w c:\windows\system32\dllcache\inseng.dll
+ 2009-03-08 08:32:46 94,720 -c--a-w c:\windows\system32\dllcache\inseng.dll
- 2009-01-15 07:03:58 724,992 -c--a-w c:\windows\system32\dllcache\jscript.dll
+ 2009-03-08 08:33:16 726,528 -c--a-w c:\windows\system32\dllcache\jscript.dll
- 2009-01-15 07:04:16 25,600 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
+ 2009-03-08 08:33:26 25,600 -c--a-w c:\windows\system32\dllcache\jsproxy.dll
- 2009-01-15 07:05:34 43,008 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
+ 2009-03-08 08:34:30 43,008 -c--a-w c:\windows\system32\dllcache\licmgr10.dll
- 2009-01-15 07:00:38 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
+ 2009-03-08 08:31:02 45,568 -c--a-w c:\windows\system32\dllcache\mshta.exe
- 2009-01-15 07:13:18 5,888,512 -c--a-w c:\windows\system32\dllcache\mshtml.dll
+ 2009-03-08 08:41:16 5,937,152 -c--a-w c:\windows\system32\dllcache\mshtml.dll
- 2009-01-15 07:01:06 66,560 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
+ 2009-03-08 08:31:26 66,560 -c--a-w c:\windows\system32\dllcache\mshtmled.dll
- 2009-01-15 07:00:46 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
+ 2009-03-08 08:31:18 48,128 -c--a-w c:\windows\system32\dllcache\mshtmler.dll
- 2009-01-15 06:50:38 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
+ 2009-03-08 08:22:38 156,160 -c--a-w c:\windows\system32\dllcache\msls31.dll
- 2009-01-15 07:05:34 193,536 -c--a-w c:\windows\system32\dllcache\msrating.dll
+ 2009-03-08 08:34:18 193,536 -c--a-w c:\windows\system32\dllcache\msrating.dll
- 2009-01-15 07:02:20 611,840 -c--a-w c:\windows\system32\dllcache\mstime.dll
+ 2009-03-08 08:32:04 611,840 -c--a-w c:\windows\system32\dllcache\mstime.dll
- 2009-01-15 07:05:34 109,056 -c--a-w c:\windows\system32\dllcache\occache.dll
+ 2009-03-08 08:34:18 109,568 -c--a-w c:\windows\system32\dllcache\occache.dll
- 2009-01-15 07:01:18 46,592 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
+ 2009-03-08 08:31:36 46,592 -c--a-w c:\windows\system32\dllcache\pngfilt.dll
- 2008-10-13 18:55:32 134,144 -c----w c:\windows\system32\dllcache\sqmapi.dll
+ 2009-01-07 22:20:54 134,144 -c----w c:\windows\system32\dllcache\sqmapi.dll
- 2009-01-15 07:06:00 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
+ 2009-03-08 08:34:28 105,984 -c--a-w c:\windows\system32\dllcache\url.dll
- 2009-01-15 07:06:48 1,182,720 -c--a-w c:\windows\system32\dllcache\urlmon.dll
+ 2009-03-08 08:34:56 1,206,784 -c--a-w c:\windows\system32\dllcache\urlmon.dll
- 2009-01-15 07:03:36 420,352 -c--a-w c:\windows\system32\dllcache\vbscript.dll
+ 2009-03-08 08:33:06 420,352 -c--a-w c:\windows\system32\dllcache\vbscript.dll
- 2009-01-15 07:04:56 755,200 -c--a-w c:\windows\system32\dllcache\VGX.dll
+ 2009-03-08 08:33:48 759,296 -c--a-w c:\windows\system32\dllcache\VGX.dll
- 2009-01-15 07:06:08 236,544 -c--a-w c:\windows\system32\dllcache\webcheck.dll
+ 2009-03-08 08:34:48 236,544 -c--a-w c:\windows\system32\dllcache\webcheck.dll
- 2009-01-15 07:05:42 911,872 -c--a-w c:\windows\system32\dllcache\wininet.dll
+ 2009-03-08 08:34:58 914,944 -c--a-w c:\windows\system32\dllcache\wininet.dll
- 2009-01-15 07:01:22 348,160 ----a-w c:\windows\system32\dxtmsft.dll
+ 2009-03-08 08:31:44 348,160 ----a-w c:\windows\system32\dxtmsft.dll
- 2009-01-15 07:01:16 216,064 ----a-w c:\windows\system32\dxtrans.dll
+ 2009-03-08 08:31:38 216,064 ----a-w c:\windows\system32\dxtrans.dll
- 2009-01-15 07:01:40 59,904 ----a-w c:\windows\system32\icardie.dll
+ 2009-03-08 08:31:52 59,904 ----a-w c:\windows\system32\icardie.dll
- 2009-01-15 07:03:28 172,544 ----a-w c:\windows\system32\ie4uinit.exe
+ 2009-03-08 08:32:54 173,056 ----a-w c:\windows\system32\ie4uinit.exe
- 2009-01-15 07:03:42 125,952 ----a-w c:\windows\system32\ieakeng.dll
+ 2009-03-08 08:33:02 125,952 ----a-w c:\windows\system32\ieakeng.dll
- 2009-01-15 07:03:50 228,352 ----a-w c:\windows\system32\ieaksie.dll
+ 2009-03-08 08:33:08 229,376 ----a-w c:\windows\system32\ieaksie.dll
- 2009-01-15 07:03:20 163,840 ----a-w c:\windows\system32\ieakui.dll
+ 2009-03-08 08:32:52 163,840 ----a-w c:\windows\system32\ieakui.dll
- 2008-12-14 22:12:42 3,698,040 ----a-w c:\windows\system32\ieapfltr.dat
+ 2009-02-07 01:07:58 3,698,584 ----a-w c:\windows\system32\ieapfltr.dat
- 2009-01-15 06:35:10 445,440 ----a-w c:\windows\system32\ieapfltr.dll
+ 2009-03-08 08:11:12 445,952 ----a-w c:\windows\system32\ieapfltr.dll
- 2009-01-15 07:17:22 392,040 ----a-w c:\windows\system32\iedkcs32.dll
+ 2009-03-08 18:09:26 391,536 ----a-w c:\windows\system32\iedkcs32.dll
- 2009-01-15 07:12:12 10,963,968 ----a-w c:\windows\system32\ieframe.dll
+ 2009-03-08 08:39:48 11,063,808 ----a-w c:\windows\system32\ieframe.dll
- 2009-01-15 07:01:52 183,808 ----a-w c:\windows\system32\iepeers.dll
+ 2009-03-08 08:31:56 183,808 ----a-w c:\windows\system32\iepeers.dll
- 2009-01-15 07:03:14 55,808 ----a-w c:\windows\system32\iernonce.dll
+ 2009-03-08 08:32:50 55,808 ----a-w c:\windows\system32\iernonce.dll
- 2009-01-15 07:02:50 1,975,296 ----a-w c:\windows\system32\iertutil.dll
+ 2009-03-08 08:32:22 1,985,024 ----a-w c:\windows\system32\iertutil.dll
- 2009-01-15 07:03:18 36,864 ----a-w c:\windows\system32\ieudinit.exe
+ 2009-03-08 08:32:52 36,864 ----a-w c:\windows\system32\ieudinit.exe
- 2009-01-15 06:50:50 164,352 ----a-w c:\windows\system32\ieui.dll
+ 2009-03-08 08:22:46 164,352 ----a-w c:\windows\system32\ieui.dll
- 2009-01-15 07:03:14 94,720 ----a-w c:\windows\system32\inseng.dll
+ 2009-03-08 08:32:46 94,720 ----a-w c:\windows\system32\inseng.dll
- 2009-01-15 07:03:58 724,992 ----a-w c:\windows\system32\jscript.dll
+ 2009-03-08 08:33:16 726,528 ----a-w c:\windows\system32\jscript.dll
- 2009-01-15 07:04:16 25,600 ----a-w c:\windows\system32\jsproxy.dll
+ 2009-03-08 08:33:26 25,600 ----a-w c:\windows\system32\jsproxy.dll
+ 2009-02-03 02:07:18 240,544 ----a-r c:\windows\system32\Macromed\Flash\FlashUtil10b.exe
- 2009-01-27 15:20:40 89,102 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
+ 2009-03-24 14:33:25 88,590 ----a-w c:\windows\system32\Macromed\Flash\uninstall_activeX.exe
- 2009-01-15 07:02:40 593,920 ----a-w c:\windows\system32\msfeeds.dll
+ 2009-03-08 08:32:26 594,432 ----a-w c:\windows\system32\msfeeds.dll
- 2009-01-15 07:01:40 54,272 ----a-w c:\windows\system32\msfeedsbs.dll
+ 2009-03-08 08:31:52 55,296 ----a-w c:\windows\system32\msfeedsbs.dll
- 2009-01-15 07:01:42 13,312 ----a-w c:\windows\system32\msfeedssync.exe
+ 2009-03-08 08:31:54 13,312 ----a-w c:\windows\system32\msfeedssync.exe
- 2009-01-15 07:13:18 5,888,512 ----a-w c:\windows\system32\mshtml.dll
+ 2009-03-08 08:41:16 5,937,152 ----a-w c:\windows\system32\mshtml.dll
- 2009-01-15 07:01:06 66,560 ----a-w c:\windows\system32\mshtmled.dll
+ 2009-03-08 08:31:26 66,560 ----a-w c:\windows\system32\mshtmled.dll
- 2009-01-15 07:05:34 193,536 ----a-w c:\windows\system32\msrating.dll
+ 2009-03-08 08:34:18 193,536 ----a-w c:\windows\system32\msrating.dll
- 2009-01-15 07:02:20 611,840 ----a-w c:\windows\system32\mstime.dll
+ 2009-03-08 08:32:04 611,840 ----a-w c:\windows\system32\mstime.dll
- 2009-01-15 07:05:34 109,056 ----a-w c:\windows\system32\occache.dll
+ 2009-03-08 08:34:18 109,568 ----a-w c:\windows\system32\occache.dll
- 2008-11-03 13:38:40 71,308 ------w c:\windows\system32\perfc009.dat
+ 2009-03-09 12:42:10 71,308 ----a-w c:\windows\system32\perfc009.dat
- 2008-11-03 13:38:40 441,624 ------w c:\windows\system32\perfh009.dat
+ 2009-03-09 12:42:11 441,624 ----a-w c:\windows\system32\perfh009.dat
- 2009-01-15 07:01:18 46,592 ----a-w c:\windows\system32\pngfilt.dll
+ 2009-03-08 08:31:36 46,592 ----a-w c:\windows\system32\pngfilt.dll
- 2008-10-13 18:55:34 16,928 ------w c:\windows\system32\spmsg.dll
+ 2009-01-07 22:20:58 16,928 ------w c:\windows\system32\spmsg.dll
- 2009-01-15 07:06:00 105,984 ----a-w c:\windows\system32\url.dll
+ 2009-03-08 08:34:28 105,984 ----a-w c:\windows\system32\url.dll
- 2009-01-15 07:06:48 1,182,720 ----a-w c:\windows\system32\urlmon.dll
+ 2009-03-08 08:34:56 1,206,784 ----a-w c:\windows\system32\urlmon.dll
- 2009-01-15 07:06:08 236,544 ----a-w c:\windows\system32\webcheck.dll
+ 2009-03-08 08:34:48 236,544 ----a-w c:\windows\system32\webcheck.dll
- 2009-01-15 07:06:22 208,384 ----a-w c:\windows\system32\WinFXDocObj.exe
+ 2009-03-08 08:34:48 208,384 ----a-w c:\windows\system32\WinFXDocObj.exe
- 2008-10-13 18:55:36 121,856 ----a-w c:\windows\system32\xmllite.dll
+ 2009-01-07 22:21:04 121,856 ----a-w c:\windows\system32\xmllite.dll
+ 2009-03-27 19:46:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_114.dat
+ 2009-03-27 19:46:21 16,384 ----atw c:\windows\temp\Perflib_Perfdata_5b8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"X1FileMonitor.exe"="c:\program files\X1\X1FileMonitor.exe" [2007-04-03 428544]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-14 68856]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-09-27 125168]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-01-17 40960]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-07-19 52896]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2008-05-02 15872]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\qsb.exe" [2009-02-25 68592]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-28 413696]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 c:\windows\system32\nwtray.exe]

c:\documents and settings\rileygp\Start Menu\Programs\Startup\
X1.lnk - c:\program files\X1\X1.exe [2007-04-03 4964352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceActiveDestopOn"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-04 513384]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-08-24 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 10:17 24576 c:\windows\system32\Novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GroupWise Notify.lnk]
backup=c:\windows\pss\GroupWise Notify.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
backup=c:\windows\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HOTSYNCSHORTCUTNAME.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SideWindow.lnk]
backup=c:\windows\pss\SideWindow.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^palmOne Registration.lnk]
backup=c:\windows\pss\palmOne Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^Shortcut to operator.lnk]
backup=c:\windows\pss\Shortcut to operator.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^X1 System Tray.lnk]
backup=c:\windows\pss\X1 System Tray.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^rileygp^Start Menu^Programs^Startup^X1.lnk]
backup=c:\windows\pss\X1.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
--a------ 2008-10-14 22:38 623992 c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-11-07 11:13 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Check Version]
--a------ 1999-10-12 05:50 47888 c:\program files\IBM\Client Access\cwbckver.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Help Update]
--a------ 1999-10-12 05:50 15632 c:\program files\IBM\Client Access\cwbinhlp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Client Access Service]
--a------ 1999-10-12 05:50 6928 c:\program files\IBM\Client Access\cwbsvstr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel File Shell Monitor]
--a------ 2007-10-30 19:52 16200 c:\program files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--------- 2004-08-04 06:00 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
--------- 2005-12-09 21:29 49152 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
--a----t- 2008-09-03 10:38 133104 c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2006-11-13 13:39 1289000 c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-02-19 02:41 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxhkcmd]
--------- 2006-03-23 20:13 77824 c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxpers]
--------- 2006-03-23 20:17 118784 c:\windows\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igfxtray]
--------- 2006-03-23 20:17 94208 c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NDPS]
--------- 2004-05-17 14:27 32859 c:\windows\system32\dpmw32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PDDM]
--a------ 2005-08-09 15:16 394816 c:\program files\PatchLink\Update Agent\pddm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProxyHostTrayIcon]
--a------ 2002-07-05 14:42 87696 c:\program files\Funk Software\Proxy Host\PhTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 14:42 1404928 c:\program files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-03-14 13:38 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\X1FileMonitor.exe]
--a------ 2007-04-03 18:08 428544 c:\program files\X1\X1FileMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bcmwltry]
--------- 2003-07-17 16:40 483328 c:\windows\system32\bcmwltry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Removecpl]
--------- 2003-01-16 11:33 24576 c:\windows\system32\RemoveCpl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=
"c:\\WINDOWS\\clntrust.exe"=
"x:\\LogMeInIgnition\\LMIIgnition.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-01-17 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [2006-08-17 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2006-09-27 116464]
R2 TSCensus Collection Client;ZENworks Asset Management - Collection Client;c:\program files\Novell\ZENworks\Asset Management\Bin\CClientSvc.exe [2008-03-26 49152]
R2 WNTHW;WNTHW;c:\windows\system32\drivers\WNTHW.SYS [2008-03-26 9176]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\Novell\xtagent.exe [2006-05-02 61440]
R3 Darpan;Darpan;c:\windows\system32\drivers\Darpan.sys [2005-01-10 2773]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-03-13 101936]
R3 PhPortVK;Proxy Host Keyboard Driver Filter;c:\windows\system32\drivers\PhPortVK.sys [2007-02-26 4089]
R3 ProxyHostKeyboardPort;Proxy Host Keyboard Port;c:\windows\system32\drivers\PhPort2K_Kbd.sys [2005-07-22 3993]
R3 ProxyHostMousePort;Proxy Host Mouse Port;c:\windows\system32\drivers\PhPort2K_Mou.sys [2005-07-22 3993]
S2 gupdate1c90e03a9ba7b12;Google Update Service (gupdate1c90e03a9ba7b12);c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 133104]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [2009-03-17 34760]
S3 SideWnd;SideWnd;c:\windows\system32\drivers\innvmini.sys [2005-09-29 4480]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{104356ec-438d-11dd-b06d-001aa0a9d903}]
\Shell\AutoRun\command - E:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cef5e3d-f43a-11dc-affe-001aa0a9d903}]
\Shell\AutoRun\command - a2h2.com
\Shell\open\Command - a2h2.com

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-02-25 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-03-27 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-09-03 10:38]

2009-03-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1669680417-841367934-745497630-1017.job
- c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-03 10:38]

2009-03-27 c:\windows\Tasks\User_Feed_Synchronization-{F80233CC-819A-40DD-9C00-E709468CFB72}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 04:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = 127.0.0.7;mrmc_iis;webnt;PB_EIW_SERVER;intranet.mclaren.org;Portal.Mclaren.org;172.16.*;pcnlrh.mclaren.org;pcn.mclaren.org;mhcc-db3.mclaren.org;tms.phns.com;pcncm-mhcc.phns.com;my.phns.com;portal.phns.com;10.2.*;10.10.*;remotefnt.phns.com;vcm.phns.com;vsssecure.phns.com;mhcc-omega.mclaren.org;*.smsrsm.com;*.bhsnet.org;*.smshealthconx.net;*-pacs*.mclaren.org;*.?rmcmswshsm1.mclaren.org;<local>
uInternet Settings,ProxyServer = 172.16.32.103:80
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_9993303B90FE6C1D.dll
DPF: Microsoft XML Parser for Java
FF - ProfilePath - c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\
FF - component: c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\extensions\piclens@cooliris.com\components\coolirisstub.dll
FF - plugin: c:\documents and settings\rileygp\Application Data\Mozilla\Firefox\Profiles\z5ha0u0z.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\documents and settings\rileygp\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\progra~1\palmOne\PACKAG~1\NPInstal.dll
FF - plugin: c:\program files\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\np32dsw.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npdeploytk.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npnul32.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\nppdf32.dll
FF - plugin: x:\firefoxportable\App\firefox\plugins\npRACtrl.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.closed", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.document", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.frames", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.history", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.length", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.opener", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.parent", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.self", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.top", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("capability.policy.default.Window.window", "allAccess");
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.cookie.p3plevel", 1); // 0=low, 1=medium, 2=high, 3=custom
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.enablePad", false); // Allow client to do proxy autodiscovery
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.default", "chrome://branding/content/searchconfig.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.search.param.Google.1.custom", "chrome://branding/content/searchconfig.properties");
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-27 15:47:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\program files\Novell\ZENworks\WMNTAPI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\NALNTSRV.EXE
c:\program files\PatchLink\Update Agent\GravitixService.exe
c:\windows\system32\PSIService.exe
c:\windows\system32\snmp.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Novell\ZENworks\Asset Management\Bin\cclient.exe
c:\program files\Novell\ZENworks\WM.EXE
c:\program files\Funk Software\Proxy Host\Ph32Svc.exe
c:\progra~1\Novell\ZENworks\NALWIN32.EXE
c:\program files\Novell\ZENworks\NalWin.exe
c:\windows\clntrust.exe
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\Novell\ZENworks\Asset Management\Bin\TSUsage32.exe
c:\progra~1\MI3AA1~1\rapimgr.exe
c:\program files\X1\X1Systray.exe
c:\program files\X1\X1Service.exe
.
**************************************************************************
.
Completion time: 2009-03-27 15:55:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-27 19:55:37
ComboFix2.txt 2009-03-05 14:51:59

Pre-Run: 48,886,689,792 bytes free
Post-Run: 49,003,335,680 bytes free

489

_____________

Malwarebytes' Anti-Malware 1.35
Database version: 1906
Windows 5.1.2600 Service Pack 2

3/27/2009 4:09:39 PM
mbam-log-2009-03-27 (16-09-39).txt

Scan type: Quick Scan
Objects scanned: 82858
Time elapsed: 5 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
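As an added example (not part of the original thread and not code from ComboFix or Malwarebytes), here is a small Python triage script for the "Reg Loading Points" section of a ComboFix log in the format shown above. It flags the entries a responder would want to look at first: an Image File Execution Options subkey carrying a Debugger value (the kind of key this thread is about), removable-drive mountpoints2 AutoRun/open commands that do not point at a known launcher, Security Center override values, a disabled standard-profile firewall, and globally open ports. The sample input is constructed from lines in the log above plus one constructed IFEO block; `c:\windows\system32\example.exe` is a placeholder path, not something from the thread, and `LaunchU3.exe` is treated as known only because it is the U3 launcher visible in the log. The parser assumes ComboFix's `[key]` / `"name"=value` layout as it appears on this page.

```python
import re

# Constructed sample in ComboFix's "Reg Loading Points" format.  The first
# blocks mirror lines from the log in this thread; the final IFEO block is a
# constructed example (c:\windows\system32\example.exe is a placeholder, not a
# path from the thread).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2cef5e3d-f43a-11dc-affe-001aa0a9d903}]
\Shell\AutoRun\command - a2h2.com
\Shell\open\Command - a2h2.com

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
"Debugger"="c:\windows\system32\example.exe"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')

# Launchers expected to show up as removable-drive AutoRun commands.
# LaunchU3.exe is listed only because it is the U3 launcher seen in the log.
KNOWN_AUTORUN_EXES = {"launchu3.exe"}


def parse_sections(text):
    """Split ComboFix registry output into (key, [value lines]) blocks."""
    sections, key, lines = [], None, []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = KEY_RE.match(line)
        if m:
            if key is not None:
                sections.append((key, lines))
            key, lines = m.group(1), []
        elif key is not None and line:
            lines.append(line)
    if key is not None:
        sections.append((key, lines))
    return sections


def _leaf(key):
    """Last path component of a registry key (the subkey name)."""
    return key.rsplit("\\", 1)[-1]


def _dword_is_one(rest):
    """Accept both 'dword:00000001' and '1 (0x1)' spellings used in the log."""
    token = rest.split()[0].split(":")[-1]
    try:
        return int(token, 16) == 1
    except ValueError:
        return False


def triage(text):
    """Return (kind, where, detail) tuples for entries worth a closer look."""
    findings = []
    for key, lines in parse_sections(text):
        k = key.lower()
        for line in lines:
            m = VALUE_RE.match(line)
            name, rest = (m.group(1), m.group(2).strip()) if m else (None, None)

            # A Debugger value under IFEO\<image> makes Windows launch that
            # "debugger" in place of the image; for explorer.exe that means
            # no desktop, which is the symptom described in this thread.
            if "image file execution options" in k and name and name.lower() == "debugger":
                findings.append(("IFEO_DEBUGGER", _leaf(key), rest.strip('"')))

            # Per-volume AutoRun/open commands; anything that is not a known
            # launcher deserves a look at the drive it was recorded from.
            elif "mountpoints2" in k and "\\shell\\" in line.lower() and " - " in line:
                _verb, _, cmd = line.partition(" - ")
                exe = cmd.strip().split()[0].rsplit("\\", 1)[-1].lower()
                if exe not in KNOWN_AUTORUN_EXES:
                    findings.append(("AUTORUN_CMD", _leaf(key), cmd.strip()))

            # Security Center told to stop reporting AV/firewall state.
            elif ("security center" in k
                  and name in ("AntiVirusOverride", "FirewallOverride", "DisableMonitoring")
                  and _dword_is_one(rest)):
                findings.append(("SECURITY_CENTER", _leaf(key), name))

            elif (k.endswith("firewallpolicy\\standardprofile")
                  and name == "EnableFirewall" and not _dword_is_one(rest)):
                findings.append(("FIREWALL_OFF", _leaf(key), name))

            elif k.endswith("globallyopenports\\list") and name:
                findings.append(("OPEN_PORT", _leaf(key), name))
    return findings


if __name__ == "__main__":
    for kind, where, detail in triage(SAMPLE_LOG):
        print(f"{kind:16} {where:45} {detail}")
```

A flag is a prompt to look, not a verdict: the `a2h2.com` entry should be checked against the removable drive it was recorded from, and a 3389/TCP exception or a Security Center override can be deliberate on a centrally managed workstation such as the Novell ZENworks-managed one in this log.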

#10 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 March 2009 - 03:31 PM

Do you use Visual Studio?
Visiting From SpywareHammer.com and DonHoover.net

Tilting at windmills hurts you more than the windmills.
-From the Notebooks of Lazarus Long
Senior of the Howard Families


#11 smiley4017

  • Topic Starter
  • Members
  • 36 posts

Posted 27 March 2009 - 05:58 PM

No, I do not use it.

#12 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 March 2009 - 06:50 PM

Would you be using Sandboxie or another anonymizer-type software?

Edited by Hoov, 27 March 2009 - 06:50 PM.


#13 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 27 March 2009 - 06:53 PM

I am asking some other guys about this; it doesn't make sense to me. I am missing something, probably something simple.

#14 smiley4017

  • Topic Starter
  • Members
  • 36 posts

Posted 28 March 2009 - 07:11 AM

Thank you for your effort. This is driving me nuts.

#15 Hoov

  • Malware Response Team
  • 3,519 posts
  • Location:Mikado Michigan

Posted 28 March 2009 - 04:11 PM

Does any other file come up in that registry entry?



