Rootkit.Agent - Help me, please!


This topic is locked
2 replies to this topic

#1 archkre
Posted 01 May 2009 - 11:11 AM

Hi there: Win32/Rootkit.Agent - Help me, please!
It is booting my laptop over and over!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:21:19 PM, on 4/30/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support

Running processes:
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\SpeedProject\SpeedCommander 12\SpeedCommander.exe
C:\Windows\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Mozilla Firefox 3.1 Beta 2\firefox.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:9666
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: ::1 localhost
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: EverProfitsAddOns - {1b08a88c-3083-4512-93dc-ce1321deb555} - C:\Program Files\Ever Profits Toolbar\adxloader.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ever Profits Toolbar - {4fe8e2eb-f905-45a9-8de9-9ad2f228ccc9} - C:\Program Files\Ever Profits Toolbar\adxloader.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [VistaStartMenu] "C:\Program Files\Vista Start Menu\VistaStartMenu.exe"
O4 - HKCU\..\Run: [UberIcon] "C:\Program Files\UberIcon\UberIcon Manager.exe"
O4 - HKCU\..\RunOnce: [Application Restart #0] C:\Program Files\Windows Media Player\wmpnscfg.exe
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: StartupFaster
O4 - Global Startup: Update ESET's licence.lnk = C:\Program Files\Eset\MiNODLogin\MiNODLogin.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Add to VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra 'Tools' menuitem: Add to &VideoGet - {88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - C:\PROGRA~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ArchVision Content Manager Service - Unknown owner - C:\Program Files\ArchVision\ArchVision Content Manager\rpcACMapp.exe (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\Windows\SYSTEM32\crypserv.exe
O23 - Service: ESET HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: ESET Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe

--
End of file - 11249 bytes
-----------------------------------------------------------------------------------
ComboFix 09-04-30.01 - Eli 04/30/2009 16:07.4 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.958.548 [GMT -3:00]
Running from: F:\ComboFix.exe
FW: COMODO Firewall Pro *disabled*
.

((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-30 )))))))))))))))))))))))))))))))
.

2009-04-30 16:49 . 2008-06-19 19:24 28544 ----a-w c:\windows\system32\drivers\pavboot.sys
2009-04-24 03:25 . 2009-04-30 16:49 -------- d-----w c:\program files\Panda Security
2009-04-24 00:52 . 2009-04-24 00:52 155 ----a-w c:\windows\system32\SelfDel.bat
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-----w c:\programdata\Hewlett-Packard
2009-04-23 21:20 . 2009-04-23 21:20 -------- d-----w c:\users\All Users\Hewlett-Packard
2009-04-23 21:10 . 2009-04-23 21:10 -------- d-sh--w c:\windows\system32\%APPDATA%
2009-04-23 16:01 . 2009-04-30 12:24 -------- d-----w c:\program files\Proxy Switcher Standard
2009-04-21 18:50 . 2009-04-21 18:50 -------- dc----w C:\Autodesk
2009-04-20 22:25 . 2009-04-20 22:26 -------- d-----w c:\program files\Vidalia Bundle
2009-04-20 20:29 . 2009-04-20 20:29 -------- d-----w c:\program files\ProxyShell
2009-04-16 21:11 . 2009-04-17 03:48 -------- d-----w c:\users\Eli\AppData\Local\PMB Files
2009-04-16 21:11 . 2009-04-16 21:15 -------- d-----w c:\programdata\PMB Files
2009-04-16 21:11 . 2009-04-16 21:15 -------- d-----w c:\users\All Users\PMB Files
2009-04-16 21:10 . 2009-04-16 21:10 -------- d-----w c:\program files\Pando Networks
2009-04-15 11:14 . 2009-03-03 04:40 827392 ----a-w c:\windows\system32\wininet.dll
2009-04-15 11:14 . 2009-03-03 02:28 26624 ----a-w c:\windows\system32\ieUnatt.exe
2009-04-15 11:14 . 2009-03-03 04:37 78336 ----a-w c:\windows\system32\ieencode.dll
2009-04-12 11:30 . 2009-04-12 11:30 -------- d-----w c:\programdata\HP
2009-04-12 11:30 . 2009-04-12 11:30 -------- d-----w c:\users\All Users\HP
2009-04-09 18:21 . 2009-04-09 18:21 38240 ----a-w c:\windows\system32\drivers\epfwwfp.sys
2009-04-09 18:21 . 2009-04-09 18:21 33096 ----a-w c:\windows\system32\drivers\epfwndis.sys
2009-04-09 18:21 . 2009-04-09 18:21 133000 ----a-w c:\windows\system32\drivers\epfw.sys
2009-04-09 18:18 . 2009-04-09 18:18 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-04-09 18:10 . 2009-04-09 18:10 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-04-09 17:49 . 2009-04-09 17:49 -------- d-----w c:\program files\Microsoft Visual Studio 8
2009-04-01 00:47 . 2008-04-07 07:38 22872 ----a-r c:\windows\system32\AdobePDFUI.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-30 19:11 . 2008-10-04 14:21 1356 ----a-w c:\users\Eli\AppData\Local\d3d9caps.dat
2009-04-30 19:11 . 2009-03-06 13:33 -------- d-----w c:\program files\Mozilla Firefox 3.1 Beta 2
2009-04-30 18:58 . 2007-11-14 09:53 12 ----a-w c:\windows\bthservsdp.dat
2009-04-30 18:53 . 2009-03-21 22:15 27649 ----a-w c:\users\All Users\nvModes.dat
2009-04-30 18:53 . 2009-03-21 22:15 27649 ----a-w c:\programdata\nvModes.dat
2009-04-30 15:52 . 2009-03-06 21:53 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-29 15:36 . 2009-03-09 21:40 -------- d-----w c:\program files\GSA Auto SoftSubmit
2009-04-29 13:45 . 2006-11-02 12:50 174 --sha-w c:\program files\desktop.ini
2009-04-27 20:53 . 2009-03-11 14:02 -------- d-----w c:\program files\NoteTab Pro 5
2009-04-26 12:11 . 2009-02-27 16:37 -------- d-----w c:\program files\RSS Submit
2009-04-24 23:45 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-04-24 23:45 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-04-24 23:45 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-24 23:42 . 2008-03-04 03:21 -------- d-----w c:\program files\Eset
2009-04-24 12:19 . 2009-03-02 17:06 -------- d-----w c:\program files\FriendBlasterPro
2009-04-24 12:09 . 2009-03-02 17:32 -------- d-----w c:\program files\TwitterBlasterPro
2009-04-22 22:53 . 2009-02-09 23:07 -------- d-----w c:\program files\SEO Directory Submitter
2009-04-22 11:59 . 2009-02-17 01:12 -------- d-----w c:\program files\SocialSpeed
2009-04-17 20:22 . 2007-08-05 01:49 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-17 20:22 . 2007-08-05 01:45 -------- d-----w c:\program files\Hewlett-Packard
2009-04-17 14:30 . 2009-02-09 16:54 -------- d-----w c:\program files\Replay Video Capture
2009-04-17 14:25 . 2009-02-25 18:51 -------- d-----w c:\program files\VideoPostRobot
2009-04-15 13:10 . 2008-03-03 14:35 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-04-10 17:53 . 2009-03-21 16:54 -------- d-----w c:\program files\SENuke
2009-04-09 18:01 . 2007-12-27 17:03 181088 ----a-w c:\users\Eli\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-09 17:54 . 2006-11-02 12:37 -------- d-----w c:\program files\MSBuild
2009-04-08 22:47 . 2008-03-03 15:37 -------- d-----w c:\program files\IrfanView
2009-04-06 18:32 . 2009-03-06 21:53 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 18:32 . 2009-03-06 21:53 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-02 19:19 . 2008-07-09 14:45 891448 ----a-w c:\windows\system32\drivers\tcpip.sys
2009-03-31 17:35 . 2009-04-23 21:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_TotalCareAdvisorUpdate.exe
2009-03-31 00:37 . 2009-03-13 12:10 -------- d-----w c:\program files\CoreFTP
2009-03-30 19:30 . 2009-04-23 21:14 17160 ----a-w c:\windows\Help\OEM\scripts\HC_DanzkaDubraBIOSUpdate.exe
2009-03-26 19:36 . 2009-03-26 19:36 257071 ----a-w c:\windows\XHeader Uninstaller.exe
2009-03-26 19:36 . 2009-03-26 19:36 -------- d-----w c:\program files\XHeader
2009-03-26 19:36 . 2009-03-26 19:36 -------- d-----w c:\program files\Common Files\Thraex Software
2009-03-25 22:36 . 2009-02-06 18:06 -------- d-----w c:\program files\PromoSoft
2009-03-25 21:33 . 2009-03-25 21:33 -------- d-----w c:\program files\Mythicsoft
2009-03-25 20:50 . 2009-03-25 20:49 -------- d-----w c:\program files\SmartFTP Client
2009-03-23 19:22 . 2008-03-04 02:17 -------- d-----w c:\program files\Avanquest
2009-03-22 15:48 . 2009-03-22 15:48 -------- d---a-w c:\program files\Neoretix
2009-03-19 19:11 . 2007-08-05 02:44 -------- d-----w c:\program files\Common Files\Adobe
2009-03-19 19:06 . 2008-03-04 19:06 -------- d-----w c:\program files\Common Files\PX Storage Engine
2009-03-19 16:41 . 2008-03-03 15:04 -------- d-----w c:\program files\Google
2009-03-19 16:34 . 2008-05-03 21:38 -------- d-----w c:\program files\Common Files\Autodesk Shared
2009-03-19 16:30 . 2008-11-20 18:05 -------- d-----w c:\program files\Ashampoo
2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Vstplugins
2009-03-19 00:37 . 2009-03-19 00:37 -------- d-----w c:\program files\Sony
2009-03-18 21:52 . 2009-03-02 22:31 -------- d-----w c:\program files\RSS Wizard
2009-03-18 03:53 . 2009-03-18 03:53 -------- d-----w c:\program files\SocialSubmitterDemo
2009-03-18 02:54 . 2009-02-16 11:16 -------- d-----w c:\program files\Ever Profits Toolbar
2009-03-17 18:59 . 2009-01-03 20:16 2560 ----a-w c:\windows\_MSRSTRT.EXE
2009-03-17 15:09 . 2009-03-06 01:31 -------- d--h--w c:\program files\NiwradSoft
2009-03-17 03:38 . 2009-04-15 11:15 40960 ----a-w c:\windows\AppPatch\apihex86.dll
2009-03-17 03:38 . 2009-04-15 11:15 13824 ----a-w c:\windows\system32\apilogen.dll
2009-03-17 03:38 . 2009-04-15 11:15 24064 ----a-w c:\windows\system32\amxread.dll
2009-03-15 03:50 . 2006-11-02 11:18 -------- d-----w c:\program files\Windows Mail
2009-03-14 12:54 . 2009-03-14 00:25 -------- d-----w c:\program files\Free Link Cloaker
2009-03-14 00:46 . 2009-03-14 00:45 -------- d-----w c:\program files\Phantom Cloaker
2009-03-13 12:16 . 2008-09-01 00:22 -------- d-----w c:\program files\Siber Systems
2009-03-13 01:16 . 2009-02-06 17:41 -------- d-----w c:\program files\WebPosition 4
2009-03-12 23:57 . 2009-03-12 23:57 -------- d-----w c:\program files\The Internet Marketing Center
2009-03-12 13:32 . 2008-03-04 01:39 -------- d-----w c:\program files\FlashFXP
2009-03-11 10:16 . 2009-03-11 10:16 -------- d-----w c:\program files\PowerMenu
2009-03-10 21:53 . 2009-01-23 01:48 -------- d-----w c:\program files\Lavasoft
2009-03-09 19:01 . 2009-02-12 19:32 -------- d-----w c:\program files\Freeware PDF Unlocker
2009-03-09 01:12 . 2009-03-09 01:11 -------- d-----w c:\program files\RoboSoft 3
2009-03-07 17:59 . 2009-03-07 17:59 -------- d-----w c:\program files\NPUST
2009-03-07 17:56 . 2009-03-07 17:56 -------- d-----w c:\program files\Living Easy Software
2009-03-07 16:26 . 2009-03-07 16:26 -------- d-----w c:\program files\Common Files\SpeedProject
2009-03-07 16:26 . 2008-06-28 15:05 -------- d-----w c:\program files\SpeedProject
2009-03-07 15:39 . 2009-03-07 15:39 -------- d-----w c:\program files\IntelliAdmin
2009-03-06 22:22 . 2008-04-21 23:03 -------- d-----w c:\program files\Common Files\Wise Installation Wizard
2009-03-06 22:22 . 2008-04-22 00:40 -------- d-----w c:\program files\SUPERAntiSpyware
2009-03-06 20:12 . 2009-04-23 21:14 21256 ----a-w c:\windows\Help\OEM\scripts\HPScript.exe
2009-03-06 13:16 . 2009-03-06 13:16 7852 ----a-w c:\windows\system32\mcdmsg7.dll
2009-03-06 12:13 . 2007-08-05 02:28 -------- d-----w c:\program files\Microsoft Works
2009-03-05 23:06 . 2009-03-05 23:06 -------- d-----w c:\program files\Object Desktop
2009-03-05 22:11 . 2008-08-30 13:39 -------- d-----w c:\program files\Vista Start Menu
2009-03-05 15:29 . 2009-03-26 21:16 16648 ----a-w c:\windows\Help\OEM\scripts\HC_ProtectSmartPatch.exe
2009-03-04 13:28 . 2009-03-04 13:28 -------- d-----w c:\program files\Common Files\SWF Studio
2009-03-03 23:17 . 2008-10-30 16:49 -------- d-----w c:\program files\Pegasys Inc
2009-03-03 23:06 . 2007-08-05 02:48 -------- d-----w c:\program files\HP Games
2009-03-03 04:46 . 2009-04-15 11:15 3599328 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-03-03 04:46 . 2009-04-15 11:15 3547632 ----a-w c:\windows\system32\ntoskrnl.exe
2009-03-03 04:39 . 2009-04-15 11:15 183296 ----a-w c:\windows\system32\sdohlp.dll
2009-03-03 04:39 . 2009-04-15 11:15 551424 ----a-w c:\windows\system32\rpcss.dll
2009-03-03 04:39 . 2009-04-15 11:15 26112 ----a-w c:\windows\system32\printfilterpipelineprxy.dll
2009-03-03 04:37 . 2009-04-15 11:15 98304 ----a-w c:\windows\system32\iasrecst.dll
2009-03-03 04:37 . 2009-04-15 11:15 44032 ----a-w c:\windows\system32\iasdatastore.dll
2009-03-03 04:37 . 2009-04-15 11:15 54784 ----a-w c:\windows\system32\iasads.dll
2009-03-03 03:04 . 2009-04-15 11:15 666624 ----a-w c:\windows\system32\printfilterpipelinesvc.exe
2009-03-03 02:38 . 2009-04-15 11:15 17408 ----a-w c:\windows\system32\iashost.exe
2009-03-02 17:37 . 2009-03-02 17:37 -------- d-----w c:\program files\Nuclear Coffee
2009-03-02 17:02 . 2009-03-02 17:02 -------- d-----w c:\program files\NotePage
2009-02-24 01:46 . 2009-02-24 01:46 91 ----a-w c:\users\Eli\AppData\Local\fusioncache.dat
2009-02-18 20:37 . 2008-03-13 14:23 263184 ---ha-w c:\windows\system32\mlfcache.dat
2009-02-13 08:49 . 2009-04-15 11:15 72704 ----a-w c:\windows\system32\secur32.dll
2009-02-13 08:49 . 2009-04-15 11:15 1255936 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 03:10 . 2009-03-11 10:10 2033152 ----a-w c:\windows\system32\win32k.sys
2007-01-06 13:19 . 2007-01-06 13:19 108 --sha-r c:\windows\neoqaz2.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VistaStartMenu"="c:\program files\Vista Start Menu\VistaStartMenu.exe" [2008-07-09 1331200]
"UberIcon"="c:\program files\UberIcon\UberIcon Manager.exe" [2007-08-18 159744]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Application Restart 0"="c:\program files\Windows Media Player\wmpnscfg.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-04-09 2029640]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2009-04-06 401040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2008-12-03 3882312]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Update ESET's licence.lnk - c:\program files\Eset\MiNODLogin\MiNODLogin.exe [2009-4-19 125952]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\StartupFaster
Actualizar la licencia del NOD32.lnk - c:\program files\Eset\ESET Smart Security\MiNODLogin.exe [2008-9-25 125952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Actualizar la licencia del NOD32.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Actualizar la licencia del NOD32.lnk
backup=c:\windows\pss\Actualizar la licencia del NOD32.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=c:\windows\pss\Adobe Reader Synchronizer.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=c:\windows\pss\WinZip Quick Pick.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Eli^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^PowerMenu.lnk]
path=c:\users\Eli\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerMenu.lnk
backup=c:\windows\pss\PowerMenu.lnk.Startup
backupExtension=.Startup

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"HP Health Check Scheduler"=c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-1491950412-2009852829-4049741679-1000]
"EnableNotifications"=dword:00000001
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{7528C9F9-5F63-4907-820E-5AE2980E0288}"= c:\program files\HP\QuickPlay\QP.exe:Quick Play
"{E9A2201F-0316-4990-9FF4-BD92ECD9F2EB}"= c:\program files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{F86521EC-F013-4DEC-8ECF-394A3BA411AD}"= UDP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1E7CD4B0-5C7B-4182-8E47-908AD1D3631A}"= TCP:c:\program files\earthlink totalaccess\TaskPanl.exe:taskpanl
"{1A96733B-1920-4D1A-AA0D-D0A748C5D4E6}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{A450AD95-B5EC-4B8A-85AA-A7AD5AA39F8A}"= UDP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{DC9868B6-AEFE-4FD3-9D87-57B842414B9A}"= TCP:c:\windows\ehome\ehshell.exe:Windows Media Center
"{56CF2D5D-0AD4-46A5-AE06-8C88E678B150}"= UDP:c:\program files\7-Zip\7zFM.exe:7-Zip File Manager
"{822D0F7B-DDDE-4A27-8BFE-D54D5E4AE7AA}"= TCP:c:\program files\7-Zip\7zFM.exe:7-Zip File Manager
"TCP Query User{23E3BF57-ED59-4B64-9EBD-7E02B31ABC60}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{AF381AFB-1262-42A2-8AD3-920F727FC333}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"{682D23E8-E86C-4A43-9D5B-4CADCDCE90A6}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{055324B6-58F7-4A39-91B8-66BD74B849A0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{DF10F12C-AE82-4595-92DC-E6507E3DC8BD}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{A1A36068-8F96-40B5-A57A-5345856D3C0F}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2C1FDC35-E0E8-40AF-B24B-739D74A2F3DB}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{CA010460-A2C6-4C89-BF07-72D5D94E85B6}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{6A88AD41-C0ED-4673-8C45-3932AA447E9E}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{05AE3CCB-9DAB-4229-834B-1EBD900FE709}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{38A29E48-8011-47F2-8F0E-40E372039479}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent
"{DE26C65D-6DA1-499E-8050-787B63FA2FAA}"= UDP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{FDE37A47-7D36-40EE-AB3F-FC72A27D9319}"= TCP:c:\program files\Autodesk\Backburner\monitor.exe:backburner 2.3 monitor
"{985F9086-523A-4742-889A-EEB3BF5B2C29}"= UDP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{14C015BF-CBC1-4AF7-8665-104AB307FD68}"= TCP:c:\program files\Autodesk\Backburner\manager.exe:backburner 2.3 manager
"{C39DAB44-2C24-4060-8E30-5DDF6B64A3A1}"= UDP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{8BC0BA89-E93C-47E8-9E35-966118D36F36}"= TCP:c:\program files\Autodesk\Backburner\server.exe:backburner 2.3 server
"{680A5CAF-1BE7-4B49-9FCD-820E182BAB67}"= UDP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{5D3633D7-1F1F-446C-81FE-53B2C8CF81C3}"= TCP:c:\program files\Autodesk\3ds Max 2009\3dsmax.exe:Autodesk 3ds Max 2009 32-bit
"{31A1EEAB-800D-4F1E-9A9F-1D794FEEAA2B}"= Disabled:UDP:c:\program files\Skype\Phone\Skype.exe:Skype
"{683660CD-0B4C-4A0E-A651-7B8CAB551985}"= Disabled:TCP:c:\program files\Skype\Phone\Skype.exe:Skype
"{94256596-E725-409F-B954-A16801BB6543}"= UDP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMapp.exe:ArchVision Content Manager
"{645B27F5-24B9-4477-BC85-EB9C3433673F}"= TCP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMapp.exe:ArchVision Content Manager
"{5EDC0E58-0B88-471B-8ACE-6D38CF8F2F19}"= UDP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMftp.exe:ArchVision Download Processor
"{B5E941A1-61A0-4B99-884C-E746EAB9FD90}"= TCP:c:\program files\ArchVision\ArchVision Content Manager\rpcACMftp.exe:ArchVision Download Processor
"{0165DBAD-6B2D-40C6-B3A2-A18FCEA5F0AB}"= TCP:2799:Altova License Metering Port (UDP)
"{C247AD69-1BFF-473B-992D-51541B0B610A}"= UDP:2799:Altova License Metering Port (TCP)
"{AB2A34A1-5CDF-4885-BA98-334E3BB6B1DB}"= UDP:c:\program files\uTorrent\uTorrent.exe:µTorrent (TCP-In)
"{B75A3332-B6B7-4302-B590-95EB2B72110F}"= TCP:c:\program files\uTorrent\uTorrent.exe:µTorrent (UDP-In)
"{75E9027A-E04D-4D46-B964-271E5A0FFF2F}"= UDP:5353:Adobe CSI CS4
"{3A160451-E083-40E6-A371-DAAC3E483DEF}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{697155E5-27AA-4A7A-8C28-86387B449C28}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{A82CFDF4-C6C7-4B84-8B29-C60702D32A55}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{1598EE94-3BAB-496D-9E02-7DD2A80F56D4}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{5D6DFC7B-6D2C-49F8-AD69-BA4F38553498}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{F9EC70F9-0D8E-4A9C-B1DF-5F9F64D702DE}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{BDFBCE30-0D68-4090-A417-A18943D72B65}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{CB4CD9FC-4BE1-4341-B20D-D3CF51A322D6}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F4AC6798-21B3-4E6A-BFA7-54B6BE4FC23B}"= UDP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster
"{7AB1DE7F-4400-40A9-8ED0-F580134D4D0C}"= TCP:c:\program files\Pando Networks\Media Booster\PMB.exe:Pando Media Booster

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\EarthLink TotalAccess\\TaskPanl.exe"= c:\program files\EarthLink TotalAccess\TaskPanl.exe:*:Enabled:Earthlink
"c:\\Program Files\\FlashFXP\\FlashFXP.exe"= c:\program files\FlashFXP\FlashFXP.exe:*:Enabled:FlashFXP v3
"c:\\Program Files\\IBP 10\\IBP.exe"= c:\program files\IBP 10\IBP.exe:*:Enabled:Internet Business Promoter (IBP)

R0 Lbd;Lbd; [x]
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-06-19 28544]
R1 ehdrv;ehdrv;c:\windows\system32\DRIVERS\ehdrv.sys [2009-04-09 107256]
R1 SASKUTIL;SASKUTIL; [x]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [2009-04-09 731840]
R2 epfwwfp;epfwwfp;c:\windows\system32\DRIVERS\epfwwfp.sys [2009-04-09 38240]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [2007-08-31 600912]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2008-12-04 226640]
R3 ArchVision Content Manager Service;ArchVision Content Manager Service; [x]
R3 fssfltr;fssfltr;c:\windows\system32\DRIVERS\fssfltr.sys [2008-12-08 55264]
R3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2008-12-08 533344]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-04-06 15504]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
R3 tenCapture;tenCapture;c:\windows\system32\DRIVERS\tenCapture.sys [2007-04-21 9344]
R4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2009-04-06 179856]
R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\System32\TUProgSt.exe [2009-02-05 603904]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8412efa7-e8fc-11dc-afb2-001e375ff685}]
\shell\Setup\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8412efaa-e8fc-11dc-afb2-001e375ff685}]
\shell\AutoRun\command - F:\LaunchU3.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2009-04-30 c:\windows\Tasks\1-Click Maintenance.job
- c:\program files\TuneUp Utilities 2008\OneClickStarter.exe [2008-06-20 12:09]

2009-04-24 c:\windows\Tasks\HPCeeScheduleForEli.job
- c:\program files\hewlett-packard\sdp\ceement\HPCEE.exe [2007-08-05 21:23]
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/advanced_search?hl=en
uDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = local
uInternet Settings,ProxyServer = 127.0.0.1:9666
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
IE: {{88CFA58B-A63F-4A94-9C54-0C7A58E3333E} - {17A84966-F1E9-4645-AA9E-5E771EE1C859} - c:\progra~1\NUCLEA~1\VideoGet\Plugins\VIDEOG~1.DLL
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\Mozilla Firefox 3.1 Beta 2\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\Mozilla Firefox 3.1 Beta 2\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-30 16:13
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\ovfsthxpyeaoqhs.sys 83456 bytes executable
c:\windows\system32\ovfsthxcxeqcrob.dll 60928 bytes executable
c:\windows\system32\ovfsthxhkrdgvff.dll 18432 bytes executable
c:\windows\system32\ovfsthxijkwrrsw.dat 43 bytes
c:\windows\system32\ovfsthxmjninhoe.dll 18432 bytes executable
c:\windows\system32\ovfsthxrmjsbsft.dat 532550 bytes

scan completed successfully
hidden files: 6

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\default\Software\Microsoft\Windows\CurrentVersion\{80931a9f5e5146ffebc38bc8d3faec28}*jopa]
"00"="4bN5tp7prQGqlHHBOMtxM95Qd03gyb2veSgc9F6X/0o="

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe"

[HKEY_USERS\software\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx, 1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx"
"ThreadingModel"="Apartment"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlDbg10b.ocx, 1"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"

[HKEY_USERS\software\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_USERS\software\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)

[HKEY_USERS\software\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"

[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""

[HKEY_USERS\software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"

[HKEY_USERS\software\Microsoft\Office\Common\Smart Tag\Actions\{B7EFF951-E52F-45CC-9EF7-57124F2177CC}]
@Denied: (A) (Everyone)
"Solution"="{15727DE6-F92D-4E46-ACB4-0E2C58B31A18}"

[HKEY_USERS\software\Microsoft\Schema Library\ActionsPane3]
@Denied: (A) (Everyone)

[HKEY_USERS\software\Microsoft\Schema Library\ActionsPane3\0]
"Key"="ActionsPane3"
"Location"="c:\\Program Files\\Common Files\\Microsoft Shared\\VSTO\\ActionsPane3.xsd"

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet002\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000

[HKEY_USERS\system\ControlSet003\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"

[HKEY_USERS\system\ControlSet004\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000

[HKEY_USERS\system\ControlSet005\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"

[HKEY_USERS\system\ControlSet006\Services\ovfsthxaenyojuh]
@DACL=(02 0000)
"start"=dword:00000001
"type"=dword:00000001
"group"="file system"
"imagepath"=expand:"\\systemroot\\system32\\drivers\\ovfsthxpyeaoqhs.sys"
"inst"=dword:00000000

[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_USERS\system\ControlSet007\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(1052)
c:\windows\system32\btncopy.dll
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-04-30 16:15
ComboFix-quarantined-files.txt 2009-04-30 19:15

Pre-Run: 81,834,311,680 bytes free
Post-Run: 81,795,493,888 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=7 Sets=1,2,3,4,5,6,7
505 --- E O F --- 2009-04-18 06:03
-------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.36
Database version: 1945
Windows 6.0.6001 Service Pack 1

4/30/2009 4:43:16 PM
mbam-log-2009-04-30 (16-43-16).txt

Scan type: Quick Scan
Objects scanned: 69120
Time elapsed: 3 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\drivers\ovfsthxpyeaoqhs.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthxcxeqcrob.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxhkrdgvff.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxmjninhoe.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ovfsthxijkwrrsw.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\ovfsthxrmjsbsft.dat (Trojan.Agent) -> Quarantined and deleted successfully.

#2 Baabiouz

Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 14 May 2009 - 11:16 AM

Hello

Apologies for the delay in response; we get overwhelmed at times, but we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following below so I can have a look at the current condition of your machine.

Thanks and again sorry for the delay.

Before we can continue, please post a fresh HijackThis log back here.

#3 Baabiouz

Finnish Malware Fighter

  • Members
  • 3,355 posts
  • Gender:Male
  • Location:Finland

Posted 18 May 2009 - 07:48 AM

This thread will now be closed.
If you need this topic reopened, please contact me.

This applies only to the original topic starter.
Everyone else please begin a New Topic.