Help! Evil rootkit will not go away!


  • This topic is locked
  • 24 replies to this topic

#1 micropirate

micropirate

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 17 August 2009 - 07:51 PM

I have been battling this infection for 3 days now. I am usually pretty skilled at getting rid of them.

I have used many tried and true combinations of removal including CCleaner, followed by Malwarebytes, followed by Combofix. It finds and removes multiple infections and then on reboot is re-infected. Blue screens rule the day when not in safe mode. I have tried numerous other fixes and removal wares to no avail.

Once everything is supposedly cleaned, when I reboot in safe mode IE is always re-directed to cliccked.cn (mostly, and some other crap search sites). Slowly but surely the infections reappear. At one point it removed my desktop and I could not run any .exe; it killed Combofix and Malwarebytes. I had to re-download those and then run them as .com to recapture my desktop. This is the nastiest infection I have ever seen.

Here are my latest HijackThis and Malwarebytes logs. Any help would be truly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:43:55, on 8/17/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Windows\RtHDVCpl.exe
C:\Program Files\Toshiba\Power Saver\TPwrMain.exe
C:\Program Files\Toshiba\SmoothView\SmoothView.exe
C:\Program Files\Toshiba\FlashCards\TCrdMain.exe
C:\Program Files\Toshiba\ConfigFree\NDSTray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\acrotray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Synaptics\SynTP\SynToshiba.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Windows\ehome\ehtray.exe
C:\Users\dan\AppData\Local\Google\Update\GoogleUpdate.exe
C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Users\dan\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: SACert Class - {740FE5FB-65F1-46C5-9E54-A19C8A8D7AC2} - C:\Windows\system32\SoftAheadCert.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe
O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe
O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [mcagent_exe] "C:\Program Files\McAfee.com\Agent\mcagent.exe" /runkey
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [eFax 4.4] "C:\Program Files\eFax Messenger 4.4\J2GDllCmd.exe" /R
O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: eFax 4.4.lnk = C:\Program Files\eFax Messenger 4.4\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.30.0\gears.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {076169AA-8C3D-4CFC-AC23-3ACA88FC21B5} (F-Secure Online Scanner Launcher) - http://download.sp.f-secure.com/ols/f-secu.../fslauncher.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.9.113.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll C:\PROGRA~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll
O23 - Service: McAfee Application Installer Cleanup (0167721245720840) (0167721245720840mcinstcleanup) - Unknown owner - C:\Users\dan\AppData\Local\Temp\016772~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\Windows\svchast.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Nalpeiron Licensing Service (ASTSRV) - Nalpeiron Ltd. - C:\Windows\system32\ASTSRV.EXE
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Desktop Manager 5.7.806.10245 (GoogleDesktopManager-061008-081103) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Update Service (gupdate1c9e1a499df3c80) (gupdate1c9e1a499df3c80) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: PEVSystemStart - Unknown owner - cmd /k start /i "/dC:" "C:\ComboFix\HIDEC.exe" "C:\Windows\system32\CF29915.exe" /c RD /S/Q \$RECYCLE.bin \RECYCLER \RECYCLED (file missing)
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe
O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 17485 bytes


This was the last log from Malwarebytes, which now has my computer running without signs of infection. I am certain this will last only momentarily.


Malwarebytes' Anti-Malware 1.40
Database version: 2644
Windows 6.0.6001 Service Pack 1 (Safe Mode)

8/17/2009 20:04:19
mbam-log-2009-08-17 (20-04-16).txt

Scan type: Quick Scan
Objects scanned: 89861
Time elapsed: 5 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 11

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11781684 (Rogue.Multiple.H) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ueshlcfi (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Driver Setup (Worm.Palevo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\11781684 (Rogue.Multiple.H) -> No action taken.
C:\Windows\System32\lowsec (Stolen.data) -> No action taken.
C:\Users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Security (Rogue.TotalSecurity) -> No action taken.

Files Infected:
C:\ProgramData\11781684\11781684 (Rogue.Multiple.H) -> No action taken.
C:\ProgramData\11781684\11781684.exe (Rogue.Multiple.H) -> No action taken.
C:\ProgramData\11781684\pc11781684ins (Rogue.Multiple.H) -> No action taken.
C:\ins.exe (Rogue.SystemSecurity) -> No action taken.
C:\Windows\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\Windows\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\Users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Total Security\Total Security 2009.lnk (Rogue.TotalSecurity) -> No action taken.
C:\Users\dan\Desktop\Total Security 2009.lnk (Rogue.TotalSecurity) -> No action taken.
C:\Users\dan\AppData\Roaming\ueshlcfi.dll (Trojan.Agent) -> No action taken.
C:\Windows\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Windows\waw32.exe (Worm.Palevo) -> No action taken.
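An added example, not from the original post and not code from HijackThis, Malwarebytes or ComboFix: a small Python triage script that parses lines in the HijackThis v2 format shown above and flags the entry types a responder reads first, namely an R1 proxy pointing at the loopback address, an O4 autostart under the SYSTEM hive that loads a DLL through rundll32, O23 services whose binary is a one-character lookalike of a Windows system binary or sits directly in the Windows root, and orphaned O2 BHO registrations. The sample lines are constructed for the example (modelled on entries in the log above, with paths shortened); the rules, severity labels and the list of system binary names are my assumptions, not anything the tools emit.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 format, modelled on entry types in the
# log above. It is input for this example, not the output of a real scan.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=127.0.0.1:7070
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKUS\S-1-5-18\..\Run: [autochk] rundll32.exe C:\Windows\system32\config\SYSTEM~1\protect.dll,_IWMPEvents@16 (User 'SYSTEM')
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\Windows\svchast.exe (file missing)
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Assumed list of Windows binaries that malware imitates with a one-letter change.
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "explorer.exe", "smss.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (assumed scale)
    code: str       # HijackThis entry type, e.g. "O23"
    reason: str
    line: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one-character lookalikes of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_proxy(code: str, body: str):
    # R1 ProxyServer on the loopback address: the browser's traffic is being
    # funnelled through something listening locally. Find out what owns that port.
    if code != "R1" or "ProxyServer" not in body:
        return None
    m = re.search(r"ProxyServer\s*=\s*(?:\w+=)?([\w.\-]+):(\d+)", body)
    if m and m.group(1) in ("127.0.0.1", "localhost"):
        return ("high", f"browser proxied through local endpoint {m.group(1)}:{m.group(2)}")
    return None


def check_run_entry(code: str, body: str):
    # O4 autostart in the SYSTEM hive (S-1-5-18) that loads a DLL via rundll32.
    if code != "O4":
        return None
    if "HKUS\\S-1-5-18" in body and "rundll32" in body.lower():
        return ("high", "rundll32 autostart under the SYSTEM hive")
    return None


def check_service(code: str, body: str):
    # O23 services: lookalike names, binaries directly in C:\Windows, and
    # unknown-owner entries whose file is already gone.
    if code != "O23":
        return None
    path = body.split(" - ")[-1].replace("(file missing)", "").strip()
    directory, _, name = path.rpartition("\\")
    name = name.lower()
    reasons = []
    if name not in SYSTEM_BINARIES:
        for legit in SYSTEM_BINARIES:
            if levenshtein(name, legit) == 1:
                reasons.append(("high", f"{name} is a one-character lookalike of {legit}"))
    if directory.lower() == "c:\\windows":
        reasons.append(("medium", "service binary placed directly in the Windows root"))
    if "Unknown owner" in body and "(file missing)" in body:
        reasons.append(("medium", "unknown-owner service whose binary is missing"))
    if not reasons:
        return None
    severity = "high" if any(s == "high" for s, _ in reasons) else "medium"
    return (severity, "; ".join(r for _, r in reasons))


def check_bho(code: str, body: str):
    if code == "O2" and body.endswith("(no file)"):
        return ("low", "orphaned BHO registration (no file on disk)")
    return None


CHECKS = (check_proxy, check_run_entry, check_service, check_bho)


def triage(log_text: str) -> list:
    """Run every check over every parseable HijackThis line; return the hits."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        for check in CHECKS:
            hit = check(m["code"], m["body"])
            if hit:
                findings.append(Finding(hit[0], m["code"], hit[1], raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}\n         {f.line}")
```

Run it against a saved HijackThis log by reading the file and passing its text to `triage()`. The rules are deliberately narrow: they rank the entries to look at first rather than decide what is malicious, and the lookalike check only catches a single-character substitution, so names that differ by more (or by case alone) still need a human eye.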


#2 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:44 PM

Posted 17 August 2009 - 08:50 PM

Greetings micropirate and Welcome to the Forums,

It's not a good idea to run combofix on your own unless you've had proper training... as you already know, I'm sure, since the download page clearly spells that out.

You can try to rename combofix to:
services.exe
...your end result will be a file that is named services.exe and not services.exe.exe
Once renamed, run the program again...post back THAT log. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#3 micropirate

micropirate
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 18 August 2009 - 08:39 AM

ComboFix 09-08-10.06 - dan 08/18/2009 9:01.5.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1098 [GMT -4:00]
Running from: c:\users\dan\Desktop\ComboFix.exe
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\isns.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe


.
((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 13:15 . 2009-08-18 13:15 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-18 12:22 . 2009-08-18 12:22 -------- d-----w- c:\users\dan\AppData\Local\Apple Computer
2009-08-18 01:47 . 2009-08-18 01:47 35 ----a-w- c:\users\dan\AppData\Roaming\SetValue.bat
2009-08-18 01:45 . 2009-08-18 12:24 -------- d-----w- c:\users\dan\AppData\Local\Adobe
2009-08-18 01:28 . 2009-08-18 01:28 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-18 01:28 . 2009-08-18 01:28 -------- d-----w- c:\progra~2\avg8
2009-08-18 01:19 . 2009-08-18 01:19 -------- d-----w- c:\users\dan\AppData\Roaming\AVG8
2009-08-16 13:51 . 2009-08-16 13:51 -------- d-----w- c:\program files\Trend Micro
2009-08-16 12:48 . 2009-08-16 12:48 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2009-08-15 23:07 . 2009-08-15 23:07 -------- d-----w- C:\_OTM
2009-08-15 17:06 . 2009-08-15 17:06 -------- d-----w- c:\windows\Sun
2009-08-15 15:29 . 2009-08-15 15:29 -------- d-----w- C:\Windows Antivirus Pro
2009-08-15 11:55 . 2009-08-15 11:55 -------- dc-h--w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 11:25 . 2009-08-18 13:22 -------- d-----w- c:\users\dan\AppData\Local\temp
2009-08-14 19:59 . 2009-08-14 19:59 -------- d-----w- c:\progra~2\RegCure
2009-08-14 19:50 . 2009-08-14 19:50 3584 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-14 19:50 . 2009-08-14 19:50 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-14 19:49 . 2009-08-14 19:49 -------- d-----w- c:\program files\MSECACHE
2009-08-14 02:23 . 2009-08-14 02:23 -------- d-----w- c:\windows\CheckSur
2009-08-14 01:44 . 2009-08-14 01:44 -------- d-----w- c:\windows\system32\EventProviders
2009-07-29 22:15 . 2007-04-23 02:11 237568 ----a-w- c:\windows\system32\xvidvfw.dll
2009-07-29 22:15 . 2007-04-23 02:11 1216512 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 22:15 . 2007-04-23 02:10 237568 ----a-w- c:\windows\system32\OggDS.dll
2009-07-29 22:15 . 2007-04-23 02:09 921600 ----a-w- c:\windows\system32\vorbisenc.dll
2009-07-29 22:15 . 2007-04-23 02:09 188416 ----a-w- c:\windows\system32\vorbis.dll
2009-07-29 22:15 . 2007-04-23 02:09 45056 ----a-w- c:\windows\system32\ogg.dll
2009-07-29 16:22 . 2009-07-29 16:22 -------- d-----w- c:\program files\PowerISO
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 01:47 . 2007-11-21 00:36 -------- d-----w- c:\program files\Google
2009-08-18 01:47 . 2009-08-18 01:47 691 ----a-w- c:\users\dan\AppData\Roaming\GetValue.vbs
2009-08-18 01:31 . 2007-11-21 00:53 -------- d-----w- c:\progra~2\McAfee
2009-08-18 01:22 . 2008-10-06 22:50 -------- d-----w- c:\program files\Metasploit
2009-08-18 00:04 . 2009-06-22 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 14:26 . 2008-05-25 01:24 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-16 01:15 . 2008-05-25 00:03 -------- d-----w- c:\progra~2\F-Secure
2009-08-16 00:56 . 2009-06-26 16:17 1356 ----a-w- c:\users\dan\AppData\Local\d3d9caps.dat
2009-08-15 11:33 . 2008-05-25 01:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:33 . 2008-01-11 01:15 -------- d-----w- c:\program files\Lavasoft
2009-08-15 00:56 . 2008-05-25 01:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 16:55 . 2009-06-28 14:37 -------- d-----w- c:\program files\AlterWind Log Analyzer Lite
2009-08-03 17:36 . 2009-06-22 18:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-22 18:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 17:12 . 2008-01-12 20:32 -------- d-----w- c:\program files\dvdSanta
2009-07-22 01:14 . 2008-01-27 18:09 -------- d-----w- c:\users\dan\AppData\Roaming\uTorrent
2009-07-18 17:45 . 2008-07-14 13:42 -------- d-----w- c:\program files\Safari
2009-07-18 17:43 . 2009-07-18 17:42 -------- d-----w- c:\program files\iTunes
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\iPod
2009-07-18 17:42 . 2008-01-22 19:29 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 13:30 . 2009-07-18 13:30 -------- d--h--r- c:\users\dan\AppData\Roaming\SecuROM
2009-07-18 13:24 . 2009-07-18 13:24 -------- d-----w- c:\program files\AMD
2009-07-16 14:36 . 2009-07-12 22:06 -------- d-----w- c:\progra~2\Media Center Programs
2009-07-16 14:21 . 2009-07-12 21:35 -------- d-----w- c:\program files\THQ
2009-07-16 14:03 . 2009-07-16 00:47 -------- d-----w- c:\users\dan\AppData\Roaming\IGN_DLM
2009-07-16 00:47 . 2009-07-16 00:47 -------- d-----w- c:\program files\Download Manager
2009-07-13 15:09 . 2009-06-17 05:04 -------- d-----w- c:\users\dan\AppData\Roaming\NCH Swift Sound
2009-07-13 15:09 . 2008-09-16 16:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-12 20:17 . 2008-09-01 18:45 -------- d-----w- c:\users\dan\AppData\Roaming\CoreFTP
2009-07-12 13:50 . 2007-11-21 00:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 13:19 . 2009-06-29 02:09 -------- d-----w- c:\users\dan\AppData\Roaming\ThumbsPlus
2009-07-12 13:12 . 2009-07-12 00:08 -------- d-----w- c:\program files\Paradox Interactive
2009-07-12 13:08 . 2008-01-12 20:33 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-12 12:45 . 2009-07-11 22:22 -------- d-----w- c:\program files\BattleTanks II
2009-07-11 12:18 . 2009-07-11 12:18 -------- d-----w- c:\program files\Alcohol Soft
2009-07-11 11:59 . 2009-07-11 11:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-08 15:56 . 2008-01-10 19:45 129776 ----a-w- c:\users\dan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-02 13:46 . 2009-07-02 13:43 116841 ----a-w- c:\windows\hpqins00.dat
2009-07-02 05:01 . 2008-10-06 15:42 -------- d-----w- c:\program files\Acunetix
2009-07-01 14:03 . 2007-12-17 09:13 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-29 13:29 . 2008-05-27 05:24 -------- d-----w- c:\users\dan\AppData\Roaming\Alien Skin
2009-06-29 05:27 . 2008-05-27 05:11 -------- d-----w- c:\program files\Alien Skin
2009-06-29 02:26 . 2009-06-29 02:06 -------- d-----w- c:\program files\Thumbs7
2009-06-29 00:25 . 2008-01-12 20:31 -------- d-----w- c:\progra~2\Corel
2009-06-28 23:56 . 2009-06-28 23:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage PS
2009-06-28 22:36 . 2008-01-12 20:28 -------- d-----w- c:\program files\CoffeeCup Software
2009-06-28 16:45 . 2008-09-22 00:23 -------- d-----w- c:\progra~2\BVRP Software
2009-06-27 21:28 . 2009-06-27 21:28 -------- d-----w- c:\users\dan\AppData\Roaming\Anonymizer
2009-06-27 21:27 . 2009-06-27 21:27 -------- d-----w- c:\progra~2\Anonymizer
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-25 21:07 . 2009-06-25 21:07 -------- d-----w- c:\users\dan\AppData\Roaming\COWON
2009-06-25 12:24 . 2009-06-25 11:56 -------- d-----w- c:\users\dan\AppData\Roaming\Winamp
2009-06-25 11:59 . 2009-06-25 11:56 -------- d-----w- c:\program files\Winamp
2009-06-24 17:02 . 2009-06-24 17:02 -------- d-----w- c:\users\dan\AppData\Roaming\Ambient Design
2009-06-24 16:59 . 2009-06-24 16:59 -------- d-----w- c:\program files\ContrastMaster
2009-06-24 16:31 . 2009-06-24 16:31 -------- d-----w- c:\program files\Ambient Design
2009-06-24 16:25 . 2009-06-24 16:25 147123 ----a-w- c:\windows\Curvemeister_3 Uninstaller.exe
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Curvemeister.com
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Common Files\Thraex Software
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\progra~2\Curvemeister.com
2009-06-24 16:20 . 2009-06-24 16:04 -------- d-----w- c:\program files\VirtualDJ
2009-06-24 15:58 . 2009-06-24 15:58 -------- d-----w- c:\program files\FocalBlade
2009-06-24 15:56 . 2009-06-24 15:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage SL
2009-06-24 15:56 . 2009-06-24 15:55 -------- d-----w- c:\program files\Neat Image
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\BWStyler
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\lucasarts
2009-06-24 15:47 . 2009-06-24 15:46 -------- d-----w- c:\program files\JetAudio
2009-06-24 15:46 . 2009-06-24 15:46 -------- d-----w- c:\program files\Common Files\COWON
2009-06-24 15:44 . 2009-06-24 15:44 -------- d-----w- c:\program files\DynamicPhotoHDR4
2009-06-24 15:18 . 2008-01-12 20:31 -------- d-----w- c:\users\dan\AppData\Roaming\Corel
2009-06-24 15:13 . 2009-06-24 15:09 -------- d-----w- c:\program files\Common Files\Corel
2009-06-24 04:21 . 2008-12-07 05:23 -------- d-----w- c:\program files\RAR Password Cracker
2009-06-23 22:05 . 2008-01-11 02:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-23 13:03 . 2008-07-30 20:34 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-23 01:36 . 2009-06-23 01:36 -------- d-----w- c:\progra~2\SiteAdvisor
2009-06-23 00:12 . 2009-06-23 00:12 -------- d-----w- c:\program files\Sophos
2009-06-22 22:12 . 2009-06-22 22:12 -------- d-----w- c:\program files\AVG
2009-06-22 22:11 . 2009-06-22 22:11 -------- d-----w- c:\users\dan\AppData\Roaming\MixMeister Technology
2009-06-22 21:51 . 2008-03-02 21:39 -------- d-----w- c:\progra~2\FLEXnet
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\users\dan\AppData\Roaming\Malwarebytes
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\progra~2\Malwarebytes
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\program files\CCleaner
2009-06-22 00:34 . 2008-02-15 00:46 726008 ----a-w- c:\users\dan\gotomypc_437.exe
2009-06-22 00:33 . 2009-06-22 00:33 726008 ----a-w- c:\users\dan\gotomypc_438.exe
2009-06-15 13:35 . 2008-12-13 19:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-27 15:52 . 2009-05-27 15:52 4710 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe
2002-07-19 15:50 . 2008-11-08 18:14 153088 ----a-w- c:\program files\UNWISE.EXE
2008-08-31 21:50 . 2008-08-31 21:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-24 22:08 . 2008-01-12 20:33 88 --sh--r- c:\windows\System32\FEB4958A57.sys
2007-12-13 18:03 . 2007-12-13 18:03 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_22.58.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 22:32 . 2009-08-18 13:22 83904 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-18 13:22 92222 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-10 19:45 . 2009-08-18 13:22 15448 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-658057386-4236903089-2978409280-1000_UserData.bin
+ 2009-08-18 01:28 . 2009-08-18 01:28 23832 c:\windows\System32\DriverStore\FileRepository\avgfwfd6.inf_4ebe219e\avgfwd6x.sys
+ 2006-11-02 13:02 . 2009-08-18 12:22 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-15 15:31 . 2009-08-15 17:07 89584 c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2009-08-15 15:30 . 2009-08-15 22:28 98304 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009081520090816\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 51200 c:\windows\inf\infpub.dat
+ 2009-08-18 01:17 . 2009-08-18 01:17 4188 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\Data.dat
+ 2009-08-18 01:18 . 2009-08-18 01:18 5710 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\Data.dat
+ 2009-08-18 01:16 . 2009-08-18 01:16 5136 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\Data.dat
+ 2009-08-18 01:15 . 2009-08-18 01:15 5308 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\Data.dat
+ 2009-08-15 20:01 . 2009-08-15 20:01 9960 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY45SEDA\Antivirus-7716_2015-1[1].exe
+ 2008-01-11 15:49 . 2009-08-18 12:11 280800 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-11-21 19:33 . 2009-08-18 12:22 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 143360 c:\windows\inf\infstrng.dat
+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
- 2006-11-02 12:47 . 2009-07-11 12:06 2361728 c:\windows\System32\FNTCACHE.DAT
+ 2006-11-02 12:47 . 2009-08-15 23:21 2361728 c:\windows\System32\FNTCACHE.DAT
+ 2007-11-21 19:33 . 2009-08-18 12:22 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-14 00:51 . 2009-08-18 13:16 3634416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
- 2009-08-14 00:51 . 2009-08-14 01:11 3634416 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:24 . 2009-07-29 21:49 24281536 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-04 133104]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]

c:\users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E3232AEF-C167-4F08-8A16-B00BD8AFB2AA}"= Disabled:UDP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{C41659B7-EC37-4B79-A059-E402EC3E9E38}"= Disabled:TCP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{9C143B76-2322-4217-84A9-3F86C736F653}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4AA8674B-064C-42F8-A06C-F7FBEEE65F3F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{36DE8E08-0889-4C73-8CA6-4B8297AF9CA1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{8C886B8A-81EB-4FA7-9100-131A778F68BE}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{68D43D20-0076-422B-BD68-0930E5CA7D76}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{773F207D-FE52-4DE4-B5AF-09439F098CDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{621AD963-3F30-4BDE-B754-C7544950DF37}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{10318CCA-D295-4189-8BAB-1AA3773E3F5B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{F4E3C692-2E82-4351-B6C5-FA2121168EFF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EB98158D-A683-4651-B5C8-0FE00369E472}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4C66775F-E70C-4848-B6AF-DECDE840DE48}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{225614D5-6401-476D-A5D0-04D56B62EE79}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AB81E238-277A-4EA3-A04B-1D8941A91349}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{2EA5BFF0-AD6E-40ED-B70F-224C9F129F0C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{EBA91A19-A70A-46AD-8D41-9F6D668B0340}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83A9E68C-ADAD-4633-A702-D8BC6A23D08A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{49C82CDD-B2CB-4FD7-9523-12EED1898A36}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4E056627-DD0F-4558-B5D1-5874AF5339ED}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{DAA7058D-62BD-41EA-AADF-B21EBFE7A7D1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7255741A-774A-4B76-B7F8-33468EC02861}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{ED0B4A61-D65D-45B6-A550-1D2135EBFACF}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{FED621F6-CC76-4920-A1F6-43F1B9DAD1AB}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{2EF1E824-9208-4FF9-AD06-8C1CB6C8BFE6}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{DD1E4F58-63AB-4BF2-AF8D-3B5E0EE32004}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"TCP Query User{A92B914A-00B5-4730-9282-B9DBF95FF821}c:\\program files\\utorrent\\utorrent.exe"= UDP:c:\program files\utorrent\utorrent.exe:uTorrent
"UDP Query User{DF0443F9-C0E7-4C98-B159-393FCDCE7C2C}c:\\program files\\utorrent\\utorrent.exe"= TCP:c:\program files\utorrent\utorrent.exe:uTorrent
"{4551BD5B-B4D0-4821-B9A1-3281B29D7970}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{15E55FF1-0B22-4C1D-A5A6-7CCAED44C93C}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{483F4FA5-87CE-4E3C-8007-3A1FE8418427}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CFD5FA4D-B4B0-4EC6-9FE0-EFF8F8FEF3F8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04BE66C7-D214-4F13-9D29-37E1D40916B4}"= UDP:5353:Adobe CSI CS4
"{A142C3D4-229B-4D85-A50C-18C3DE9745F9}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{587DBFB8-38C2-44C9-92B5-61F93FEE8B57}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"TCP Query User{C1DC88E4-5BDA-422B-9DAF-0D61EA9E6680}c:\\program files\\emule\\emule.exe"= UDP:c:\program files\emule\emule.exe:eMule Plus
"UDP Query User{9F577C13-4738-4329-B25D-24F6507F1BB0}c:\\program files\\emule\\emule.exe"= TCP:c:\program files\emule\emule.exe:eMule Plus
"{A9832A22-A623-4B92-A5CA-D14A6E9557D5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{04C268E5-918E-4BF1-B4B3-ADE911EE39D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{9D7A7805-F54A-4417-B717-8C9AB193E32F}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{DC76F7C5-0D60-418B-9A2E-0871EC60B727}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{8229ED63-3FC4-4FE1-BEA3-D3794EF7ACCF}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{684B30D5-BD03-4B95-A3F5-321E328BA577}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{C7A8E44B-56EC-4D3A-A2F0-DE2A85FD417C}"= UDP:3724:Blizzard Downloader: 3724
"{166B8B0A-1FAC-41EE-878C-8A64BE81113C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1E0F3A6F-9D28-451E-AB15-8BFEB90D79A5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A0440AF-3D11-4008-9652-46EA2BB8920D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{9F0D1727-4310-46B5-98C8-E63237CBD5ED}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{8F6FA1D5-5273-4FBD-8B6B-AB71B02A12C2}c:\\program files\\coreftp\\coreftp.exe"= UDP:c:\program files\coreftp\coreftp.exe:Core FTP App
"UDP Query User{61A5F430-2BDD-4DD3-9F55-DDDF8A051D84}c:\\program files\\coreftp\\coreftp.exe"= TCP:c:\program files\coreftp\coreftp.exe:Core FTP App
"TCP Query User{EE112739-AA5E-4C70-A6DA-E7440ECA3606}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A894B584-0934-43B8-898F-553AE61EBB33}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{0BEED4FD-8F53-4BEC-8251-2AE3EE8D937D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{85023847-1861-4ADB-AA5B-8A119EF2E05F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{781D2C6F-6175-42D8-A167-15EA09FF4D57}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AB31243A-D3B9-435D-B0A4-841B57B738C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{905B8788-8DBA-439E-BDF5-6950E3548205}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{319A4283-84EF-4BAA-A030-9F86908603C8}"= UDP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AE5A2375-6D1B-453A-B058-CAEE0B4AC7F1}"= TCP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AD6C1BFA-2F04-4782-AC7C-663FCF255BA7}"= UDP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{08FB778A-6162-4E77-B095-004F8AAC38C3}"= TCP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{891F684E-0512-45EF-AA8A-F34877D32E75}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{506C3F16-7FB1-4CEC-B253-4C5729F70568}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [8/17/2009 21:28 23832]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\System32\ASTSRV.EXE [12/13/2008 22:47 57344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/24/2008 21:24 809296]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [1/22/2008 21:52 24652]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [11/20/2007 20:26 7168]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/17/2009 21:28 297752]
S2 gupdate1c9e1a499df3c80;Google Update Service (gupdate1c9e1a499df3c80);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 00:02 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2007 20:36 29744]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 15:36 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 19:33 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 15:18 23680]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [11/30/2007 14:36 8704]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [3/28/2007 11:51 43008]
S4 WG511TFCS;Netgear WG511T Wireless Domain Login Service;c:\windows\System32\WG511TFCS.exe [3/3/2008 13:36 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
SafeBoot-mcmscsvc
SafeBoot-MCODS


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=127.0.0.1:7070
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\users\dan\AppData\Roaming\Mozilla\Firefox\Profiles\0t3rflzo.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=TG9RWSJFyeI4l.2udJHZJw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 7070
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
FF - plugin: c:\users\dan\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 1
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks - 127.0.0.1
user_pref(network.proxy.socks_port,7070);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 09:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5772)
c:\windows\system32\PDCopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\windows\System32\PSIService.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\users\dan\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\HP\Digital Imaging\bin\hpqste08.exe
c:\program files\HP\Digital Imaging\bin\hpqbam08.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-18 9:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 13:36
ComboFix2.txt 2009-08-16 00:29
ComboFix3.txt 2009-08-15 11:25
ComboFix4.txt 2009-08-14 23:13
ComboFix5.txt 2009-08-17 11:55

Pre-Run: 54,304,329,728 bytes free
Post-Run: 54,334,783,488 bytes free

439 --- E O F --- 2009-05-06 08:56

#4 1972vet

  • Malware Response Team
  • 1,698 posts
  • Location:Midwest U.S.A.

Posted 18 August 2009 - 11:28 AM

We have more than a few issues, don't we? Please uninstall the following software:
Viewpoint Manager<--Foistware
Adobe\Acrobat 8.0<--Out of date and exploited

Click start-->control panel-->programs and features...click on the program name to highlight it...From the menu at the top, select Uninstall or Remove for each of those. When the uninstall completes, please reboot the computer.

In Windows Vista, please open a blank Notepad by clicking start-->type Notepad in the search box...a link to your notepad should appear in the results. You can just click on that to open notepad.

Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe.

Combofix will run again automatically. Please post back the new log that will be generated. Also, please tell us, did you install this program?:
c:\program files\RAR Password Cracker
...if so, tell us what you use it for. Thanks!

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.



KILLALL::

File::
C:\Windows\system32\config\SYSTEM~1\protect.dll
c:\users\dan\AppData\Roaming\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe


Rootkit::
c:\windows\svchast.exe
c:\windows\System32\FEB4958A57.sys


Folder::
C:\Windows Antivirus Pro
c:\users\dan\AppData\Roaming\uTorrent
C:\Program Files\Symantec
C:\Program Files\Viewpoint
c:\program files\utorrent
c:\program files\emule


Driver::
0167721245720840
AntipPro2009_100
Automatic LiveUpdate Scheduler
Viewpoint Manager Service
FEB4958A57


Registry::
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -
O2 - BHO: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} -
O3 - Toolbar: AVGTOOLBAR - {A057A204-BACC-4D26-9990-79A187E2698E} -
O4 - HKUS\S-1-5-18\..\Run: [autochk]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"TCP Query User{A92B914A-00B5-4730-9282-B9DBF95FF821}c:\\program files\\utorrent\\utorrent.exe"=-
"UDP Query User{DF0443F9-C0E7-4C98-B159-393FCDCE7C2C}c:\\program files\\utorrent\\utorrent.exe"=-
"TCP Query User{C1DC88E4-5BDA-422B-9DAF-0D61EA9E6680}c:\\program files\\emule\\emule.exe"=-
"UDP Query User{9F577C13-4738-4329-B25D-24F6507F1BB0}c:\\program files\\emule\\emule.exe"=-

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven

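The items 1972vet pulled out of the log for the CFScript are the classic signs of this family: a service (AntipPro2009_100) whose binary is flagged "[?]" because it is not on disk, a filename one letter off svchost.exe, a Run value that loads a DLL from under \config\, both browsers forced through a SOCKS proxy on 127.0.0.1:7070, and UAC switched off (EnableLUA = 0). The script below is an added example for this thread, not part of ComboFix and not the helper's own tool: it reads a ComboFix-style log and flags those indicators mechanically. SAMPLE_LOG is a constructed excerpt of lines quoted from the log above; the list of system binaries a dropper tends to imitate, the suspicious-directory list and the finding names are this example's own assumptions.

```python
"""Triage a ComboFix-style log for the indicators the CFScript above targets.

Added example for this thread; not ComboFix code and not the helper's own tool.
SAMPLE_LOG is a constructed excerpt of lines quoted from the log above; the
known-binary list, the suspicious-directory list and the finding names are
this example's assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [8/17/2009 21:28 23832]
S2 AntipPro2009_100;AntipyProex;c:\windows\svchast.exe --> c:\windows\svchast.exe [?]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/17/2009 21:28 297752]
HKU-Default-Run-autochk - c:\windows\system32\config\SYSTEM~1\protect.dll
uInternet Settings,ProxyServer = socks=127.0.0.1:7070
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - user.js: network.proxy.type - 1
"""

# Names a dropper likes to imitate with a one-letter change (assumption: short list).
KNOWN_SYSTEM_BINARIES = ("svchost.exe", "services.exe", "lsass.exe", "csrss.exe", "winlogon.exe")
# Directories from which nothing legitimate autostarts (assumption).
SUSPICIOUS_DIRS = ("\\config\\", "\\temp\\", "\\recycler\\")

# ComboFix line shapes: "S2 name;display;path [date size]" and "HKU-...-Run-value - path".
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+)$")
AUTORUN_RE = re.compile(r"^HKU-\S+-Run-(\S+)\s+-\s+(.+)$")
LOOPBACK_RE = re.compile(r"\b(127\.0\.0\.1|localhost)\b")
LUA_OFF_RE = re.compile(r'^"EnableLUA"\s*=\s*0\b')


@dataclass(frozen=True)
class Finding:
    kind: str
    detail: str


def one_char_off(name: str, known: str) -> bool:
    """True when the two names differ in exactly one character position."""
    return len(name) == len(known) and sum(a != b for a, b in zip(name, known)) == 1


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary `filename` imitates (svchast.exe -> svchost.exe), else None."""
    low = filename.lower()
    for known in KNOWN_SYSTEM_BINARIES:
        if low != known and one_char_off(low, known):
            return known
    return None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SERVICE_RE.match(line)
        if m:
            _state, name, _display, rest = m.groups()
            # "[?]" is ComboFix's marker for a service whose binary is not on disk.
            path = rest.split(" --> ")[-1].split(" [")[0].strip()
            if "[?]" in rest:
                findings.append(Finding("missing-binary", f"{name}: {path} is not on disk"))
            known = lookalike_of(path.rsplit("\\", 1)[-1])
            if known:
                findings.append(Finding("lookalike-name", f"{name}: {path} imitates {known}"))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            value, path = m.groups()
            if any(d in path.lower() for d in SUSPICIOUS_DIRS):
                findings.append(Finding("odd-autorun-path", f"Run value {value}: {path}"))
            continue
        # A browser proxy on the loopback interface means a local process sees all traffic.
        if "proxy" in line.lower() and LOOPBACK_RE.search(line):
            findings.append(Finding("loopback-proxy", line))
            continue
        if LUA_OFF_RE.match(line):
            findings.append(Finding("uac-disabled", line))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per kind; handy for a quick verdict on a long log."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:18} {f.detail}")
```

Run it as-is to see the six findings from the excerpt; to use it on a full log, read the saved ComboFix.txt into `triage()` instead of SAMPLE_LOG. The lookalike check is deliberately narrow (same length, one substituted character) so that legitimate vendor binaries with short names do not trip it; the loopback-proxy check fires on both the IE setting and the Firefox prefs lines, which is exactly the pair the redirects in this thread ride on.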

#5 micropirate

  • Topic Starter
  • Members
  • 14 posts

Posted 18 August 2009 - 12:38 PM

c:\program files\RAR Password Cracker

I had a file that had been compressed with WinRAR and could not for the life of me remember the password I had assigned it. That program is made for cracking password-protected RAR files. I found the program to be useless. It works kind of like an old war dialer: it runs dictionary words to guess at the password.

I am working on your recommendations.

Please note: I am not a malicious computer hacker of any kind. I do like to hack programs for my own use and hack Linksys wireless routers (by replacing their junk factory firmware with Linux-based software to push the power of the units up and make repeaters out of them), but beyond that I am just a computer enthusiast.

Note to 1972Vet:

I have a couple friends who were activated Coast Guard during Vietnam. I know you guys saw as much action and usually more than regular Navy. My hat is off to you. Thanks for serving.

#6 micropirate

  • Topic Starter
  • Members
  • 14 posts

Posted 18 August 2009 - 02:31 PM

I did as instructed, except the only Viewpoint in my programs was Viewpoint Viewer, not Viewpoint Manager. Viewpoint Manager is showing as a service and is not listed in installed programs. Now Windows Antivirus Pro rules my computer! It would not let me run any .exe programs. I changed ComboFix (services.exe to services.com) just so it would run (and yes, I downloaded a clean copy of ComboFix). Help!!!!

Latest Combofix log

ComboFix 09-08-10.06 - dan 08/18/2009 14:50.6.2 - NTFSx86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1463 [GMT -4:00]
Running from: c:\users\dan\Desktop\services.com
Command switches used :: c:\users\dan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\dan\AppData\Roaming\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe"
"c:\windows\system32\config\SYSTEM~1\protect.dll"
.
ADS - Windows: deleted 0 bytes in 1 streams.
/wow section not completed

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AntipPro2009_100
-------\Service_Automatic LiveUpdate Scheduler
-------\Service_Viewpoint Manager Service


((((((((((((((((((((((((( Files Created from 2009-07-18 to 2009-08-18 )))))))))))))))))))))))))))))))
.

2009-08-18 19:05 . 2009-08-18 19:05 -------- d-----w- c:\users\dan\AppData\Local\Apple Computer
2009-08-18 18:00 . 2009-08-18 18:40 4 ----a-w- c:\windows\system32\bincd32.dat
2009-08-18 17:39 . 2009-08-18 19:00 176128 ----a-w- c:\windows\svchast.exe
2009-08-18 17:39 . 2009-08-18 18:17 64 ----a-w- c:\windows\ppp4.dat
2009-08-18 17:39 . 2009-08-18 18:17 3 ----a-w- c:\windows\ppp3.dat
2009-08-18 17:39 . 2009-08-18 17:56 827392 ----a-w- c:\windows\system32\dddesot.dll
2009-08-18 17:38 . 2009-08-18 18:17 65536 ----a-w- c:\windows\system32\desot.exe
2009-08-18 17:38 . 2009-08-18 17:38 36 ----a-w- c:\windows\system32\sysnet.dat
2009-08-18 17:38 . 2009-08-18 17:40 -------- d-----w- c:\program files\Windows Antivirus Pro
2009-08-18 13:36 . 2009-08-18 13:36 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-18 01:47 . 2009-08-18 01:47 35 ----a-w- c:\users\dan\AppData\Roaming\SetValue.bat
2009-08-18 01:28 . 2009-08-18 01:28 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-18 01:28 . 2009-08-18 01:28 -------- d-----w- c:\progra~2\avg8
2009-08-18 01:19 . 2009-08-18 01:19 -------- d-----w- c:\users\dan\AppData\Roaming\AVG8
2009-08-16 13:51 . 2009-08-16 13:51 -------- d-----w- c:\program files\Trend Micro
2009-08-16 12:48 . 2009-08-16 12:48 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2009-08-15 23:07 . 2009-08-15 23:07 -------- d-----w- C:\_OTM
2009-08-15 17:06 . 2009-08-15 17:06 -------- d-----w- c:\windows\Sun
2009-08-15 15:29 . 2009-08-15 15:29 -------- d-----w- C:\Windows Antivirus Pro
2009-08-15 11:55 . 2009-08-15 11:55 -------- dc-h--w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 11:25 . 2009-08-18 19:06 -------- d-----w- c:\users\dan\AppData\Local\temp
2009-08-14 19:59 . 2009-08-14 19:59 -------- d-----w- c:\progra~2\RegCure
2009-08-14 19:50 . 2009-08-14 19:50 3584 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-14 19:50 . 2009-08-14 19:50 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-14 19:49 . 2009-08-14 19:49 -------- d-----w- c:\program files\MSECACHE
2009-08-14 02:23 . 2009-08-14 02:23 -------- d-----w- c:\windows\CheckSur
2009-08-14 01:44 . 2009-08-14 01:44 -------- d-----w- c:\windows\system32\EventProviders
2009-07-29 22:15 . 2007-04-23 02:11 237568 ----a-w- c:\windows\system32\xvidvfw.dll
2009-07-29 22:15 . 2007-04-23 02:11 1216512 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 22:15 . 2007-04-23 02:10 237568 ----a-w- c:\windows\system32\OggDS.dll
2009-07-29 22:15 . 2007-04-23 02:09 921600 ----a-w- c:\windows\system32\vorbisenc.dll
2009-07-29 22:15 . 2007-04-23 02:09 188416 ----a-w- c:\windows\system32\vorbis.dll
2009-07-29 22:15 . 2007-04-23 02:09 45056 ----a-w- c:\windows\system32\ogg.dll
2009-07-29 16:22 . 2009-07-29 16:22 -------- d-----w- c:\program files\PowerISO
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-18 17:40 . 2008-01-23 01:49 -------- d-----w- c:\program files\Viewpoint
2009-08-18 01:47 . 2007-11-21 00:36 -------- d-----w- c:\program files\Google
2009-08-18 01:47 . 2009-08-18 01:47 691 ----a-w- c:\users\dan\AppData\Roaming\GetValue.vbs
2009-08-18 01:31 . 2007-11-21 00:53 -------- d-----w- c:\progra~2\McAfee
2009-08-18 01:22 . 2008-10-06 22:50 -------- d-----w- c:\program files\Metasploit
2009-08-18 00:04 . 2009-06-22 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 14:26 . 2008-05-25 01:24 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-16 01:15 . 2008-05-25 00:03 -------- d-----w- c:\progra~2\F-Secure
2009-08-16 00:56 . 2009-06-26 16:17 1356 ----a-w- c:\users\dan\AppData\Local\d3d9caps.dat
2009-08-15 11:33 . 2008-05-25 01:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:33 . 2008-01-11 01:15 -------- d-----w- c:\program files\Lavasoft
2009-08-15 00:56 . 2008-05-25 01:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 16:55 . 2009-06-28 14:37 -------- d-----w- c:\program files\AlterWind Log Analyzer Lite
2009-08-03 17:36 . 2009-06-22 18:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-22 18:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 17:12 . 2008-01-12 20:32 -------- d-----w- c:\program files\dvdSanta
2009-07-22 01:14 . 2008-01-27 18:09 -------- d-----w- c:\users\dan\AppData\Roaming\uTorrent
2009-07-18 17:45 . 2008-07-14 13:42 -------- d-----w- c:\program files\Safari
2009-07-18 17:43 . 2009-07-18 17:42 -------- d-----w- c:\program files\iTunes
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\iPod
2009-07-18 17:42 . 2008-01-22 19:29 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 13:30 . 2009-07-18 13:30 -------- d--h--r- c:\users\dan\AppData\Roaming\SecuROM
2009-07-18 13:24 . 2009-07-18 13:24 -------- d-----w- c:\program files\AMD
2009-07-16 14:36 . 2009-07-12 22:06 -------- d-----w- c:\progra~2\Media Center Programs
2009-07-16 14:21 . 2009-07-12 21:35 -------- d-----w- c:\program files\THQ
2009-07-16 14:03 . 2009-07-16 00:47 -------- d-----w- c:\users\dan\AppData\Roaming\IGN_DLM
2009-07-16 00:47 . 2009-07-16 00:47 -------- d-----w- c:\program files\Download Manager
2009-07-13 15:09 . 2009-06-17 05:04 -------- d-----w- c:\users\dan\AppData\Roaming\NCH Swift Sound
2009-07-13 15:09 . 2008-09-16 16:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-12 20:17 . 2008-09-01 18:45 -------- d-----w- c:\users\dan\AppData\Roaming\CoreFTP
2009-07-12 13:50 . 2007-11-21 00:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 13:19 . 2009-06-29 02:09 -------- d-----w- c:\users\dan\AppData\Roaming\ThumbsPlus
2009-07-12 13:12 . 2009-07-12 00:08 -------- d-----w- c:\program files\Paradox Interactive
2009-07-12 13:08 . 2008-01-12 20:33 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-12 12:45 . 2009-07-11 22:22 -------- d-----w- c:\program files\BattleTanks II
2009-07-11 12:18 . 2009-07-11 12:18 -------- d-----w- c:\program files\Alcohol Soft
2009-07-11 11:59 . 2009-07-11 11:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-08 15:56 . 2008-01-10 19:45 129776 ----a-w- c:\users\dan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-02 13:46 . 2009-07-02 13:43 116841 ----a-w- c:\windows\hpqins00.dat
2009-07-02 05:01 . 2008-10-06 15:42 -------- d-----w- c:\program files\Acunetix
2009-07-01 14:03 . 2007-12-17 09:13 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-29 13:29 . 2008-05-27 05:24 -------- d-----w- c:\users\dan\AppData\Roaming\Alien Skin
2009-06-29 05:27 . 2008-05-27 05:11 -------- d-----w- c:\program files\Alien Skin
2009-06-29 02:26 . 2009-06-29 02:06 -------- d-----w- c:\program files\Thumbs7
2009-06-29 00:25 . 2008-01-12 20:31 -------- d-----w- c:\progra~2\Corel
2009-06-28 23:56 . 2009-06-28 23:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage PS
2009-06-28 22:36 . 2008-01-12 20:28 -------- d-----w- c:\program files\CoffeeCup Software
2009-06-28 16:45 . 2008-09-22 00:23 -------- d-----w- c:\progra~2\BVRP Software
2009-06-27 21:28 . 2009-06-27 21:28 -------- d-----w- c:\users\dan\AppData\Roaming\Anonymizer
2009-06-27 21:27 . 2009-06-27 21:27 -------- d-----w- c:\progra~2\Anonymizer
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-25 21:07 . 2009-06-25 21:07 -------- d-----w- c:\users\dan\AppData\Roaming\COWON
2009-06-25 12:24 . 2009-06-25 11:56 -------- d-----w- c:\users\dan\AppData\Roaming\Winamp
2009-06-25 11:59 . 2009-06-25 11:56 -------- d-----w- c:\program files\Winamp
2009-06-24 17:02 . 2009-06-24 17:02 -------- d-----w- c:\users\dan\AppData\Roaming\Ambient Design
2009-06-24 16:59 . 2009-06-24 16:59 -------- d-----w- c:\program files\ContrastMaster
2009-06-24 16:31 . 2009-06-24 16:31 -------- d-----w- c:\program files\Ambient Design
2009-06-24 16:25 . 2009-06-24 16:25 147123 ----a-w- c:\windows\Curvemeister_3 Uninstaller.exe
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Curvemeister.com
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Common Files\Thraex Software
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\progra~2\Curvemeister.com
2009-06-24 16:20 . 2009-06-24 16:04 -------- d-----w- c:\program files\VirtualDJ
2009-06-24 15:58 . 2009-06-24 15:58 -------- d-----w- c:\program files\FocalBlade
2009-06-24 15:56 . 2009-06-24 15:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage SL
2009-06-24 15:56 . 2009-06-24 15:55 -------- d-----w- c:\program files\Neat Image
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\BWStyler
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\lucasarts
2009-06-24 15:47 . 2009-06-24 15:46 -------- d-----w- c:\program files\JetAudio
2009-06-24 15:46 . 2009-06-24 15:46 -------- d-----w- c:\program files\Common Files\COWON
2009-06-24 15:44 . 2009-06-24 15:44 -------- d-----w- c:\program files\DynamicPhotoHDR4
2009-06-24 15:18 . 2008-01-12 20:31 -------- d-----w- c:\users\dan\AppData\Roaming\Corel
2009-06-24 15:13 . 2009-06-24 15:09 -------- d-----w- c:\program files\Common Files\Corel
2009-06-23 22:05 . 2008-01-11 02:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-23 13:03 . 2008-07-30 20:34 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-23 01:36 . 2009-06-23 01:36 -------- d-----w- c:\progra~2\SiteAdvisor
2009-06-23 00:12 . 2009-06-23 00:12 -------- d-----w- c:\program files\Sophos
2009-06-22 22:12 . 2009-06-22 22:12 -------- d-----w- c:\program files\AVG
2009-06-22 22:11 . 2009-06-22 22:11 -------- d-----w- c:\users\dan\AppData\Roaming\MixMeister Technology
2009-06-22 21:51 . 2008-03-02 21:39 -------- d-----w- c:\progra~2\FLEXnet
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\users\dan\AppData\Roaming\Malwarebytes
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\progra~2\Malwarebytes
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\program files\CCleaner
2009-06-22 00:34 . 2008-02-15 00:46 726008 ----a-w- c:\users\dan\gotomypc_437.exe
2009-06-22 00:33 . 2009-06-22 00:33 726008 ----a-w- c:\users\dan\gotomypc_438.exe
2009-06-15 13:35 . 2008-12-13 19:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-05-27 15:52 . 2009-05-27 15:52 4710 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{DF6DA606-904D-4C18-823F-A4CFC3035E53}\ext.exe
2002-07-19 15:50 . 2008-11-08 18:14 153088 ----a-w- c:\program files\UNWISE.EXE
2008-08-31 21:50 . 2008-08-31 21:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2008-05-24 22:08 . 2008-01-12 20:33 88 --sh--r- c:\windows\System32\FEB4958A57.sys
2007-12-13 18:03 . 2007-12-13 18:03 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_22.58.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 22:32 . 2009-08-18 18:36 84380 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-18 18:36 92262 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-10 19:45 . 2009-08-18 18:36 15480 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-658057386-4236903089-2978409280-1000_UserData.bin
+ 2009-08-18 01:28 . 2009-08-18 01:28 23832 c:\windows\System32\DriverStore\FileRepository\avgfwfd6.inf_4ebe219e\avgfwd6x.sys
+ 2006-11-02 13:02 . 2009-08-18 18:46 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-15 15:31 . 2009-08-15 17:07 89584 c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2009-08-18 17:40 . 2009-08-18 18:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009081820090819\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 51200 c:\windows\inf\infpub.dat
+ 2009-08-18 01:17 . 2009-08-18 01:17 4188 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\Data.dat
+ 2009-08-18 01:18 . 2009-08-18 01:18 5710 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\Data.dat
+ 2009-08-18 01:16 . 2009-08-18 01:16 5136 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\Data.dat
+ 2009-08-18 01:15 . 2009-08-18 01:15 5308 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\Data.dat
+ 2009-08-15 20:01 . 2009-08-15 20:01 9960 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY45SEDA\Antivirus-7716_2015-1[1].exe
+ 2008-01-11 15:49 . 2009-08-18 12:11 280800 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-11-21 19:33 . 2009-08-18 18:46 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 143360 c:\windows\inf\infstrng.dat
+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2006-11-02 12:47 . 2009-08-18 18:21 2360256 c:\windows\System32\FNTCACHE.DAT
+ 2007-11-21 19:33 . 2009-08-18 18:46 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-14 00:51 . 2009-08-18 18:43 3914176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:24 . 2009-07-29 21:49 24281536 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F54AF7DE-6038-4026-8433-CC30E3F17212}]
2009-08-18 17:56 827392 ----a-w- c:\windows\System32\dddesot.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-04 133104]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]

c:\users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E3232AEF-C167-4F08-8A16-B00BD8AFB2AA}"= Disabled:UDP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{C41659B7-EC37-4B79-A059-E402EC3E9E38}"= Disabled:TCP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{9C143B76-2322-4217-84A9-3F86C736F653}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4AA8674B-064C-42F8-A06C-F7FBEEE65F3F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{36DE8E08-0889-4C73-8CA6-4B8297AF9CA1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{8C886B8A-81EB-4FA7-9100-131A778F68BE}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{68D43D20-0076-422B-BD68-0930E5CA7D76}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{773F207D-FE52-4DE4-B5AF-09439F098CDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{621AD963-3F30-4BDE-B754-C7544950DF37}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{10318CCA-D295-4189-8BAB-1AA3773E3F5B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{F4E3C692-2E82-4351-B6C5-FA2121168EFF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EB98158D-A683-4651-B5C8-0FE00369E472}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4C66775F-E70C-4848-B6AF-DECDE840DE48}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{225614D5-6401-476D-A5D0-04D56B62EE79}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AB81E238-277A-4EA3-A04B-1D8941A91349}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{2EA5BFF0-AD6E-40ED-B70F-224C9F129F0C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{EBA91A19-A70A-46AD-8D41-9F6D668B0340}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83A9E68C-ADAD-4633-A702-D8BC6A23D08A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{49C82CDD-B2CB-4FD7-9523-12EED1898A36}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4E056627-DD0F-4558-B5D1-5874AF5339ED}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{DAA7058D-62BD-41EA-AADF-B21EBFE7A7D1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7255741A-774A-4B76-B7F8-33468EC02861}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{ED0B4A61-D65D-45B6-A550-1D2135EBFACF}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{FED621F6-CC76-4920-A1F6-43F1B9DAD1AB}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{2EF1E824-9208-4FF9-AD06-8C1CB6C8BFE6}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{DD1E4F58-63AB-4BF2-AF8D-3B5E0EE32004}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{4551BD5B-B4D0-4821-B9A1-3281B29D7970}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{15E55FF1-0B22-4C1D-A5A6-7CCAED44C93C}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{483F4FA5-87CE-4E3C-8007-3A1FE8418427}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CFD5FA4D-B4B0-4EC6-9FE0-EFF8F8FEF3F8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04BE66C7-D214-4F13-9D29-37E1D40916B4}"= UDP:5353:Adobe CSI CS4
"{A142C3D4-229B-4D85-A50C-18C3DE9745F9}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{587DBFB8-38C2-44C9-92B5-61F93FEE8B57}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{A9832A22-A623-4B92-A5CA-D14A6E9557D5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{04C268E5-918E-4BF1-B4B3-ADE911EE39D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{9D7A7805-F54A-4417-B717-8C9AB193E32F}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{DC76F7C5-0D60-418B-9A2E-0871EC60B727}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{8229ED63-3FC4-4FE1-BEA3-D3794EF7ACCF}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{684B30D5-BD03-4B95-A3F5-321E328BA577}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{C7A8E44B-56EC-4D3A-A2F0-DE2A85FD417C}"= UDP:3724:Blizzard Downloader: 3724
"{166B8B0A-1FAC-41EE-878C-8A64BE81113C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1E0F3A6F-9D28-451E-AB15-8BFEB90D79A5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A0440AF-3D11-4008-9652-46EA2BB8920D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{9F0D1727-4310-46B5-98C8-E63237CBD5ED}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{8F6FA1D5-5273-4FBD-8B6B-AB71B02A12C2}c:\\program files\\coreftp\\coreftp.exe"= UDP:c:\program files\coreftp\coreftp.exe:Core FTP App
"UDP Query User{61A5F430-2BDD-4DD3-9F55-DDDF8A051D84}c:\\program files\\coreftp\\coreftp.exe"= TCP:c:\program files\coreftp\coreftp.exe:Core FTP App
"TCP Query User{EE112739-AA5E-4C70-A6DA-E7440ECA3606}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A894B584-0934-43B8-898F-553AE61EBB33}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{0BEED4FD-8F53-4BEC-8251-2AE3EE8D937D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{85023847-1861-4ADB-AA5B-8A119EF2E05F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{781D2C6F-6175-42D8-A167-15EA09FF4D57}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AB31243A-D3B9-435D-B0A4-841B57B738C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{905B8788-8DBA-439E-BDF5-6950E3548205}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{319A4283-84EF-4BAA-A030-9F86908603C8}"= UDP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AE5A2375-6D1B-453A-B058-CAEE0B4AC7F1}"= TCP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AD6C1BFA-2F04-4782-AC7C-663FCF255BA7}"= UDP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{08FB778A-6162-4E77-B095-004F8AAC38C3}"= TCP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{891F684E-0512-45EF-AA8A-F34877D32E75}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{506C3F16-7FB1-4CEC-B253-4C5729F70568}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [8/17/2009 21:28 23832]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\System32\ASTSRV.EXE [12/13/2008 22:47 57344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/24/2008 21:24 809296]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [11/20/2007 20:26 7168]
S2 AntipPro2009_12;AntipyPro_12;c:\windows\svchast.exe [8/18/2009 13:39 176128]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/17/2009 21:28 297752]
S2 gupdate1c9e1a499df3c80;Google Update Service (gupdate1c9e1a499df3c80);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 00:02 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2007 20:36 29744]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 15:36 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 19:33 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 15:18 23680]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [11/30/2007 14:36 8704]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [3/28/2007 11:51 43008]
S4 WG511TFCS;Netgear WG511T Wireless Domain Login Service;c:\windows\System32\WG511TFCS.exe [3/3/2008 13:36 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=127.0.0.1:7070
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\users\dan\AppData\Roaming\Mozilla\Firefox\Profiles\0t3rflzo.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=TG9RWSJFyeI4l.2udJHZJw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 7070
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\Download Manager\npfpdlm.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\users\dan\AppData\Local\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 1
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks - 127.0.0.1
user_pref(network.proxy.socks_port,7070);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 15:06
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3476)
c:\windows\system32\PDCopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\PSIService.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\dan\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-08-18 15:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-18 19:19
ComboFix2.txt 2009-08-18 13:36
ComboFix3.txt 2009-08-16 00:29
ComboFix4.txt 2009-08-15 11:25
ComboFix5.txt 2009-08-18 18:49

Pre-Run: 58,416,848,896 bytes free
Post-Run: 56,482,910,208 bytes free

420 --- E O F --- 2009-05-06 08:56
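
The log above shows both browsers pointed at a SOCKS proxy on 127.0.0.1:7070 (IE's ProxyServer and Firefox's network.proxy.* prefs) and the Firefox default search engine overridden to MyWebSearch. As an added example that is not part of this thread and not ComboFix's own logic, here is a small Python check that parses Firefox prefs.js/user.js lines and reports manual proxy settings and overridden search prefs. The sample lines are constructed to mirror the values in the log; the scan_profile helper and the profile path it takes are assumptions for illustration.

```python
import re
from pathlib import Path
from typing import Dict, List, Union

# One prefs.js / user.js line looks like: user_pref("name", value);
# where value is a double-quoted string, an integer, or true/false.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\);\s*$')

PrefValue = Union[str, int, bool]

# Hosts that mean "a proxy running on this very machine", which is how a
# local redirector like the one in the log inserts itself into browsing.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample input; values mirror the ComboFix log, not a real file.
SAMPLE_USER_JS = '''\
// constructed sample user.js
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "127.0.0.1");
user_pref("network.proxy.socks_port", 7070);
user_pref("network.proxy.socks_version", 5);
user_pref("network.proxy.http", "");
user_pref("network.proxy.http_port", 0);
user_pref("network.proxy.no_proxies_on", "");
user_pref("browser.search.selectedEngine", "MyWebSearch");
user_pref("browser.startup.homepage", "about:home");
'''


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse user_pref(...) lines into a dict; comments and junk are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1].replace('\\"', '"')
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            try:
                prefs[name] = int(raw)
            except ValueError:
                prefs[name] = raw  # keep anything unexpected verbatim
    return prefs


def proxy_findings(prefs: Dict[str, PrefValue]) -> List[str]:
    """Report settings a clean profile would not normally carry.

    network.proxy.type 1 means "manual proxy configuration"; the default
    (5, use system settings) is usually not even written to prefs.js.
    """
    findings: List[str] = []
    if prefs.get("network.proxy.type") == 1:
        for scheme in ("http", "ssl", "ftp", "socks"):
            host = prefs.get(f"network.proxy.{scheme}")
            port = prefs.get(f"network.proxy.{scheme}_port", 0)
            if host:  # empty string means the scheme is not proxied
                where = "loopback" if host in LOOPBACK else "remote"
                findings.append(f"manual {scheme} proxy -> {host}:{port} ({where})")
    for name in ("keyword.URL", "browser.search.selectedEngine"):
        if name in prefs:
            findings.append(f"search setting overridden: {name} = {prefs[name]}")
    return findings


def scan_profile(profile_dir: str) -> List[str]:
    """Assumed helper: read prefs.js then user.js from a profile directory.

    Firefox does not create user.js itself, so its mere presence in a
    profile is worth a look; it is applied after prefs.js, so it wins here.
    """
    prefs: Dict[str, PrefValue] = {}
    for name in ("prefs.js", "user.js"):
        f = Path(profile_dir) / name
        if f.is_file():
            prefs.update(parse_prefs(f.read_text(encoding="utf-8", errors="replace")))
    return proxy_findings(prefs)


if __name__ == "__main__":
    for line in proxy_findings(parse_prefs(SAMPLE_USER_JS)):
        print(line)
```

Run against the constructed sample it reports the loopback SOCKS proxy on port 7070 and the MyWebSearch engine override; pointed at a real profile directory (c:\users\<name>\AppData\Roaming\Mozilla\Firefox\Profiles\<id>.default) it reads the actual files. A loopback finding on a machine with no legitimate local proxy is exactly the kind of indicator that explains "cleaned, yet still redirected".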

#7 micropirate

micropirate
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 18 August 2009 - 05:41 PM

re-scanned after re-download and running of combofix.exe


Edit added by 1972vet:
When you edit and remove what you had posted, it causes concern for several reasons. Sometimes it creates gaps in the thread, as in this case, and the thread loses cohesiveness to the reader. In addition, your help (me) loses the advantage of seeing exactly where the fix suggestion(s) came from. Let me ask...please do not edit a post to remove anything, rather edit (if needed) to add clarity without removing a thing.

For example if the original post said:
C:\Windows\System32\bad file
...and you edit the post to change something about that file path information, instead of removing and replacing what you posted, you could just add the following:
C:\Windows\System32\folder name\bad file
...then, simply add some verbiage as to what and why you did it. See?

Thanks for understanding!

Edited by 1972vet, 18 August 2009 - 07:08 PM.


#8 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • OFFLINE
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:44 PM

Posted 18 August 2009 - 06:48 PM

I hope to drive home the fact that your current issues with the infection on your system are the direct result of using/visiting crack/warez web sites and the use of file sharing software. Please consider this as the proverbial straw...and chalk it up as the valuable experience it is for bringing about the change in surfing habits for you.

We'll take another swipe at it...first though, you should look for and uninstall :
MyWebSearch
...and I should say, the ViewPoint Viewer should go as well. Anything with ViewPoint in its name.
ViewPoint View Manager
ViewPoint Tool Bar
ViewPoint Media Player

...all should be removed if present. Did you uninstall Adobe Reader 8? It does appear as though it is still installed. That version of Adobe Reader has been exploited and causes a serious security threat, especially for users who have a router. In fact, you would do well to reset your router:
1. Unplug or turn off your DSL/cable modem.
2. Locate the router's reset button.
3. Press, and hold, the Reset button down for 30 seconds.
4. Wait for your Power, WLAN and Internet light to turn on. (On the router)
5. Plug in or turn on your modem.(if it is separate from the router)
6. Open your web browser to see if you have an internet connection. If you still don't have an internet connection you may need to restart your computer.

Having reset the router, a default password will never do...please create a new strong password now in order to strengthen security of your wireless connection.


Next, please open another blank Notepad...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Combofix will run again automatically. Please post back the new log that will be generated. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::


File::
c:\users\dan\AppData\Roaming\GetValue.vbs
c:\windows\System32\FEB4958A57.sys
c:\windows\svchast.exe


Folder::
c:\program files\Windows Antivirus Pro


Driver::
AntipPro2009_12
FEB4958A57

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#9 micropirate

micropirate
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 18 August 2009 - 07:46 PM

Router security is something I am very familiar with as I do extensive work on routers and wireless networks. I have taken your advice and reset my routers (I have 2: 1 acts as a router, the 2nd acts as a repeater).

Yes, I meant to take off uTorrent some time ago and rarely used it, and now will never use it. I must admit that this virus/malware/rootkit was picked up from a compromised cracked piece of software. It has taught me a painful lesson. Thanks for helping me in spite of my foolishness.

I had removed Adobe Acrobat 8 not Reader 8. I will remove it as well and follow the rest of your to do list.

#10 micropirate

micropirate
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:07:44 PM

Posted 18 August 2009 - 08:38 PM

Could not find Websearch or Viewpoint in Programs to remove. Adobe Reader removed and Combofix run with script.

ComboFix 09-08-10.06 - dan 08/18/2009 20:57.9.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.960 [GMT -4:00]
Running from: c:\users\dan\Desktop\ComboFix.exe
Command switches used :: c:\users\dan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\dan\AppData\Roaming\GetValue.vbs"
"c:\windows\svchast.exe"
"c:\windows\System32\FEB4958A57.sys"
.
ADS - Windows: deleted 0 bytes in 1 streams.

Overlay aborted ... Please run ComboFix once more
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Windows Antivirus Pro
c:\program files\Windows Antivirus Pro\msvcm80.dll
c:\program files\Windows Antivirus Pro\msvcp80.dll
c:\program files\Windows Antivirus Pro\msvcr80.dll
c:\program files\Windows Antivirus Pro\tmp\dbsinit.exe
c:\program files\Windows Antivirus Pro\tmp\images\i1.gif
c:\program files\Windows Antivirus Pro\tmp\images\i2.gif
c:\program files\Windows Antivirus Pro\tmp\images\i3.gif
c:\program files\Windows Antivirus Pro\tmp\images\j1.gif
c:\program files\Windows Antivirus Pro\tmp\images\j2.gif
c:\program files\Windows Antivirus Pro\tmp\images\j3.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj1.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj2.gif
c:\program files\Windows Antivirus Pro\tmp\images\jj3.gif
c:\program files\Windows Antivirus Pro\tmp\images\l1.gif
c:\program files\Windows Antivirus Pro\tmp\images\l2.gif
c:\program files\Windows Antivirus Pro\tmp\images\l3.gif
c:\program files\Windows Antivirus Pro\tmp\images\pix.gif
c:\program files\Windows Antivirus Pro\tmp\images\t1.gif
c:\program files\Windows Antivirus Pro\tmp\images\t2.gif
c:\program files\Windows Antivirus Pro\tmp\images\up1.gif
c:\program files\Windows Antivirus Pro\tmp\images\up2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w1.gif
c:\program files\Windows Antivirus Pro\tmp\images\w11.gif
c:\program files\Windows Antivirus Pro\tmp\images\w2.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.gif
c:\program files\Windows Antivirus Pro\tmp\images\w3.jpg
c:\program files\Windows Antivirus Pro\tmp\images\wt1.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt2.gif
c:\program files\Windows Antivirus Pro\tmp\images\wt3.gif
c:\program files\Windows Antivirus Pro\tmp\wispex.html
c:\program files\Windows Antivirus Pro\Windows Antivirus Pro.exe
c:\users\dan\AppData\Roaming\GetValue.vbs
c:\windows\System32\FEB4958A57.sys


.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_AntipPro2009_12


((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 01:11 . 2009-08-19 01:11 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-19 01:11 . 2009-08-19 01:11 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-19 00:47 . 2009-08-19 00:47 -------- d-----w- c:\users\dan\AppData\Local\Adobe
2009-08-18 19:05 . 2009-08-18 19:05 -------- d-----w- c:\users\dan\AppData\Local\Apple Computer
2009-08-18 18:00 . 2009-08-18 21:52 4 ----a-w- c:\windows\system32\bincd32.dat
2009-08-18 17:39 . 2009-08-18 18:17 64 ----a-w- c:\windows\ppp4.dat
2009-08-18 17:39 . 2009-08-18 18:17 3 ----a-w- c:\windows\ppp3.dat
2009-08-18 17:38 . 2009-08-18 17:38 36 ----a-w- c:\windows\system32\sysnet.dat
2009-08-18 01:47 . 2009-08-18 01:47 35 ----a-w- c:\users\dan\AppData\Roaming\SetValue.bat
2009-08-18 01:28 . 2009-08-18 01:28 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-18 01:28 . 2009-08-18 01:28 -------- d-----w- c:\progra~2\avg8
2009-08-18 01:19 . 2009-08-18 01:19 -------- d-----w- c:\users\dan\AppData\Roaming\AVG8
2009-08-16 13:51 . 2009-08-16 13:51 -------- d-----w- c:\program files\Trend Micro
2009-08-16 12:48 . 2009-08-16 12:48 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2009-08-15 23:07 . 2009-08-15 23:07 -------- d-----w- C:\_OTM
2009-08-15 17:06 . 2009-08-15 17:06 -------- d-----w- c:\windows\Sun
2009-08-15 11:55 . 2009-08-15 11:55 -------- dc-h--w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 11:25 . 2009-08-19 01:16 -------- d-----w- c:\users\dan\AppData\Local\temp
2009-08-14 19:59 . 2009-08-14 19:59 -------- d-----w- c:\progra~2\RegCure
2009-08-14 19:50 . 2009-08-14 19:50 3584 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-14 19:50 . 2009-08-14 19:50 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-14 19:49 . 2009-08-14 19:49 -------- d-----w- c:\program files\MSECACHE
2009-08-14 02:23 . 2009-08-14 02:23 -------- d-----w- c:\windows\CheckSur
2009-08-14 01:44 . 2009-08-14 01:44 -------- d-----w- c:\windows\system32\EventProviders
2009-07-29 22:15 . 2007-04-23 02:11 237568 ----a-w- c:\windows\system32\xvidvfw.dll
2009-07-29 22:15 . 2007-04-23 02:11 1216512 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 22:15 . 2007-04-23 02:10 237568 ----a-w- c:\windows\system32\OggDS.dll
2009-07-29 22:15 . 2007-04-23 02:09 921600 ----a-w- c:\windows\system32\vorbisenc.dll
2009-07-29 22:15 . 2007-04-23 02:09 188416 ----a-w- c:\windows\system32\vorbis.dll
2009-07-29 22:15 . 2007-04-23 02:09 45056 ----a-w- c:\windows\system32\ogg.dll
2009-07-29 16:22 . 2009-07-29 16:22 -------- d-----w- c:\program files\PowerISO
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 00:47 . 2007-11-21 00:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-18 01:47 . 2007-11-21 00:36 -------- d-----w- c:\program files\Google
2009-08-18 01:31 . 2007-11-21 00:53 -------- d-----w- c:\progra~2\McAfee
2009-08-18 01:22 . 2008-10-06 22:50 -------- d-----w- c:\program files\Metasploit
2009-08-18 00:04 . 2009-06-22 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 14:26 . 2008-05-25 01:24 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-16 01:15 . 2008-05-25 00:03 -------- d-----w- c:\progra~2\F-Secure
2009-08-16 00:56 . 2009-06-26 16:17 1356 ----a-w- c:\users\dan\AppData\Local\d3d9caps.dat
2009-08-15 11:33 . 2008-05-25 01:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:33 . 2008-01-11 01:15 -------- d-----w- c:\program files\Lavasoft
2009-08-15 00:56 . 2008-05-25 01:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 16:55 . 2009-06-28 14:37 -------- d-----w- c:\program files\AlterWind Log Analyzer Lite
2009-08-03 17:36 . 2009-06-22 18:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-22 18:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 17:12 . 2008-01-12 20:32 -------- d-----w- c:\program files\dvdSanta
2009-07-18 17:45 . 2008-07-14 13:42 -------- d-----w- c:\program files\Safari
2009-07-18 17:43 . 2009-07-18 17:42 -------- d-----w- c:\program files\iTunes
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\iPod
2009-07-18 17:42 . 2008-01-22 19:29 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 13:30 . 2009-07-18 13:30 -------- d--h--r- c:\users\dan\AppData\Roaming\SecuROM
2009-07-18 13:24 . 2009-07-18 13:24 -------- d-----w- c:\program files\AMD
2009-07-16 14:36 . 2009-07-12 22:06 -------- d-----w- c:\progra~2\Media Center Programs
2009-07-16 14:21 . 2009-07-12 21:35 -------- d-----w- c:\program files\THQ
2009-07-16 14:03 . 2009-07-16 00:47 -------- d-----w- c:\users\dan\AppData\Roaming\IGN_DLM
2009-07-16 00:47 . 2009-07-16 00:47 -------- d-----w- c:\program files\Download Manager
2009-07-13 15:09 . 2009-06-17 05:04 -------- d-----w- c:\users\dan\AppData\Roaming\NCH Swift Sound
2009-07-13 15:09 . 2008-09-16 16:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-12 20:17 . 2008-09-01 18:45 -------- d-----w- c:\users\dan\AppData\Roaming\CoreFTP
2009-07-12 13:50 . 2007-11-21 00:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 13:19 . 2009-06-29 02:09 -------- d-----w- c:\users\dan\AppData\Roaming\ThumbsPlus
2009-07-12 13:12 . 2009-07-12 00:08 -------- d-----w- c:\program files\Paradox Interactive
2009-07-12 13:08 . 2008-01-12 20:33 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-12 12:45 . 2009-07-11 22:22 -------- d-----w- c:\program files\BattleTanks II
2009-07-11 12:18 . 2009-07-11 12:18 -------- d-----w- c:\program files\Alcohol Soft
2009-07-11 11:59 . 2009-07-11 11:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-08 15:56 . 2008-01-10 19:45 129776 ----a-w- c:\users\dan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-02 13:46 . 2009-07-02 13:43 116841 ----a-w- c:\windows\hpqins00.dat
2009-07-02 05:01 . 2008-10-06 15:42 -------- d-----w- c:\program files\Acunetix
2009-07-01 14:03 . 2007-12-17 09:13 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-29 13:29 . 2008-05-27 05:24 -------- d-----w- c:\users\dan\AppData\Roaming\Alien Skin
2009-06-29 05:27 . 2008-05-27 05:11 -------- d-----w- c:\program files\Alien Skin
2009-06-29 02:26 . 2009-06-29 02:06 -------- d-----w- c:\program files\Thumbs7
2009-06-29 00:25 . 2008-01-12 20:31 -------- d-----w- c:\progra~2\Corel
2009-06-28 23:56 . 2009-06-28 23:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage PS
2009-06-28 22:36 . 2008-01-12 20:28 -------- d-----w- c:\program files\CoffeeCup Software
2009-06-28 16:45 . 2008-09-22 00:23 -------- d-----w- c:\progra~2\BVRP Software
2009-06-27 21:28 . 2009-06-27 21:28 -------- d-----w- c:\users\dan\AppData\Roaming\Anonymizer
2009-06-27 21:27 . 2009-06-27 21:27 -------- d-----w- c:\progra~2\Anonymizer
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-25 21:07 . 2009-06-25 21:07 -------- d-----w- c:\users\dan\AppData\Roaming\COWON
2009-06-25 12:24 . 2009-06-25 11:56 -------- d-----w- c:\users\dan\AppData\Roaming\Winamp
2009-06-25 11:59 . 2009-06-25 11:56 -------- d-----w- c:\program files\Winamp
2009-06-24 17:02 . 2009-06-24 17:02 -------- d-----w- c:\users\dan\AppData\Roaming\Ambient Design
2009-06-24 16:59 . 2009-06-24 16:59 -------- d-----w- c:\program files\ContrastMaster
2009-06-24 16:31 . 2009-06-24 16:31 -------- d-----w- c:\program files\Ambient Design
2009-06-24 16:25 . 2009-06-24 16:25 147123 ----a-w- c:\windows\Curvemeister_3 Uninstaller.exe
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Curvemeister.com
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Common Files\Thraex Software
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\progra~2\Curvemeister.com
2009-06-24 16:20 . 2009-06-24 16:04 -------- d-----w- c:\program files\VirtualDJ
2009-06-24 15:58 . 2009-06-24 15:58 -------- d-----w- c:\program files\FocalBlade
2009-06-24 15:56 . 2009-06-24 15:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage SL
2009-06-24 15:56 . 2009-06-24 15:55 -------- d-----w- c:\program files\Neat Image
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\BWStyler
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\lucasarts
2009-06-24 15:47 . 2009-06-24 15:46 -------- d-----w- c:\program files\JetAudio
2009-06-24 15:46 . 2009-06-24 15:46 -------- d-----w- c:\program files\Common Files\COWON
2009-06-24 15:44 . 2009-06-24 15:44 -------- d-----w- c:\program files\DynamicPhotoHDR4
2009-06-24 15:18 . 2008-01-12 20:31 -------- d-----w- c:\users\dan\AppData\Roaming\Corel
2009-06-24 15:13 . 2009-06-24 15:09 -------- d-----w- c:\program files\Common Files\Corel
2009-06-23 22:05 . 2008-01-11 02:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-23 13:03 . 2008-07-30 20:34 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-23 01:36 . 2009-06-23 01:36 -------- d-----w- c:\progra~2\SiteAdvisor
2009-06-23 00:12 . 2009-06-23 00:12 -------- d-----w- c:\program files\Sophos
2009-06-22 22:12 . 2009-06-22 22:12 -------- d-----w- c:\program files\AVG
2009-06-22 22:11 . 2009-06-22 22:11 -------- d-----w- c:\users\dan\AppData\Roaming\MixMeister Technology
2009-06-22 21:51 . 2008-03-02 21:39 -------- d-----w- c:\progra~2\FLEXnet
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\users\dan\AppData\Roaming\Malwarebytes
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\progra~2\Malwarebytes
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\program files\CCleaner
2009-06-22 00:34 . 2008-02-15 00:46 726008 ----a-w- c:\users\dan\gotomypc_437.exe
2009-06-22 00:33 . 2009-06-22 00:33 726008 ----a-w- c:\users\dan\gotomypc_438.exe
2009-06-15 13:35 . 2008-12-13 19:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2002-07-19 15:50 . 2008-11-08 18:14 153088 ----a-w- c:\program files\UNWISE.EXE
2008-08-31 21:50 . 2008-08-31 21:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-12-13 18:03 . 2007-12-13 18:03 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_22.58.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 22:32 . 2009-08-18 23:59 84998 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-18 23:59 92310 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-10 19:45 . 2009-08-18 23:59 15480 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-658057386-4236903089-2978409280-1000_UserData.bin
+ 2009-08-18 01:28 . 2009-08-18 01:28 23832 c:\windows\System32\DriverStore\FileRepository\avgfwfd6.inf_4ebe219e\avgfwd6x.sys
+ 2006-11-02 13:02 . 2009-08-18 23:56 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-15 15:31 . 2009-08-15 17:07 89584 c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2009-08-18 17:40 . 2009-08-18 18:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009081820090819\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 51200 c:\windows\inf\infpub.dat
+ 2009-08-18 01:17 . 2009-08-18 01:17 4188 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\Data.dat
+ 2009-08-18 01:18 . 2009-08-18 01:18 5710 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\Data.dat
+ 2009-08-18 01:16 . 2009-08-18 01:16 5136 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\Data.dat
+ 2009-08-18 01:15 . 2009-08-18 01:15 5308 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\Data.dat
+ 2009-08-15 20:01 . 2009-08-15 20:01 9960 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY45SEDA\Antivirus-7716_2015-1[1].exe
+ 2008-01-11 15:49 . 2009-08-18 12:11 280800 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-11-21 19:33 . 2009-08-18 23:56 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 143360 c:\windows\inf\infstrng.dat
+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2006-11-02 12:47 . 2009-08-18 18:21 2360256 c:\windows\System32\FNTCACHE.DAT
+ 2007-11-21 19:33 . 2009-08-18 23:56 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-14 00:51 . 2009-08-19 01:11 3914176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:24 . 2009-07-29 21:49 24281536 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-04 133104]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]

c:\users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E3232AEF-C167-4F08-8A16-B00BD8AFB2AA}"= Disabled:UDP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{C41659B7-EC37-4B79-A059-E402EC3E9E38}"= Disabled:TCP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{9C143B76-2322-4217-84A9-3F86C736F653}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4AA8674B-064C-42F8-A06C-F7FBEEE65F3F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{36DE8E08-0889-4C73-8CA6-4B8297AF9CA1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{8C886B8A-81EB-4FA7-9100-131A778F68BE}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{68D43D20-0076-422B-BD68-0930E5CA7D76}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{773F207D-FE52-4DE4-B5AF-09439F098CDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{621AD963-3F30-4BDE-B754-C7544950DF37}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{10318CCA-D295-4189-8BAB-1AA3773E3F5B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{F4E3C692-2E82-4351-B6C5-FA2121168EFF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EB98158D-A683-4651-B5C8-0FE00369E472}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4C66775F-E70C-4848-B6AF-DECDE840DE48}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{225614D5-6401-476D-A5D0-04D56B62EE79}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AB81E238-277A-4EA3-A04B-1D8941A91349}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{2EA5BFF0-AD6E-40ED-B70F-224C9F129F0C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{EBA91A19-A70A-46AD-8D41-9F6D668B0340}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83A9E68C-ADAD-4633-A702-D8BC6A23D08A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{49C82CDD-B2CB-4FD7-9523-12EED1898A36}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4E056627-DD0F-4558-B5D1-5874AF5339ED}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{DAA7058D-62BD-41EA-AADF-B21EBFE7A7D1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7255741A-774A-4B76-B7F8-33468EC02861}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{ED0B4A61-D65D-45B6-A550-1D2135EBFACF}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{FED621F6-CC76-4920-A1F6-43F1B9DAD1AB}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{2EF1E824-9208-4FF9-AD06-8C1CB6C8BFE6}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{DD1E4F58-63AB-4BF2-AF8D-3B5E0EE32004}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{4551BD5B-B4D0-4821-B9A1-3281B29D7970}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{15E55FF1-0B22-4C1D-A5A6-7CCAED44C93C}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{483F4FA5-87CE-4E3C-8007-3A1FE8418427}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CFD5FA4D-B4B0-4EC6-9FE0-EFF8F8FEF3F8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04BE66C7-D214-4F13-9D29-37E1D40916B4}"= UDP:5353:Adobe CSI CS4
"{A142C3D4-229B-4D85-A50C-18C3DE9745F9}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{587DBFB8-38C2-44C9-92B5-61F93FEE8B57}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{A9832A22-A623-4B92-A5CA-D14A6E9557D5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{04C268E5-918E-4BF1-B4B3-ADE911EE39D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{9D7A7805-F54A-4417-B717-8C9AB193E32F}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{DC76F7C5-0D60-418B-9A2E-0871EC60B727}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{8229ED63-3FC4-4FE1-BEA3-D3794EF7ACCF}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{684B30D5-BD03-4B95-A3F5-321E328BA577}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{C7A8E44B-56EC-4D3A-A2F0-DE2A85FD417C}"= UDP:3724:Blizzard Downloader: 3724
"{166B8B0A-1FAC-41EE-878C-8A64BE81113C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1E0F3A6F-9D28-451E-AB15-8BFEB90D79A5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A0440AF-3D11-4008-9652-46EA2BB8920D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{9F0D1727-4310-46B5-98C8-E63237CBD5ED}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{8F6FA1D5-5273-4FBD-8B6B-AB71B02A12C2}c:\\program files\\coreftp\\coreftp.exe"= UDP:c:\program files\coreftp\coreftp.exe:Core FTP App
"UDP Query User{61A5F430-2BDD-4DD3-9F55-DDDF8A051D84}c:\\program files\\coreftp\\coreftp.exe"= TCP:c:\program files\coreftp\coreftp.exe:Core FTP App
"TCP Query User{EE112739-AA5E-4C70-A6DA-E7440ECA3606}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A894B584-0934-43B8-898F-553AE61EBB33}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{0BEED4FD-8F53-4BEC-8251-2AE3EE8D937D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{85023847-1861-4ADB-AA5B-8A119EF2E05F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{781D2C6F-6175-42D8-A167-15EA09FF4D57}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AB31243A-D3B9-435D-B0A4-841B57B738C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{905B8788-8DBA-439E-BDF5-6950E3548205}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{319A4283-84EF-4BAA-A030-9F86908603C8}"= UDP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AE5A2375-6D1B-453A-B058-CAEE0B4AC7F1}"= TCP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AD6C1BFA-2F04-4782-AC7C-663FCF255BA7}"= UDP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{08FB778A-6162-4E77-B095-004F8AAC38C3}"= TCP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{891F684E-0512-45EF-AA8A-F34877D32E75}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{506C3F16-7FB1-4CEC-B253-4C5729F70568}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [8/17/2009 21:28 23832]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\System32\ASTSRV.EXE [12/13/2008 22:47 57344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/24/2008 21:24 809296]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [11/20/2007 20:26 7168]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/17/2009 21:28 297752]
S2 gupdate1c9e1a499df3c80;Google Update Service (gupdate1c9e1a499df3c80);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 00:02 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2007 20:36 29744]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 15:36 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 19:33 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 15:18 23680]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [11/30/2007 14:36 8704]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [3/28/2007 11:51 43008]
S4 WG511TFCS;Netgear WG511T Wireless Domain Login Service;c:\windows\System32\WG511TFCS.exe [3/3/2008 13:36 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=127.0.0.1:7070
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\users\dan\AppData\Roaming\Mozilla\Firefox\Profiles\0t3rflzo.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=TG9RWSJFyeI4l.2udJHZJw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 7070
FF - prefs.js: network.proxy.type - 1

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 1
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks - 127.0.0.1
user_pref(network.proxy.socks_port,7070);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-18 21:16
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(5912)
c:\windows\system32\PDCopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\PSIService.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\dan\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-19 21:30 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 01:30
ComboFix2.txt 2009-08-19 00:12
ComboFix3.txt 2009-08-18 22:31
ComboFix4.txt 2009-08-18 19:19
ComboFix5.txt 2009-08-19 00:56

Pre-Run: 56,689,238,016 bytes free
Post-Run: 56,676,974,592 bytes free

439 --- E O F --- 2009-05-06 08:56

#11 micropirate (Topic Starter)

Posted 18 August 2009 - 09:41 PM

Still getting cliccker.cn redirects

#12 1972vet (Malware Response Team)

Posted 19 August 2009 - 07:55 AM

this virus/malware/rootkit was picked up from a compromised cracked piece of software.

Uh huh...so, you've since removed it right? Your assignment for today is to memorize the text in my first sentence of post #8.

This is getting to be just like peeling an onion.

Open another blank Notepad please...Copy the below text in Bold and paste it into the blank Notepad. Save it as CFScript.txt...Change the "Save as type" to All Files and save it to your desktop. Now drag the text document over to your Combofix.exe

Once again, Combofix runs automatically. Please post back the new log that will be generated and advise how the system behaves for you now. Thanks!
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall



KILLALL::


File::
c:\windows\system32\bincd32.dat
c:\windows\ppp4.dat
c:\windows\ppp3.dat
c:\windows\system32\sysnet.dat
c:\users\dan\AppData\Roaming\SetValue.bat
c:\windows\system32\OggDS.dll
c:\windows\system32\ogg.dll


#13 micropirate (Topic Starter)

Posted 19 August 2009 - 10:50 AM

Here is the latest. Browser still being redirected.


ComboFix 09-08-18.04 - dan 08/19/2009 10:30.10.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1917.1168 [GMT -4:00]
Running from: c:\users\dan\Desktop\ComboFix.exe
Command switches used :: c:\users\dan\Desktop\CFScript.txt
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *disabled* (Outdated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Created a new restore point

FILE ::
"c:\users\dan\AppData\Roaming\SetValue.bat"
"c:\windows\ppp3.dat"
"c:\windows\ppp4.dat"
"c:\windows\system32\bincd32.dat"
"c:\windows\system32\ogg.dll"
"c:\windows\system32\OggDS.dll"
"c:\windows\system32\sysnet.dat"
.
ADS - Windows: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\dan\AppData\Roaming\SetValue.bat
c:\windows\Cursors\aero_link.cur
c:\windows\ppp3.dat
c:\windows\ppp4.dat
c:\windows\system32\bennuar.old
c:\windows\system32\bincd32.dat
c:\windows\system32\ogg.dll
c:\windows\system32\OggDS.dll
c:\windows\system32\sysnet.dat

.
((((((((((((((((((((((((( Files Created from 2009-07-19 to 2009-08-19 )))))))))))))))))))))))))))))))
.

2009-08-19 14:43 . 2009-08-19 14:43 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-19 14:43 . 2009-08-19 14:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-19 00:47 . 2009-08-19 00:47 -------- d-----w- c:\users\dan\AppData\Local\Adobe
2009-08-18 19:05 . 2009-08-18 19:05 -------- d-----w- c:\users\dan\AppData\Local\Apple Computer
2009-08-18 01:28 . 2009-08-18 01:28 23832 ----a-w- c:\windows\system32\drivers\avgfwd6x.sys
2009-08-18 01:28 . 2009-08-18 01:28 -------- d-----w- c:\progra~2\avg8
2009-08-18 01:19 . 2009-08-18 01:19 -------- d-----w- c:\users\dan\AppData\Roaming\AVG8
2009-08-16 13:51 . 2009-08-16 13:51 -------- d-----w- c:\program files\Trend Micro
2009-08-16 12:48 . 2009-08-16 12:48 -------- d-----w- c:\progra~2\Kaspersky Lab Setup Files
2009-08-15 23:07 . 2009-08-15 23:07 -------- d-----w- C:\_OTM
2009-08-15 17:06 . 2009-08-15 17:06 -------- d-----w- c:\windows\Sun
2009-08-15 11:55 . 2009-08-15 11:55 -------- dc-h--w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-15 11:25 . 2009-08-19 14:51 -------- d-----w- c:\users\dan\AppData\Local\temp
2009-08-14 19:59 . 2009-08-14 19:59 -------- d-----w- c:\progra~2\RegCure
2009-08-14 19:50 . 2009-08-14 19:50 3584 ----a-r- c:\users\dan\AppData\Roaming\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-08-14 19:50 . 2009-08-14 19:50 -------- d-----w- c:\program files\Windows Installer Clean Up
2009-08-14 19:49 . 2009-08-14 19:49 -------- d-----w- c:\program files\MSECACHE
2009-08-14 02:23 . 2009-08-14 02:23 -------- d-----w- c:\windows\CheckSur
2009-08-14 01:44 . 2009-08-14 01:44 -------- d-----w- c:\windows\system32\EventProviders
2009-07-29 22:15 . 2007-04-23 02:11 237568 ----a-w- c:\windows\system32\xvidvfw.dll
2009-07-29 22:15 . 2007-04-23 02:11 1216512 ----a-w- c:\windows\system32\xvidcore.dll
2009-07-29 22:15 . 2007-04-23 02:09 921600 ----a-w- c:\windows\system32\vorbisenc.dll
2009-07-29 22:15 . 2007-04-23 02:09 188416 ----a-w- c:\windows\system32\vorbis.dll
2009-07-29 16:22 . 2009-07-29 16:22 -------- d-----w- c:\program files\PowerISO
2009-07-27 02:43 . 2009-07-27 02:43 58908 ----a-w- c:\windows\system32\drivers\scdemu.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-19 00:47 . 2007-11-21 00:45 -------- d-----w- c:\program files\Common Files\Adobe
2009-08-18 01:47 . 2007-11-21 00:36 -------- d-----w- c:\program files\Google
2009-08-18 01:31 . 2007-11-21 00:53 -------- d-----w- c:\progra~2\McAfee
2009-08-18 01:22 . 2008-10-06 22:50 -------- d-----w- c:\program files\Metasploit
2009-08-18 00:04 . 2009-06-22 18:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-08-17 14:26 . 2008-05-25 01:24 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-16 01:15 . 2008-05-25 00:03 -------- d-----w- c:\progra~2\F-Secure
2009-08-16 00:56 . 2009-06-26 16:17 1356 ----a-w- c:\users\dan\AppData\Local\d3d9caps.dat
2009-08-15 11:33 . 2008-05-25 01:13 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-08-15 11:33 . 2008-01-11 01:15 -------- d-----w- c:\program files\Lavasoft
2009-08-15 00:56 . 2008-05-25 01:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-05 16:55 . 2009-06-28 14:37 -------- d-----w- c:\program files\AlterWind Log Analyzer Lite
2009-08-03 17:36 . 2009-06-22 18:23 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 17:36 . 2009-06-22 18:23 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-08-01 17:12 . 2008-01-12 20:32 -------- d-----w- c:\program files\dvdSanta
2009-07-18 17:45 . 2008-07-14 13:42 -------- d-----w- c:\program files\Safari
2009-07-18 17:43 . 2009-07-18 17:42 -------- d-----w- c:\program files\iTunes
2009-07-18 17:42 . 2009-07-18 17:42 -------- d-----w- c:\program files\iPod
2009-07-18 17:42 . 2008-01-22 19:29 -------- d-----w- c:\program files\Common Files\Apple
2009-07-18 13:30 . 2009-07-18 13:30 -------- d--h--r- c:\users\dan\AppData\Roaming\SecuROM
2009-07-18 13:24 . 2009-07-18 13:24 -------- d-----w- c:\program files\AMD
2009-07-16 14:36 . 2009-07-12 22:06 -------- d-----w- c:\progra~2\Media Center Programs
2009-07-16 14:21 . 2009-07-12 21:35 -------- d-----w- c:\program files\THQ
2009-07-16 14:03 . 2009-07-16 00:47 -------- d-----w- c:\users\dan\AppData\Roaming\IGN_DLM
2009-07-16 00:47 . 2009-07-16 00:47 -------- d-----w- c:\program files\Download Manager
2009-07-13 15:09 . 2009-06-17 05:04 -------- d-----w- c:\users\dan\AppData\Roaming\NCH Swift Sound
2009-07-13 15:09 . 2008-09-16 16:30 -------- d-----w- c:\program files\NCH Swift Sound
2009-07-12 20:17 . 2008-09-01 18:45 -------- d-----w- c:\users\dan\AppData\Roaming\CoreFTP
2009-07-12 13:50 . 2007-11-21 00:13 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-07-12 13:19 . 2009-06-29 02:09 -------- d-----w- c:\users\dan\AppData\Roaming\ThumbsPlus
2009-07-12 13:12 . 2009-07-12 00:08 -------- d-----w- c:\program files\Paradox Interactive
2009-07-12 13:08 . 2008-01-12 20:33 2828 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-07-12 12:45 . 2009-07-11 22:22 -------- d-----w- c:\program files\BattleTanks II
2009-07-11 12:18 . 2009-07-11 12:18 -------- d-----w- c:\program files\Alcohol Soft
2009-07-11 11:59 . 2009-07-11 11:59 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-07-08 15:56 . 2008-01-10 19:45 129776 ----a-w- c:\users\dan\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-02 13:46 . 2009-07-02 13:43 116841 ----a-w- c:\windows\hpqins00.dat
2009-07-02 05:01 . 2008-10-06 15:42 -------- d-----w- c:\program files\Acunetix
2009-07-01 14:03 . 2007-12-17 09:13 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-29 13:29 . 2008-05-27 05:24 -------- d-----w- c:\users\dan\AppData\Roaming\Alien Skin
2009-06-29 05:27 . 2008-05-27 05:11 -------- d-----w- c:\program files\Alien Skin
2009-06-29 02:26 . 2009-06-29 02:06 -------- d-----w- c:\program files\Thumbs7
2009-06-29 00:25 . 2008-01-12 20:31 -------- d-----w- c:\progra~2\Corel
2009-06-28 23:56 . 2009-06-28 23:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage PS
2009-06-28 22:36 . 2008-01-12 20:28 -------- d-----w- c:\program files\CoffeeCup Software
2009-06-28 16:45 . 2008-09-22 00:23 -------- d-----w- c:\progra~2\BVRP Software
2009-06-27 21:28 . 2009-06-27 21:28 -------- d-----w- c:\users\dan\AppData\Roaming\Anonymizer
2009-06-27 21:27 . 2009-06-27 21:27 -------- d-----w- c:\progra~2\Anonymizer
2009-06-26 16:09 . 2009-06-26 16:09 -------- d-----w- c:\program files\Microsoft Silverlight
2009-06-25 21:07 . 2009-06-25 21:07 -------- d-----w- c:\users\dan\AppData\Roaming\COWON
2009-06-25 12:24 . 2009-06-25 11:56 -------- d-----w- c:\users\dan\AppData\Roaming\Winamp
2009-06-25 11:59 . 2009-06-25 11:56 -------- d-----w- c:\program files\Winamp
2009-06-24 17:02 . 2009-06-24 17:02 -------- d-----w- c:\users\dan\AppData\Roaming\Ambient Design
2009-06-24 16:59 . 2009-06-24 16:59 -------- d-----w- c:\program files\ContrastMaster
2009-06-24 16:31 . 2009-06-24 16:31 -------- d-----w- c:\program files\Ambient Design
2009-06-24 16:25 . 2009-06-24 16:25 147123 ----a-w- c:\windows\Curvemeister_3 Uninstaller.exe
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Curvemeister.com
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\program files\Common Files\Thraex Software
2009-06-24 16:25 . 2009-06-24 16:25 -------- d-----w- c:\progra~2\Curvemeister.com
2009-06-24 16:20 . 2009-06-24 16:04 -------- d-----w- c:\program files\VirtualDJ
2009-06-24 15:58 . 2009-06-24 15:58 -------- d-----w- c:\program files\FocalBlade
2009-06-24 15:56 . 2009-06-24 15:56 -------- d-----w- c:\users\dan\AppData\Roaming\NeatImage SL
2009-06-24 15:56 . 2009-06-24 15:55 -------- d-----w- c:\program files\Neat Image
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\BWStyler
2009-06-24 15:51 . 2009-06-24 15:51 -------- d-----w- c:\program files\lucasarts
2009-06-24 15:47 . 2009-06-24 15:46 -------- d-----w- c:\program files\JetAudio
2009-06-24 15:46 . 2009-06-24 15:46 -------- d-----w- c:\program files\Common Files\COWON
2009-06-24 15:44 . 2009-06-24 15:44 -------- d-----w- c:\program files\DynamicPhotoHDR4
2009-06-24 15:18 . 2008-01-12 20:31 -------- d-----w- c:\users\dan\AppData\Roaming\Corel
2009-06-24 15:13 . 2009-06-24 15:09 -------- d-----w- c:\program files\Common Files\Corel
2009-06-23 22:05 . 2008-01-11 02:28 -------- d-----w- c:\program files\Mozilla Thunderbird
2009-06-23 13:03 . 2008-07-30 20:34 -------- d-----w- c:\program files\Essentials Codec Pack
2009-06-23 01:36 . 2009-06-23 01:36 -------- d-----w- c:\progra~2\SiteAdvisor
2009-06-23 00:12 . 2009-06-23 00:12 -------- d-----w- c:\program files\Sophos
2009-06-22 22:12 . 2009-06-22 22:12 -------- d-----w- c:\program files\AVG
2009-06-22 22:11 . 2009-06-22 22:11 -------- d-----w- c:\users\dan\AppData\Roaming\MixMeister Technology
2009-06-22 21:51 . 2008-03-02 21:39 -------- d-----w- c:\progra~2\FLEXnet
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\users\dan\AppData\Roaming\Malwarebytes
2009-06-22 18:23 . 2009-06-22 18:23 -------- d-----w- c:\progra~2\Malwarebytes
2009-06-22 18:10 . 2009-06-22 18:10 -------- d-----w- c:\program files\CCleaner
2009-06-22 00:34 . 2008-02-15 00:46 726008 ----a-w- c:\users\dan\gotomypc_437.exe
2009-06-22 00:33 . 2009-06-22 00:33 726008 ----a-w- c:\users\dan\gotomypc_438.exe
2009-06-15 13:35 . 2008-12-13 19:47 410984 ----a-w- c:\windows\system32\deploytk.dll
2002-07-19 15:50 . 2008-11-08 18:14 153088 ----a-w- c:\program files\UNWISE.EXE
2008-08-31 21:50 . 2008-08-31 21:50 122880 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
2007-12-13 18:03 . 2007-12-13 18:03 5 --sh--r- c:\windows\System32\drivers\taishop.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-08-14_22.58.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-20 22:32 . 2009-08-19 01:17 85146 c:\windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2006-11-02 13:05 . 2009-08-19 01:17 92310 c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-01-10 19:45 . 2009-08-19 01:17 15480 c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-658057386-4236903089-2978409280-1000_UserData.bin
+ 2009-08-18 01:28 . 2009-08-18 01:28 23832 c:\windows\System32\DriverStore\FileRepository\avgfwfd6.inf_4ebe219e\avgfwd6x.sys
+ 2006-11-02 13:02 . 2009-08-19 01:14 98304 c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-15 15:31 . 2009-08-15 17:07 89584 c:\windows\System32\config\systemprofile\AppData\Roaming\Adobe\Acrobat\8.0\UserCache.bin
+ 2009-08-18 17:40 . 2009-08-18 18:02 32768 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012009081820090819\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 32768 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-06-22 16:44 . 2009-08-17 20:02 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-06-22 16:44 . 2009-06-22 18:03 16384 c:\windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\History\History.IE5\index.dat
+ 2009-08-17 14:56 . 2009-08-17 14:33 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Temp\Cookies\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 32768 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-01-16 21:18 . 2009-08-17 20:32 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-01-16 21:18 . 2009-06-22 18:02 16384 c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 86016 c:\windows\inf\infstor.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 86016 c:\windows\inf\infstor.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 51200 c:\windows\inf\infpub.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 51200 c:\windows\inf\infpub.dat
+ 2009-08-18 01:17 . 2009-08-18 01:17 4188 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\6C5E12FAC78F9E62150F5FA2B9196F5BFFCD2EAC\Data.dat
+ 2009-08-18 01:18 . 2009-08-18 01:18 5710 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\47A37E21F1E25EB35EF19A1DCF3D159E9D4EC8FE\Data.dat
+ 2009-08-18 01:16 . 2009-08-18 01:16 5136 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\346BD470C5775F019E9B2B6DD8D1E96D4550AFFD\Data.dat
+ 2009-08-18 01:15 . 2009-08-18 01:15 5308 c:\windows\System32\config\systemprofile\AppData\Roaming\SACore\Cache\DA39A3EE5E6B4B0D3255BFEF95601890AFD80709\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\23FF39261D8DC8DEF67053C1D676C84737A9CF8A\Data.dat
+ 2009-08-15 20:01 . 2009-08-15 20:01 9960 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZY45SEDA\Antivirus-7716_2015-1[1].exe
+ 2008-01-11 15:49 . 2009-08-19 11:03 281512 c:\windows\System32\WDI\SuspendPerformanceDiagnostics_SystemData_S3.bin
+ 2007-11-21 19:33 . 2009-08-19 01:14 147456 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2006-11-02 10:25 . 2009-07-18 13:24 143360 c:\windows\inf\infstrng.dat
+ 2006-11-02 10:25 . 2009-08-18 01:28 143360 c:\windows\inf\infstrng.dat
+ 2009-07-10 14:39 . 2009-07-10 14:39 406640 c:\windows\Downloaded Program Files\fslauncher.dll
+ 2006-11-02 12:47 . 2009-08-18 18:21 2360256 c:\windows\System32\FNTCACHE.DAT
+ 2007-11-21 19:33 . 2009-08-19 01:14 1818624 c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-08-14 00:51 . 2009-08-19 14:46 3914176 c:\windows\ServiceProfiles\LocalService\AppData\Local\FontCache3.0.0.0.dat
+ 2006-11-02 10:24 . 2009-07-29 21:49 24281536 c:\windows\System32\mrt.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Google Update"="c:\users\dan\AppData\Local\Google\Update\GoogleUpdate.exe" [2008-11-04 133104]
"eFax 4.4"="c:\program files\eFax Messenger 4.4\J2GDllCmd.exe" [2008-10-07 95744]
"igndlm.exe"="c:\program files\Download Manager\DLM.exe" [2009-05-15 1103216]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="c:\program files\Synaptics\SynTP\SynTPStart.exe" [2007-08-15 102400]
"TPwrMain"="c:\program files\TOSHIBA\Power Saver\TPwrMain.EXE" [2007-03-29 411192]
"HSON"="c:\program files\TOSHIBA\TBS\HSON.exe" [2006-12-08 55416]
"SmoothView"="c:\program files\Toshiba\SmoothView\SmoothView.exe" [2007-06-16 448080]
"00TCrdMain"="c:\program files\TOSHIBA\FlashCards\TCrdMain.exe" [2007-05-23 538744]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-08-14 1348904]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2007-10-15 49152]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-06-02 80896]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-07-13 292128]
"RtHDVCpl"="RtHDVCpl.exe" - c:\windows\RtHDVCpl.exe [2007-08-10 4702208]
"NDSTray.exe"="NDSTray.exe" [BU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="c:\program files\Picasa2\PicasaMediaDetector.exe" [2008-02-26 443968]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2008-05-23 160592]

c:\users\dan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]

c:\users\dan\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\
eFax 4.4.lnk - c:\program files\eFax Messenger 4.4\J2GTray.exe [2008-10-7 656896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll c:\progra~1\Google\GOOGLE~1\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"="0x00000000"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{E3232AEF-C167-4F08-8A16-B00BD8AFB2AA}"= Disabled:UDP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{C41659B7-EC37-4B79-A059-E402EC3E9E38}"= Disabled:TCP:d:\setup\HPZNUI01.EXE:hpznui01.exe
"{9C143B76-2322-4217-84A9-3F86C736F653}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4AA8674B-064C-42F8-A06C-F7FBEEE65F3F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{36DE8E08-0889-4C73-8CA6-4B8297AF9CA1}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{8C886B8A-81EB-4FA7-9100-131A778F68BE}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{68D43D20-0076-422B-BD68-0930E5CA7D76}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{773F207D-FE52-4DE4-B5AF-09439F098CDA}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{621AD963-3F30-4BDE-B754-C7544950DF37}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{10318CCA-D295-4189-8BAB-1AA3773E3F5B}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{F4E3C692-2E82-4351-B6C5-FA2121168EFF}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{EB98158D-A683-4651-B5C8-0FE00369E472}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{4C66775F-E70C-4848-B6AF-DECDE840DE48}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{225614D5-6401-476D-A5D0-04D56B62EE79}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AB81E238-277A-4EA3-A04B-1D8941A91349}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{2EA5BFF0-AD6E-40ED-B70F-224C9F129F0C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{EBA91A19-A70A-46AD-8D41-9F6D668B0340}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{83A9E68C-ADAD-4633-A702-D8BC6A23D08A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpiscnapp.exe:hpiscnapp.exe
"{49C82CDD-B2CB-4FD7-9523-12EED1898A36}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4E056627-DD0F-4558-B5D1-5874AF5339ED}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{DAA7058D-62BD-41EA-AADF-B21EBFE7A7D1}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{7255741A-774A-4B76-B7F8-33468EC02861}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"TCP Query User{ED0B4A61-D65D-45B6-A550-1D2135EBFACF}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{FED621F6-CC76-4920-A1F6-43F1B9DAD1AB}c:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:c:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{2EF1E824-9208-4FF9-AD06-8C1CB6C8BFE6}c:\\windows\\system32\\ftp.exe"= UDP:c:\windows\system32\ftp.exe:File Transfer Program
"UDP Query User{DD1E4F58-63AB-4BF2-AF8D-3B5E0EE32004}c:\\windows\\system32\\ftp.exe"= TCP:c:\windows\system32\ftp.exe:File Transfer Program
"{4551BD5B-B4D0-4821-B9A1-3281B29D7970}"= UDP:c:\program files\Curse\CurseClient.exe:Curse Client
"{15E55FF1-0B22-4C1D-A5A6-7CCAED44C93C}"= TCP:c:\program files\Curse\CurseClient.exe:Curse Client
"TCP Query User{483F4FA5-87CE-4E3C-8007-3A1FE8418427}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{CFD5FA4D-B4B0-4EC6-9FE0-EFF8F8FEF3F8}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{04BE66C7-D214-4F13-9D29-37E1D40916B4}"= UDP:5353:Adobe CSI CS4
"{A142C3D4-229B-4D85-A50C-18C3DE9745F9}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{587DBFB8-38C2-44C9-92B5-61F93FEE8B57}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{A9832A22-A623-4B92-A5CA-D14A6E9557D5}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{04C268E5-918E-4BF1-B4B3-ADE911EE39D0}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{9D7A7805-F54A-4417-B717-8C9AB193E32F}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= UDP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"UDP Query User{DC76F7C5-0D60-418B-9A2E-0871EC60B727}c:\\users\\public\\games\\world of warcraft\\launcher.exe"= TCP:c:\users\public\games\world of warcraft\launcher.exe:Blizzard Launcher
"{8229ED63-3FC4-4FE1-BEA3-D3794EF7ACCF}"= UDP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{684B30D5-BD03-4B95-A3F5-321E328BA577}"= TCP:c:\users\Public\Documents\Blizzard Entertainment\World of Warcraft\WoW-3.0.9.9551-to-3.1.0.9767-enUS-downloader.exe:Blizzard Downloader
"{C7A8E44B-56EC-4D3A-A2F0-DE2A85FD417C}"= UDP:3724:Blizzard Downloader: 3724
"{166B8B0A-1FAC-41EE-878C-8A64BE81113C}"= UDP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{1E0F3A6F-9D28-451E-AB15-8BFEB90D79A5}"= TCP:c:\program files\Common Files\AOL\Loader\aolload.exe:AOL Loader
"{3A0440AF-3D11-4008-9652-46EA2BB8920D}"= UDP:c:\program files\AIM6\aim6.exe:AIM
"{9F0D1727-4310-46B5-98C8-E63237CBD5ED}"= TCP:c:\program files\AIM6\aim6.exe:AIM
"TCP Query User{8F6FA1D5-5273-4FBD-8B6B-AB71B02A12C2}c:\\program files\\coreftp\\coreftp.exe"= UDP:c:\program files\coreftp\coreftp.exe:Core FTP App
"UDP Query User{61A5F430-2BDD-4DD3-9F55-DDDF8A051D84}c:\\program files\\coreftp\\coreftp.exe"= TCP:c:\program files\coreftp\coreftp.exe:Core FTP App
"TCP Query User{EE112739-AA5E-4C70-A6DA-E7440ECA3606}c:\\program files\\java\\jre6\\bin\\java.exe"= UDP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"UDP Query User{A894B584-0934-43B8-898F-553AE61EBB33}c:\\program files\\java\\jre6\\bin\\java.exe"= TCP:c:\program files\java\jre6\bin\java.exe:Java™ Platform SE binary
"{0BEED4FD-8F53-4BEC-8251-2AE3EE8D937D}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{85023847-1861-4ADB-AA5B-8A119EF2E05F}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{781D2C6F-6175-42D8-A167-15EA09FF4D57}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{AB31243A-D3B9-435D-B0A4-841B57B738C1}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{905B8788-8DBA-439E-BDF5-6950E3548205}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{319A4283-84EF-4BAA-A030-9F86908603C8}"= UDP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AE5A2375-6D1B-453A-B058-CAEE0B4AC7F1}"= TCP:c:\program files\THQ\Company of Heroes\RelicCOH.exe:Company of Heroes
"{AD6C1BFA-2F04-4782-AC7C-663FCF255BA7}"= UDP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{08FB778A-6162-4E77-B095-004F8AAC38C3}"= TCP:c:\program files\THQ\Company of Heroes\RelicDownloader\RelicDownloader.exe:Relic Downloader
"{891F684E-0512-45EF-AA8A-F34877D32E75}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{506C3F16-7FB1-4CEC-B253-4C5729F70568}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"= c:\toshiba\ivp\NetInt\Netint.exe:*:Enabled:NIE - Toshiba Software Upgrades Engine
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\toshiba\Ivp\ISM\pinger.exe:*:Enabled:Toshiba Software Upgrades Pinger

R1 Avgfwfd;AVG network filter service;c:\windows\System32\drivers\avgfwd6x.sys [8/17/2009 21:28 23832]
R2 ASTSRV;Nalpeiron Licensing Service;c:\windows\System32\ASTSRV.EXE [12/13/2008 22:47 57344]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [5/24/2008 21:24 809296]
R3 FwLnk;FwLnk Driver;c:\windows\System32\drivers\FwLnk.sys [11/20/2007 20:26 7168]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [8/17/2009 21:28 297752]
S2 gupdate1c9e1a499df3c80;Google Update Service (gupdate1c9e1a499df3c80);c:\program files\Google\Update\GoogleUpdate.exe [5/31/2009 00:02 133104]
S3 GoogleDesktopManager-061008-081103;Google Desktop Manager 5.7.806.10245;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [11/20/2007 20:36 29744]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\System32\drivers\motccgp.sys [11/2/2007 15:36 18176]
S3 motccgpfl;MotCcgpFlService;c:\windows\System32\drivers\motccgpfl.sys [1/22/2007 19:33 7680]
S3 motport;Motorola USB Diagnostic Port;c:\windows\System32\drivers\motport.sys [6/18/2007 15:18 23680]
S3 SVRPEDRV;SVRPEDRV;c:\windows\System32\sysprep\PEDRV.SYS [11/30/2007 14:36 8704]
S3 winbondcir;Winbond IR Transceiver;c:\windows\System32\drivers\winbondcir.sys [3/28/2007 11:51 43008]
S4 WG511TFCS;Netgear WG511T Wireless Domain Login Service;c:\windows\System32\WG511TFCS.exe [3/3/2008 13:36 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = socks=127.0.0.1:7070
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Name-Space Handler: ftp\* - {419A0123-4312-1122-A0C0-434FDA6DA542} - c:\program files\CoreFTP\pftpns.dll
FF - ProfilePath - c:\users\dan\AppData\Roaming\Mozilla\Firefox\Profiles\0t3rflzo.default\
FF - prefs.js: browser.search.selectedEngine - MyWebSearch
FF - prefs.js: keyword.URL - hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZJman000&fl=0&ptb=TG9RWSJFyeI4l.2udJHZJw&url=http://search.mywebsearch.com/mywebsearch/dft_redir.jhtml&st=kwd&searchfor=
FF - prefs.js: network.proxy.socks - 127.0.0.1
FF - prefs.js: network.proxy.socks_port - 7070
FF - prefs.js: network.proxy.type - 1

---- FIREFOX POLICIES ----
FF - user.js: network.proxy.type - 1
FF - user.js: network.proxy.http -
FF - user.js: network.proxy.http_port - 0
FF - user.js: network.proxy.ssl -
FF - user.js: network.proxy.ssl_port - 0
FF - user.js: network.proxy.ftp -
FF - user.js: network.proxy.ftp_port - 0
FF - user.js: network.proxy.gopher -
FF - user.js: network.proxy.gopher_port - 0
FF - user.js: network.proxy.socks_version - 5
FF - user.js: network.proxy.socks - 127.0.0.1
user_pref(network.proxy.socks_port,7070);
FF - user.js: network.proxy.no_proxies_on -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-19 10:51
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'Explorer.exe'(3424)
c:\windows\system32\PDCopyHook.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Toshiba\ConfigFree\CFSvcs.exe
c:\program files\Nero\Nero8\Nero BackItUp\NBService.exe
c:\windows\System32\PSIService.exe
c:\program files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe
c:\windows\System32\TODDSrv.exe
c:\program files\Toshiba\Power Saver\TosCoSrv.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Toshiba\ConfigFree\NDSTray.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Synaptics\SynTP\SynToshiba.exe
c:\users\dan\AppData\Local\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\Toshiba\ConfigFree\CFSwMgr.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\servicing\TrustedInstaller.exe
.
**************************************************************************
.
Completion time: 2009-08-19 11:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-19 15:05
ComboFix2.txt 2009-08-19 01:30
ComboFix3.txt 2009-08-19 00:12
ComboFix4.txt 2009-08-18 22:31
ComboFix5.txt 2009-08-19 14:28

Pre-Run: 56,606,547,968 bytes free
Post-Run: 56,652,210,176 bytes free

409 --- E O F --- 2009-05-06 08:56

#14 1972vet

1972vet

  • Malware Response Team
  • 1,698 posts
  • Gender:Male
  • Location:Midwest U.S.A.
  • Local time:06:44 PM

Posted 19 August 2009 - 05:45 PM

You were instructed to remove "MyWeb Search"...why is it still present? Which browser is being re-directed? Both?

Let's see an uninstall list:
Open HijackThis. Click-->Open the Misc Tools section-->Open Uninstall Manager-->Save list...and save the list to your Desktop, then close HijackThis.

A notepad file will open. Copy and paste the content of that text file back here on your next reply. Thanks!

Disabled Veteran, U.S.C.G. 1972 - 1978
2009 - 2013

Member: U.N.I.T.E.
Performance and Maintenance for Windows XP, Windows Vista and Windows Seven


#15 micropirate

micropirate
  • Topic Starter

  • Members
  • 14 posts
  • Local time:07:44 PM

Posted 19 August 2009 - 07:04 PM

Oh great sir. I indicated in a previous post that I was not able to find MyWebSearch and remove it. It was not in the programs section of the control panel (for removal), nor was it listed in Windows Install Cleanup.

I shall follow your instructions as issued.



