
infected with various Generic.trojans and possible rootkit


24 replies to this topic

#1 eyedoctodd

eyedoctodd

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 16 September 2010 - 10:43 AM

(I moved this here from the Am I infected forum after reading the proper procedures. I will try to delete that post so I am not double-posting.)

Hello all,

Last Friday I clicked on something I apparently shouldn't have and all hell broke loose within 1 minute. Lots of fake spyware notices, 'click here to clean', wouldn't let me run taskmgr or my AVG Free 9. Spybot S&D going crazy...

Googled these symptoms and found this thread in this board:
http://www.bleepingcomputer.com/forums/lof...hp/t275495.html

Managed to place rkill and mbam on the infected computer via remote admin file transfer from a clean PC.

Followed the steps with Rkill to gain control of my desktop, downloaded, updated and ran MBAM, found lots-o-baddies and removed.
In the reboots required, at least at one point I could not boot other than into safe mode and was ready to format and reinstall windows.
Managed to run ATF and SAS (after updating as applicable and using the settings in the thread mentioned above).

SAS found something like 3 trojans, and 500+ tracking cookies.

Removed/quarantined all those and things seem a lot better.
Browsers were not loading any page, I took out the altered proxy settings and they seem OK.

I have everything except AVG and Spybot S&D disabled from the startup process via MSconfig.

Browsers are working again but loading up spam tabs.
I have run MBAM and AVG several times and sometimes they come up clean but most times they come up with a couple of items in the localsettings folder.

Not sure if I'm getting reinfected or just not cleaning the infection out completely. Minutes ago, Spybot S&D intercepted something trying to insert itself into the startup routine and every time I denied it access, it immediately tried again. I clicked "remember decision" and my screen was filling up with the standard SBS&D boxes stating "user decision". Since MBAM was asking for a reboot at the time, I rebooted it.

I have not run SAS more than the one time because it literally took 27 hours to scan the first time.
I have disabled the wireless connection so it is no longer internet-connected.
I don't do any banking or very private stuff on this computer but I would like to be able to check facebook without worrying about my password being stolen.
(I have changed my fbook password). I have avoided going to any site that I would need a password for, so it cannot be intercepted.

I am concerned about a rootkit, but the first few rootkit scanners I tried found none. However, they were older (like 2007). When I ran GMER, it did indicate rootkit activity (log attached).

In reading some other posts it sounds like I will (with your expert guidance) be running OTL and posting logs and running scripts to clean this up for good.

Please help me, I'm all yours!!

Many thanks in advance,

Todd

EDIT: the trojans have various names, there is not just one name that reappears. Also at one point when both MBAM and AVG were scanning, the resident shield alert from AVG came on and listed a threat, and the process it pointed to was MBAM. I think that just means that MBAM "handled" the threat by scanning it but thought I should mention that on the off chance that MBAM has become infected. I did re-download and reinstall MBAM with a fresh copy and it did that even after reinstalling but has not been doing that for the past day or so.

This post has been edited by eyedoctodd: Yesterday, 06:02 PM

------------------------------------------------------------------------------------------------------------------------------------
DDS Log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Todd Bainbridge at 0:07:33.01 on Thu 09/16/2010
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2560.1865 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\Program Files\PCNetSoftware\RAC Server\RACs.exe
C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe
C:\WINDOWS\System32\rserver30\RServer3.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\rserver30\FamItrfc.Exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe
C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.4\MoeMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
D:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg9\toolbar\IEToolbar.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MoeMonitor.exe] "c:\documents and settings\todd bainbridge\local settings\application data\microsoft\live mesh\bin\servicing\0.9.4014.4\MoeMonitor.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
uPolicies-explorer: NoWindowsUpdate = 0 (0x0)
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-explorer: NoWindowsUpdate = 0 (0x0)
mPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1231686935484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: {95BF9F02-A9D7-4F82-9975-1719A98A75A8} = 4.2.2.2,4.2.2.3
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: RACServerLogon - RACServerLogon2.dll
Notify: wlcrdplauncher - c:\program files\live mesh\remote desktop\wlcrdplauncher.dll
AppInit_DLLs: acaptuser32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\progra~1\qualcomm\eudora\EuShlExt.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\toddba~1\applic~1\mozilla\firefox\profiles\kz82yjvs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\documents and settings\todd bainbridge\application data\mozilla\firefox\profiles\kz82yjvs.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\winnt_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\todd bainbridge\application data\mozilla\firefox\profiles\kz82yjvs.default\extensions\{d1f30069-9e00-468c-8cb6-3fb6c4ece8c6}\components\GSearch.dll
FF - plugin: c:\documents and settings\todd bainbridge\application data\mozilla\firefox\profiles\kz82yjvs.default\extensions\logmeinclient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2007-6-3 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-11-14 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-11-14 29584]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-11-14 243024]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2007-2-2 41176]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-15 308136]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-11-15 54752]
R2 PCNetSoftware RAC Server;PCNetSoftware RAC Server;c:\program files\pcnetsoftware\rac server\RACs.exe [2009-3-23 3186688]
R2 RACDriver;RAC driver;c:\program files\pcnetsoftware\rac server\RACDriver.sys [2009-3-23 8208]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2007-2-2 1235032]
R2 StarWindServiceAE;StarWind AE Service;c:\program files\alcohol soft\alcohol 120\starwind\StarWindServiceAE.exe [2007-5-28 275968]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\live mesh\remote desktop\wlcrasvc.exe [2009-5-28 44880]
R3 mirrorv3;mirrorv3;c:\windows\system32\drivers\rminiv3.sys [2006-11-1 3328]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [2009-5-28 9040]
S0 cpnlbc;cpnlbc;c:\windows\system32\drivers\uckihb.sys --> c:\windows\system32\drivers\uckihb.sys [?]
S1 jaadgwiq;jaadgwiq;\??\c:\windows\system32\drivers\jaadgwiq.sys --> c:\windows\system32\drivers\jaadgwiq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-11 135664]
S2 ohciusb;Open Host Controller Miniport USB Driver;\??\c:\windows\system32\drivers\ohciusb.sys --> c:\windows\system32\drivers\ohciusb.sys [?]
S2 ohdusb;Open Host Controller Miniport USB Driver (rev.d);\??\c:\windows\system32\drivers\ohdusb.sys --> c:\windows\system32\drivers\ohdusb.sys [?]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [2009-5-28 19392]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]

=============== Created Last 30 ================

2010-09-16 04:02:15 20 ----a-w- c:\documents and settings\todd bainbridge\defogger_reenable
2010-09-15 20:36:44 0 d-----w- c:\docume~1\toddba~1\applic~1\Tyfoyv
2010-09-15 20:36:44 0 d-----w- c:\docume~1\toddba~1\applic~1\Bysuo
2010-09-13 17:19:58 0 d-----w- c:\docume~1\toddba~1\applic~1\SUPERAntiSpyware.com
2010-09-13 17:19:58 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-09-13 17:19:44 0 d-----w- c:\program files\SUPERAntiSpyware
2010-09-13 14:55:10 112 ----a-w- c:\docume~1\alluse~1\applic~1\j23CxofN.dat
2010-09-13 13:50:43 9333808 ----a-w- C:\SUPERAntiSpyware.exe
2010-09-13 13:50:16 50688 ----a-w- C:\ATF-Cleaner.exe
2010-09-13 13:41:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 13:41:38 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 13:41:38 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 13:27:44 6153352 ----a-w- C:\zztoy.exe
2010-09-13 13:27:44 6153352 ----a-w- C:\mbam-setup-1.46(2).exe
2010-09-11 00:57:01 334720 ----a-w- C:\RootkitRevealer.exe
2010-09-11 00:51:28 95744 ----a-w- C:\rku37300509.exe
2010-09-11 00:38:01 0 d-----w- c:\program files\Trend Micro
2010-09-10 18:34:46 0 d-----w- c:\docume~1\toddba~1\applic~1\Malwarebytes
2010-09-10 18:16:33 0 d-----w- c:\windows\system32\MpEngineStore
2010-09-10 18:05:27 7302 ----a-w- c:\windows\system32\rrt_vf.wav
2010-09-10 18:05:27 7148 ----a-w- c:\windows\system32\rrt_tv.wav
2010-09-10 18:05:27 6282 ----a-w- c:\windows\system32\rrt_tn.wav
2010-09-10 18:05:27 16244 ----a-w- c:\windows\system32\rrt_is.wav
2010-09-10 14:59:45 72268 ----a-w- C:\procexp.chm
2010-09-10 14:59:45 3887480 ----a-w- C:\procexp.exe
2010-09-10 14:56:48 1402880 ----a-w- C:\HiJackThis.msi
2010-09-10 14:55:51 4857856 ----a-w- C:\RRT.exe
2010-09-10 14:54:16 1729668 ----a-w- C:\ProcessExplorer.zip
2010-09-10 14:46:42 12049864 ----a-w- C:\windows-kb890830-v3.10.exe
2010-09-10 14:37:37 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-09-10 14:25:44 6153352 ----a-w- C:\mbam-setup-1.46.exe
2010-09-10 01:13:33 0 d-----w- c:\program files\ScreensCorner
2010-09-10 01:13:16 5 ----a-w- C:\zrpt.xml
2010-09-10 01:10:17 0 d-----w- c:\docume~1\toddba~1\applic~1\F832026839C24D90DCA66DDA23328DF5
2010-09-07 02:51:18 0 d-----w- c:\documents and settings\todd bainbridge\Calibre Library
2010-09-07 02:51:07 0 d-----w- c:\docume~1\toddba~1\applic~1\calibre
2010-09-07 01:48:43 0 d-----w- c:\program files\Calibre2
2010-09-06 21:51:03 0 d-----w- c:\program files\iPod
2010-09-06 21:50:57 0 d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-06 21:14:43 0 d-----w- c:\program files\Bonjour

==================== Find3M ====================

2010-09-15 20:36:12 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-27 22:44:10 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44:10 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 22:44:10 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-15 13:33:02 12536 ----a-w- c:\windows\system32\avgrsstx.dll

============= FINISH: 0:08:59.00 ===============
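
As an added example (not code from the thread, from DDS, or from BleepingComputer), here is a small Python triage pass over the kind of lines the DDS log above contains. It surfaces the items a helper looks at first in a log like this one: a proxy that points back at 127.0.0.1 (which is why the browsers would not load any page until the proxy settings were removed), a start page reset to about:blank, an AppInit_DLLs entry, and driver services whose file DDS could not verify, ranking boot- and system-start drivers highest because they load before any antivirus filter driver. The sample lines are constructed, modelled on the log in this post; treating a trailing `[?]` or `[x]` (rather than `[date size]`) as "file could not be verified" is an assumption about the DDS output format, based only on the lines shown here.

```python
"""Triage helper for DDS-style log lines (added example, not DDS's own code).

Assumption: DDS ends a driver/service line with "[YYYY-M-D size]" only when it
could read the file; "[?]" or "[x]" is treated here as "could not be verified".
"""
import re

# Constructed sample, modelled on the "Pseudo HJT Report" and
# "SERVICES / DRIVERS" sections of the DDS log posted in this thread.
SAMPLE_LOG = """\
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
AppInit_DLLs: acaptuser32.dll
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\\windows\\system32\\drivers\\avgldx86.sys [2009-11-14 216400]
S0 cpnlbc;cpnlbc;c:\\windows\\system32\\drivers\\uckihb.sys --> c:\\windows\\system32\\drivers\\uckihb.sys [?]
S1 jaadgwiq;jaadgwiq;\\??\\c:\\windows\\system32\\drivers\\jaadgwiq.sys --> c:\\windows\\system32\\drivers\\jaadgwiq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\\program files\\google\\update\\GoogleUpdate.exe [2010-2-11 135664]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
"""

# "ProxyServer = http=127.0.0.1:6092": optional scheme prefix, then host[:port].
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:[a-z]+=)?([A-Za-z0-9.\-]+)(?::(\d+))?", re.I)
# "R1 name;display name;path [date size]" -> state letter, start type, name, display, rest.
DRIVER_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*)$")
# Assumed DDS convention: "[YYYY-M-D size]" appears only for a file it could read.
VERIFIED_RE = re.compile(r"\[\d{4}-\d{1,2}-\d{1,2} \d+\]\s*$")


def is_loopback(host):
    """True when the proxy host is the machine itself (a local process, not a real proxy)."""
    return host.lower() == "localhost" or host.startswith("127.")


def triage(text):
    """Return (rule, severity, detail) tuples for the indicators found in a DDS-style log."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        low = line.lower()

        # Start page reset to about:blank: common after a fake-AV hijack, but
        # also a legitimate user choice, so it is only informational.
        if low.startswith(("ustart page", "mstart page")):
            parts = line.split("=", 1)
            if len(parts) == 2 and parts[1].strip().lower() == "about:blank":
                findings.append(("start_page_blank", "info", line))
            continue

        # A proxy on 127.0.0.1 means every browser request is routed through
        # some process on this PC; legitimate only if the user configured it.
        m = PROXY_RE.search(line)
        if m:
            host, port = m.group(1), m.group(2)
            if is_loopback(host):
                findings.append(("loopback_proxy", "high", f"{host}:{port}" if port else host))
            continue

        # AppInit_DLLs loads the named DLL into every process that uses user32;
        # legitimate software uses it too, so this is a review item, not a verdict.
        if low.startswith("appinit_dlls:"):
            value = line.split(":", 1)[1].strip()
            if value:
                findings.append(("appinit_dll", "review", value))
            continue

        # Driver/service entries: a file DDS could not verify deserves a look, and
        # a boot- or system-start driver (start type 0/1) loads before any
        # antivirus filter driver, so those rank higher.
        m = DRIVER_RE.match(line)
        if m:
            _state, start, name, _display, tail = m.groups()
            if not VERIFIED_RE.search(tail):
                severity = "high" if start in ("0", "1") else "review"
                findings.append(("driver_file_unverified", severity, name))
    return findings


def summarize(findings):
    """Count findings per rule so the helper sees at a glance what needs a look."""
    counts = {}
    for rule, _severity, _detail in findings:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, severity, detail in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {rule:24} {detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

On the sample the script reports the loopback proxy and the two boot/system-start drivers with unverifiable files as high, the leftover Rootkit Unhooker driver entry as a review item, and the AppInit_DLLs value as a review item (acaptuser32.dll is commonly installed by Adobe Acrobat, which is why a hit there is a prompt to check the file, not a verdict). The AVG and Google Update entries, whose files DDS could read, produce nothing.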


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:53 AM

Posted 23 September 2010 - 06:54 PM

Hello eyedoctodd :) Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

I need for you to perform the following:

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE. In your case this will include TeaTimer. The instructions for disabling it can also be found at the provided link.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.

Thanks,

thewall

If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 eyedoctodd

eyedoctodd
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 23 September 2010 - 10:22 PM

Hello, thewall.

Thank you for helping me.

I downloaded combofix and initially had trouble running it (it just hung before completing any stages). I rebooted the infected PC and ran combofix again and was successful, although it did reboot itself during the combofix process (as you'll see the log shows).

I will be watching and waiting for your next move. Thanks!
The following is my combofix log:
--------------------------------------

ComboFix 10-09-23.01 - Todd Bainbridge 09/23/2010 22:21:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2560.1934 [GMT -4:00]
Running from: c:\documents and settings\Todd Bainbridge\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\All Users\Documents\Server\admin.txt
c:\documents and settings\All Users\Documents\Server\server.dat
c:\program files\ScreensCorner\Common\msUDt.dll
c:\windows\system32\kungsfqjxxlerr.dat.REN

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

Infected copy of c:\windows\explorer.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

Infected copy of c:\windows\system32\drivers\mouclass.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6TO4
-------\Legacy_kungsfbltardbq
-------\Legacy_OHCIUSB
-------\Legacy_USERINIT
-------\Service_kungsfbltardbq
-------\Service_ohciusb


((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-24 03:05 . 2010-09-24 03:05 -------- d-----w- c:\windows\system32\CatRoot_bak
2010-09-24 02:33 . 2010-09-24 02:33 -------- d-----w- c:\windows\LastGood
2010-09-15 20:36 . 2010-09-15 20:42 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\Tyfoyv
2010-09-15 20:36 . 2010-09-15 20:36 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\Bysuo
2010-09-15 20:36 . 2010-09-15 20:37 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-13 17:20 . 2010-09-13 17:20 63488 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-13 17:20 . 2010-09-13 17:20 52224 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-13 17:20 . 2010-09-13 17:20 117760 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-13 17:19 . 2010-09-13 17:19 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\SUPERAntiSpyware.com
2010-09-13 17:19 . 2010-09-13 17:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-13 17:19 . 2010-09-15 06:02 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-13 13:50 . 2010-09-13 13:51 9333808 ----a-w- C:\SUPERAntiSpyware.exe
2010-09-13 13:50 . 2010-09-13 13:50 50688 ----a-w- C:\ATF-Cleaner.exe
2010-09-13 13:41 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-13 13:41 . 2010-09-13 13:41 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 13:41 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-13 13:27 . 2010-09-13 13:28 6153352 ----a-w- C:\zztoy.exe
2010-09-13 13:27 . 2010-09-13 13:28 6153352 ----a-w- C:\mbam-setup-1.46(2).exe
2010-09-11 00:57 . 2006-11-01 17:07 334720 ----a-w- C:\RootkitRevealer.exe
2010-09-11 00:51 . 2007-10-04 14:44 95744 ----a-w- C:\rku37300509.exe
2010-09-11 00:38 . 2010-09-11 00:38 388096 ----a-r- c:\documents and settings\Todd Bainbridge\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-09-11 00:38 . 2010-09-11 00:38 -------- d-----w- c:\program files\Trend Micro
2010-09-10 19:03 . 2010-09-10 19:03 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-09-10 19:01 . 2010-09-10 19:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2010-09-10 19:00 . 2010-09-10 19:01 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Microsoft
2010-09-10 18:34 . 2010-09-10 18:34 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\Malwarebytes
2010-09-10 18:16 . 2010-09-10 18:19 -------- d-----w- c:\windows\system32\MpEngineStore
2010-09-10 14:59 . 2010-06-07 20:16 3887480 ----a-w- C:\procexp.exe
2010-09-10 14:56 . 2010-09-10 14:56 1402880 ----a-w- C:\HiJackThis.msi
2010-09-10 14:55 . 2010-09-10 14:55 4857856 ----a-w- C:\RRT.exe
2010-09-10 14:54 . 2010-09-10 14:54 1729668 ----a-w- C:\ProcessExplorer.zip
2010-09-10 14:46 . 2010-09-10 14:46 12049864 ----a-w- C:\windows-kb890830-v3.10.exe
2010-09-10 14:37 . 2010-09-10 14:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-10 14:25 . 2010-09-10 14:26 6153352 ----a-w- C:\mbam-setup-1.46.exe
2010-09-10 01:14 . 2010-08-30 18:36 380928 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\{D1F30069-9E00-468c-8CB6-3FB6C4ECE8C6}\components\GSearch.dll
2010-09-10 01:13 . 2010-09-10 01:13 -------- d-----w- c:\program files\ScreensCorner
2010-09-10 01:10 . 2010-09-10 19:29 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\F832026839C24D90DCA66DDA23328DF5
2010-09-07 02:51 . 2010-09-07 03:58 -------- d-----w- c:\documents and settings\Todd Bainbridge\Calibre Library
2010-09-07 02:51 . 2010-09-07 03:18 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\calibre
2010-09-07 01:48 . 2010-09-07 01:50 -------- d-----w- c:\program files\Calibre2
2010-09-06 21:51 . 2010-09-06 21:51 -------- d-----w- c:\program files\iPod
2010-09-06 21:50 . 2010-09-06 21:52 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-06 21:43 . 2010-09-06 21:44 -------- d-----w- c:\program files\QuickTime
2010-09-06 21:14 . 2010-09-06 21:15 -------- d-----w- c:\program files\Bonjour
2010-09-06 20:57 . 2010-09-06 20:57 73000 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 10.0.0.68\SetupAdmin.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-15 20:36 . 2007-11-20 18:17 1984 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-13 17:18 . 2010-09-13 14:55 112 ----a-w- c:\documents and settings\All Users\Application Data\j23CxofN.dat
2010-09-13 00:24 . 2010-06-28 03:06 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\Dropbox
2010-09-11 00:37 . 2007-05-03 03:00 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\uTorrent
2010-09-08 20:53 . 2007-10-10 01:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-09-08 02:43 . 2007-07-14 22:55 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\NewsBin
2010-09-07 01:01 . 2007-05-03 03:43 -------- d-----w- c:\documents and settings\Todd Bainbridge\Application Data\Apple Computer
2010-09-06 21:52 . 2010-02-09 00:55 -------- d-----w- c:\program files\iTunes
2010-09-06 21:51 . 2007-10-10 01:05 -------- d-----w- c:\program files\Common Files\Apple
2010-09-05 01:01 . 2007-05-03 03:00 -------- d-----w- c:\program files\uTorrent
2010-08-09 20:35 . 2010-08-09 20:35 -------- d-----w- c:\program files\Carbonite
2010-08-09 20:35 . 2010-08-09 20:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Carbonite
2010-07-29 22:01 . 2010-07-30 01:48 85464 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
2010-07-29 22:01 . 2010-07-30 01:48 38872 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINCE\components\WeaveCrypto.dll
2010-07-27 22:44 . 2010-07-27 22:44 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-07-27 22:44 . 2010-07-27 22:44 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-07-27 22:44 . 2010-07-27 22:44 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-07-27 19:03 . 2007-08-08 13:27 -------- d-----w- c:\program files\NewsBin5
2010-07-21 03:41 . 2010-07-21 03:41 65536 ----a-r- c:\documents and settings\Todd Bainbridge\Application Data\Microsoft\Installer\{2517B7EA-6C03-4D86-A1B1-F3FE1C3BC03B}\ARPPRODUCTICON.exe
2010-07-15 13:33 . 2009-11-15 01:09 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 13:33 . 2010-07-15 13:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 13:31 . 2009-11-15 01:09 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-06-28 03:06 . 2010-06-28 03:06 89831 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Dropbox\bin\Uninstall.exe
.
c:\program files\AVG\AVG9\avgtray .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2010-04-19 14:25 2117704 ----a-w- c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG9\Toolbar\IEToolbar.dll" [2010-04-19 2117704]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Green]
@="{95A27763-F62A-4114-9072-E81D87DE3B68}"
[HKEY_CLASSES_ROOT\CLSID\{95A27763-F62A-4114-9072-E81D87DE3B68}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Partial]
@="{E300CD91-100F-4E67-9AF3-1384A6124015}"
[HKEY_CLASSES_ROOT\CLSID\{E300CD91-100F-4E67-9AF3-1384A6124015}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Carbonite.Yellow]
@="{5E529433-B50E-4bef-A63B-16A6B71B071A}"
[HKEY_CLASSES_ROOT\CLSID\{5E529433-B50E-4bef-A63B-16A6B71B071A}]
2010-06-28 21:33 668816 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Todd Bainbridge\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"="c:\documents and settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.4\MoeMonitor.exe" [2009-05-29 1321808]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 1460560]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-15 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-04-19 7700480]

c:\documents and settings\Administrator\Start Menu\Programs\Startup\
ehcec.exe [2010-9-15 158208]

c:\documents and settings\Guest\Start Menu\Programs\Startup\
uwmae.exe [2010-9-15 158208]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
wema.exe [2010-9-15 158208]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= "c:\progra~1\Qualcomm\Eudora\EuShlExt.dll" [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-15 13:33 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\RACServerLogon]
2007-09-11 15:03 57344 ----a-w- c:\windows\system32\RACServerLogon2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlcrdplauncher]
2009-05-29 03:48 21824 ----a-w- c:\program files\Live Mesh\Remote Desktop\wlcrdplauncher.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"wave2"=SMNT40.dll
"aux"=SMNT40.dll
"mixer1"=SMNT40.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VIA RAID TOOL.lnk
backup=c:\windows\pss\VIA RAID TOOL.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Todd Bainbridge^Start Menu^Programs^Startup^.lnk]
path=c:\documents and settings\Todd Bainbridge\Start Menu\Programs\Startup\.lnk
backup=c:\windows\pss\.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Todd Bainbridge^Start Menu^Programs^Startup^Dropbox.lnk]
path=c:\documents and settings\Todd Bainbridge\Start Menu\Programs\Startup\Dropbox.lnk
backup=c:\windows\pss\Dropbox.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-05-11 07:06 40048 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcohol.bin Autorun]
2008-02-22 11:30 1589704 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\Alcohol.bin

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
2008-12-03 13:47 4608 ----a-w- c:\program files\Alcohol Soft\Alcohol 120\AxCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
c:\progra~1\AVG\AVG9\avgtray.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
c:\windows\$NtUninstallMTF196$\mmduch.dll [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2010-06-28 21:33 900240 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRnoc]
c:\docume~1\TODDBA~1\LOCALS~1\Temp\debug.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRruf]
c:\docume~1\TODDBA~1\LOCALS~1\Temp\spoolsv.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRrxe]
c:\docume~1\TODDBA~1\LOCALS~1\Temp\system.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-09-01 12:32 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 19:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKdw+]
c:\windows\nvsvc32.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKexe]
c:\windows\system.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfpe]
c:\windows\winamp.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfre]
c:\windows\wininst.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2007-04-19 17:26 7700480 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2007-04-19 17:26 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2007-04-19 17:26 1626112 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
2010-06-30 01:35 755312 ----a-w- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
2006-01-30 16:00 98304 ----a-r- c:\program files\Hewlett-Packard\OrderReminder\OrderReminder.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 00:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RRT-Auto]
2010-09-10 14:55 4857856 ----a-w- C:\RRT.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2007-08-31 20:46 1460560 ----a-w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-12-01 13:50 149280 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpdlpenk]
c:\documents and settings\Todd Bainbridge\Local Settings\Application Data\gsrdukyby\kywvppyuqiw.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2010-09-01 11:48 328568 ----a-w- c:\program files\uTorrent\utorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vbegrdst]
c:\documents and settings\Todd Bainbridge\Local Settings\Application Data\tewftxkny\kkpjhojuqiw.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YXE7DXCQ37]
c:\docume~1\TODDBA~1\LOCALS~1\Temp\Zbf.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent]
2010-09-01 11:48 328568 ----a-w- c:\program files\uTorrent\utorrent.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Soulseek\\slsk.exe"=
"c:\\Program Files\\newsbinpro432\\nbpro.exe"=
"c:\\Program Files\\nbpro\\nbpro.exe"=
"c:\\Program Files\\Live Mesh\\Remote Desktop\\wlcrasvc.exe"=
"c:\\Documents and Settings\\Todd Bainbridge\\Local Settings\\Application Data\\Microsoft\\Live Mesh\\GacBase\\Moe.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\MusicBrainz Picard\\picard.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\RealVNC\\VNC4\\winvnc4.exe"=
"c:\\Documents and Settings\\Todd Bainbridge\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\PFPortChecker\\PFPortChecker.exe"=
"c:\\Program Files\\Simple Port Tester\\spt.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbjetManager.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\Orb.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbLauncher.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbSetupWizard.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbControlPanel.exe"=
"c:\\Program Files\\Orb Networks\\Orb\\bin\\OrbStreamerClient.exe"=
"c:\\Program Files\\NewsBin5\\nbpro.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4899:TCP"= 4899:TCP:radmin
"4899:UDP"= 4899:UDP:radminudp
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"8600:TCP"= 8600:TCP:Remote Administrator Control Server, TCP port 8600
"8080:TCP"= 8080:TCP:Remote Administrator Control Server, TCP port 8080
"443:TCP"= 443:TCP:Remote Administrator Control Server, TCP port 443

R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [6/3/2007 12:54 PM 77312]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/14/2009 9:09 PM 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/14/2009 9:09 PM 243024]
R1 raddrvv3;raddrvv3;c:\windows\system32\rserver30\raddrvv3.sys [2/2/2007 2:54 PM 41176]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 PCNetSoftware RAC Server;PCNetSoftware RAC Server;c:\program files\PCNetSoftware\RAC Server\RACs.exe [3/23/2009 10:33 PM 3186688]
R2 RACDriver;RAC driver;c:\program files\PCNetSoftware\RAC Server\RACDriver.sys [3/23/2009 10:33 PM 8208]
R2 RServer3;Radmin Server V3;c:\windows\system32\rserver30\rserver3.exe [2/2/2007 2:35 PM 1235032]
R2 wlcrasvc;Live Mesh Remote Desktop;c:\program files\Live Mesh\Remote Desktop\wlcrasvc.exe [5/28/2009 11:49 PM 44880]
R3 RDPDISPM;RDPDISPM;c:\windows\system32\drivers\rdpdispm.sys [5/28/2009 11:50 PM 9040]
S0 cpnlbc;cpnlbc;c:\windows\system32\drivers\uckihb.sys --> c:\windows\system32\drivers\uckihb.sys [?]
S1 jaadgwiq;jaadgwiq;\??\c:\windows\system32\drivers\jaadgwiq.sys --> c:\windows\system32\drivers\jaadgwiq.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2/11/2010 8:20 PM 135664]
S2 ohdusb;Open Host Controller Miniport USB Driver (rev.d);\??\c:\windows\system32\drivers\ohdusb.sys --> c:\windows\system32\drivers\ohdusb.sys [?]
S3 RDPVDD;RDPVDD;c:\windows\system32\drivers\rdpvmp.sys [5/28/2009 11:50 PM 19392]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S4 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/15/2010 9:32 AM 308136]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [12/3/2008 9:41 AM 716272]
.
Contents of the 'Scheduled Tasks' folder

2010-09-23 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 00:20]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-12 00:20]

2010-09-24 c:\windows\Tasks\Orb Index when idle.job
- c:\program files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-06-30 01:35]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:6092
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: {95BF9F02-A9D7-4F82-9975-1719A98A75A8} = 4.2.2.2,4.2.2.3
FF - ProfilePath - c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/
FF - component: c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\{340c2bbc-ce74-4362-90b5-7c26312808ef}\platform\WINNT_x86-msvc\components\WeaveCrypto.dll
FF - component: c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\{D1F30069-9E00-468c-8CB6-3FB6C4ECE8C6}\components\GSearch.dll
FF - plugin: c:\documents and settings\Todd Bainbridge\Application Data\Mozilla\Firefox\Profiles\kz82yjvs.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\Google\Update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

Notify-WgaLogon - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-23 23:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\.arp1394]
"ImagePath"="\*"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"NoChange"="1"
"Installed"="1"
@=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
@=""
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(720)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\RACServerLogon2.dll

- - - - - - - > 'explorer.exe'(3412)
c:\program files\Carbonite\Carbonite Backup\CarboniteNSE.dll
c:\documents and settings\Todd Bainbridge\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\documents and settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\Bin\WLCShell.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Carbonite\Carbonite Backup\carboniteservice.exe
c:\program files\Diskeeper Corporation\Diskeeper\DkService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\No-IP\DUC20.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Orb Networks\Orb\bin\OrbMediaService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
c:\program files\RealVNC\VNC4\WinVNC4.exe
c:\program files\Orb Networks\Orb\bin\Orb.exe
c:\program files\Orb Networks\Orb\bin\OrbjetManager.exe
c:\windows\SoftwareDistribution\Download\fa06e29c141c84f43a95ba02f93d3774\update\update.exe
c:\windows\system32\wscntfy.exe
c:\windows\System32\rserver30\FamItrfc.Exe
.
**************************************************************************
.
Completion time: 2010-09-23 23:11:18 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-24 03:11

Pre-Run: 66,756,255,744 bytes free
Post-Run: 66,146,377,728 bytes free

- - End Of File - - 04BCE3A4C512F79323307D79C4817ABB




#4 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 24 September 2010 - 06:05 PM

Good deal. That took out a lot of things.

  • Submit file sample
  • Open to the Submission Channel.
  • Under Link to topic where this file was requested, input:
    http://www.bleepingcomputer.com/forums/topic347717.html#entry1944918
  • Click Browse and select the c:\windows\system32\drivers\uckihb.sys
  • Under the comments section, say that thewall asked for the submission.
  • Then select Send File to send it
  • Do the same with this file: c:\windows\system32\drivers\jaadgwiq.sys
  • After that you should get a confirmation if it was uploaded successfully.
Let me know when you have uploaded the log.


If I have helped you then please consider donating so I can continue the fight against malware.
All donations go directly to the helper.

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you.

#5 eyedoctodd

  • Topic Starter
  • Members
  • 14 posts

Posted 24 September 2010 - 07:06 PM

Hi, thewall.

Problem(s?). When I went to the suspect PC, it had apparently rebooted itself, stating that windows had installed an important update that required the reboot.
I'm not so sure that is legitimate since I'm accustomed to Windows asking permission to reboot after updates.

Second, neither of the files you asked me to submit exists, at least not in those locations. As we speak I am searching the C drive for the files.

Wondering if we have some nasty shapeshifter thingy going on or if Combofix or MBAM or SAS auto-deleted anything extra after reboot that had become uncloaked after running Combofix.

FYI, the PC is now connected to the internet since I needed to upload those files. If that's wrong and I need to put them on a thumb drive and submit them from a clean PC so I can avoid turning on the internet connection to the infected PC, let me know.

Awaiting your next instructions.

Thanks so much for your help.

Todd

#6 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 24 September 2010 - 08:45 PM

The update is a little questionable, but it could have come about due to some of the infections blocking it when it tried to update earlier.

Those files may not exist. If you look in the ComboFix log there is a question mark at the end of the file path which indicates they may or may not be there.

How about opening up your MalwareBytes then do an update and a Quick Scan. If it doesn't find anything let me know but if it does please post the log it produces.
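Added example, not from the thread or from ComboFix: a small Python triage pass over the Drivers/Services and msconfig\startupreg sections of a ComboFix log. It encodes the conventions as read from the log above and thewall's remark ("[?]" for a driver file ComboFix could not verify, "[x]" for a service with no image file recorded, "[N/A]" for a startup entry whose file is missing, plus a path under a Temp directory) and runs over lines excerpted from that log; the reason strings and the Finding class are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Drivers/Services line: "<R|S><digit> <name>;<display name>;<image path> [<status>]"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Header of an msconfig\startupreg entry; the line describing its file follows it.
STARTUPREG_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\startupreg\\([^\]]+)\]$",
    re.IGNORECASE,
)
# "<date> <time> <size> <attrs> <path>" is how ComboFix prints a file it did find.
FILE_PRESENT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\d+\s+\S+\s+(.+)$")
# Matches both the long and the 8.3 (LOCALS~1\Temp) spelling of a Temp directory.
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    kind: str                                 # "service" or "startupreg"
    name: str                                 # service name or startupreg value name
    path: str                                 # image path as printed in the log
    reasons: List[str] = field(default_factory=list)


def _path_reasons(path: str) -> List[str]:
    """Location checks that apply to any image path."""
    return ["runs from a Temp directory"] if TEMP_DIR_RE.search(path) else []


def _check_service(name: str, image: str) -> Finding:
    """Split '<path> [<status>]' and flag the statuses that mean ComboFix found no file."""
    image = image.strip()
    path, sep, status = image.rpartition(" [")
    if sep:
        status = status.rstrip("]")
    else:                                     # "[x]" lines carry no path at all
        path, status = "", image.strip("[]")
    reasons = _path_reasons(path)
    if status == "?":
        reasons.append("file could not be verified on disk ([?])")
    elif status == "x":
        reasons.append("no image file recorded ([x])")
    return Finding("service", name, path, reasons)


def _check_startupreg(name: str, file_line: str) -> Finding:
    """A startupreg entry is either '<date> <time> <size> <attrs> <path>' or '<path> [N/A]'."""
    file_line = file_line.strip()
    if file_line.endswith("[N/A]"):
        path = file_line[: -len("[N/A]")].strip()
        reasons = ["file not found at scan time ([N/A])"] + _path_reasons(path)
    else:
        m = FILE_PRESENT_RE.match(file_line)
        path = m.group(1) if m else file_line
        reasons = _path_reasons(path)
    return Finding("startupreg", name, path, reasons)


def triage(log_text: str) -> List[Finding]:
    """Return every entry that has at least one reason to be looked at by hand."""
    findings: List[Finding] = []
    lines = [line.strip() for line in log_text.splitlines()]
    for i, line in enumerate(lines):
        m = SERVICE_RE.match(line)
        if m:
            _start, name, _display, image = m.groups()
            finding = _check_service(name, image)
        else:
            m = STARTUPREG_RE.match(line)
            if not m:
                continue
            # The file line is the next non-empty line after the key header.
            file_line = next((nxt for nxt in lines[i + 1:] if nxt), "")
            finding = _check_startupreg(m.group(1), file_line)
        if finding.reasons:
            findings.append(finding)
    return findings


# Constructed input: lines excerpted from the ComboFix log posted above.
SAMPLE_LOG = r"""
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/14/2009 9:09 PM 243024]
S0 cpnlbc;cpnlbc;c:\windows\system32\drivers\uckihb.sys --> c:\windows\system32\drivers\uckihb.sys [?]
S1 jaadgwiq;jaadgwiq;\??\c:\windows\system32\drivers\jaadgwiq.sys --> c:\windows\system32\drivers\jaadgwiq.sys [?]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
2010-06-28 21:33 900240 ----a-r- c:\program files\Carbonite\Carbonite Backup\CarboniteUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRruf]
c:\docume~1\TODDBA~1\LOCALS~1\Temp\spoolsv.exe [N/A]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpdlpenk]
c:\documents and settings\Todd Bainbridge\Local Settings\Application Data\gsrdukyby\kywvppyuqiw.exe [N/A]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:10} {f.name:18} {f.path or '(no path)'}")
        for reason in f.reasons:
            print(f"{'':10} - {reason}")
```

A flagged entry is a pointer for the helper to look at by hand, not a verdict: a leftover from a legitimate tool, such as the Rootkit Unhooker driver entry with "[x]", is flagged by the same rule as the unknown drivers.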

#7 eyedoctodd

  • Topic Starter
  • Members
  • 14 posts

Posted 25 September 2010 - 10:55 AM

Hi, I updated and scanned with MBAM and it came up clean, nothing found.

Do you think I'm clean or should I scan with combofix one more time?

Thanks!

-Also Windows says I have updates to download and install but I'm waiting for the go-ahead to do that.

Edited by eyedoctodd, 25 September 2010 - 10:57 AM.


#8 thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida

Posted 25 September 2010 - 12:15 PM

I don't think there is a need to run ComboFix again. I would like you to run another scan though. Let's try ESET:


I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push


#9 eyedoctodd (Topic Starter)

Posted 25 September 2010 - 05:41 PM

Here are the results. 5 infected files. The last 4 of them were things I downloaded years ago and just kept getting transferred into newer, larger hard drives. Yes, I know I shouldn't download and run warez or keygens, that's from quite a while ago.
The one exception appears to be the mouse driver, but I thought Combofix said it found and cleaned that one when I ran combofix.
I did not clear out the quarantine as you did not say to do that yet. Let me know if that is ok to proceed with.

Here is the log.
------------------------------------------------------
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\mouclass.sys.vir Win32/Olmarik.ZC trojan cleaned - quarantined
E:\downloaded progs to try\CDR\Nero551028keygen.exe probably a variant of Win32/Agent.FMDRYJI trojan cleaned by deleting - quarantined
E:\downloaded progs to try\alt.binaries.warez.ibm-pc.0-day\Extensis Mask Pro 3.0\keygen.exe probably a variant of Win32/Agent.YXJDAE trojan cleaned by deleting - quarantined
E:\Burnable Essentials\Essentials 22\BFK\setup.exe probably unknown NewHeur_PE virus deleted - quarantined
G:\Reinstall\Desktop\pconpoint.exe a variant of Win32/Adware.ErrorClean application deleted - quarantined




#10 thewall (Malware Response Team)

Posted 25 September 2010 - 11:24 PM

The Qoobox quarantine is part of ComboFix. It will be gone when we do an uninstall. I don't see any reason you can't clean the rest of the quarantine out. Since you already know about the danger of keygens and the like I won't go into our normal warnings.

Let's get your Adobe Reader and Java updated then give me a rundown on how the computer is acting.


Please uninstall older versions of Adobe Reader before installing the latest version

* Click Start
* Control Panel
* Double click on Add/Remove Programs
* Locate the older version of Adobe Reader and click on Change/Remove to uninstall it
* Click HERE to download the latest version of Adobe Acrobat Reader.
* Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be run and it will be installed automatically for you. If you are using other browsers, it will prompt you to save a file. Save this file to your desktop and run it to install the latest version of Adobe Reader.
* Close your Internet browser and open it again.






Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.


Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click Ok and reboot your computer.




#11 eyedoctodd (Topic Starter)

Posted 26 September 2010 - 11:11 AM

Hi,
It sounded like those would be quick changes, but WHEW! They were quite an adventure.

First off, I found the PC having rebooted again after installing windows updates that required a reboot. (That still sounds fishy to me).

I had no problems with Java. I uninstalled about 6 old versions from prior to version 10, plus the version 17 I had.
I should note that the newest one was version 21, so that's what I installed, not 20 like in your instructions.

Adobe Reader was a royal pain. I kept getting error 1402 when trying to uninstall version 8.1, due to registry permissions not being there.
I finally found this solution:
http://kb2.adobe.com/cps/329/329137.html#m...0the%20registry
and was able to remove it and update to version 9.3 after re-setting permissions by following the instructions in that link.

Windows asked me to install a bunch more updates like the latest malicious software removal tool, SP3 for office 2003, and an update to the .NET framework 3.5, so I let it.

Back to your point, the computer seems to be running fine as far as functionality. I haven't detected any page redirects in browsing.

I still have some confusion and concern however. I understand the point of the Qoobox being removed when combofix is uninstalled. I'm wondering if any of the scans you've helped me with have addressed the suspected rootkit activity from the original GMER scan. Maybe I'm getting ahead of myself and you had planned to check into this stuff next, so I apologize if I'm telling you your business, I don't mean it that way.

Lastly, when I was in the Add/Remove programs dialog taking out Adobe reader, I saw there was an entry for "Antivirus 2010" which I thought was a malicious fake antivirus. Also in my MSCONFIG, there are still a number of entries in the startup that I think are related to the trojans, like mmduch, kyvwppyuqiw, kkpjhojuqiw etc. (Just to clarify, those are all disabled but it would be great to have them gone for good in case one day I clicked something by accident and enabled the wrong thing)

Thanks so much for all your help so far!!!

Edited by eyedoctodd, 26 September 2010 - 11:20 AM.
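The leftover msconfig startup entries the poster describes (random-named folders and executables, copies of system binary names in Temp or the Windows root, a rundll32 DLL under a $NtUninstall folder, an unnamed Startup shortcut) are the kind of thing a small triage script can flag for a human to review. The Python below is an added example written for this thread, not RSIT, HijackThis or a BleepingComputer tool; its input is a constructed sample in RSIT's registry-dump format with a placeholder user name, and the scoring weights, the list of system32-only binary names and the reading of an empty `[]` as "no file date/size recorded" are assumptions.

```python
"""Heuristic triage of RSIT 'startupreg'/'startupfolder' dump entries.
Added example for this thread, not RSIT, HijackThis or a BleepingComputer tool.
SAMPLE_RSIT is constructed in RSIT's registry-dump format; the user is a placeholder."""
import re
from collections import namedtuple

SAMPLE_RSIT = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
rundll32 C:\WINDOWS\$NtUninstallMTF196$\mmduch.dll,,Run []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRruf]
C:\DOCUME~1\OWNER~1\LOCALS~1\Temp\spoolsv.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKdw+]
C:\WINDOWS\nvsvc32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-19 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpdlpenk]
C:\Documents and Settings\Owner\Local Settings\Application Data\gsrdukyby\kywvppyuqiw.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^.lnk]
C:\WINDOWS\system32\msmapibx32.exe []
"""

KEY_RE = re.compile(r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\shared tools\\msconfig\\"
                    r"(startupreg|startupfolder)\\(.+)\]$", re.IGNORECASE)
META_RE = re.compile(r"\s*\[([^\]]*)\]\s*$")   # RSIT's trailing "[date size]" or "[]"
PATH_RE = re.compile(r"[a-z]:\\[^\[,]*?\.(?:exe|dll|bin|scr|com)\b", re.IGNORECASE)
# Names that belong in %SystemRoot%\system32; the same name elsewhere is a decoy (assumed list).
SYSTEM32_ONLY = {"spoolsv.exe", "svchost.exe", "lsass.exe", "services.exe",
                 "winlogon.exe", "csrss.exe", "smss.exe", "nvsvc32.exe"}
WINROOT_OK = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe"}  # assumed short list
Entry = namedtuple("Entry", "kind name command meta path")  # meta == "" when unresolved

def parse_rsit(text):
    """Pair each msconfig key line with the command line that follows it."""
    entries, pending = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = KEY_RE.match(line)
        if m:
            pending = (m.group(1).lower(), m.group(2))
        elif pending:
            meta_m = META_RE.search(line)
            meta = meta_m.group(1) if meta_m else ""
            command = line[:meta_m.start()].strip() if meta_m else line
            path_m = PATH_RE.search(command)
            entries.append(Entry(*pending, command, meta, path_m.group(0) if path_m else None))
            pending = None
    return entries

def looks_random(token):
    """True if a word of 6+ letters has few vowels or a 4+ consonant run."""
    for word in re.findall(r"[a-z]+", token.lower()):
        if len(word) >= 6:
            ratio = sum(ch in "aeiouy" for ch in word) / len(word)
            longest = max(len(run) for run in re.split(r"[aeiouy]+", word))
            if ratio < 0.25 or longest >= 4:
                return True
    return False

def assess(e):
    """Score one entry; the weights are assumptions, not a published scheme."""
    hits = []
    if e.kind == "startupfolder" and e.name.split("^")[-1].lower() in ("", ".lnk"):
        hits.append((2, "Startup-folder shortcut with an empty name"))
    if not e.meta:
        hits.append((1, "no file date/size recorded (file gone or path unresolved)"))
    if e.path:
        parent, _, fname = e.path.lower().rpartition("\\")
        parent_name, stem = parent.rpartition("\\")[2], fname.rsplit(".", 1)[0]
        if "\\temp\\" in parent + "\\":
            hits.append((2, "runs from a Temp directory"))
        if fname in SYSTEM32_ONLY and not parent.endswith("\\system32"):
            hits.append((2, f"{fname} is a system binary name outside system32"))
        if "$ntuninstall" in parent:
            hits.append((2, "runs from a $NtUninstall...$ hotfix backup folder"))
        if re.fullmatch(r"[a-z]:\\windows", parent) and fname not in WINROOT_OK:
            hits.append((1, "executable placed directly in the Windows root"))
        odd = [t for t in (parent_name, stem) if looks_random(t)]
        if odd:
            hits.append((1, "random-looking name(s): " + ", ".join(odd)))
    return sum(p for p, _ in hits), [why for _, why in hits]

def triage(text, threshold=2):
    """{name: (score, reasons)} for entries scoring at least threshold;
    4+ is worth treating as malicious, 2-3 as 'review by hand'."""
    report = {}
    for e in parse_rsit(text):
        score, reasons = assess(e)
        if score >= threshold:
            report[e.name] = (score, reasons)
    return report

if __name__ == "__main__":
    for name, (score, why) in triage(SAMPLE_RSIT).items():
        print(f"[{score}] {name}: " + "; ".join(why))
```

Entries with a present date/size under a vendor folder (the NvCplDaemon line) score 0 and are not reported; the script is a filter for what to look at first, not a verdict.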


#12 thewall (Malware Response Team)

Posted 27 September 2010 - 08:37 PM

I will address all of your concerns but first I would like you to run the following for me and post both logs it produces.

  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized).



#13 eyedoctodd (Topic Starter)

Posted 27 September 2010 - 09:45 PM

Thanks for your reassurance.

Here are the logs!
Log.txt:
----------------------------------

Logfile of random's system information tool 1.08 (written by random/random)
Run by Todd Bainbridge at 2010-09-27 22:42:20
Microsoft Windows XP Professional Service Pack 2
System drive C: has 60 GB (53%) free of 114 GB
Total RAM: 2560 MB (63% free)

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 10:42:34 PM, on 9/27/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
C:\Program Files\PCNetSoftware\RAC Server\RACs.exe
C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe
C:\WINDOWS\System32\rserver30\RServer3.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\rserver30\FamItrfc.Exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Orb Networks\Orb\bin\Orb.exe
C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\rserver30\FamItrf2.Exe
C:\Documents and Settings\Todd Bainbridge\Desktop\RSIT.exe
C:\Program Files\trend micro\Todd Bainbridge.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: AVG Safe Search - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [Uninstall Adobe Download Manager] "C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1noarp
O4 - HKCU\..\Run: [MoeMonitor.exe] "C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.4\MoeMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - S-1-5-18 Startup: wema.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: wema.exe (User 'Default user')
O4 - .DEFAULT User Startup: wema.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1231686935484
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{95BF9F02-A9D7-4F82-9975-1719A98A75A8}: NameServer = 4.2.2.2,4.2.2.3
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\acaptuser32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: avgrsstarter - avgrsstx.dll (file missing)
O20 - Winlogon Notify: RACServerLogon - RACServerLogon2.dll (file missing)
O20 - Winlogon Notify: wlcrdplauncher - C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CarboniteService - Carbonite, Inc. (www.carbonite.com) - C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NoIPDUCService - Vitalwerks LLC - C:\Program Files\No-IP\DUC20.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OrbMediaService - Orb Networks - C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe
O23 - Service: PCNetSoftware RAC Server - Miloslav Novotny N+P - C:\Program Files\PCNetSoftware\RAC Server\RACs.exe
O23 - Service: Radmin Server V3 (RServer3) - Famatech International Corp. - C:\WINDOWS\System32\rserver30\RServer3.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 10838 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
C:\WINDOWS\tasks\Orb Index when idle.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2010-06-19 61888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2010-06-19 75200]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files\AVG\AVG9\avgssie.dll [2010-09-25 1619296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2007-08-31 1122128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6EBF7485-159F-4bff-A14F-B9E3AAC4465B}]
Search Helper - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll [2009-01-14 92504]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9030D464-4C02-4ABF-8ECC-5164760863C6}]
Windows Live Sign-in Helper - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22 408448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
AVG Security Toolbar BHO - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-04-19 2117704]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java™ Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-09-26 41760]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E15A8DC0-8516-42A1-81EA-DC94EC1ACF10}]
Windows Live Toolbar Helper - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-09-26 79648]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - AVG Security Toolbar - C:\Program Files\AVG\AVG9\Toolbar\IEToolbar.dll [2010-04-19 2117704]
{21FA44EF-376D-4D53-9B0F-8A89D3229068} - &Windows Live Toolbar - C:\Program Files\Windows Live\Toolbar\wltcore.dll [2009-02-06 1068904]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"=C:\WINDOWS\system32\NvCpl.dll [2007-04-19 7700480]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2010-06-19 35760]
"Adobe ARM"=C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Uninstall Adobe Download Manager"=C:\Program Files\NOS\bin\getPlus_Helper_3004.dll [2010-09-01 66112]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MoeMonitor.exe"=C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\Bin\Servicing\0.9.4014.4\MoeMonitor.exe [2009-05-28 1321808]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2007-08-31 1460560]
"SUPERAntiSpyware"=C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [2010-09-15 2424560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcohol.bin Autorun]
C:\Program Files\Alcohol Soft\Alcohol 120\Alcohol.bin [2008-02-22 1589704]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe [2008-12-03 4608]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2009-08-13 177440]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
C:\PROGRA~1\AVG\AVG9\avgtray.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bipro]
rundll32 C:\WINDOWS\$NtUninstallMTF196$\mmduch.dll,,Run []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Carbonite Backup]
C:\Program Files\Carbonite\Carbonite Backup\CarboniteUI.exe [2010-06-28 900240]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRnoc]
C:\DOCUME~1\TODDBA~1\LOCALS~1\Temp\debug.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRruf]
C:\DOCUME~1\TODDBA~1\LOCALS~1\Temp\spoolsv.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HNUKMOXRrxe]
C:\DOCUME~1\TODDBA~1\LOCALS~1\Temp\system.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2010-09-01 421160]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [2010-04-29 1090952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKdw+]
C:\WINDOWS\nvsvc32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKexe]
C:\WINDOWS\system.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfpe]
C:\WINDOWS\winamp.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MKfre]
C:\WINDOWS\wininst.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-07-26 3883856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
C:\WINDOWS\system32\NvCpl.dll [2007-04-19 7700480]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
C:\WINDOWS\system32\NvMcTray.dll [2007-04-19 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe [2010-06-29 755312]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OrderReminder]
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder.exe [2006-01-30 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe [2004-11-02 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RRT-Auto]
C:\RRT.exe [2010-09-10 4857856]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2007-08-31 1460560]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre6\bin\jusched.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tpdlpenk]
C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\gsrdukyby\kywvppyuqiw.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
C:\Program Files\uTorrent\utorrent.exe [2010-09-01 328568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vbegrdst]
C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\tewftxkny\kkpjhojuqiw.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YXE7DXCQ37]
C:\DOCUME~1\TODDBA~1\LOCALS~1\Temp\Zbf.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\µTorrent]
C:\Program Files\uTorrent\utorrent.exe [2010-09-01 328568]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VIA RAID TOOL.lnk]
C:\PROGRA~1\VIA\RAID\RAID_T~1.EXE [2003-11-18 565248]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Todd Bainbridge^Start Menu^Programs^Startup^.lnk]
C:\WINDOWS\system32\msmapibx32.exe []

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Todd Bainbridge^Start Menu^Programs^Startup^Dropbox.lnk]
C:\DOCUME~1\TODDBA~1\APPLIC~1\Dropbox\bin\Dropbox.exe [2010-02-26 21979992]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\WINDOWS\system32\acaptuser32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL [2009-09-03 548352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avgrsstarter]
C:\WINDOWS\system32\avgrsstx.dll [2010-07-15 12536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\RACServerLogon]
C:\WINDOWS\system32\RACServerLogon2.dll [2007-09-11 57344]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlcrdplauncher]
C:\Program Files\Live Mesh\Remote Desktop\wlcrdplauncher.dll [2009-05-28 21824]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"=C:\PROGRA~1\Qualcomm\Eudora\EuShlExt.dll [2005-11-14 86016]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoLogoff"=0
"NoDrives"=0
"NoDriveAutoRun"=67108863

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoLogoff"=0
"NoDrives"=0
"NoDriveAutoRun"=67108863
"HonorAutoRunSetting"=1

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\utorrent.exe"="C:\Program Files\uTorrent\utorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\Soulseek\slsk.exe"="C:\Program Files\Soulseek\slsk.exe:*:Enabled:SoulSeek"
"C:\Program Files\newsbinpro432\nbpro.exe"="C:\Program Files\newsbinpro432\nbpro.exe:*:Enabled:NewsBin Pro"
"C:\Program Files\nbpro\nbpro.exe"="C:\Program Files\nbpro\nbpro.exe:*:Disabled:NewsBin Pro"
"C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe"="C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe:*:Enabled:Live Mesh Remote Desktop"
"C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe"="C:\Documents and Settings\Todd Bainbridge\Local Settings\Application Data\Microsoft\Live Mesh\GacBase\Moe.exe:*:Enabled:Live Mesh"
"C:\Program Files\AVG\AVG9\avgupd.exe"="C:\Program Files\AVG\AVG9\avgupd.exe:*:Enabled:avgupd.exe"
"C:\Program Files\AVG\AVG9\avgnsx.exe"="C:\Program Files\AVG\AVG9\avgnsx.exe:*:Enabled:avgnsx.exe"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"
"C:\Program Files\MusicBrainz Picard\picard.exe"="C:\Program Files\MusicBrainz Picard\picard.exe:*:Enabled:The next generation MusicBrainz tagger"
"C:\Program Files\Mozilla Firefox\firefox.exe"="C:\Program Files\Mozilla Firefox\firefox.exe:*:Enabled:Firefox"
"C:\Program Files\RealVNC\VNC4\winvnc4.exe"="C:\Program Files\RealVNC\VNC4\winvnc4.exe:*:Enabled:winvnc4.exe"
"C:\Documents and Settings\Todd Bainbridge\Application Data\Dropbox\bin\Dropbox.exe"="C:\Documents and Settings\Todd Bainbridge\Application Data\Dropbox\bin\Dropbox.exe:*:Enabled:Dropbox"
"C:\Program Files\PFPortChecker\PFPortChecker.exe"="C:\Program Files\PFPortChecker\PFPortChecker.exe:*:Enabled:PFPortchecker by portforward.com helps check if your ports are properly forwarded."
"C:\Program Files\Simple Port Tester\spt.exe"="C:\Program Files\Simple Port Tester\spt.exe:*:Enabled:Simple Port Tester By PcWinTech.com"
"C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbjetManager.exe:*:Enabled:Orb"
"C:\Program Files\Orb Networks\Orb\bin\Orb.exe"="C:\Program Files\Orb Networks\Orb\bin\Orb.exe:*:Enabled:Orb"
"C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbLauncher.exe:*:Enabled:OrbLauncher"
"C:\Program Files\Orb Networks\Orb\bin\OrbSetupWizard.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbSetupWizard.exe:*:Enabled:OrbSetupWizard"
"C:\Program Files\Orb Networks\Orb\bin\OrbControlPanel.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbControlPanel.exe:*:Enabled:OrbControlPanel"
"C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe"="C:\Program Files\Orb Networks\Orb\bin\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"C:\Program Files\NewsBin5\nbpro.exe"="C:\Program Files\NewsBin5\nbpro.exe:*:Enabled:NewsBin Pro"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Windows Live\Messenger\wlcsdk.exe"="C:\Program Files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call"
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe"="C:\Program Files\Windows Live\Sync\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

======List of files/folders created in the last 1 months======

2010-09-27 22:42:20 ----D---- C:\rsit
2010-09-27 10:21:37 ----D---- C:\Documents and Settings\All Users\Application Data\NOS
2010-09-27 10:21:36 ----D---- C:\Program Files\NOS
2010-09-26 11:36:42 ----SHD---- C:\Config.Msi
2010-09-26 11:34:30 ----D---- C:\WINDOWS\system32\XPSViewer
2010-09-26 11:34:27 ----D---- C:\Program Files\MSBuild
2010-09-26 11:34:21 ----D---- C:\Program Files\Reference Assemblies
2010-09-26 11:33:57 ----N---- C:\WINDOWS\system32\xpsshhdr.dll
2010-09-26 11:33:57 ----N---- C:\WINDOWS\system32\prntvpt.dll
2010-09-26 11:33:56 ----N---- C:\WINDOWS\system32\xpssvcs.dll
2010-09-26 11:33:56 ----D---- C:\c5ddd1f8bab2428b5eb28b5f527f
2010-09-26 11:31:39 ----D---- C:\Program Files\MSXML 6.0
2010-09-26 11:03:38 ----D---- C:\WINDOWS\ie8updates
2010-09-26 11:02:54 ----D---- C:\WINDOWS\WBEM
2010-09-26 11:02:08 ----HDC---- C:\WINDOWS\ie8
2010-09-26 11:02:08 ----D---- C:\WINDOWS\system32\en-US
2010-09-26 10:03:50 ----D---- C:\WINDOWS\system32\KB905474
2010-09-26 09:54:46 ----D---- C:\Documents and Settings\All Users\Application Data\Sun
2010-09-26 09:54:45 ----D---- C:\Program Files\Common Files\Java
2010-09-26 09:54:20 ----A---- C:\WINDOWS\system32\javaws.exe
2010-09-26 09:54:20 ----A---- C:\WINDOWS\system32\javaw.exe
2010-09-26 09:54:20 ----A---- C:\WINDOWS\system32\java.exe
2010-09-26 09:54:20 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-09-26 09:20:17 ----D---- C:\WINDOWS\system32\appmgmt
2010-09-26 03:03:52 ----HDC---- C:\WINDOWS\$NtUninstallKB970430$
2010-09-26 03:00:46 ----HDC---- C:\WINDOWS\$NtUninstallKB971737$
2010-09-25 16:45:12 ----A---- C:\WINDOWS\system32\muweb.dll
2010-09-25 16:45:12 ----A---- C:\WINDOWS\system32\mucltui.dll.mui
2010-09-25 16:45:12 ----A---- C:\WINDOWS\system32\mucltui.dll
2010-09-25 14:47:06 ----D---- C:\Program Files\ESET
2010-09-24 20:07:18 ----SHD---- C:\RECYCLER
2010-09-24 03:15:31 ----HDC---- C:\WINDOWS\$NtUninstallKB980218$
2010-09-24 03:15:26 ----HDC---- C:\WINDOWS\$NtUninstallKB951376-v2$
2010-09-24 03:15:20 ----HDC---- C:\WINDOWS\$NtUninstallKB952954$
2010-09-24 03:15:12 ----HDC---- C:\WINDOWS\$NtUninstallKB959426$
2010-09-24 03:15:06 ----HDC---- C:\WINDOWS\$NtUninstallKB946648$
2010-09-24 03:15:01 ----HDC---- C:\WINDOWS\$NtUninstallKB956803$
2010-09-24 03:14:55 ----HDC---- C:\WINDOWS\$NtUninstallKB960859$
2010-09-24 03:14:49 ----HDC---- C:\WINDOWS\$NtUninstallKB971468$
2010-09-24 03:14:39 ----HDC---- C:\WINDOWS\$NtUninstallKB979683$
2010-09-24 03:14:33 ----HDC---- C:\WINDOWS\$NtUninstallKB958869$
2010-09-24 03:14:18 ----HDC---- C:\WINDOWS\$NtUninstallKB954155_WM9$
2010-09-24 03:14:14 ----HDC---- C:\WINDOWS\$NtUninstallKB980195$
2010-09-24 03:14:08 ----HDC---- C:\WINDOWS\$NtUninstallKB980232$
2010-09-24 03:14:03 ----HDC---- C:\WINDOWS\$NtUninstallKB981350$
2010-09-24 03:13:56 ----HDC---- C:\WINDOWS\$NtUninstallKB955759$
2010-09-24 03:13:50 ----HDC---- C:\WINDOWS\$NtUninstallKB974318$
2010-09-24 03:13:44 ----HDC---- C:\WINDOWS\$NtUninstallKB969059$
2010-09-24 03:13:38 ----HDC---- C:\WINDOWS\$NtUninstallKB2229593$
2010-09-24 03:13:33 ----HDC---- C:\WINDOWS\$NtUninstallKB961503$
2010-09-24 03:13:28 ----HDC---- C:\WINDOWS\$NtUninstallKB950974$
2010-09-24 03:13:22 ----HDC---- C:\WINDOWS\$NtUninstallKB978037$
2010-09-24 03:13:17 ----HDC---- C:\WINDOWS\$NtUninstallKB975713$
2010-09-24 03:13:12 ----HDC---- C:\WINDOWS\$NtUninstallKB971657$
2010-09-24 03:13:06 ----HDC---- C:\WINDOWS\$NtUninstallKB978338$
2010-09-24 03:13:01 ----HDC---- C:\WINDOWS\$NtUninstallKB960225$
2010-09-24 03:12:55 ----HDC---- C:\WINDOWS\$NtUninstallKB972270$
2010-09-24 03:12:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974112$
2010-09-24 03:12:46 ----D---- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2010-09-24 03:12:29 ----HDC---- C:\WINDOWS\$NtUninstallKB956572$
2010-09-24 03:12:23 ----HDC---- C:\WINDOWS\$NtUninstallKB956844$
2010-09-24 03:12:17 ----HDC---- C:\WINDOWS\$NtUninstallKB961501$
2010-09-24 03:12:10 ----HDC---- C:\WINDOWS\$NtUninstallKB975561$
2010-09-24 03:12:05 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2010-09-24 03:12:02 ----HDC---- C:\WINDOWS\$NtUninstallKB973869$
2010-09-24 03:11:56 ----HDC---- C:\WINDOWS\$NtUninstallKB975025$
2010-09-24 03:11:45 ----HDC---- C:\WINDOWS\$NtUninstallKB973540_WM9L$
2010-09-24 03:11:39 ----HDC---- C:\WINDOWS\$NtUninstallKB952004$
2010-09-24 03:11:34 ----HDC---- C:\WINDOWS\$NtUninstallKB974571$
2010-09-24 03:11:28 ----HDC---- C:\WINDOWS\$NtUninstallKB975560$
2010-09-24 03:11:19 ----HDC---- C:\WINDOWS\$NtUninstallKB973507$
2010-09-24 03:11:14 ----HDC---- C:\WINDOWS\$NtUninstallKB941569$
2010-09-24 03:10:47 ----HDC---- C:\WINDOWS\$NtUninstallKB977816$
2010-09-24 03:10:41 ----HDC---- C:\WINDOWS\$NtUninstallKB973687$
2010-09-24 03:10:36 ----HDC---- C:\WINDOWS\$NtUninstallKB950762$
2010-09-24 03:10:30 ----HDC---- C:\WINDOWS\$NtUninstallKB981793$
2010-09-24 03:10:26 ----HDC---- C:\WINDOWS\$NtUninstallKB978601$
2010-09-24 03:10:20 ----HDC---- C:\WINDOWS\$NtUninstallKB979559$
2010-09-24 03:10:15 ----HDC---- C:\WINDOWS\$NtUninstallKB952287$
2010-09-24 03:10:09 ----HDC---- C:\WINDOWS\$NtUninstallKB973904$
2010-09-24 03:10:01 ----HDC---- C:\WINDOWS\$NtUninstallKB967715$
2010-09-24 03:09:55 ----HDC---- C:\WINDOWS\$NtUninstallKB929399$
2010-09-24 03:09:28 ----HDC---- C:\WINDOWS\$NtUninstallKB950760$
2010-09-24 03:09:24 ----HDC---- C:\WINDOWS\$NtUninstallKB939683$
2010-09-24 03:08:49 ----HDC---- C:\WINDOWS\$NtUninstallKB974392$
2010-09-24 03:06:15 ----HDC---- C:\WINDOWS\$NtUninstallKB977914$
2010-09-24 03:06:04 ----HDC---- C:\WINDOWS\$NtUninstallKB951748$
2010-09-24 03:05:58 ----HDC---- C:\WINDOWS\$NtUninstallKB971961$
2010-09-24 03:05:39 ----HDC---- C:\WINDOWS\$NtUninstallKB978542$
2010-09-24 03:05:33 ----HDC---- C:\WINDOWS\$NtUninstallKB970238$
2010-09-24 03:05:27 ----HDC---- C:\WINDOWS\$NtUninstallKB979309$
2010-09-24 03:05:22 ----HDC---- C:\WINDOWS\$NtUninstallKB978695_WM9$
2010-09-24 03:05:19 ----HDC---- C:\WINDOWS\$NtUninstallKB979482$
2010-09-24 03:05:14 ----HDC---- C:\WINDOWS\$NtUninstallKB978706$
2010-09-24 03:05:05 ----HDC---- C:\WINDOWS\$NtUninstallKB958470$
2010-09-24 03:04:59 ----HDC---- C:\WINDOWS\$NtUninstallKB960803$
2010-09-24 03:04:54 ----HDC---- C:\WINDOWS\$NtUninstallKB973815$
2010-09-24 03:04:48 ----HDC---- C:\WINDOWS\$NtUninstallKB975562$
2010-09-24 03:04:20 ----HDC---- C:\WINDOWS\$NtUninstallKB971032$
2010-09-24 03:04:13 ----HDC---- C:\WINDOWS\$NtUninstallKB958644$
2010-09-24 03:04:07 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$
2010-09-24 03:04:02 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2010-09-24 03:03:45 ----HDC---- C:\WINDOWS\$NtUninstallKB982381$
2010-09-24 03:03:40 ----D---- C:\Program Files\MSXML 4.0
2010-09-24 03:03:31 ----HDC---- C:\WINDOWS\$NtUninstallKB954154_WM11$
2010-09-24 03:03:27 ----HDC---- C:\WINDOWS\$NtUninstallKB944338-v2$
2010-09-24 03:03:21 ----HDC---- C:\WINDOWS\$NtUninstallKB923561$
2010-09-24 03:03:15 ----HDC---- C:\WINDOWS\$NtUninstallKB975467$
2010-09-24 03:03:04 ----HDC---- C:\WINDOWS\$NtUninstallKB968389$
2010-09-23 23:11:19 ----A---- C:\ComboFix.txt
2010-09-23 23:05:44 ----D---- C:\WINDOWS\system32\CatRoot_bak
2010-09-23 22:37:38 ----N---- C:\WINDOWS\system32\tzchange.exe
2010-09-23 22:33:27 ----A---- C:\WINDOWS\system32\xpsp3res.dll
2010-09-23 22:12:26 ----A---- C:\Shortcut to ComboFix.exe.lnk
2010-09-23 21:27:14 ----A---- C:\Boot.bak
2010-09-23 21:27:07 ----RASHD---- C:\cmdcons
2010-09-23 21:22:49 ----A---- C:\WINDOWS\zip.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\SWSC.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\SWREG.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\sed.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\PEV.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\NIRCMD.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\MBR.exe
2010-09-23 21:22:49 ----A---- C:\WINDOWS\grep.exe
2010-09-23 21:22:36 ----D---- C:\WINDOWS\ERDNT
2010-09-23 21:06:01 ----D---- C:\Qoobox
2010-09-15 16:36:44 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\Tyfoyv
2010-09-15 16:36:44 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\Bysuo
2010-09-13 13:19:58 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\SUPERAntiSpyware.com
2010-09-13 13:19:58 ----D---- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-13 13:19:44 ----D---- C:\Program Files\SUPERAntiSpyware
2010-09-13 09:50:43 ----A---- C:\SUPERAntiSpyware.exe
2010-09-13 09:50:16 ----A---- C:\ATF-Cleaner.exe
2010-09-13 09:41:39 ----A---- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-09-13 09:41:38 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-09-13 09:41:38 ----A---- C:\WINDOWS\system32\drivers\mbam.sys
2010-09-13 09:27:44 ----A---- C:\zztoy.exe
2010-09-13 09:27:44 ----A---- C:\mbam-setup-1.46(2).exe
2010-09-10 20:57:01 ----A---- C:\RootkitRevealer.exe
2010-09-10 20:51:28 ----A---- C:\rku37300509.exe
2010-09-10 20:38:01 ----D---- C:\Program Files\Trend Micro
2010-09-10 14:52:04 ----A---- C:\mbam-log-2010-09-10 (14-51-37).txt
2010-09-10 14:34:46 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\Malwarebytes
2010-09-10 14:16:33 ----D---- C:\WINDOWS\system32\MpEngineStore
2010-09-10 14:14:58 ----A---- C:\WINDOWS\system32\MRT.exe
2010-09-10 10:59:45 ----A---- C:\procexp.exe
2010-09-10 10:59:45 ----A---- C:\Eula.txt
2010-09-10 10:55:51 ----A---- C:\RRT.exe
2010-09-10 10:46:42 ----A---- C:\windows-kb890830-v3.10.exe
2010-09-10 10:37:37 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-09-10 10:25:44 ----A---- C:\mbam-setup-1.46.exe
2010-09-09 21:13:33 ----D---- C:\Program Files\ScreensCorner
2010-09-09 21:10:17 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\F832026839C24D90DCA66DDA23328DF5
2010-09-06 22:51:07 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\calibre
2010-09-06 21:48:43 ----D---- C:\Program Files\Calibre2
2010-09-06 17:51:03 ----D---- C:\Program Files\iPod
2010-09-06 17:50:57 ----D---- C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-09-06 17:43:23 ----D---- C:\Program Files\QuickTime
2010-09-06 17:14:43 ----D---- C:\Program Files\Bonjour

======List of files/folders modified in the last 1 months======

2010-09-27 22:42:20 ----D---- C:\WINDOWS\Prefetch
2010-09-27 17:37:57 ----D---- C:\WINDOWS\system32\drivers\Avg
2010-09-27 10:21:36 ----RD---- C:\Program Files
2010-09-27 10:09:30 ----D---- C:\Program Files\Mozilla Firefox
2010-09-26 20:22:01 ----D---- C:\WINDOWS\Temp
2010-09-26 18:22:00 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-09-26 12:54:22 ----D---- C:\WINDOWS\Microsoft.NET
2010-09-26 12:54:17 ----RSD---- C:\WINDOWS\assembly
2010-09-26 12:25:48 ----SHD---- C:\System Volume Information
2010-09-26 12:25:48 ----D---- C:\WINDOWS\system32\Restore
2010-09-26 11:47:29 ----D---- C:\WINDOWS\system32\ias
2010-09-26 11:46:50 ----D---- C:\WINDOWS
2010-09-26 11:38:08 ----SHD---- C:\WINDOWS\Installer
2010-09-26 11:37:21 ----D---- C:\WINDOWS\system32
2010-09-26 11:37:21 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-09-26 11:37:10 ----D---- C:\WINDOWS\WinSxS
2010-09-26 11:34:24 ----RSD---- C:\WINDOWS\Fonts
2010-09-26 11:34:13 ----HD---- C:\WINDOWS\inf
2010-09-26 11:34:13 ----D---- C:\WINDOWS\system32\CatRoot2
2010-09-26 11:34:10 ----D---- C:\WINDOWS\system32\spool
2010-09-26 11:34:08 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-09-26 11:32:45 ----D---- C:\Program Files\Internet Explorer
2010-09-26 11:17:54 ----D---- C:\Program Files\Adobe
2010-09-26 11:14:55 ----SD---- C:\WINDOWS\Tasks
2010-09-26 11:07:15 ----D---- C:\WINDOWS\Help
2010-09-26 11:03:30 ----HD---- C:\WINDOWS\$hf_mig$
2010-09-26 11:03:11 ----A---- C:\WINDOWS\imsins.BAK
2010-09-26 11:02:59 ----D---- C:\WINDOWS\system32\config
2010-09-26 11:02:49 ----D---- C:\WINDOWS\Media
2010-09-26 10:49:26 ----A---- C:\WINDOWS\win.ini
2010-09-26 10:48:45 ----D---- C:\Program Files\Common Files\Microsoft Shared
2010-09-26 10:45:13 ----D---- C:\Program Files\Common Files\Adobe
2010-09-26 10:29:36 ----RASH---- C:\boot.ini
2010-09-26 10:29:36 ----A---- C:\WINDOWS\system.ini
2010-09-26 09:54:45 ----D---- C:\Program Files\Common Files
2010-09-26 09:41:40 ----D---- C:\Program Files\Java
2010-09-26 03:21:07 ----D---- C:\WINDOWS\system32\drivers
2010-09-25 14:47:09 ----SD---- C:\WINDOWS\Downloaded Program Files
2010-09-25 03:06:02 ----SD---- C:\Documents and Settings\All Users\Application Data\Microsoft
2010-09-24 20:07:18 ----D---- C:\WINDOWS\system32\CatRoot
2010-09-24 03:22:50 ----D---- C:\WINDOWS\system32\wbem
2010-09-24 03:22:50 ----D---- C:\WINDOWS\AppPatch
2010-09-24 03:22:49 ----D---- C:\WINDOWS\system32\Setup
2010-09-24 03:22:49 ----D---- C:\Program Files\Microsoft Silverlight
2010-09-24 03:15:08 ----D---- C:\Program Files\Messenger
2010-09-24 03:12:12 ----D---- C:\Program Files\Movie Maker
2010-09-24 03:05:41 ----D---- C:\Program Files\Outlook Express
2010-09-23 23:05:48 ----D---- C:\WINDOWS\system32\drivers\etc
2010-09-23 23:05:44 ----D---- C:\WINDOWS\Debug
2010-09-18 12:08:29 ----A---- C:\WINDOWS\NeroDigital.ini
2010-09-15 16:45:57 ----HDC---- C:\WINDOWS\$NtUninstallQ329441$
2010-09-14 20:36:16 ----HDC---- C:\WINDOWS\$NtUninstallKB823559$
2010-09-13 13:15:07 ----D---- C:\WINDOWS\Minidump
2010-09-13 10:00:45 ----D---- C:\WINDOWS\EHome
2010-09-13 06:57:45 ----HDC---- C:\WINDOWS\$NtUninstallKB954708$
2010-09-12 20:24:41 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\Dropbox
2010-09-12 10:40:48 ----D---- C:\WINDOWS\pss
2010-09-10 20:37:31 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\uTorrent
2010-09-10 17:52:32 ----A---- C:\WINDOWS\ntbtlog.txt
2010-09-10 14:59:34 ----D---- C:\Documents and Settings
2010-09-10 00:52:55 ----D---- C:\WINDOWS\Registration
2010-09-08 16:53:09 ----D---- C:\Documents and Settings\All Users\Application Data\Apple
2010-09-07 22:43:58 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\NewsBin
2010-09-06 21:01:13 ----D---- C:\Documents and Settings\Todd Bainbridge\Application Data\Apple Computer
2010-09-06 17:52:10 ----D---- C:\Program Files\iTunes
2010-09-06 17:51:01 ----D---- C:\Program Files\Common Files\Apple
2010-09-06 17:21:09 ----DC---- C:\WINDOWS\system32\DRVSTORE
2010-09-06 17:19:56 ----D---- C:\WINDOWS\system32\ReinstallBackups
2010-09-04 21:01:05 ----D---- C:\Program Files\uTorrent
2010-09-02 13:54:44 ----A---- C:\WINDOWS\AviSplitter.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R0 ohci1394;OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\System32\DRIVERS\ohci1394.sys [2004-08-04 61056]
R0 sbp2port;SBP-2 Transport/Protocol Bus Driver; C:\WINDOWS\system32\DRIVERS\sbp2port.sys [2004-08-04 43136]
R0 uagp35;Microsoft AGPv3.5 Filter; C:\WINDOWS\System32\DRIVERS\uagp35.sys [2004-08-04 44672]
R0 viasraid;viasraid; C:\WINDOWS\system32\DRIVERS\viasraid.sys [2003-10-30 77312]
R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-04 37376]
R1 AvgLdx86;AVG Free AVI Loader Driver x86; C:\WINDOWS\System32\Drivers\avgldx86.sys [2010-07-15 216400]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86; C:\WINDOWS\System32\Drivers\avgmfx86.sys [2010-06-02 29584]
R1 AvgTdiX;AVG Free Network Redirector; C:\WINDOWS\System32\Drivers\avgtdix.sys [2010-07-15 243024]
R1 raddrvv3;raddrvv3; \??\C:\WINDOWS\System32\rserver30\raddrvv3.sys []
R1 SASDIFSV;SASDIFSV; \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS []
R1 SASKUTIL;SASKUTIL; \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS []
R2 fssfltr;FssFltr; C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys [2009-08-05 54752]
R2 RACDriver;RAC driver; \??\C:\Program Files\PCNetSoftware\RAC Server\RACDriver.sys []
R3 aeaudio;aeaudio; C:\WINDOWS\system32\drivers\aeaudio.sys [2002-04-01 4816]
R3 BCM43XX;Wireless-G PCI Adapter Driver; C:\WINDOWS\System32\DRIVERS\bcmwl5.sys [2003-07-17 265728]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2009-05-18 26600]
R3 ltmodem5;LT Modem Driver; C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys [2004-08-04 606684]
R3 mirrorv3;mirrorv3; C:\WINDOWS\System32\DRIVERS\rminiv3.sys [2006-11-01 3328]
R3 MODEMCSA;Unimodem Streaming Filter Device; C:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\System32\DRIVERS\nic1394.sys [2004-08-04 61824]
R3 nv;nv; C:\WINDOWS\System32\DRIVERS\nv4_mini.sys [2007-04-19 3988384]
R3 RDPDISPM;RDPDISPM; C:\WINDOWS\system32\DRIVERS\rdpdispm.sys [2009-05-28 9040]
R3 smwdm;smwdm; C:\WINDOWS\system32\drivers\smwdm.sys [2003-07-15 578368]
R3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\System32\DRIVERS\usbprint.sys [2004-08-04 25856]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\System32\DRIVERS\usbscan.sys [2004-08-04 15104]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-04 20480]
S0 cpnlbc;cpnlbc; C:\WINDOWS\System32\drivers\uckihb.sys []
S1 InCDPass;InCDPass; C:\WINDOWS\system32\drivers\InCDPass.sys []
S1 InCDRm;InCD Reader; C:\WINDOWS\system32\drivers\InCDRm.sys []
S2 ohdusb;Open Host Controller Miniport USB Driver (rev.d); \??\C:\WINDOWS\system32\drivers\ohdusb.sys []
S3 .arp1394;.arp1394; \* []
S3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\System32\DRIVERS\arp1394.sys []
S3 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\System32\DRIVERS\CCDECODE.sys [2004-08-04 17024]
S3 EL2000;3Com 3C2000x EtherLink XL Adapter; C:\WINDOWS\System32\DRIVERS\EL2K_XP.sys [2003-07-31 147456]
S3 grmnusb;grmnusb; C:\WINDOWS\system32\drivers\grmnusb.sys [2007-03-08 8320]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-04 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-04 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-04 10880]
S3 QCDonner;Logitech QuickCam Express; C:\WINDOWS\system32\DRIVERS\OVCD.sys [2001-08-17 28032]
S3 RDPVDD;RDPVDD; C:\WINDOWS\system32\DRIVERS\rdpvmp.sys [2009-05-28 19392]
S3 rkhdrv40;Rootkit Unhooker Driver; C:\WINDOWS\system32\drivers\rkhdrv40.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-04 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-04 15360]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2010-04-19 41984]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\System32\DRIVERS\usbccgp.sys [2004-08-04 31616]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS [2004-08-04 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-04 19328]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]
S4 InCDFs;InCD File System; C:\WINDOWS\system32\drivers\InCDFs.sys []
S4 sptd;sptd; C:\WINDOWS\System32\Drivers\sptd.sys [2008-12-03 716272]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-08-13 144672]
R2 avg9wd;AVG Free WatchDog; C:\Program Files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-07-27 345376]
R2 CarboniteService;CarboniteService; C:\Program Files\Carbonite\Carbonite Backup\carboniteservice.exe [2010-06-28 2977936]
R2 Diskeeper;Diskeeper; C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe [2007-10-16 1094936]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-09-26 153376]
R2 NoIPDUCService;NoIPDUCService; C:\Program Files\No-IP\DUC20.exe [2010-03-21 1172992]
R2 NVSvc;NVIDIA Display Driver Service; C:\WINDOWS\system32\nvsvc32.exe [2007-04-19 159810]
R2 OrbMediaService;OrbMediaService; C:\Program Files\Orb Networks\Orb\bin\OrbMediaService.exe [2010-06-29 36352]
R2 PCNetSoftware RAC Server;PCNetSoftware RAC Server; C:\Program Files\PCNetSoftware\RAC Server\RACs.exe [2007-11-20 3186688]
R2 RServer3;Radmin Server V3; C:\WINDOWS\System32\rserver30\RServer3.exe [2007-02-02 1235032]
R2 SeaPort;SeaPort; C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R2 SoundMAX Agent Service (default);SoundMAX Agent Service; C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe [2002-09-20 45056]
R2 StarWindServiceAE;StarWind AE Service; C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe [2007-05-28 275968]
R2 WinVNC4;VNC Server Version 4; C:\Program Files\RealVNC\VNC4\WinVNC4.exe [2008-10-15 439632]
R2 wlcrasvc;Live Mesh Remote Desktop; C:\Program Files\Live Mesh\Remote Desktop\wlcrasvc.exe [2009-05-28 44880]
S2 gupdate;Google Update Service (gupdate); C:\Program Files\Google\Update\GoogleUpdate.exe [2010-02-11 135664]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FLEXnet Licensing Service;FLEXnet Licensing Service; C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [2009-10-09 651720]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; c:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 fsssvc;Windows Live Family Safety Service; C:\Program Files\Windows Live\Family Safety\fsssvc.exe [2009-08-05 704864]
S3 idsvc;Windows CardSpace; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-09-01 820008]
S3 nosGetPlusHelper;getPlus® Helper 3004; C:\WINDOWS\System32\svchost.exe [2004-08-04 14336]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; c:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]

-----------------EOF-----------------

Info.txt:
_______________

info.txt logfile of random's system information tool 1.08 2010-09-27 22:42:36

======Uninstall list======

-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent-->"C:\Program Files\uTorrent\uninstall.exe"
Adobe Acrobat 9 Pro Extended - English, Français, Deutsch-->msiexec /I {AC76BA86-1033-F400-7761-000000000004}
Adobe Download Manager-->"C:\WINDOWS\system32\rundll32.exe" "C:\Program Files\NOS\bin\getPlus_Helper_3004.dll",Uninstall /IE2883E8F-472F-4fb0-9522-AC9BF37916A7 /Get1
Adobe Flash Player 10 Plugin-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10k_Plugin.exe -maintain plugin
Adobe Flash Player 9 ActiveX-->C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 9.3.4-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A93000000001}
Antivirus 2010-->\\.\globalroot\systemroot\system32\us?rinit.exe /uninstall
AoA MP4 Patch 1.0-->"C:\Program Files\AoA MP4 Patch\unins000.exe"
Apple Application Support-->MsiExec.exe /I{DAEAFD68-BB4A-4507-A241-C8804D2EA66D}
Apple Mobile Device Support-->MsiExec.exe /I{CCA1EEA3-555E-4D05-AC46-4B49C6C5D887}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
Araxis Merge v6.5-->MsiExec.exe /I{92AE1738-9196-4D65-B773-2C07C16C7DB8}
Avex Video Converter Platinum (remove only)-->"C:\Program Files\Avex\Avex Video Converter Platinum\bt-uninst.exe"
AVG Free 9.0-->C:\Program Files\AVG\AVG9\setup.exe /UNINSTALL
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour-->MsiExec.exe /X{FF1C31AE-0CDC-40CE-AB85-406F8B70D643}
calibre-->MsiExec.exe /I{9F875DF5-B60F-4326-96AE-0162E0F3BFE4}
Carbonite-->C:\Program Files\Carbonite\Carbonite Backup\CarboniteSetup.exe /remove
ClearType Tuning Control Panel Applet-->MsiExec.exe /I{C9E4932C-8417-4E4C-A0E3-EE534810AB4D}
Cucusoft Ultimate DVD + Video Converter Suite 7.13.7.7-->"C:\Program Files\Cucusoft\Ultimate-Converter\unins000.exe"
Diskeeper 2008 Pro Premier-->MsiExec.exe /X{67A48ED5-0B6A-470A-995C-B8F1942E8AB9}
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
ESET Online Scanner v3-->C:\Program Files\ESET\ESET Online Scanner\OnlineScannerUninstaller.exe
Eudora-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0A61D363-7D07-4321-BDB5-076D5080D93E}\setup.exe" -l0x9
EVGA Display Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{BEF3EFE7-5159-436D-9BF0-CCC633179EB4}\Setup.exe" -l0x9 -removeonly
Garmin City Navigator North America NT 2008 Update-->MsiExec.exe /X{96AF271A-43B5-4615-8D00-26B45EE58FC8}
Garmin Training Center 3.4.3-->MsiExec.exe /X{CEAEEFA6-DEBC-4B16-8F04-84C81440CA32}
Google Earth Plug-in-->MsiExec.exe /X{171E6C1E-B5FC-11DF-B115-005056C00008}
Google Earth-->MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
Handbrake 0.9.4-->C:\Program Files\Handbrake\uninst.exe
Hard Disk Low Level Format Tool 2.36 build 1181-->"C:\Program Files\HDDGURU LLF Tool\unins000.exe"
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows Media Format 11 SDK (KB929399)-->"C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Player 11 (KB939683)-->"C:\WINDOWS\$NtUninstallKB939683$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB926239)-->"C:\WINDOWS\$NtUninstallKB926239$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB954708)-->"C:\WINDOWS\$NtUninstallKB954708$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
iTunes Library Updater-->MsiExec.exe /I{C4C6B666-FF40-4077-8D37-1A605E9818A3}
iTunes-->MsiExec.exe /I{350FB27C-CF62-4EF3-AF9D-70FF313FE221}
Java™ 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216021FF}
Junk Mail filter update-->MsiExec.exe /I{E2DFE069-083E-4631-9B6C-43C48E991DE5}
LaserJet 1020 series-->C:\Program Files\Zenographics\{0B91BE98-8C52-4EC7-A967-3113A3BF15B3}\SETUP.EXE -u "HPLJInstaller.dll=Hpl_1020.inf"
Last.fm 1.5.4.24567-->"C:\Program Files\Last.fm\unins000.exe"
Live Mesh-->MsiExec.exe /X{DCB4E1D9-B187-4B54-971E-1478485C9A53}
Magic ISO Maker v5.5 (build 0272)-->C:\PROGRA~1\MagicISO\UNWISE.EXE C:\PROGRA~1\MagicISO\INSTALL.LOG
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
MapSource - MetroGuide USA-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Garmin\Setup\MGUSA\setup.exe" AddRemove
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft Choice Guard-->MsiExec.exe /X{F0E12BBA-AD66-4022-A453-A1C8A0C4D570}
Microsoft Compression Client Pack 1.0 for Windows XP-->"C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Money Shared Libraries-->MsiExec.exe /X{5F00DF7E-418B-4CD9-8EC5-781156BCC49E}
Microsoft Office Live Add-in 1.3-->MsiExec.exe /I{57F0ED40-8F11-41AA-B926-4A66D0D1A9CC}
Microsoft Office Outlook Connector-->MsiExec.exe /I{95120000-0122-0409-0000-0000000FF1CE}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Search Enhancement Pack-->MsiExec.exe /I{9C9CEB9D-53FD-49A7-85D2-FE674F72F24E}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU]-->MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft Sync Framework Runtime Native v1.0 (x86)-->MsiExec.exe /I{8A74E887-8F0F-4017-AF53-CBA42211AAA5}
Microsoft Sync Framework Services Native v1.0 (x86)-->MsiExec.exe /I{BD64AF4A-8C80-4152-AD77-FCDDF05208AB}
Microsoft User-Mode Driver Framework Feature Pack 1.0-->"C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{837b34e3-7c30-493c-8f6a-2b0f04e2912c}
MobileMe Control Panel-->MsiExec.exe /I{3AC54383-31D1-4907-961B-B12CBB1D0AE8}
Mozilla Firefox (3.6.10)-->C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSVCRT-->MsiExec.exe /I{22B775E7-6C42-4FC5-8E10-9A5E3257BD94}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
MSXML 6.0 Parser (KB933579)-->MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
MusicBrainz Picard-->C:\Program Files\MusicBrainz Picard\uninst.exe
Nero 7 Ultra Edition-->MsiExec.exe /I{4781569D-5404-1F26-4B2B-6DF444441031}
NewsBin Pro 4.3-->C:\Program Files\newsbinpro432\uninst-nbpro.exe
NewsBin Pro-->C:\Program Files\NewsBin5\uninst.exe
No-IP.com DUC (remove only)-->"C:\Program Files\No-IP\DUC20.exe" -uninstall
Notepad++-->C:\Program Files\Notepad++\uninstall.exe
Orb Runtime libraries-->MsiExec.exe /I{2133CB3F-F891-4081-8681-FEE2B2419FF4}
Orb-->"C:\Program Files\Orb Networks\Orb\uninstall.exe"
OrderReminder HP LaserJet 1020-->"C:\Program Files\Hewlett-Packard\OrderReminder\uninstall\hpuninstaller.exe" hp_LaserJet_1020
PFPortChecker 1.0.32-->C:\Program Files\PFPortChecker\uninst.exe
PowerDVD-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PTDD Partition Table Doctor 3.5-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A35F88E5-A813-400C-AB99-09F5F5CDD2EC}\setup.exe" -l0x9 -removeonly
QuickPar 0.9-->C:\Program Files\QuickPar\uninst.exe
QuickTime-->MsiExec.exe /I{EB900AF8-CC61-4E15-871B-98D1EA3E8025}
Radmin Server 3.0-->MsiExec.exe /X{AAD51583-6D43-4444-A1FF-0C8345345526}
Radmin Viewer 3.4-->MsiExec.exe /X{2517B7EA-6C03-4D86-A1B1-F3FE1C3BC03B}
ratDVD 0.78.1444-->C:\Program Files\ratDVD\uninst.exe
Remote Administrator Control Server 3.3.1-->"C:\Program Files\PCNetSoftware\RAC Server\unins000.exe"
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB952069)-->"C:\WINDOWS\$NtUninstallKB952069_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB954155)-->"C:\WINDOWS\$NtUninstallKB954155_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB973540)-->"C:\WINDOWS\$NtUninstallKB973540_WM9L$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB978695)-->"C:\WINDOWS\$NtUninstallKB978695_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player 11 (KB954154)-->"C:\WINDOWS\$NtUninstallKB954154_WM11$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB941569)-->"C:\WINDOWS\$NtUninstallKB941569$\spuninst\spuninst.exe"
Security Update for Windows XP (KB944338-v2)-->"C:\WINDOWS\$NtUninstallKB944338-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB946648)-->"C:\WINDOWS\$NtUninstallKB946648$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950760)-->"C:\WINDOWS\$NtUninstallKB950760$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958470)-->"C:\WINDOWS\$NtUninstallKB958470$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971032)-->"C:\WINDOWS\$NtUninstallKB971032$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980195)-->"C:\WINDOWS\$NtUninstallKB980195$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981350)-->"C:\WINDOWS\$NtUninstallKB981350$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982381)-->"C:\WINDOWS\$NtUninstallKB982381$\spuninst\spuninst.exe"
Segoe UI-->MsiExec.exe /I{A1F66FC9-11EE-4F2F-98C9-16F8D1E69FB7}
Simple Port Tester-->"C:\WINDOWS\Simple Port Tester\uninstall.exe" "/U:C:\Program Files\Simple Port Tester\Uninstall\uninstall.xml"
SoulSeek Client 156c-->"C:\Program Files\Soulseek\uninstall.exe"
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spybot - Search & Destroy-->"C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SUPERAntiSpyware-->"C:\Program Files\SUPERAntiSpyware\Uninstall.exe"
tagtraum industries beaTunes 1.1.5-->"C:\Program Files\beaTunes\beaTunes-1.1.5\uninst.exe"
Update for Windows XP (KB898461)-->"C:\WINDOWS\$NtUninstallKB898461$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB961503)-->"C:\WINDOWS\$NtUninstallKB961503$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VIA Integrated Setup Wizard-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9497EBAA-87AD-41E6-8ED6-E1E52995A76C}
Videora iPhone Converter 3.08-->C:\Program Files\Video Converter 3\uninstaller.exe
Vio Video Converter 1.0-->C:\Program Files\Vio Video Converter\Uninst.exe
VLC media player 0.9.8a-->C:\Program Files\VideoLAN\VLC\uninstall.exe
VNC Free Edition 4.1.3-->"C:\Program Files\RealVNC\VNC4\unins000.exe"
Windows Essentials Media Codec Pack 1.0-->C:\Program Files\Essentials Codec Pack\uninst.exe
Windows Imaging Component-->"C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer 3.1 (KB893803)-->"C:\WINDOWS\$MSI31Uninstall_KB893803v2$\spuninst\spuninst.exe"
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows Live Call-->MsiExec.exe /I{F6BD194C-4190-4D73-B1B1-C48C99921BFE}
Windows Live Communications Platform-->MsiExec.exe /I{ED00D08A-3C5F-488D-93A0-A04F21F23956}
Windows Live Essentials-->C:\Program Files\Windows Live\Installer\wlarp.exe
Windows Live Essentials-->MsiExec.exe /I{81128EE8-8EAD-4DB0-85C6-17C2CE50FF71}
Windows Live Family Safety-->MsiExec.exe /X{139E303E-1050-497F-98B1-9AE87B15C463}
Windows Live Mail-->MsiExec.exe /I{6412CECE-8172-4BE5-935B-6CECACD2CA87}
Windows Live Messenger-->MsiExec.exe /X{A85FD55B-891B-4314-97A5-EA96C0BD80B5}
Windows Live Photo Gallery-->MsiExec.exe /X{D6C75F0B-3BC1-4FC9-B8C5-3F7E8ED059CA}
Windows Live Sign-in Assistant-->MsiExec.exe /I{45338B07-A236-4270-9A77-EBB4115517B5}
Windows Live Sync-->MsiExec.exe /X{84EBDF39-4B33-49D7-A0BD-EB6E2C4E81C1}
Windows Live Toolbar-->MsiExec.exe /X{995F1E2E-F542-4310-8E1D-9926F5A279B3}
Windows Live Upload Tool-->MsiExec.exe /I{205C6BDD-7B73-42DE-8505-9A093F35A238}
Windows Live Writer-->MsiExec.exe /X{178832DE-9DE0-4C87-9F82-9315A9B03985}
Windows Media Format 11 runtime-->"C:\Program Files\Windows Media Player\wmsetsdk.exe" /UninstallAll
Windows Media Format 11 runtime-->"C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Player 11-->"C:\Program Files\Windows Media Player\Setup_wm.exe" /Uninstall
Windows Media Player 11-->"C:\WINDOWS\$NtUninstallwmp11$\spuninst\spuninst.exe"
Windows Media Player Firefox Plugin-->MsiExec.exe /I{69FDFBB6-351D-4B8C-89D8-867DC9D0A2A4}
Windows XP Service Pack 2-->C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
Xvid 1.2.1 final uninstall-->"C:\Program Files\Xvid\unins000.exe"

======Security center information======

AV: AVG Anti-Virus Free

======System event log======

Computer Name: SYSTEM
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service CarboniteService with arguments ""
in order to run the server:
{36471C67-6A93-4434-92CC-4C614CD06666}

Record Number: 4204
Source Name: DCOM
Time Written: 20100910140231.000000-240
Event Type: error
User: SYSTEM\Todd Bainbridge

Computer Name: SYSTEM
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service CarboniteService with arguments ""
in order to run the server:
{36471C67-6A93-4434-92CC-4C614CD06666}

Record Number: 4203
Source Name: DCOM
Time Written: 20100910140231.000000-240
Event Type: error
User: SYSTEM\Todd Bainbridge

Computer Name: SYSTEM
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service CarboniteService with arguments ""
in order to run the server:
{36471C67-6A93-4434-92CC-4C614CD06666}

Record Number: 4202
Source Name: DCOM
Time Written: 20100910140231.000000-240
Event Type: error
User: SYSTEM\Todd Bainbridge

Computer Name: SYSTEM
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service CarboniteService with arguments ""
in order to run the server:
{36471C67-6A93-4434-92CC-4C614CD06666}

Record Number: 4201
Source Name: DCOM
Time Written: 20100910140231.000000-240
Event Type: error
User: SYSTEM\Todd Bainbridge

Computer Name: SYSTEM
Event Code: 10005
Message: DCOM got error "%1084" attempting to start the service CarboniteService with arguments ""
in order to run the server:
{36471C67-6A93-4434-92CC-4C614CD06666}

Record Number: 4200
Source Name: DCOM
Time Written: 20100910140231.000000-240
Event Type: error
User: SYSTEM\Todd Bainbridge

=====Application event log=====

Computer Name: SYSTEM
Event Code: 20
Message:
Record Number: 2122
Source Name: Google Update
Time Written: 20100916232205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SYSTEM
Event Code: 20
Message:
Record Number: 2121
Source Name: Google Update
Time Written: 20100916222205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SYSTEM
Event Code: 20
Message:
Record Number: 2120
Source Name: Google Update
Time Written: 20100916212205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SYSTEM
Event Code: 20
Message:
Record Number: 2119
Source Name: Google Update
Time Written: 20100916202205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

Computer Name: SYSTEM
Event Code: 20
Message:
Record Number: 2118
Source Name: Google Update
Time Written: 20100916192205.000000-240
Event Type: error
User: NT AUTHORITY\SYSTEM

======Environment variables======

"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\PROGRA~1\DISKEE~1\DISKEE~1;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Calibre2
"windir"=%SystemRoot%
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=6
"PROCESSOR_IDENTIFIER"=x86 Family 6 Model 10 Stepping 0, AuthenticAMD
"PROCESSOR_REVISION"=0a00
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"FP_NO_HOST_CHECK"=NO
"asl.log"=Destination=file
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip

-----------------EOF-----------------

#14 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:05:53 AM

Posted 27 September 2010 - 10:27 PM

Go into your Add/Remove and try to uninstall Antivirus 2010. Let me know what happens. I have a test coming up in a couple of days and so it probably will be tomorrow evening when I can get back with you.
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you
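A way to do the same lookup from the RSIT log already posted in this thread rather than clicking through Add/Remove, as an added example (this is not code from the thread, from thewall, or from the RSIT tool): the script below parses the "DisplayName-->UninstallString" lines of the "Installed programs" section, finds an entry by name, and works out the command that removes it. The sample input is constructed: all lines but one are copied from the log above, and the "Antivirus 2010" line is an assumption of what the rogue entry might look like (its path is invented). The function names and the "uninstaller under a user profile" heuristic are this example's own, not RSIT's.

```python
"""Look up Add/Remove Programs entries in a pasted RSIT log.

Added example for this thread; it is not code from the original post or
from RSIT.  It parses the "Installed programs" section (one
"DisplayName-->UninstallString" per line, the format of the log above),
finds an entry by name and works out the command that removes it.
"""
import re
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # (display name, uninstall string as logged)

# Constructed sample input.  All lines but one are copied from the log in
# this thread; the "Antivirus 2010" line is an assumption of what the rogue
# entry thewall refers to might look like (rogue AVs of this era usually
# installed under the user profile).
SAMPLE_LOG = r"""
======Installed programs======

Antivirus 2010-->"C:\Documents and Settings\user\Application Data\av2010\uninstall.exe"
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Java(TM) 6 Update 21-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216021FF}
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Radmin Server 3.0-->MsiExec.exe /X{AAD51583-6D43-4444-A1FF-0C8345345526}
VNC Free Edition 4.1.3-->"C:\Program Files\RealVNC\VNC4\unins000.exe"

======Security center information======

AV: AVG Anti-Virus Free
"""

SECTION_RE = re.compile(r"^={3,}(.+?)={3,}$")
# MsiExec.exe /I{...} (install/modify) or /X{...} (uninstall); capture the code.
MSI_RE = re.compile(r"msiexec(?:\.exe)?\s+/[ix]\s*(\{[0-9a-f-]{36}\})", re.I)
# Heuristic: an uninstaller under a user profile instead of Program Files
# or %SystemRoot% is a common rogue-software tell and worth a second look.
PROFILE_RE = re.compile(
    r"\\(Documents and Settings|Users)\\[^\\]+\\(Application Data|Local Settings|AppData)",
    re.I,
)


def parse_installed_programs(log: str) -> List[Entry]:
    """Return (name, uninstall string) pairs from the Installed programs
    section.  A fragment pasted without any section header is parsed whole."""
    entries: List[Entry] = []
    in_section: Optional[bool] = None  # None: no section header seen yet
    for line in log.splitlines():
        stripped = line.strip()
        header = SECTION_RE.match(stripped)
        if header:
            in_section = header.group(1).strip().lower() == "installed programs"
            continue
        if in_section is not False and "-->" in stripped:
            name, cmd = stripped.split("-->", 1)
            entries.append((name.strip(), cmd.strip()))
    return entries


def find_programs(entries: List[Entry], needle: str) -> List[Entry]:
    """Case-insensitive substring match on the display name."""
    needle = needle.lower()
    return [e for e in entries if needle in e[0].lower()]


def msi_product_code(uninstall_string: str) -> Optional[str]:
    """Windows Installer product code ({GUID}) if the entry is MSI-based."""
    m = MSI_RE.search(uninstall_string)
    return m.group(1).upper() if m else None


def uninstall_command(entry: Entry) -> str:
    """Command that removes the entry.  The log shows some MSI packages with
    the /I (modify) switch; /x with the same product code uninstalls them.
    Non-MSI entries are run exactly as logged."""
    code = msi_product_code(entry[1])
    return f"msiexec /x {code}" if code else entry[1]


def flag_profile_uninstallers(entries: List[Entry]) -> List[Entry]:
    """Entries whose uninstaller lives under a user profile (see PROFILE_RE)."""
    return [e for e in entries if PROFILE_RE.search(e[1])]


if __name__ == "__main__":
    programs = parse_installed_programs(SAMPLE_LOG)
    for hit in find_programs(programs, "antivirus 2010"):
        print(f"{hit[0]}: {uninstall_command(hit)}")
    for hit in flag_profile_uninstallers(programs):
        print(f"uninstaller under a user profile: {hit[0]} -> {hit[1]}")
```

Run it on a saved copy of the log from the clean PC; it never touches the infected machine. The uninstall string it prints for a rogue entry is only useful as a pointer to where the thing lives: on an infected box the "uninstaller" is the malware's own binary, so treat the path as something to check and quarantine, not something to execute.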

#15 eyedoctodd

eyedoctodd
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  • Local time:05:53 AM

Posted 27 September 2010 - 10:30 PM

Will do right now.

Thanks for the heads up and good luck on your test!!
