# Browser redirect and multiple mshta processes



## mike2956 (Dec 6, 2010)

I need assistance please!

Had an attack of ThinkPoint and used guidance from bleeping computer to clear that up, then Malwarebytes found Zefarch so I followed Symantec advice to clear that up.

tdsskiller, rkill, malwarebytes, Symantec AV and Spybot all find nothing and yet I still have problems.

Occasional redirection, particularly from Google searches; Windows Explorer bombs; I get a firewall message saying that explorer is trying to make contact, and Task Manager shows many instances of mshta running.

I have followed the instructions in the sticky, with the exception that I can not get GMER to complete a full scan and produce a log file; it runs for ten minutes or so, then the PC freezes. attach.txt is attached and the HJT and DDS logs are pasted below.

Thanks in anticipation

Mike

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 23:15:51, on 05/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FREEIN~1\Clearpch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scan.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [nonep] C:\DOCUME~1\Mike\LOCALS~1\Temp\tmp225a58b0\KillEXE.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [Igeyoqu] rundll32.exe "C:\WINDOWS\epinerp.dll",Startup
O4 - HKCU\..\Run: [{24C4E14A-76E2-82F4-60F0-D7298167A66A}] "C:\Documents and Settings\Mike\Application Data\Wuaw\kyix.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino USD - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino USD - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://rack1.expertagent.co.uk/asp/ScriptX.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {73888E2B-FF04-416C-8847-984D7FC4507F} (RtspVaPgCtrlNew2 Class) - http://60.248.39.149:1025/RtspVaPgDecNew2.cab
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - 
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E517EEC-6457-48FC-8B73-B7C737EA5E23}: NameServer = 8.8.8.8,8.8.4.4
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9eba46d592d6) (gupdate1c9eba46d592d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IsposureAgent (isposure_svc) - Epitiro Ltd. - C:\Program Files\isposure\IsposureAgent.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SyncThru Web Admin Service (SWAS_Core) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
O23 - Service: SyncThru Web Admin Service Driver Management (SWAS_Srv_DriverManagement) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 11522 bytes

DDS (Ver_10-11-10.01) - NTFSx86 
Run by Mike at 23:19:09.54 on 05/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.1208 [GMT 0:00]
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\WINDOWS\System32\svchost.exe -k Akamai
C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\FREEIN~1\Clearpch.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\isposure\IsposureAgent.exe
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Mike\My Documents\My received files\dds.pif
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Free Internet Window Washer] c:\progra~1\freein~1\Clearpch.exe -Start
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [Igeyoqu] rundll32.exe "c:\windows\epinerp.dll",Startup
uRun: [{24C4E14A-76E2-82F4-60F0-D7298167A66A}] "c:\documents and settings\mike\application data\wuaw\kyix.exe"
mRun: [VTTimer] VTTimer.exe
mRun: [S3Trayp] S3trayp.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [EEventManager] c:\program files\epson\creativity suite\event manager\EEventManager.exe
mRun: [DataCardMonitor] c:\program files\virgin mobile\broadband home\DataCardMonitor.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [nonep] c:\docume~1\mike\locals~1\temp\tmp225a58b0\KillEXE.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ndasde~1.lnk - c:\program files\ndas\system\ndasmgmt.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} - hxxp://rack1.expertagent.co.uk/asp/ScriptX.cab
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F} - hxxp://60.248.39.149:1025/RtspVaPgDecNew2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
DPF: {CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-0000-0000-0000-000000000000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} - hxxp://driveragent.com/files/driveragent.cab
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Hosts: 127.0.0.1 www.spywareinfo.com
============= SERVICES / DRIVERS ===============

=============== File Associations ===============
.scr=DWGTrueViewScriptFile
=============== Created Last 30 ================

==================== Find3M ====================

=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS72251 rev.V33O -> Harddisk0\DR0 -> \Device\Scsi\viamraid1 
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B0AF555]<< 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b0b57b0]; MOV EAX, [0x8b0b582c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8B26EAB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007e[0x8B26F920]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007d[0x8B27C920]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8B26FA38]
\Driver\viamraid[0x8B278D90] -> IRP_MJ_CREATE -> 0x8B0AF555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\viamraid1Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_HDS72251&Prod_2VLSA80&Rev_V33O#4&885740&1&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
============= FINISH: 23:20:38.89 ===============


----------
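The indicators a helper reads off the HijackThis log above by eye (the run of mshta.exe processes, the IE proxy pointed at 127.0.0.1:5577, Run entries under Temp and Application Data, a rundll32 line loading a DLL straight from C:\WINDOWS) can be checked mechanically. The script below is an added example, not part of the thread and not a HijackThis feature; its thresholds, the `Finding` record and the pattern names are this example's own assumptions, and its sample log is constructed from lines quoted in the post above.

```python
"""Heuristic triage of a HijackThis-style log (added example, not from the thread)."""
import re
from collections import Counter, namedtuple

Finding = namedtuple("Finding", "kind detail")

# Constructed sample: a handful of lines quoted from the log posted above,
# cut down so the output is easy to follow.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.4
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\System32\mshta.exe
C:\WINDOWS\system32\rundll32.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5577
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [nonep] C:\DOCUME~1\Mike\LOCALS~1\Temp\tmp225a58b0\KillEXE.exe
O4 - HKCU\..\Run: [Igeyoqu] rundll32.exe "C:\WINDOWS\epinerp.dll",Startup
O4 - HKCU\..\Run: [{24C4E14A-76E2-82F4-60F0-D7298167A66A}] "C:\Documents and Settings\Mike\Application Data\Wuaw\kyix.exe"
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E517EEC-6457-48FC-8B73-B7C737EA5E23}: NameServer = 8.8.8.8,8.8.4.4
"""

# Tuning below is this example's own; HijackThis itself applies no such rules.
PROCESS_FLOOD_THRESHOLD = 3  # copies of one image before it is flagged
ENTRY = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUN_ENTRY = re.compile(r"^HK[^\[]*\\Run: \[([^\]]+)\]\s*(.*)$")
USER_WRITABLE = re.compile(
    r"\\(Temp|Application Data|Local Settings|Documents and Settings|DOCUME~1|LOCALS~1)\\", re.I)
GUID_NAME = re.compile(r"^\{[0-9A-F-]{36}\}$", re.I)
LOCAL_HOST = re.compile(r"\b(127\.0\.0\.1|localhost)\b", re.I)
WINDIR_DLL = re.compile(r'"?c:\\windows\\[^\\"]+\.dll"?', re.I)  # DLL directly in %WINDIR%


def parse_log(text):
    """Split a HijackThis log into running-process paths and (code, body) entries."""
    processes, entries, in_processes = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        m = ENTRY.match(line)
        if m:
            in_processes = False
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def triage(text):
    """Apply the heuristics to one log and return the findings in log order."""
    processes, entries = parse_log(text)
    findings = []

    # 1. Many copies of one image: the posted log shows dozens of mshta.exe.
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for image, n in counts.items():
        if n >= PROCESS_FLOOD_THRESHOLD:
            findings.append(Finding("PROCESS_FLOOD", f"{image} x{n}"))

    for code, body in entries:
        # 2. IE proxy pointed at the local host: browser traffic is looped
        #    through something else running on the machine.
        if code == "R1" and "ProxyServer" in body:
            value = body.split("=", 1)[1].strip()
            if LOCAL_HOST.search(value):
                findings.append(Finding("LOCAL_PROXY", value))
        if code != "O4":
            continue
        m = RUN_ENTRY.match(body)
        if not m:
            continue  # e.g. "Global Startup" entries, not handled here
        name, target = m.groups()
        # 3. Auto-start targets under user-writable paths, or GUID-named entries.
        if USER_WRITABLE.search(target):
            findings.append(Finding("RUN_FROM_USER_DIR", f"[{name}] {target}"))
        if GUID_NAME.match(name):
            findings.append(Finding("RUN_GUID_NAME", f"[{name}] {target}"))
        # 4. rundll32 loading a DLL dropped straight into %WINDIR% (not system32).
        if target.lower().startswith("rundll32") and WINDIR_DLL.search(target):
            findings.append(Finding("RUNDLL32_WINDIR_DLL", f"[{name}] {target}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:22} {f.detail}")
```

Each finding is a prompt to look closer, not a verdict: a loopback proxy is also how some filtering and privacy tools work, and GUID-named Run keys have legitimate installers behind them. What makes the posted log stand out is that several of these show up together on the same machine alongside the symptoms described.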



## mike2956 (Dec 6, 2010)

Bump

MB found 7 things Spybot found 3 both required reboot to fix, but on reboot windows xp will not load it gets part way then reboots. The only reboots that will work are safe mode and last known good configuration.

Windows Explorer encounters a problem and needs to close down but will run from Task Manager.

Task Manager shows Internet Explorer running processes but no window open.

Heeeeeelllllllllllllp!!!!!!!!!


Mike


----------



## dvk01 (Dec 14, 2002)

Delete any existing version of ComboFix you have sitting on your desktop
*Please read and follow all these instructions very carefully*
Download ComboFix from *Here* or *Here* to your Desktop.
*As you download it rename it to username123.exe*

***Note: It is important that it is saved directly to your desktop and run from the desktop and not any other folder on your computer***
--------------------------------------------------------------------
1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


*Very Important!* *Temporarily disable* your *anti-virus* and *anti-malware* real-time protection and any *script blocking components of them or your firewall* *before* performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause _"unpredictable results"_ or stop combofix running at all.
Click on *THIS LINK* to see instructions on how to temporarily disable many security programs while running combofix. The list does not cover every program. If yours is not listed and you don't know how to disable it, please ask.
*Remember to re-enable the protection again after combofix has finished*
--------------------------------------------------------------------
2. Close any open browsers and any other programs you might have running.
Double click on *combofix.exe* & follow the prompts.
If you are using Windows XP it might display a pop up saying that "Recovery console is not installed, do you want to install?"
Please select yes & let it download the files it needs to do this.
When finished, it will produce a report for you.
Please post the *"C:\ComboFix.txt"* for further review

*****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze *****

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply. Read HERE why we disable autoruns

*Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version. *

Please tell us if it has cured the problems or if there are any outstanding issues


----------



## mike2956 (Dec 6, 2010)

Thanks for joining the fray DVK01! Your assistance is appreciated

Ok so I did as instructed, turned off Symantec Corporate and Spybot and for that matter other stuff running in my system tray.

Downloaded and ran Combofix, it went through the following phases................

Message: not enough memory to complete the sort, but ran anyway!
Message: attempting to create a restore point.
Message: Recovery console not installed. So downloaded and installed it.
Message: Rootkit activity detected.
Windows shut down.
Windows rebooted. (first time that resort to last known good configuration was not required!)
Combofix then resumed scanning
Stages 1 and 2 completed
Message: PEV.cfxxe has encountered a problem and closed.
Then stages through to 39 or whatever were completed (sorry boredom and inattentiveness set in!)
Message: Preparing log report
Message: not enough memory to complete the sort, but ran anyway!

After combofix completed I was left with a blank screen (MS hill and sky) so ran task manager and from there ran explorer to enable me to shut down and reboot.

On booting

1/ Message: Firewall blocked features of internet explorer. Clicked on keep blocking. I had not asked IE to run!?

2/ turned on Symantec Corporate but it gave 2 messages: unable to create all windows and: Symantec AV could not open the dialog. Then Symantec encountered a problem and closed.

Ran Task Manager which showed 2 processes of IE even though no windows open so ended them

Then ran IE, which told me that it was not the default browser; I made it so, then did some browsing.

I searched on Google for "****" (sorry, first thing that came to mind, fascinating entry on Wikipedia!). Selected various search results from the Google list, some of which were obvious redirects such as ......
http://www.discountreview.co.uk/health-beauty/home-gym-equipment.html?refcode=264833&show=a
http://www.cgdiscountgolf.co.uk/FootJoy-DryJoys-Sport-Rain-Shirt-P1786.aspx?src=a&awc=1838_1291673175_712a023a19a5b4866b85e36e4cc529c2

Here follows Combofix log............
ComboFix 10-12-04.06 - Mike 06/12/2010 21:14:16.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2417 [GMT 0:00]
Running from: c:\documents and settings\Mike\My Documents\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\Mike\Application Data\Ebhyge\akbe.oby
c:\documents and settings\Mike\Application Data\inst.exe
c:\documents and settings\Mike\Application Data\install
c:\documents and settings\Mike\Application Data\Leos\nozee.buf
c:\documents and settings\Mike\Application Data\Musiro\usesa.exe
c:\documents and settings\Mike\Application Data\Olsev\bikil.exe
c:\documents and settings\Mike\Application Data\Paop\ebixu.okd
c:\documents and settings\Mike\Application Data\Paop\ebixu.tmp
c:\documents and settings\Mike\Application Data\Ynid\ysaqa.exe
c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}\chrome.manifest
c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}\chrome\content\_cfg.js
c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}\chrome\content\overlay.xul
c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}\install.rdf
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\epinerp.dll
c:\windows\system32\config\systemprofile\Application Data\Ipgi\lemo.muv
c:\windows\system32\config\systemprofile\Application Data\Ipgi\lemo.tmp
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\Drivers\jwujn.sys
c:\windows\system32\Drivers\kwievskq.sys
c:\windows\system32\Drivers\mclm.sys
c:\windows\system32\Drivers\oyshiyo.sys
c:\windows\system32\Drivers\pqflh.sys
c:\windows\system32\kernel.dll
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2010-11-06 to 2010-12-06 )))))))))))))))))))))))))))))))
.
2010-12-06 10:43 . 2010-12-06 10:43 -------- d-----w- c:\windows\Adobe32 ARM
2010-12-05 23:33 . 2010-12-05 23:33 -------- d-----w- c:\program files\JpZXpAtP
2010-12-05 23:29 . 2010-12-05 23:34 -------- d-----w- c:\program files\tmp
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-06 20:54 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Look@LAN\\LookAtHost.exe"=
"c:\\Program Files\\Look@LAN\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1041:TCP"= 1041:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface

R0 aec6710D;aec6710D;c:\windows\system32\DRIVERS\aec6710d.sys [2009-01-04 9248]
R1 SiSV;SiSV;c:\windows\system32\DRIVERS\SiSV.sys [2001-08-17 50432]
R2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 133104]
R3 S3G700;S3G700;c:\windows\system32\DRIVERS\S3G700m.sys [2005-10-15 792576]
R3 SavRoam;SavRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
S1 ndasfat;NDAS FAT;c:\windows\system32\DRIVERS\ndasfat.sys [2007-11-27 372584]
S2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe [2008-04-14 14336]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-02-08 34064]
S2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [2008-04-15 1449984]
S2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [2008-01-31 1060864]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [2003-02-24 6828]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F} - hxxp://60.248.39.149:1025/RtspVaPgDecNew2.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
- - - - ORPHANS REMOVED - - - -
Toolbar-Locked - (no file)
HKCU-Run-Igeyoqu - c:\windows\epinerp.dll
HKCU-Run-{24C4E14A-76E2-82F4-60F0-D7298167A66A} - c:\documents and settings\Mike\Application Data\Musiro\usesa.exe
HKLM-Run-Adobe32 ARM - c:\windows\Adobe32 ARM\rundll32.exe
SafeBoot-klmdb.sys
MSConfigStartUp-drpvxoks - c:\documents and settings\Mike\Local Settings\Application Data\letuydwxa\uexbarutssd.exe
MSConfigStartUp-flawqadw - c:\documents and settings\Mike\Local Settings\Application Data\nktomtvbo\fseipqgtssd.exe
MSConfigStartUp-Uniblue RegistryBooster 2 - c:\program files\Uniblue\RegistryBooster 2\RegistryBooster.exe

**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-06 21:25
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\Run?p?????9??[email protected]???????????????????????!???5?????????= 
scanning hidden files ...

c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe 67086 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HDS72251 rev.V33O -> Harddisk0\DR0 -> \Device\Scsi\viamraid1 
device: opened successfully
user: MBR read successfully
Disk trace:
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8B270555]<< 
c:\docume~1\Mike\LOCALS~1\Temp\catchme.sys 
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8b2767b0]; MOV EAX, [0x8b27682c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\Harddisk0\DR0[0x8B231AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007f[0x8B2BF920]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> \Device\0000007e[0x8B297920]
7 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EE130] -> [0x8B2BFA38]
\Driver\viamraid[0x8B28A600] -> IRP_MJ_CREATE -> 0x8B270555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Scsi\viamraid1Port2Path0Target0Lun0 -> \??\SCSI#Disk&Ven_HDS72251&Prod_2VLSA80&Rev_V33O#4&885740&1&000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user & kernel MBR OK 
Warning: possible TDL3 rootkit infection !
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(852)
c:\windows\system32\WININET.dll
- - - - - - - > 'lsass.exe'(912)
c:\windows\system32\WININET.dll
.
Completion time: 2010-12-06 21:29:26
ComboFix-quarantined-files.txt 2010-12-06 21:29
Pre-Run: 37,651,652,608 bytes free
Post-Run: 37,686,263,808 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
- - End Of File - - 799171A587E683CCD1574ABB4E43C12C


----------



## dvk01 (Dec 14, 2002)

next 
Run tdss killer from http://support.kaspersky.com/viruses/solutions?qid=208280684

post back with its log


----------



## mike2956 (Dec 6, 2010)

IE will not download from the link you provided. A window momentarily opens then disappears. I have an older version of TDSS killer on the desktop; this runs but finds nothing. I am not aware that it creates a log?

I will use another machine to download from the link you provided and transfer to this machine on a USB stick.

Mike


----------



## mike2956 (Dec 6, 2010)

Got it! I skipped awaiting your instruction to cure!

2010/12/07 21:16:20.0609 TDSS rootkit removing tool 2.4.10.1 Dec 2 2010 12:28:01
2010/12/07 21:16:20.0609 ================================================================================
2010/12/07 21:16:20.0609 SystemInfo:
2010/12/07 21:16:20.0609 
2010/12/07 21:16:20.0609 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/07 21:16:20.0609 Product type: Workstation
2010/12/07 21:16:20.0609 ComputerName: MIKES-COMPUTER
2010/12/07 21:16:20.0609 UserName: Mike
2010/12/07 21:16:20.0609 Windows directory: C:\WINDOWS
2010/12/07 21:16:20.0609 System windows directory: C:\WINDOWS
2010/12/07 21:16:20.0609 Processor architecture: Intel x86
2010/12/07 21:16:20.0609 Number of processors: 1
2010/12/07 21:16:20.0609 Page size: 0x1000
2010/12/07 21:16:20.0609 Boot type: Normal boot
2010/12/07 21:16:20.0609 ================================================================================
2010/12/07 21:16:20.0890 Initialize success
2010/12/07 21:16:26.0468 ================================================================================
2010/12/07 21:16:26.0468 Scan started
2010/12/07 21:16:26.0468 Mode: Manual; 
2010/12/07 21:16:26.0468 ================================================================================
2010/12/07 21:16:38.0484 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/12/07 21:16:38.0500 ================================================================================
2010/12/07 21:16:38.0500 Scan finished
2010/12/07 21:16:38.0500 ================================================================================
2010/12/07 21:16:38.0515 Detected object count: 1
2010/12/07 21:17:14.0109 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Skip


----------



## dvk01 (Dec 14, 2002)

do the cure & reboot 

Then that machine should connect OK, so run ComboFix again please so we can see what else needs cleaning up.


----------



## mike2956 (Dec 6, 2010)

Ran ComboFix again; it found c:\....\Monu\ciru.exe. Here is the log:

ComboFix 10-12-07.03 - Mike 08/12/2010 9:33.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2524 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Adobe\plugs
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
c:\documents and settings\Mike\Start Menu\Programs\Hard Drive Diagnostic
c:\documents and settings\Mike\Start Menu\Programs\Hard Drive Diagnostic\Uninstall Hard Drive Diagnostic.lnk
c:\program files\Internet Explorer\complete.dat
c:\program files\Internet Explorer\dmlconf.dat
c:\windows\Adobe32 ARM
.
((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-06 21:45 . 2010-12-06 21:45 -------- d-----w- c:\program files\mwIlsVUKÇíŽ•Ëwhbifaar.exe
2010-12-05 23:33 . 2010-12-05 23:33 -------- d-----w- c:\program files\JpZXpAtP
2010-12-05 23:29 . 2010-12-05 23:34 -------- d-----w- c:\program files\tmp
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 03:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-08 09:31 . 2010-12-08 09:31 16384 c:\windows\Temp\Perflib_Perfdata_7c8.dat
+ 2010-12-08 09:31 . 2010-12-08 09:31 16384 c:\windows\Temp\Perflib_Perfdata_3ec.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-08 09:36 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-08 09:36 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"1038:TCP"= 1038:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-07 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F} - hxxp://60.248.39.149:1025/RtspVaPgDecNew2.cab
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 09:40
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ...

c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe 67086 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-08 09:42:45
ComboFix-quarantined-files.txt 2010-12-08 09:42
ComboFix2.txt 2010-12-06 21:29
Pre-Run: 37,066,403,840 bytes free
Post-Run: 37,146,116,096 bytes free
- - End Of File - - 1B92D2041B2C0BA98C8622D58D4FFCE3


----------



## mike2956 (Dec 6, 2010)

On second reboot, the firewall is blocking Internet Explorer!?

Mike


----------



## dvk01 (Dec 14, 2002)

still more to do

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up appears press *SAVE* and choose Desktop in the list of selections in that window, then press Save).
*Disable any antivirus/antimalware/firewall real-time protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.*
Close any open browsers.
Then drag the CFScript.txt onto ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*

This will create a zip file inside C:\QooBox\quarantine named something like [38][email protected]

At the end it will pop up an alert & open your browser and ask you to send the zip file.

Please follow those instructions. We need to see the zip file before we can carry on with the fix.

If there is no pop-up alert or open browser, then

please go to http://www.thespykiller.co.uk/index.php?board=1.0 and upload these files so I can examine them and, if needed, distribute them to antivirus companies.
Just press New Topic, fill in the needed details and give a link to your post here. Then press the Browse button and navigate to & select the files on your computer. If there is more than one file, press the More Attachments button for each extra file and browse and select, etc. When all the files are listed in the window, press Send to upload the files (do not post HJT logs there, as they will not get dealt with).

Files to submit:
the zip file inside C:\QooBox\quarantine created by combofix named something like [38][email protected]

or to 
http://www.bleepingcomputer.com/submit-malware.php?channel=38


----------



## mike2956 (Dec 6, 2010)

Things did not go quite as expected. It ran and created a log (pasted below) and it created c:\qoobox, but did not create a zip file. I have compressed the files into a rar file (attached), but in the process it could not compress the subdirectory \backenv.

I could not post the file at thespykiller because the page would not display the image for visual verification, so I have posted at bleepingcomputer.

ComboFix 10-12-07.04 - Mike 08/12/2010 11:31:57.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.1844 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
file zipped: c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe
c:\program files\Internet Explorer\dmlconf.dat
c:\program files\tmp
.
((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.
2010-12-08 11:21 . 2010-12-08 11:21 -------- d-----w- c:\program files\win
2010-12-08 09:52 . 2010-12-08 09:52 -------- d-----w- c:\program files\wfuaBhaIu'½-Ëwhbifaar.exe
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-06 21:45 . 2010-12-06 21:45 -------- d-----w- c:\program files\mwIlsVUKÇíŽ•Ëwhbifaar.exe
2010-12-05 23:33 . 2010-12-05 23:33 -------- d-----w- c:\program files\JpZXpAtP
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 03:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-08 09:51 . 2010-12-08 09:51 16384 c:\windows\Temp\Perflib_Perfdata_754.dat
+ 2010-12-08 09:51 . 2010-12-08 09:51 16384 c:\windows\Temp\Perflib_Perfdata_2d4.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-08 09:56 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-08 09:56 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
*Deregistered* - klmd25
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 11:36
Windows 5.1.2600 Service Pack 3 NTFS
detected NTDLL code modification:
ZwQueryDirectoryFile
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ...

c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe 67086 bytes executable
scan completed successfully
hidden files: 1
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-08 11:37:47
ComboFix-quarantined-files.txt 2010-12-08 11:37
ComboFix2.txt 2010-12-08 09:42
ComboFix3.txt 2010-12-06 21:29
Pre-Run: 37,141,897,216 bytes free
Post-Run: 37,136,441,344 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - F0E5BF436B0DAF0EDBC363CEA0173D16


----------



## dvk01 (Dec 14, 2002)

I am going to get some advice about deleting the files/folders that are giving trouble
they are weird characters that CF seems to be having problems with


----------



## dvk01 (Dec 14, 2002)

can you open the program files folder and take a screen shot, so we can see what names appear
the unprintable characters are confusing combofix & we need to work around it, but want to see what sort of characters they are using to make it hard for us now


----------



## mike2956 (Dec 6, 2010)

Screen shot as requested.

Thanks

Mike


----------



## dvk01 (Dec 14, 2002)

download the attached delete.zip
unzip it to desktop (or other suitable place), double click the delete.bat inside it & post the logit.txt it should make
also after that has run please run combofix again as I am sure we will have more to deal with


----------



## mike2956 (Dec 6, 2010)

Combofix to follow................

Volume in drive C has no label.
Volume Serial Number is F4A0-2379
Directory of c:\program files
08/12/2010 11:35 .
08/12/2010 11:35 ..
25/01/2009 20:51 ABBYYF~1.0SP ABBYY FineReader 6.0 Sprint
27/12/2007 16:17 ACROSO~1 Acro Software
12/11/2008 22:31 Adobe
03/09/2010 23:33 ADVANC~1 Advanced IP Scanner
25/12/2007 21:41 Ahead
24/12/2007 00:14 AMD
24/12/2007 00:15 ANALOG~1 Analog Devices
26/08/2010 23:14 ANGRYI~1 Angry IP Scanner
22/05/2009 11:31 APPLES~1 Apple Software Update
11/02/2008 20:32 ASUS
24/07/2010 23:02 Autodesk
02/12/2009 00:19 AVISYN~1.5 AviSynth 2.5
15/07/2010 18:20 Bonjour
10/07/2010 09:54 Citrix
08/12/2010 11:34 COMMON~1 Common Files
23/12/2007 20:11 COMPLU~1 ComPlus Applications
12/04/2010 23:55 DIFX
29/12/2008 23:54 DVDDEC~1 DVD Decrypter
07/07/2008 11:43 DVDSHR~1 DVD Shrink
07/11/2008 15:41 DVDFAB~2 DVDFab 5
25/04/2008 22:08 DVDFAB~1 DVDFab Express
11/11/2008 19:14 DVDVID~1 DVDVideoSoft
03/01/2008 22:09 epson
14/04/2009 08:09 EXIFDA~1 EXIF Date Changer
26/10/2008 15:11 FALCON~1 FalconSoft
03/01/2008 10:23 FILEZI~1 FileZilla
29/04/2008 21:44 FOCUSM~1 Focus Multimedia Ltd
27/12/2007 14:22 FREEIN~1 Free Internet Window Washer
24/08/2010 23:35 FREEIP~1 Free IP Scanner
12/04/2010 23:55 Garmin
25/08/2009 22:55 GLOBAL~1 GlobalSCAPE
02/10/2010 22:31 Google
27/12/2007 16:18 GPLGS
29/12/2007 14:08 HOMEPL~1 Home Plan Pro
20/02/2008 00:33 IBP10~1 IBP 10
29/12/2008 23:29 ImgBurn
28/08/2010 08:27 INSTAL~1 InstallShield Installation Information
24/06/2010 00:01 Intel
14/09/2010 00:06 INTERC~1 InterCasino $$$
08/12/2010 11:35 INTERN~1 Internet Explorer
15/07/2010 18:25 iPod
15/07/2010 18:26 iTunes
07/12/2010 23:49 Java
05/12/2010 23:33 JpZXpAtP
27/12/2007 17:02 KAREN'~1 Karen's Power Tools
03/09/2010 23:49 [email protected]
27/11/2010 21:44 MAGICD~1 MagicDVDCopier
04/12/2009 23:43 MAGICD~2 MagicDVDRipper
04/12/2010 02:19 MALWAR~1 Malwarebytes' Anti-Malware
28/09/2008 09:07 MESSEN~1 Messenger
23/08/2009 00:19 MFINST~1 MFInstall
24/12/2007 12:21 MI3AA1~1 Microsoft ActiveSync
24/12/2007 14:48 MI2493~1 Microsoft AutoRoute
14/05/2009 23:04 MICROS~1.2 Microsoft CAPICOM 2.1.0.2
23/12/2007 20:14 MICROS~1 microsoft frontpage
24/12/2007 14:46 MICROS~2 Microsoft Office
23/10/2010 14:23 MI2020~1 Microsoft Silverlight
24/12/2007 12:20 MICROS~3 Microsoft Visual Studio
14/05/2009 23:03 MICROS~4 Microsoft Works
24/12/2007 12:21 MICROS~1.NET Microsoft.NET
14/08/2010 09:43 MOVIEM~1 Movie Maker
09/08/2009 00:05 MSBuild
23/12/2007 20:10 MSN
23/12/2007 20:11 MSNGAM~1 MSN Gaming Zone
28/08/2008 00:24 MSXML4~1.0 MSXML 4.0
06/12/2010 21:45 MWILSV~1.EXE mwIlsVUKÇíŽ•Ëwhbifaar.exe
19/11/2009 11:03 NCHSOF~1 NCH Software
19/11/2009 11:03 NCHSWI~1 NCH Swift Sound
15/02/2008 23:23 NDAS
28/09/2008 08:55 NETMEE~1 NetMeeting
25/08/2009 23:45 No-IP
23/12/2007 20:11 ONLINE~1 Online Services
30/06/2010 00:09 OUTLOO~1 Outlook Express
04/09/2010 00:16 OVERLO~1.4 Overlook Fing 1.4
27/12/2007 14:09 PCMAGA~1 PC Magazine Utilities
15/07/2010 18:23 QUICKT~1 QuickTime
30/01/2009 14:11 Rapidocs
15/03/2008 21:05 Real
09/08/2009 00:05 REFERE~1 Reference Assemblies
24/12/2007 00:13 S3
25/08/2008 23:17 Samsung
06/12/2009 17:53 SAMSUN~1 Samsung Network Printer Utilities
31/10/2009 18:10 SONYER~1 Sony Ericsson
21/04/2010 00:56 SPYBOT~1 Spybot - Search & Destroy
24/12/2007 11:47 Symantec
08/12/2010 11:55 SYMANT~1 Symantec AntiVirus
18/05/2010 20:48 T610-6~1 T610-616-630-637 USB-Handset Manager
17/08/2009 22:54 TightVNC
20/03/2008 14:25 TOMTOM~1 TomTom HOME 2
24/12/2007 12:31 ToniArts
05/12/2010 23:14 TRENDM~1 Trend Micro
23/12/2007 20:19 UNINST~1 Uninstall Information
26/06/2010 15:40 VIA
05/02/2010 21:57 VIRGIN~1 Virgin Mobile
01/04/2008 12:26 VIRTUA~1 Virtual Earth 3D
26/06/2010 01:44 WebEx
08/12/2010 09:52 WFUABH~1.EXE wfuaBhaIu'½-Ëwhbifaar.exe
08/12/2010 11:21 win
07/12/2010 08:13 windows
28/09/2008 08:58 WINDOW~2 Windows Media Player
28/09/2008 08:55 WINDOW~1 Windows NT
23/12/2007 20:12 WINDOW~3 WindowsUpdate
04/09/2010 00:16 WinPcap
12/04/2010 23:52 WinRAR
23/12/2007 20:14 xerox
15/04/2010 00:12 XTNDCO~1 XTNDConnect PC
0 File(s) 0 bytes
108 Dir(s) 36,815,036,416 bytes free


----------
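The listing above shows the trick dvk01 is working around: directories whose long names contain unprintable characters and end in `.exe`, each still reachable through its ASCII 8.3 short name (`MWILSV~1.EXE`, `WFUABH~1.EXE`). As an added example, not part of this thread or of any tool named in it, the Python script below parses `dir /x`-style output, flags such entries, and returns the short name a cleanup script can type; the sample lines are constructed, modeled on the listing, and are not captured from the machine in question.

```python
import re
from typing import Dict, List, Optional

# One line of `dir /x` output: date, time, <DIR> or byte size, an optional 8.3 short
# name, then the long name. The short-name column is only filled when the long name is
# not already 8.3-compliant; Windows' auto-generated short names carry "~<digit>", which
# is what the optional group keys on so it never swallows the first word of a long name.
DIR_LINE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2})\s+"
    r"(?P<kind><DIR>|[\d,]+)\s+"
    r"(?:(?P<short>[A-Z0-9_$!#&@'()^-]{1,6}~\d(?:\.[A-Z0-9_$!#&@'()^-]{1,3})?)\s+)?"
    r"(?P<long>.+?)\s*$"
)

# A directory carrying one of these extensions is itself worth a second look: Explorer
# and scan logs show it as "something.exe" even though it is a folder holding the payload.
EXEC_EXTENSIONS = (".exe", ".com", ".scr", ".bat", ".cmd", ".pif")


def parse_dir_line(line: str) -> Optional[Dict]:
    """Parse one `dir /x` entry; return None for headers, totals and blank lines."""
    m = DIR_LINE.match(line)
    if m is None:
        return None
    is_dir = m.group("kind") == "<DIR>"
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "is_dir": is_dir,
        "size": None if is_dir else int(m.group("kind").replace(",", "")),
        "short": m.group("short"),  # None when the long name is already 8.3
        "name": m.group("long"),
    }


def odd_characters(name: str) -> List[str]:
    """Characters outside printable ASCII (controls, accented letters, bullets, ...)."""
    return [c for c in name if ord(c) < 32 or ord(c) > 126]


def cleanup_handle(entry: Dict) -> str:
    """Name a cleanup script can type: the 8.3 alias when one exists, else the long name."""
    return entry["short"] or entry["name"]


def audit_listing(lines: List[str]) -> List[Dict]:
    """Return the entries that look like name-based evasion, with the reasons."""
    findings = []
    for line in lines:
        entry = parse_dir_line(line)
        if entry is None:
            continue
        reasons = []
        odd = odd_characters(entry["name"])
        if odd:
            reasons.append("non-ASCII/control characters in name: "
                           + " ".join("U+%04X" % ord(c) for c in odd))
        if entry["is_dir"] and entry["name"].lower().endswith(EXEC_EXTENSIONS):
            reasons.append("directory named like an executable")
        if reasons:
            findings.append({"name": entry["name"],
                             "handle": cleanup_handle(entry),
                             "reasons": reasons})
    return findings


# Constructed sample, modeled on the listing in the thread (real `dir /x` keeps the
# <DIR> column, which the forum post dropped). Not captured from the machine in question.
SAMPLE_LISTING = [
    " Volume in drive C has no label.",
    " Directory of c:\\program files",
    "",
    "27/12/2007  16:17    <DIR>          ACROSO~1     Acro Software",
    "12/11/2008  22:31    <DIR>          Adobe",
    "05/12/2010  23:33    <DIR>          JpZXpAtP",
    "04/12/2010  02:19    <DIR>          MALWAR~1     Malwarebytes' Anti-Malware",
    "06/12/2010  21:45    <DIR>          MWILSV~1.EXE mwIlsVUK\u00c7\u00ed\u017d\u2022\u00cbwhbifaar.exe",
    "08/12/2010  09:52    <DIR>          WFUABH~1.EXE wfuaBhaIu'\u00bd-\u00cbwhbifaar.exe",
    "05/12/2010  23:33            67,086 whbifaar.exe",
    "               1 File(s)         67,086 bytes",
]

if __name__ == "__main__":
    for f in audit_listing(SAMPLE_LISTING):
        print(f["handle"], "<-", repr(f["name"]))
        for r in f["reasons"]:
            print("   ", r)
```

Only the two `.exe`-named directories are reported; `JpZXpAtP` is left alone because a random-looking but plain-ASCII name is not something this check can call malicious on its own.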



## mike2956 (Dec 6, 2010)

Combofix told me AV was running but nothing in system tray or task manager. So rebooted then ran combofix. Log as follows...................

ComboFix 10-12-07.06 - Mike 08/12/2010 16:59:04.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2329 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-08 to 2010-12-08 )))))))))))))))))))))))))))))))
.
2010-12-08 11:21 . 2010-12-08 11:21 -------- d-----w- c:\program files\win
2010-12-08 09:52 . 2010-12-08 09:52 -------- d-----w- c:\program files\wfuaBhaIu½Ëwhbifaar.exe
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-06 21:45 . 2010-12-06 21:45 -------- d-----w- c:\program files\mwIlsVUKÇíËwhbifaar.exe
2010-12-05 23:33 . 2010-12-05 23:33 -------- d-----w- c:\program files\JpZXpAtP
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-09-10 05:58 . 2008-04-14 03:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 03:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 03:41 43520 ----a-w- c:\windows\system32\licmgr10.dll
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-08 16:52 . 2010-12-08 16:52 16384 c:\windows\Temp\Perflib_Perfdata_79c.dat
+ 2010-12-08 16:52 . 2010-12-08 16:52 16384 c:\windows\Temp\Perflib_Perfdata_314.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-08 16:57 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-08 16:57 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Mike\Start Menu\Programs\Startup\
whbifaar.exe [2010-12-5 67086]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-08 17:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-08 17:05:17
ComboFix-quarantined-files.txt 2010-12-08 17:05
ComboFix2.txt 2010-12-08 11:37
ComboFix3.txt 2010-12-08 09:42
ComboFix4.txt 2010-12-06 21:29
Pre-Run: 36,792,418,304 bytes free
Post-Run: 36,774,084,608 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 6D25EB3D36D2F2EEAA9508F6DD9B7D78


----------



## dvk01 (Dec 14, 2002)

let's try this & see what happens

delete any existing cfscript.txt from desktop

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE* and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished*

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script as it could damage the workings of your system and will not fix your problem. If you have a similar problem start your own topic in the malware fixing forum*


----------



## mike2956 (Dec 6, 2010)

ComboFix 10-12-08.04 - Mike 09/12/2010 10:20:33.5.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2336 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
FILE ::
"c:\documents and settings\Mike\Application Data\Monu\ciru.exe"
"c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe"
"c:\program files\MWILSV~1.EXE"
"c:\program files\WFUABH~1.EXE"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
c:\documents and settings\Mike\Start Menu\Programs\Startup\whbifaar.exe
c:\program files\JpZXpAtP
c:\program files\JpZXpAtP\whbifaar.exe
c:\program files\MWILSV~1.EXE
c:\program files\MWILSV~1.EXE\whbifaar.exe
c:\program files\mwIlsVUKÇíŽ•Ëwhbifaar.exe\whbifaar.exe
c:\program files\WFUABH~1.EXE
c:\program files\WFUABH~1.EXE\whbifaar.exe
c:\program files\wfuaBhaIu'½-Ëwhbifaar.exe\whbifaar.exe
c:\program files\win
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of c:\program files\windows ----

((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-09 09:55 . 2010-12-09 09:55 16384 c:\windows\Temp\Perflib_Perfdata_750.dat
+ 2010-12-09 09:55 . 2010-12-09 09:55 16384 c:\windows\Temp\Perflib_Perfdata_3ec.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-09 10:00 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-09 10:00 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 10:24
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-09 10:26:32
ComboFix-quarantined-files.txt 2010-12-09 10:26
ComboFix2.txt 2010-12-08 17:05
ComboFix3.txt 2010-12-08 11:37
ComboFix4.txt 2010-12-08 09:42
ComboFix5.txt 2010-12-09 10:17
Pre-Run: 36,694,048,768 bytes free
Post-Run: 36,719,267,840 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 3241922DA3D1248B31F5372E6FE900A7


----------



## dvk01 (Dec 14, 2002)

I hope we have got it all but I can't be sure
as it is still showing a hidden start up entry in the catchme section but it can't read the characters 
please reboot
then run combofix again & see what shows this time


----------



## mike2956 (Dec 6, 2010)

hmmm.... I would like to be sure!

Running........

Mike


----------



## mike2956 (Dec 6, 2010)

Try this!

ComboFix 10-12-08.04 - Mike 09/12/2010 12:13:21.6.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2269 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-09 11:59 . 2010-12-09 11:59 16384 c:\windows\Temp\Perflib_Perfdata_7e8.dat
+ 2010-12-09 11:59 . 2010-12-09 11:59 16384 c:\windows\Temp\Perflib_Perfdata_42c.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-09 12:04 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-09 12:04 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1035:TCP"= 1035:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 12:18
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-09 12:20:08
ComboFix-quarantined-files.txt 2010-12-09 12:20
ComboFix2.txt 2010-12-09 10:26
ComboFix3.txt 2010-12-08 17:05
ComboFix4.txt 2010-12-08 11:37
ComboFix5.txt 2010-12-09 12:12
Pre-Run: 36,674,527,232 bytes free
Post-Run: 36,669,087,744 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - F5E68BC6C230EC574D8A52705781999E


----------



## dvk01 (Dec 14, 2002)

something is recreating this every time we delete it & I don't know what 
I need to try to examine that file & see if it gives us a clue
c:\documents and settings\Mike\Application Data\Monu\ciru.exe

In fact I need to get copies of everything Combofix has deleted so far so

can you please go to C:\qoobox & right click the quarantine folder, select send to compressed (zip) folders 
that will make a zipped copy of the quarantine folder
then 
please upload that to http://www.thespykiller.co.uk/index.php?board=1.0 so we can examine the files

Just press new topic, fill in the needed details and just give a link to your post here & then press the browse button and then navigate to & select the files on your computer. When the file is listed in the window press send to upload the file


----------



## dvk01 (Dec 14, 2002)

I found a copy in the qoobox.rar you previously uploaded but would still like all the others, especially the weirdly named ones we deleted

It looks like it makes a copy of itself in memory & in C:\ciru.exe so replacing itself as soon as it is deleted

hopefully this will kill it

delete existing cfscript.txt

Download the attached CFScript.txt and save it to your desktop ( click on the link underneath this post & if you are using internet explorer when the "File download" pop up comes press *SAVE * and choose desktop in the list of selections in that window & press save)

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running combofix & remember to re-enable it when it has finished *

Close any open browsers 
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.


This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*
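The self-replacing Run-key entry dvk01 points at above (a GUID-named value under HKCU\...\Run whose target lives under Application Data and carries a [BU] tag instead of a date/size stamp) can be spotted mechanically in the "Reg Loading Points" section of a ComboFix log. The script below is an added example written for this page; it is not part of the thread, of ComboFix, or of dvk01's CFScript. The sample lines are copied from the log posted in this thread; the three heuristics (GUID-shaped value name, path under a user-writable profile folder, missing date/size stamp) are this example's own assumptions, and it does not assert what ComboFix's [BU] tag itself means.

```python
"""Triage helper for the 'Reg Loading Points' section of a ComboFix log.

Added example for this page, not ComboFix's own code and not part of the
forum thread. It parses Run-key entries exactly as ComboFix prints them and
flags the ones that deserve a second look.
"""
import re

# Constructed sample: a subset of the Run keys copied from the log posted
# in this thread. The GUID-named entry is the one the helper was chasing.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"""

# [HKEY_...\Run] header line
KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
# "value name"="path" [stamp]   (path may contain spaces, never quotes)
ENTRY_RE = re.compile(r'^"([^"]*)"="([^"]*)"\s*\[([^\]]*)\]\s*$')
# {8-4-4-4-12} hex, the shape of a COM CLSID
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# ComboFix's usual "YYYY-MM-DD size" stamp for a file it found on disk
STAMP_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d+$")
# Folders an ordinary user can write to; assumption of this example
USER_WRITABLE_RE = re.compile(r"\\(application data|local settings|temp)\\", re.IGNORECASE)


def parse_run_entries(text):
    """Return a list of {key, name, path, info} dicts for every entry under a *\\Run key."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key and key.lower().endswith(r"\run"):
            name, path, info = m.groups()
            entries.append({"key": key, "name": name, "path": path, "info": info})
    return entries


def suspicion_reasons(entry):
    """Heuristic reasons (possibly empty) why an autostart entry deserves a look."""
    reasons = []
    if GUID_RE.match(entry["name"]):
        # Legitimate software normally names its Run value after itself.
        reasons.append("guid-shaped value name")
    if USER_WRITABLE_RE.search(entry["path"]):
        reasons.append("runs from a user-writable profile folder")
    if not STAMP_RE.match(entry["info"]):
        # No date/size stamp; here the log shows "[BU]" instead.
        reasons.append("no file date/size stamp (%s)" % entry["info"])
    return reasons


def triage(text):
    """Return [(name, path, reasons)] for every flagged Run entry in the log text."""
    flagged = []
    for entry in parse_run_entries(text):
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged.append((entry["name"], entry["path"], reasons))
    return flagged


if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print("%s -> %s" % (name, path))
        for reason in reasons:
            print("   - " + reason)
```

Run it on a saved ComboFix.txt by passing the file's contents to `triage()`; on the sample above only the GUID-named entry is flagged, with all three reasons. The heuristics are deliberately narrow so that the ordinary vendor entries (Symantec, Spybot, VTTimer) produce no noise.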


----------



## mike2956 (Dec 6, 2010)

Just posted to the spy killer, will run latest CFScript.

Mike


----------



## dvk01 (Dec 14, 2002)

I just changed the cfscript slightly, so download the revised version I just uploaded & use that. If you have already done it, run it again with the new script please, to give us a better chance.


----------



## mike2956 (Dec 6, 2010)

Latest run

ComboFix 10-12-08.04 - Mike 09/12/2010 13:55:23.7.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2341 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
"C:\ciru.exe"
"c:\documents and settings\Mike\Application Data\Monu\ciru.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1037:TCP"= 1037:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 14:05
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2332)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NDAS\System\ndassvc.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\S3trayp.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-09 14:09:17 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-09 14:09
ComboFix2.txt 2010-12-09 12:20
ComboFix3.txt 2010-12-09 10:26
ComboFix4.txt 2010-12-08 17:05
ComboFix5.txt 2010-12-09 13:54
Pre-Run: 36,667,793,408 bytes free
Post-Run: 36,659,007,488 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 637ABC3EA48974137EDA238796EA74F7


----------



## mike2956 (Dec 6, 2010)

Ah just got latest post, I will run again!

Mike


----------



## mike2956 (Dec 6, 2010)

Here is the log from the latest run. I believe it was following your mods as in post #27, but there was not a link in that post so I used the link in post #25 again! I hope this was right?

Mike

ComboFix 10-12-08.04 - Mike 09/12/2010 14:54:51.8.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2366 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
"C:\ciru.exe"
"c:\documents and settings\Mike\Application Data\Monu\ciru.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:EnabledHCP Discovery Service
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 15:04
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2000)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NDAS\System\ndassvc.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\S3trayp.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-09 15:08:40 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-09 15:08
ComboFix2.txt 2010-12-09 14:09
ComboFix3.txt 2010-12-09 12:20
ComboFix4.txt 2010-12-09 10:26
ComboFix5.txt 2010-12-09 14:54
Pre-Run: 36,697,616,384 bytes free
Post-Run: 36,680,916,992 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - 600FDFD085335ADDCB50BB54C7EB7DE7


----------



## dvk01 (Dec 14, 2002)

Run combofix again now please & let's see if it is picking it up again or if it has gone this time.

Just run combofix, no cfscript.


----------



## mike2956 (Dec 6, 2010)

There you go, hopefully the final combo run without script.

Mike

ComboFix 10-12-08.04 - Mike 09/12/2010 17:16:31.9.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2317 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-09 to 2010-12-09 )))))))))))))))))))))))))))))))
.
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-05 22:59 . 2010-12-07 08:13 -------- d-----w- c:\program files\windows
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-09 15:03 . 2010-12-09 15:03 16384 c:\windows\Temp\Perflib_Perfdata_768.dat
+ 2010-12-09 15:03 . 2010-12-09 15:03 16384 c:\windows\Temp\Perflib_Perfdata_384.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-09 15:08 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-09 15:08 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-09 17:21
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-09 17:22:38
ComboFix-quarantined-files.txt 2010-12-09 17:22
ComboFix2.txt 2010-12-09 15:08
ComboFix3.txt 2010-12-09 14:09
ComboFix4.txt 2010-12-09 12:20
ComboFix5.txt 2010-12-09 17:15
Pre-Run: 36,670,980,096 bytes free
Post-Run: 36,671,172,608 bytes free
Current=2 Default=2 Failed=1 LastKnownGood=5 Sets=1,2,3,5
- - End Of File - - D2EDBA94A60667D1C3CF2871625625B5


----------



## dvk01 (Dec 14, 2002)

It is still deleting the same file every time & I don't know why

I will ask for some more advice


----------



## dvk01 (Dec 14, 2002)

Let's see if this might show anything we have missed.
Download *RSIT* (random's system information tool) from here to your desktop, then click on the *RSIT.exe* to start the scan. (Vista or Windows 7: right-click the rsit.exe and select run as admin.)

If necessary allow it to locate or download a copy of HijackThis as needed.

Once the scan completes a textbox will open - copy/paste those contents here for review please. The log can also be found at C:\rsit\log.txt.

*RSIT will also create a second log*, info.txt, which will be minimized to your taskbar. Post that here as well please (it will also be stored at C:\rsit\info.txt).

You can use separate posts here when replying and posting the log files if needed.


----------



## dvk01 (Dec 14, 2002)

Also uninstall Spybot. It is possible TeaTimer is protecting it & stopping it being deleted.


----------



## mike2956 (Dec 6, 2010)

OK just seen your post. 

Symantec AV just did a scheduled run and found many instances of TROJAN.ADH.2 all of which were in system restore files or in Qoobox.

Uninstalling spybot........


----------



## dvk01 (Dec 14, 2002)

Don't worry about anything in System Restore or inside Qoobox, as they are backups for protection.
Symantec will be detecting them now because we submitted the files to them for detection & to protect others from this.


----------



## mike2956 (Dec 6, 2010)

Logfile of random's system information tool 1.08 (written by random/random)
Run by Mike at 2010-12-10 14:16:51
Microsoft Windows XP Professional Service Pack 3
System drive C: has 35 GB (30%) free of 118 GB
Total RAM: 3007 MB (75% free)
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:17:03, on 10/12/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NDAS\System\ndassvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NDAS\System\ndasmgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Mike\Desktop\RSIT.exe
C:\Program Files\Trend Micro\HiJackThis\Mike.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scan.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EEventManager] C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe
O4 - HKLM\..\Run: [DataCardMonitor] C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [{24C4E14A-76E2-82F4-60F0-D7298167A66A}] "C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: NDAS Device Management.lnk = C:\Program Files\NDAS\System\ndasmgmt.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: InterCasino USD - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk (HKCU)
O9 - Extra 'Tools' menuitem: InterCasino USD - {909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} - C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX Basic) - http://rack1.expertagent.co.uk/asp/ScriptX.cab
O16 - DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} (PlayerOCX Control) - http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
O16 - DPF: {73888E2B-FF04-416C-8847-984D7FC4507F} - 
O16 - DPF: {C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - 
O16 - DPF: {D27CDB6E-0000-0000-0000-000000000000} - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - 
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5E517EEC-6457-48FC-8B73-B7C737EA5E23}: NameServer = 8.8.8.8,8.8.4.4
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Update Service (gupdate1c9eba46d592d6) (gupdate1c9eba46d592d6) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NDAS Service (ndassvc) - XIMETA, Inc. - C:\Program Files\NDAS\System\ndassvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SyncThru Web Admin Service (SWAS_Core) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe
O23 - Service: SyncThru Web Admin Service Driver Management (SWAS_Srv_DriverManagement) - Unknown owner - C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
--
End of file - 9603 bytes
======Scheduled tasks folder======
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3049C3E9-B461-4BC5-8870-4C09146192CA}]
RealPlayer Download and Record Plugin for Internet Explorer - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [2008-03-15 370296]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
Java(tm) Plug-In 2 SSV Helper - C:\Program Files\Java\jre6\bin\jp2ssv.dll [2010-11-20 41760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
JQSIEStartDetectorImpl Class - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [2010-11-20 79648]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"=C:\WINDOWS\system32\VTTimer.exe [2006-09-21 53248]
"S3Trayp"=C:\WINDOWS\system32\S3trayp.exe [2007-06-11 176128]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2005-04-08 48752]
"vptray"=C:\PROGRA~1\SYMANT~1\VPTray.exe [2005-04-17 85184]
"EEventManager"=C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe [2005-04-08 102400]
"DataCardMonitor"=C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe [2008-07-21 253952]
"SoundMAXPnP"=C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
"QuickTime Task"=C:\Program Files\QuickTime\qttask.exe [2010-03-18 421888]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2010-06-15 141624]
"SunJavaUpdateSched"=C:\Program Files\Common Files\Java\Java Update\jusched.exe [2010-05-14 248552]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"=C:\PROGRA~1\FREEIN~1\Clearpch.exe [2007-08-29 1504256]
"TomTomHOME.exe"=C:\Program Files\TomTom HOME 2\HOMERunner.exe [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"=C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe []
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2008-04-14 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
C:\WINDOWS\system32\HDAShCut.exe [2004-10-27 61952]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
C:\Program Files\iTunes\iTunesHelper.exe [2010-06-15 141624]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe [2005-02-10 1937408]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe [2001-07-09 155648]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe [2010-03-18 421888]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe [2005-09-07 716800]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe [2005-05-20 925696]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung []
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE [1999-11-04 113664]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
NDAS Device Management.lnk - C:\Program Files\NDAS\System\ndasmgmt.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
C:\WINDOWS\system32\NavLogon.dll [2005-04-17 43712]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PEVSystemStart]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\procexp90.Sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\klmdb.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\PEVSystemStart]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\procexp90.Sys]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=323
"NoDriveAutoRun"=67108863
"NoDrives"=0
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"HonorAutoRunSetting"=1
"NoDriveAutoRun"=67108863
"NoDriveTypeAutoRun"=323
"NoDrives"=0
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\WINDOWS\system32\mmc.exe"="C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console"
"C:\Program Files\FileZilla\filezilla.exe"="C:\Program Files\FileZilla\filezilla.exe:*:Enabled:FileZilla"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\Program Files\Java\jre6\bin\java.exe"="C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary"
"C:\Program Files\[email protected]\LookAtHost.exe"="C:\Program Files\[email protected]\LookAtHost.exe:*:Enabled:[email protected]"
"C:\Program Files\[email protected]\LookAtLan.exe"="C:\Program Files\[email protected]\LookAtLan.exe:*:Enabled:[email protected]"
"C:\Program Files\WinPcap\rpcapd.exe"="C:\Program Files\WinPcap\rpcapd.exe:*:Enabled:Remote Packet Capture Daemon"
"C:\Program Files\InterCasino $$$\Casino.exe"="C:\Program Files\InterCasino $$$\Casino.exe:*:Enabled:Casino"
"C:\Program Files\Google\Google Earth\client\googleearth.exe"="C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
======File associations======
.scr - open - C:\WINDOWS\system32\notepad.exe "%1"
.scr - install - 
.scr - config - 
======List of files/folders created in the last 1 months======
2010-12-10 14:16:51 ----D---- C:\rsit
2010-12-09 17:22:38 ----A---- C:\ComboFix.txt
2010-12-08 10:13:23 ----A---- C:\TDSSKiller.2.4.10.1_08.12.2010_10.13.23_log.txt
2010-12-07 23:59:14 ----A---- C:\TDSSKiller.2.4.10.1_07.12.2010_23.59.14_log.txt
2010-12-07 23:49:36 ----A---- C:\WINDOWS\system32\javaws.exe
2010-12-07 23:49:36 ----A---- C:\WINDOWS\system32\javaw.exe
2010-12-07 23:49:36 ----A---- C:\WINDOWS\system32\java.exe
2010-12-07 23:49:36 ----A---- C:\WINDOWS\system32\deployJava1.dll
2010-12-07 23:46:57 ----A---- C:\TDSSKiller.2.4.10.1_07.12.2010_23.46.57_log.txt
2010-12-07 21:34:51 ----A---- C:\TDSSKiller.2.4.10.1_07.12.2010_21.34.51_log.txt
2010-12-07 21:16:20 ----A---- C:\TDSSKiller.2.4.10.1_07.12.2010_21.16.20_log.txt
2010-12-07 21:07:25 ----A---- C:\TDSSKiller.2.3.2.0_07.12.2010_21.07.25_log.txt
2010-12-06 21:07:57 ----A---- C:\Boot.bak
2010-12-06 21:07:52 ----RASHD---- C:\cmdcons
2010-12-06 21:03:44 ----A---- C:\WINDOWS\zip.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\SWXCACLS.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\SWSC.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\SWREG.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\sed.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\PEV.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\NIRCMD.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\MBR.exe
2010-12-06 21:03:44 ----A---- C:\WINDOWS\grep.exe
2010-12-06 21:03:27 ----D---- C:\WINDOWS\ERDNT
2010-12-06 21:02:17 ----D---- C:\Qoobox
2010-12-06 11:36:31 ----A---- C:\TDSSKiller.2.3.2.0_06.12.2010_11.36.31_log.txt
2010-12-06 11:36:05 ----A---- C:\TDSSKiller.2.3.2.0_06.12.2010_11.36.05_log.txt
2010-12-06 00:59:07 ----A---- C:\TDSSKiller.2.3.2.0_06.12.2010_00.59.07_log.txt
2010-12-05 23:14:58 ----D---- C:\Program Files\Trend Micro
2010-12-05 22:59:49 ----D---- C:\Program Files\windows
2010-12-04 12:42:53 ----A---- C:\TDSSKiller.2.3.2.0_04.12.2010_12.42.53_log.txt
2010-12-04 02:16:56 ----A---- C:\TDSSKiller.2.3.2.0_04.12.2010_02.16.56_log.txt
2010-12-04 01:49:55 ----A---- C:\TDSSKiller.2.3.2.0_04.12.2010_01.49.55_log.txt
2010-12-04 01:26:39 ----A---- C:\TDSSKiller.2.3.2.0_04.12.2010_01.26.39_log.txt
2010-11-27 21:41:56 ----A---- C:\TDSSKiller.2.3.2.0_27.11.2010_21.41.56_log.txt
2010-11-21 20:40:04 ----A---- C:\TDSSKiller.2.3.2.0_21.11.2010_20.40.04_log.txt
2010-11-17 23:23:32 ----A---- C:\TDSSKiller.2.3.2.0_17.11.2010_23.23.32_log.txt
2010-11-17 12:30:36 ----A---- C:\WINDOWS\system32\ftserui2.dll
2010-11-17 12:30:36 ----A---- C:\WINDOWS\system32\drivers\ftser2k.sys
2010-11-17 12:30:36 ----A---- C:\WINDOWS\system32\drivers\ftlund.sys
2010-11-12 21:32:24 ----A---- C:\TDSSKiller.2.3.2.0_12.11.2010_21.32.24_log.txt
======List of files/folders modified in the last 1 months======
2010-12-10 14:14:53 ----D---- C:\Program Files\Symantec AntiVirus
2010-12-10 14:07:15 ----D---- C:\WINDOWS\system32
2010-12-10 14:07:15 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2010-12-10 14:06:09 ----D---- C:\WINDOWS\Temp
2010-12-10 14:02:47 ----D---- C:\Program Files\Common Files\Akamai
2010-12-10 13:56:34 ----A---- C:\WINDOWS\SchedLgU.Txt
2010-12-10 13:53:29 ----D---- C:\Program Files\Spybot - Search & Destroy
2010-12-10 13:53:29 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-12-10 13:52:25 ----D---- C:\WINDOWS\Prefetch
2010-12-10 12:38:23 ----D---- C:\WINDOWS\system32\CatRoot2
2010-12-09 17:21:03 ----D---- C:\WINDOWS
2010-12-09 17:21:03 ----A---- C:\WINDOWS\system.ini
2010-12-09 17:20:57 ----D---- C:\WINDOWS\system32\drivers\etc
2010-12-09 17:19:42 ----D---- C:\WINDOWS\system32\drivers
2010-12-09 17:19:42 ----D---- C:\WINDOWS\AppPatch
2010-12-09 17:19:41 ----D---- C:\Program Files\Common Files
2010-12-09 13:28:42 ----A---- C:\WINDOWS\NeroDigital.ini
2010-12-09 10:24:14 ----RD---- C:\Program Files
2010-12-08 11:35:38 ----D---- C:\Program Files\Internet Explorer
2010-12-08 09:39:54 ----D---- C:\Documents and Settings\Mike\Application Data\Adobe
2010-12-08 09:12:44 ----D---- C:\Documents and Settings\Mike\Application Data\Tahui
2010-12-07 23:50:14 ----SHD---- C:\WINDOWS\Installer
2010-12-07 23:50:14 ----D---- C:\Program Files\Common Files\Java
2010-12-07 23:49:05 ----D---- C:\Program Files\Java
2010-12-07 22:28:09 ----D---- C:\WINDOWS\system32\wbem
2010-12-07 22:27:08 ----HD---- C:\WINDOWS\ShellNew
2010-12-07 21:49:59 ----A---- C:\WINDOWS\ODBC.INI
2010-12-07 21:49:01 ----A---- C:\WINDOWS\win.ini
2010-12-07 21:47:41 ----RSD---- C:\WINDOWS\Fonts
2010-12-07 20:49:03 ----SD---- C:\Documents and Settings\Mike\Application Data\Microsoft
2010-12-06 21:24:25 ----SD---- C:\WINDOWS\Tasks
2010-12-06 21:23:34 ----D---- C:\Documents and Settings\Mike\Application Data\Ynid
2010-12-06 21:23:33 ----D---- C:\Documents and Settings\Mike\Application Data\Paop
2010-12-06 21:23:31 ----D---- C:\Documents and Settings\Mike\Application Data\Olsev
2010-12-06 21:23:29 ----D---- C:\Documents and Settings\Mike\Application Data\Leos
2010-12-06 21:23:26 ----D---- C:\Documents and Settings\Mike\Application Data\Ebhyge
2010-12-06 21:11:07 ----D---- C:\Documents and Settings\Mike\Application Data\Musiro
2010-12-06 21:07:57 ----RASH---- C:\boot.ini
2010-12-06 19:09:27 ----D---- C:\Documents and Settings\Mike\Application Data\Tama
2010-12-06 19:01:35 ----D---- C:\Documents and Settings\Mike\Application Data\Ozoxv
2010-12-06 11:29:42 ----A---- C:\WINDOWS\ntbtlog.txt
2010-12-06 11:29:13 ----D---- C:\Documents and Settings\Mike\Application Data\Wuaw
2010-12-06 10:50:08 ----D---- C:\Documents and Settings\Mike\Application Data\Tuud
2010-12-06 10:43:12 ----RSHDC---- C:\WINDOWS\system32\dllcache
2010-12-06 09:40:39 ----D---- C:\WINDOWS\system32\appmgmt
2010-12-05 23:42:21 ----SHD---- C:\System Volume Information
2010-12-04 02:19:28 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2010-12-01 00:02:30 ----D---- C:\WINDOWS\WinSxS
2010-11-27 21:44:29 ----D---- C:\Program Files\MagicDVDCopier
2010-11-26 17:41:49 ----HD---- C:\WINDOWS\inf
2010-11-12 00:52:38 ----D---- C:\WINDOWS\Debug
2010-11-11 12:18:46 ----A---- C:\WINDOWS\system32\MRT.exe
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R0 gagp30kx;Microsoft Generic AGPv3.0 Filter for K8 Processor Platforms; C:\WINDOWS\system32\DRIVERS\gagp30kx.sys [2008-04-13 46464]
R0 lfsfilt;Lean File Sharing; C:\WINDOWS\system32\DRIVERS\lfsfilt.sys [2007-11-27 254440]
R0 lpx;LPX Protocol; C:\WINDOWS\system32\DRIVERS\lpx.sys [2007-11-27 62056]
R0 ohci1394;Texas Instruments OHCI Compliant IEEE 1394 Host Controller; C:\WINDOWS\system32\DRIVERS\ohci1394.sys [2008-04-13 61696]
R0 viamraid;viamraid; C:\WINDOWS\system32\drivers\viamraid.sys [2010-02-22 117248]
R1 AmdK8;AMD Processor Driver; C:\WINDOWS\system32\DRIVERS\AmdK8.sys [2010-06-29 36352]
R1 AsIO;AsIO; C:\WINDOWS\system32\drivers\AsIO.sys [2004-10-15 4962]
R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 ndasfat;NDAS FAT; \??\C:\WINDOWS\system32\DRIVERS\ndasfat.sys []
R1 SAVRT;SAVRT; \??\C:\Program Files\Symantec AntiVirus\savrt.sys []
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Symantec AntiVirus\Savrtpel.sys []
R1 StarOpen;StarOpen; C:\WINDOWS\system32\drivers\StarOpen.sys [2008-08-25 5632]
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2005-04-05 267192]
R2 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2009-02-08 34064]
R3 ADIHdAudAddService;ADI UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\ADIHdAud.sys [2005-10-05 141312]
R3 AEAudioService;AEAudio Service; C:\WINDOWS\system32\drivers\AEAudio.sys [2005-03-04 127872]
R3 Arp1394;1394 ARP Client Protocol; C:\WINDOWS\system32\DRIVERS\arp1394.sys [2008-04-14 60800]
R3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2005-06-22 43008]
R3 GEARAspiWDM;GEAR ASPI Filter Driver; C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys [2009-05-18 26600]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2008-04-13 144384]
R3 MTsensor;ATK0110 ACPI UTILITY; C:\WINDOWS\system32\DRIVERS\ASACPI.sys [2004-08-14 5810]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.003\naveng.sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20101209.003\navex15.sys []
R3 ndasbus;NDAS Bus Driver; C:\WINDOWS\system32\DRIVERS\ndasbus.sys [2007-11-27 75752]
R3 NIC1394;1394 Net Driver; C:\WINDOWS\system32\DRIVERS\nic1394.sys [2008-04-14 61824]
R3 pcouffin;VSO Software pcouffin; C:\WINDOWS\System32\Drivers\pcouffin.sys [2008-11-07 47360]
R3 S3GIGP;S3GIGP; C:\WINDOWS\system32\DRIVERS\S3gIGPm.sys [2007-07-23 714240]
R3 SenFiltService;SenFilt Service; C:\WINDOWS\system32\drivers\Senfilt.sys [2005-08-11 393088]
R3 Ser2pl;MAT Serial port driver; C:\WINDOWS\system32\DRIVERS\ser2pl.sys [2003-07-16 43264]
R3 SymEvent;SymEvent; \??\C:\Program Files\Symantec\SYMEVENT.SYS []
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2005-04-05 17976]
R3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2008-04-13 15104]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2008-04-13 26368]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbuhci.sys [2008-04-13 20608]
R3 WinDriver6;WinDriver6; C:\WINDOWS\system32\drivers\windrvr6.sys [2006-10-16 194362]
S0 aec6710D;aec6710D; C:\WINDOWS\system32\DRIVERS\aec6710d.sys [2009-01-04 9248]
S1 SiSV;SiSV; C:\WINDOWS\system32\DRIVERS\SiSV.sys [2001-08-17 50432]
S3 61883;61883 Unit Device; C:\WINDOWS\system32\DRIVERS\61883.sys [2008-04-13 48128]
S3 Avc;AVC Device; C:\WINDOWS\system32\DRIVERS\avc.sys [2008-04-13 38912]
S3 catchme;catchme; \??\C:\mike2956\catchme.sys []
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2008-04-13 17024]
S3 EraserUtilDrvI10;EraserUtilDrvI10; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI10.sys []
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\system32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FTDIBUS;SEMC DSS-20 SyncStation Serial Converter Driver; C:\WINDOWS\system32\drivers\ftdibus.sys [2003-02-21 19153]
S3 FTLUND;Lundinova Filter Driver; C:\WINDOWS\system32\drivers\ftlund.sys [2003-02-24 6828]
S3 FTSER2K;SEMC DSS-20 SyncStation Driver; C:\WINDOWS\system32\drivers\ftser2k.sys [2003-02-24 50396]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2004-10-27 145920]
S3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2008-04-13 10368]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2008-05-05 101376]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-23 12160]
S3 MSDV;Microsoft DV Camera and VCR; C:\WINDOWS\system32\DRIVERS\msdv.sys [2008-04-13 51200]
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2008-04-13 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2008-04-13 85248]
S3 ndasscsi;NDAS SCSI Miniport Driver; C:\WINDOWS\system32\DRIVERS\ndasscsi.sys [2007-11-27 187240]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2008-04-14 10880]
S3 S3G700;S3G700; C:\WINDOWS\system32\DRIVERS\S3G700m.sys [2005-10-15 792576]
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2008-04-13 11136]
S3 SONYPVU1;Sony USB Filter Driver (SONYPVU1); C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS [2001-08-17 7552]
S3 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM); C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 58320]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter; C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 8304]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers; C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 94000]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2008-04-13 15232]
S3 TVICHW32;TVICHW32; \??\C:\WINDOWS\system32\DRIVERS\TVICHW32.SYS []
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2008-04-13 32128]
S3 vulfnths;VIA USB Host Controller Lower Filter; C:\WINDOWS\System32\Drivers\vulfnth.sys [2005-01-05 6912]
S3 vulfntrs;VIA USB Roothub Lower Filter; C:\WINDOWS\System32\Drivers\vulfntr.sys [2005-06-06 11264]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2008-04-13 19200]
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 Akamai;Akamai NetSession Interface; C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe [2010-06-10 144176]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2010-05-18 345376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2005-04-08 185968]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2005-04-08 161392]
R2 DefWatch;Symantec AntiVirus Definition Watcher; C:\Program Files\Symantec AntiVirus\DefWatch.exe [2005-04-17 19648]
R2 JavaQuickStarterService;Java Quick Starter; C:\Program Files\Java\jre6\bin\jqs.exe [2010-09-15 153376]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 ndassvc;NDAS Service; C:\Program Files\NDAS\System\ndassvc.exe [2007-11-27 237032]
R2 SWAS_Core;SyncThru Web Admin Service; C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [2008-04-15 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management; C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [2008-01-31 1060864]
R2 Symantec AntiVirus;Symantec AntiVirus; C:\Program Files\Symantec AntiVirus\Rtvscan.exe [2005-04-17 1706176]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2010-06-15 540472]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6); C:\Program Files\Google\Update\GoogleUpdate.exe [2009-06-12 133104]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2008-07-25 34312]
S3 ccPwdSvc;Symantec Password Validation; C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe [2005-04-08 83568]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2008-07-25 69632]
S3 FontCache3.0.0.0;Windows Presentation Foundation Font Cache 3.0.0.0; C:\WINDOWS\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe [2008-07-29 46104]
S3 IDriverT;InstallDriver Table Manager; C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe [2005-11-14 69632]
S3 idsvc;Windows CardSpace; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe [2008-07-29 881664]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 SavRoam;SAVRoam; C:\Program Files\Symantec AntiVirus\SavRoam.exe [2005-04-17 124608]
S3 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2005-04-05 206552]
S3 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2005-03-30 992864]
S4 NetTcpPortSharing;Net.Tcp Port Sharing Service; C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe [2008-07-29 132096]
-----------------EOF-----------------


----------



## mike2956 (Dec 6, 2010)

info.txt logfile of random's system information tool 1.08 2010-12-10 14:17:05
======Uninstall list======
Overlook Fing-->C:\Program Files\Overlook Fing 1.4\Uninstall.exe
-->C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Un7300PS.isu
-->C:\WINDOWS\UNNeroVision.exe /UNINSTALL
-->C:\WINDOWS\UNNMP.exe /UNINSTALL
-->MsiExec.exe /I{219B0DA4-8F1A-499D-8795-4A07C632521E}
-->MsiExec.exe /I{644B991F-B109-4360-9DA3-40CDAD13961C}
-->rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
3D Home Designer Deluxe Edition-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{FB4A5F2C-01AD-420E-9569-0CF5431C3638} 
ABBYY FineReader 6.0 Sprint-->MsiExec.exe /I{ACF60000-22B9-4CE9-98D6-2CCF359BAC07}
Adobe Acrobat 5.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player 10 ActiveX-->C:\WINDOWS\system32\Macromed\Flash\FlashUtil10l_ActiveX.exe -maintain activex
Adobe Photoshop 7.0-->C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
Adobe Reader 8.1.6-->MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81300000003}
Adobe SVG Viewer 3.0-->C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Advanced IP Scanner v1.5-->C:\Program Files\Advanced IP Scanner\uninstal.exe
Apple Application Support-->MsiExec.exe /I{B2D328BE-45AD-4D92-96F9-2151490A203E}
Apple Mobile Device Support-->MsiExec.exe /I{85991ED2-010C-4930-96FA-52F43C2CE98A}
Apple Software Update-->MsiExec.exe /I{6956856F-B6B3-4BE0-BA0B-8F495BE32033}
ASUSUpdate-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{587178E7-B1DF-494E-9838-FA4DD36E873C}\Setup.exe" -l0x9 
Athlon 64 Processor Driver-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C151CE54-E7EA-4804-854B-F515368B0798}\setup.exe" -l0x9 
Autodesk Design Review 2011-->c:\Program Files\Autodesk\Autodesk Design Review\Setup\Setup.exe /P {8D20B4D7-3422-4099-9332-39F27E617A6F} /M ADR
AviSynth 2.5-->"C:\Program Files\AviSynth 2.5\Uninstall.exe"
Bonjour-->MsiExec.exe /X{0CB9668D-F979-4F31-B8B8-67FE90F929F8}
Citrix Endpoint Analysis Plugin-->MsiExec.exe /I{50F824C8-2CF6-4b6a-B272-359996E433C2}
Citrix XenApp Web Plugin-->MsiExec.exe /X{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}
Cool & Quiet-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}\setup.exe" -l0x9 
CuteFTP 8 Home-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{949DBB22-2FB7-4DE1-804C-23D495A988D8}\Setup.exe" -l0x9 
CutePDF Writer 2.7-->C:\Program Files\Acro Software\CutePDF Writer\uninscpw.exe /uninstall
Desktop Lawyer-->C:\WINDOWS\UnRapClassic.exe
DVD Decrypter (Remove Only)-->"C:\Program Files\DVD Decrypter\uninstall.exe"
DVD Shrink 3.2-->"C:\Program Files\DVD Shrink\unins000.exe"
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.1.0-->"C:\Program Files\DVDFab 5\unins000.exe"
DVDFab Express 2.9.8.3-->"C:\Program Files\DVDFab Express\unins000.exe"
DWG TrueView 2011-->C:\Program Files\Autodesk\DWG TrueView 2011\Setup\Setup.exe /P {5783F2D7-9028-0409-0000-0060B0CE6BBA} /M AOEM /language en-US
EasyHtml-->C:\WINDOWS\uninst.exe -f"C:\Program Files\ToniArts\EasyHtml\DeIsL1.isu" -c"C:\Program Files\ToniArts\EasyHtml\_ISREG32.DLL"
EPSON Attach To Email-->C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{20C45B32-5AB6-46A4-94EF-58950CAF05E5} /l1033 ADDREMOVEDLG
EPSON Copy Utility 3-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{67EDD823-135A-4D59-87BD-950616D6E857}\SETUP.EXE" -l0x9 -UnInstall
EPSON Event Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{48F22622-1CC2-4A83-9C1E-644DD96F832D}\Setup.exe" -l0x9 -u
EPSON File Manager-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{E86BC406-944E-41F6-ADE6-2C136734C96B}\Setup.exe" -l0x9 UNINST
EPSON Image Clip Palette-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{314F6D08-A8B7-11D8-8446-0050BA1D384D}\Setup.exe" -l0x9 -u
EPSON Scan Assistant-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64}\Setup.exe" -l0x9 -u
EPSON Scan-->C:\Program Files\epson\escndv\setup\setup.exe /r
EXIF Date Changer v1.1-->"C:\Program Files\EXIF Date Changer\unins000.exe"
Express Rip-->C:\Program Files\NCH Swift Sound\ExpressRip\uninst.exe
FileZilla (remove only)-->"C:\Program Files\FileZilla\uninstall.exe"
Free DVD Decrypter version 1.3-->"C:\Program Files\DVDVideoSoft\Free DVD Decrypter\unins000.exe"
Free Internet Window Washer-->C:\PROGRA~1\FREEIN~1\UNWISE.EXE C:\PROGRA~1\FREEIN~1\INSTALL.LOG
Free IP Scanner-->C:\PROGRA~1\FREEIP~1\UNWISE.EXE C:\PROGRA~1\FREEIP~1\INSTALL.LOG
Garmin MapSource-->MsiExec.exe /X{58FA5D40-E35A-47ED-8AFA-68CCC758559E}
Garmin USB Drivers-->MsiExec.exe /X{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E}
Google Earth-->MsiExec.exe /X{4286E640-B5FB-11DF-AC4B-005056C00008}
Google Update Helper-->MsiExec.exe /I{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
HijackThis 1.99.1-->C:\Documents and Settings\Mike\Desktop\HijackThis.exe /uninstall
HiJackThis-->MsiExec.exe /X{45A66726-69BC-466B-A7A4-12FCBA4883D7}
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall /qb+ REBOOTPROMPT=""
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A7EEA2F2-BFCD-4A54-A575-7B81A786E658} /qb+ REBOOTPROMPT=""
Hotfix for Windows XP (KB2158563)-->"C:\WINDOWS\$NtUninstallKB2158563$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB952287)-->"C:\WINDOWS\$NtUninstallKB952287$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB961118)-->"C:\WINDOWS\$NtUninstallKB961118$\spuninst\spuninst.exe"
Hotfix for Windows XP (KB981793)-->"C:\WINDOWS\$NtUninstallKB981793$\spuninst\spuninst.exe"
IBP 10.0.1-->"C:\Program Files\IBP 10\unins000.exe"
ImgBurn-->"C:\Program Files\ImgBurn\uninstall.exe"
Intel NetportExpress Software-->C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Intel\Netport\Uninst.isu"
InterCasino-->C:\WINDOWS\system32\UnCasino5.exe InterCasinoV9EnglishUSD
Internet Explorer (Enable DEP)-->C:\WINDOWS\system32\sdbinst.exe -u "C:\WINDOWS\AppPatch\Custom\{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb"
iTunes-->MsiExec.exe /I{7AB3A249-FB81-416B-917A-A2A10E74C503}
J2SE Runtime Environment 5.0-->MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150000}
Java(TM) 6 Update 22-->MsiExec.exe /X{26A24AE4-039D-4CA4-87B4-2F83216019FF}
Karen's Computer Profiler-->C:\Program Files\Karen's Power Tools\Computer Profiler\uninst.exe
Karen's Directory Printer-->C:\Program Files\Karen's Power Tools\Directory Printer\uninst.exe
LiveUpdate 2.6 (Symantec Corporation)-->C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE /U
[email protected] 2.50 Build 35-->C:\WINDOWS\iun6002.exe "C:\Program Files\[email protected]\irunin.ini"
Magic DVD Copier Version 4.9.3-->"C:\Program Files\MagicDVDCopier\unins000.exe"
Magic DVD Ripper V5.4.2-->"C:\Program Files\MagicDVDRipper\unins000.exe"
Malwarebytes' Anti-Malware-->"C:\Program Files\Malwarebytes' Anti-Malware\unins000.exe"
Microsoft .NET Framework 2.0 Service Pack 2-->MsiExec.exe /I{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}
Microsoft .NET Framework 3.0 Service Pack 2-->MsiExec.exe /I{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}
Microsoft .NET Framework 3.5 SP1-->C:\WINDOWS\Microsoft.NET\Framework\v3.5\Microsoft .NET Framework 3.5 SP1\setup.exe
Microsoft .NET Framework 3.5 SP1-->MsiExec.exe /I{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}
Microsoft AutoRoute 2006-->MsiExec.exe /I{83ED1E80-A1B7-4236-BCF1-AC4A88151A6B}
Microsoft Office Professional Edition 2003-->MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Silverlight-->MsiExec.exe /X{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053-->MsiExec.exe /X{770657D0-A123-3C07-8E44-1C83EC895118}
Microsoft Visual C++ 2005 Redistributable-->MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17-->MsiExec.exe /X{9A25302D-30C0-39D9-BD6F-21E6EC160475}
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148-->MsiExec.exe /X{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}
MiraFoto-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{19ADA2D0-D577-11D2-A14E-08002BE4D8DC}\Setup.exe" -l0x9 
MSXML 4.0 SP2 (KB936181)-->MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
MSXML 4.0 SP2 (KB954430)-->MsiExec.exe /I{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}
MSXML 4.0 SP2 (KB973688)-->MsiExec.exe /I{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}
NDAS Software 3.20.1528-->MsiExec.exe /I{738B6229-A2BF-49BB-92C6-5328F49DAACD}
Nero Suite-->C:\Program Files\Common Files\Nero\Uninstall\Setupx.exe /uninstall ExtraUninstallID=""
No-IP.com DUC (remove only)-->"C:\Program Files\No-IP\DUC20.exe" -uninstall
PC Magazine DiskAction v2.3.1-->"C:\Program Files\PC Magazine Utilities\DiskAction 2\unins000.exe"
PC Probe II-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F7338FA3-DAB5-49B2-900D-0AFB5760C166}\setup.exe" -l0x9 
Perf3490P_3590P User's Guide-->C:\Program Files\EPSON\TPMANUAL\Perf3490P_3590P\USE_G\DOCUNINS.EXE
QuickTime-->MsiExec.exe /I{3D9892BB-A751-4E48-ADC8-E4289956CE1D}
RealPlayer-->C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SAMSUNG CDMA Modem Driver Set-->C:\WINDOWS\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
Samsung ML-7300 Driver-->C:\WINDOWS\IsUninst.exe -fC:\WINDOWS\Samsung\ADDPRINT\ML7300\ml73xl.isu -c"C:\WINDOWS\Samsung\ADDPRINT\ML7300\ML73002K.dll"
SAMSUNG Mobile Composite Device Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software-->C:\WINDOWS\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3-->"C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -runfromtemp -l0x0009 -removeonly
Security Update for CAPICOM (KB931906)-->MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906)-->MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {A8894F19-59C8-38D2-8A75-36C0CCE56A5B} /qb+ REBOOTPROMPT=""
Security Update for Windows Internet Explorer 8 (KB2183461)-->"C:\WINDOWS\ie8updates\KB2183461-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB2360131)-->"C:\WINDOWS\ie8updates\KB2360131-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB971961)-->"C:\WINDOWS\ie8updates\KB971961-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB981332)-->"C:\WINDOWS\ie8updates\KB981332-IE8\spuninst\spuninst.exe"
Security Update for Windows Internet Explorer 8 (KB982381)-->"C:\WINDOWS\ie8updates\KB982381-IE8\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB2378111)-->"C:\WINDOWS\$NtUninstallKB2378111_WM9$\spuninst\spuninst.exe"
Security Update for Windows Media Player (KB975558)-->"C:\WINDOWS\$NtUninstallKB975558_WM8$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2079403)-->"C:\WINDOWS\$NtUninstallKB2079403$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2115168)-->"C:\WINDOWS\$NtUninstallKB2115168$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2121546)-->"C:\WINDOWS\$NtUninstallKB2121546$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2160329)-->"C:\WINDOWS\$NtUninstallKB2160329$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2229593)-->"C:\WINDOWS\$NtUninstallKB2229593$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2259922)-->"C:\WINDOWS\$NtUninstallKB2259922$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2279986)-->"C:\WINDOWS\$NtUninstallKB2279986$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2286198)-->"C:\WINDOWS\$NtUninstallKB2286198$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2296011)-->"C:\WINDOWS\$NtUninstallKB2296011$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2347290)-->"C:\WINDOWS\$NtUninstallKB2347290$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2360937)-->"C:\WINDOWS\$NtUninstallKB2360937$\spuninst\spuninst.exe"
Security Update for Windows XP (KB2387149)-->"C:\WINDOWS\$NtUninstallKB2387149$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923561)-->"C:\WINDOWS\$NtUninstallKB923561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB923789)-->C:\WINDOWS\system32\MacroMed\Flash\genuinst.exe C:\WINDOWS\system32\MacroMed\Flash\KB923789.inf
Security Update for Windows XP (KB950762)-->"C:\WINDOWS\$NtUninstallKB950762$\spuninst\spuninst.exe"
Security Update for Windows XP (KB950974)-->"C:\WINDOWS\$NtUninstallKB950974$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951376-v2)-->"C:\WINDOWS\$NtUninstallKB951376-v2$\spuninst\spuninst.exe"
Security Update for Windows XP (KB951748)-->"C:\WINDOWS\$NtUninstallKB951748$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952004)-->"C:\WINDOWS\$NtUninstallKB952004$\spuninst\spuninst.exe"
Security Update for Windows XP (KB952954)-->"C:\WINDOWS\$NtUninstallKB952954$\spuninst\spuninst.exe"
Security Update for Windows XP (KB954459)-->"C:\WINDOWS\$NtUninstallKB954459$\spuninst\spuninst.exe"
Security Update for Windows XP (KB955069)-->"C:\WINDOWS\$NtUninstallKB955069$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956572)-->"C:\WINDOWS\$NtUninstallKB956572$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956744)-->"C:\WINDOWS\$NtUninstallKB956744$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956802)-->"C:\WINDOWS\$NtUninstallKB956802$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956803)-->"C:\WINDOWS\$NtUninstallKB956803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB956844)-->"C:\WINDOWS\$NtUninstallKB956844$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958644)-->"C:\WINDOWS\$NtUninstallKB958644$\spuninst\spuninst.exe"
Security Update for Windows XP (KB958869)-->"C:\WINDOWS\$NtUninstallKB958869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB959426)-->"C:\WINDOWS\$NtUninstallKB959426$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960225)-->"C:\WINDOWS\$NtUninstallKB960225$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960803)-->"C:\WINDOWS\$NtUninstallKB960803$\spuninst\spuninst.exe"
Security Update for Windows XP (KB960859)-->"C:\WINDOWS\$NtUninstallKB960859$\spuninst\spuninst.exe"
Security Update for Windows XP (KB961501)-->"C:\WINDOWS\$NtUninstallKB961501$\spuninst\spuninst.exe"
Security Update for Windows XP (KB969059)-->"C:\WINDOWS\$NtUninstallKB969059$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970238)-->"C:\WINDOWS\$NtUninstallKB970238$\spuninst\spuninst.exe"
Security Update for Windows XP (KB970430)-->"C:\WINDOWS\$NtUninstallKB970430$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971468)-->"C:\WINDOWS\$NtUninstallKB971468$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971657)-->"C:\WINDOWS\$NtUninstallKB971657$\spuninst\spuninst.exe"
Security Update for Windows XP (KB971961)-->"C:\WINDOWS\$NtUninstallKB971961$\spuninst\spuninst.exe"
Security Update for Windows XP (KB972270)-->"C:\WINDOWS\$NtUninstallKB972270$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973507)-->"C:\WINDOWS\$NtUninstallKB973507$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973869)-->"C:\WINDOWS\$NtUninstallKB973869$\spuninst\spuninst.exe"
Security Update for Windows XP (KB973904)-->"C:\WINDOWS\$NtUninstallKB973904$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974112)-->"C:\WINDOWS\$NtUninstallKB974112$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974318)-->"C:\WINDOWS\$NtUninstallKB974318$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974392)-->"C:\WINDOWS\$NtUninstallKB974392$\spuninst\spuninst.exe"
Security Update for Windows XP (KB974571)-->"C:\WINDOWS\$NtUninstallKB974571$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975025)-->"C:\WINDOWS\$NtUninstallKB975025$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975467)-->"C:\WINDOWS\$NtUninstallKB975467$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975560)-->"C:\WINDOWS\$NtUninstallKB975560$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975561)-->"C:\WINDOWS\$NtUninstallKB975561$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975562)-->"C:\WINDOWS\$NtUninstallKB975562$\spuninst\spuninst.exe"
Security Update for Windows XP (KB975713)-->"C:\WINDOWS\$NtUninstallKB975713$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977816)-->"C:\WINDOWS\$NtUninstallKB977816$\spuninst\spuninst.exe"
Security Update for Windows XP (KB977914)-->"C:\WINDOWS\$NtUninstallKB977914$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978037)-->"C:\WINDOWS\$NtUninstallKB978037$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978338)-->"C:\WINDOWS\$NtUninstallKB978338$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978542)-->"C:\WINDOWS\$NtUninstallKB978542$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978601)-->"C:\WINDOWS\$NtUninstallKB978601$\spuninst\spuninst.exe"
Security Update for Windows XP (KB978706)-->"C:\WINDOWS\$NtUninstallKB978706$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979309)-->"C:\WINDOWS\$NtUninstallKB979309$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979482)-->"C:\WINDOWS\$NtUninstallKB979482$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979559)-->"C:\WINDOWS\$NtUninstallKB979559$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979683)-->"C:\WINDOWS\$NtUninstallKB979683$\spuninst\spuninst.exe"
Security Update for Windows XP (KB979687)-->"C:\WINDOWS\$NtUninstallKB979687$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980218)-->"C:\WINDOWS\$NtUninstallKB980218$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980232)-->"C:\WINDOWS\$NtUninstallKB980232$\spuninst\spuninst.exe"
Security Update for Windows XP (KB980436)-->"C:\WINDOWS\$NtUninstallKB980436$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981322)-->"C:\WINDOWS\$NtUninstallKB981322$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981349)-->"C:\WINDOWS\$NtUninstallKB981349$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981852)-->"C:\WINDOWS\$NtUninstallKB981852$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981957)-->"C:\WINDOWS\$NtUninstallKB981957$\spuninst\spuninst.exe"
Security Update for Windows XP (KB981997)-->"C:\WINDOWS\$NtUninstallKB981997$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982132)-->"C:\WINDOWS\$NtUninstallKB982132$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982214)-->"C:\WINDOWS\$NtUninstallKB982214$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982381)-->"C:\WINDOWS\$NtUninstallKB982381$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982665)-->"C:\WINDOWS\$NtUninstallKB982665$\spuninst\spuninst.exe"
Security Update for Windows XP (KB982802)-->"C:\WINDOWS\$NtUninstallKB982802$\spuninst\spuninst.exe"
SEMC DSS-20 SyncStation Driver-->C:\WINDOWS\system32\ftdiunin.exe C:\WINDOWS\system32\ftdiun2k.ini
Sony Ericsson Communications Suite-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B8BC806D-0703-11D4-BB23-006008676AF8}\setup.exe" -l0x9 -l0009 --remove=y
Sony Ericsson File Manager-->MsiExec.exe /X{F00B1D05-AB7C-4E0A-87A0-CC25D82D7F1D}
Sony Ericsson Image Editor-->MsiExec.exe /X{4FB0FB47-8F1D-4339-8BE9-39819362AE05}
Sony Ericsson MMS Home Studio-->MsiExec.exe /X{83E9FDFD-B4E9-4FB7-A767-8339664CDE96}
Sony Ericsson Mobile Networking Wizard-->MsiExec.exe /X{4588138D-4194-41F9-BAD7-8CB886C9AD4F}
Sony Ericsson Sound Editor-->MsiExec.exe /X{8DD641C2-FFEC-4AED-A339-88BACFC60C39}
Sony Ericsson Sync Station-->MsiExec.exe /X{F2CE6BD0-54CD-4A53-BBB5-409D74B28EDD}
SoundMAX-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\setup.exe" -l0x9 -removeonly
Switch Sound File Converter-->C:\Program Files\NCH Swift Sound\Switch\uninst.exe
Symantec AntiVirus-->MsiExec.exe /I{5A633ED0-E5D7-4D65-AB8D-53ED43510284}
Symantec Technical Support Web Controls-->MsiExec.exe /X{9743AF47-B746-4324-B4C4-512E67D04370}
SyncThru Web Admin Service Driver Management-->MsiExec.exe /X{F8DF73E6-97CC-4950-96FC-0022EA737497}
SyncThru Web Admin Service-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{41F630B6-3A1C-40E0-8AD6-83C39C5B99E3}\Setup.exe" -l0x9 uninstall
T610-616-630-637 USB-Handset Manager-->C:\WINDOWS\USBT610phmgunin.exe C:\Program Files\T610-616-630-637 USB-Handset Manager\FileList.ini
TBO Advanced Chart Pattern Recognition-->MsiExec.exe /X{04B9AC25-2440-4368-8355-DA7303A133FC}
TightVNC 1.3.10-->"C:\Program Files\TightVNC\unins000.exe"
TomTom HOME-->C:\Program Files\TomTom HOME 2\Uninstall TomTom HOME.exe
Uninstall 1.0.0.1-->"C:\Program Files\Common Files\DVDVideoSoft\unins000.exe"
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)-->C:\WINDOWS\system32\msiexec.exe /package {CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} /uninstall {B2AE9C82-DC7B-3641-BFC8-87275C4F3607} /qb+ REBOOTPROMPT=""
Update for Windows Internet Explorer 8 (KB976662)-->"C:\WINDOWS\ie8updates\KB976662-IE8\spuninst\spuninst.exe"
Update for Windows Internet Explorer 8 (KB982632)-->"C:\WINDOWS\ie8updates\KB982632-IE8\spuninst\spuninst.exe"
Update for Windows XP (KB2141007)-->"C:\WINDOWS\$NtUninstallKB2141007$\spuninst\spuninst.exe"
Update for Windows XP (KB2345886)-->"C:\WINDOWS\$NtUninstallKB2345886$\spuninst\spuninst.exe"
Update for Windows XP (KB951978)-->"C:\WINDOWS\$NtUninstallKB951978$\spuninst\spuninst.exe"
Update for Windows XP (KB955759)-->"C:\WINDOWS\$NtUninstallKB955759$\spuninst\spuninst.exe"
Update for Windows XP (KB967715)-->"C:\WINDOWS\$NtUninstallKB967715$\spuninst\spuninst.exe"
Update for Windows XP (KB968389)-->"C:\WINDOWS\$NtUninstallKB968389$\spuninst\spuninst.exe"
Update for Windows XP (KB971737)-->"C:\WINDOWS\$NtUninstallKB971737$\spuninst\spuninst.exe"
Update for Windows XP (KB973687)-->"C:\WINDOWS\$NtUninstallKB973687$\spuninst\spuninst.exe"
Update for Windows XP (KB973815)-->"C:\WINDOWS\$NtUninstallKB973815$\spuninst\spuninst.exe"
VC_MergeModuleToMSI-->MsiExec.exe /I{900A92BA-19EF-4A34-86CF-7B6C85BDD971}
VIA Chrome9 HC IGP Family Display-->C:\WINDOWS\system32\s3minset.exe -uninf -u 'VIA Chrome9 HC IGP Family Display' -ver '07/23/2007, 6.14.10.0101'
VIA Platform Device Manager-->C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{20D4A895-748C-4D88-871C-FDB1695B0169} 
VIA Rhine-Family Fast Ethernet Adapter-->Rundll32.exe vuins32.dll,vuins32Ex $Rhine $VIA
VIA/S3G Display Driver 6.14.10.0071-->C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
VIA/S3G Display Driver-->C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
VIRGIN MOBILE BROADBAND HOME-->C:\Program Files\Virgin Mobile\Broadband Home\uninst.exe
Virtual Earth 3D (Beta)-->MsiExec.exe /I{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2}
WavePad Sound Editor-->C:\Program Files\NCH Swift Sound\WavePad\uninst.exe
WebEx Support Manager for Internet Explorer-->MsiExec.exe /I{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90}
Windows Driver Package - Garmin (grmnusb) GARMIN Devices (06/03/2009 2.3.0.0)-->rundll32.exe C:\PROGRA~1\DIFX\15B7F172FC21855D\DIFxAppA.dll, DIFxARPUninstallDriverPackage C:\WINDOWS\system32\DRVSTORE\grmnusb_8E661E05CC789A6D1B8ABAA087CF60EDD72AC35D\grmnusb.inf
Windows Internet Explorer 8-->"C:\WINDOWS\ie8\spuninst\spuninst.exe"
Windows PowerShell(TM) 1.0-->"C:\WINDOWS\$NtUninstallKB926139-v2$\spuninst\spuninst.exe"
winpcap-overlook 4.02-->"C:\Program Files\WinPcap\uninstall.exe"
WinRAR archiver-->C:\Program Files\WinRAR\uninstall.exe
XTNDConnect PC-->RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D5CF3710-211B-11D4-B9B9-00105AE05C5D}\setup.exe" UNINSTALL
======Security center information======
AV: Symantec AntiVirus Corporate Edition (disabled)
======System event log======
Computer Name: MIKES-COMPUTER
Event Code: 36
Message: The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.
Record Number: 46421
Source Name: W32Time
Time Written: 20101018232532.000000+060
Event Type: warning
User: 
Computer Name: MIKES-COMPUTER
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load: 
aec6710D
Record Number: 46402
Source Name: Service Control Manager
Time Written: 20101018094642.000000+060
Event Type: error
User: 
Computer Name: MIKES-COMPUTER
Event Code: 8021
Message: The browser was unable to retrieve a list of servers from the browser master \\JANE on the network \Device\NetBT_Tcpip_{5E517EEC-6457-48FC-8B73-B7C737EA5E23}.
The data is the error code.
Record Number: 46397
Source Name: BROWSER
Time Written: 20101017233022.000000+060
Event Type: warning
User: 
Computer Name: MIKES-COMPUTER
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load: 
aec6710D
Record Number: 46367
Source Name: Service Control Manager
Time Written: 20101017102947.000000+060
Event Type: error
User: 
Computer Name: MIKES-COMPUTER
Event Code: 7026
Message: The following boot-start or system-start driver(s) failed to load: 
aec6710D
Record Number: 46320
Source Name: Service Control Manager
Time Written: 20101016114611.000000+060
Event Type: error
User: 
=====Application event log=====
Computer Name: MIKES-COMPUTER
Event Code: 4614
Message: The COM+ Event System detected an inconsistency in its internal state. The assertion "GetLastError() == 122L" failed at line 162 of d:\comxp_sp3\com\com1x\src\events\shared\sectools.cpp. Please contact Microsoft Product Support Services to report this error.
Record Number: 44351
Source Name: EventSystem
Time Written: 20101204013019.000000+000
Event Type: error
User: 
Computer Name: MIKES-COMPUTER
Event Code: 1524
Message: Windows cannot unload your classes registry file - it is still in use by other applications or services. The file will be unloaded when it is no longer in use.

Record Number: 44350
Source Name: Userenv
Time Written: 20101204013017.000000+000
Event Type: warning
User: MIKES-COMPUTER\Mike
Computer Name: MIKES-COMPUTER
Event Code: 5
Message:

Threat Found!Threat: SecurityEssentialFraud in File: C:\Documents and Settings\Mike\Application Data\Adobe\plugs\KB59125218.exe by: Auto-Protect scan. Action: Pending Side Effects Analysis. Action Description: 
Record Number: 44342
Source Name: Symantec AntiVirus
Time Written: 20101204012359.000000+000
Event Type: error
User: 
Computer Name: MIKES-COMPUTER
Event Code: 11014
Message: 
Record Number: 44341
Source Name: RouteService
Time Written: 20101204001010.000000+000
Event Type: warning
User: 
Computer Name: MIKES-COMPUTER
Event Code: 1002
Message: Hanging application ShowTime.exe, version 2.0.0.22, hang module hungapp, version 0.0.0.0, hang address 0x00000000.
Record Number: 44335
Source Name: Application Hang
Time Written: 20101203174455.000000+000
Event Type: error
User: 
======Environment variables======
"ComSpec"=%SystemRoot%\system32\cmd.exe
"Path"=%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\system32\wbem;C:\Program Files\Samsung\Samsung PC Studio 3;C:\WINDOWS\system32\WindowsPowerShell\v1.0;C:\Program Files\QuickTime\QTSystem;C:\Program Files\Overlook Fing 1.4\bin
"windir"=%SystemRoot%
"FP_NO_HOST_CHECK"=NO
"OS"=Windows_NT
"PROCESSOR_ARCHITECTURE"=x86
"PROCESSOR_LEVEL"=15
"PROCESSOR_IDENTIFIER"=x86 Family 15 Model 47 Stepping 2, AuthenticAMD
"PROCESSOR_REVISION"=2f02
"NUMBER_OF_PROCESSORS"=1
"PATHEXT"=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.PSC1
"TEMP"=%SystemRoot%\TEMP
"TMP"=%SystemRoot%\TEMP
"asl.log"=Destination=file;OnFirstLog=command,environment,parent
"CLASSPATH"=.;C:\Program Files\Java\jre6\lib\ext\QTJava.zip
"QTJAVA"=C:\Program Files\Java\jre6\lib\ext\QTJava.zip
-----------------EOF-----------------


----------



## dvk01 (Dec 14, 2002)

Let's try again.

After downloading this CFScript, make sure you are disconnected from the net before running ComboFix.
Unplug the modem cable if need be so it can't connect while running.

Delete the existing cfscript.txt.

Download the attached CFScript.txt and save it to your desktop (click on the link underneath this post; if you are using Internet Explorer, when the "File download" pop-up comes, press *SAVE* and choose desktop in the list of selections in that window, then press save).

*Disable any antivirus/antimalware/firewall realtime protection or script blocking in the same way you did previously before running ComboFix, and remember to re-enable it when it has finished.*

Close any open browsers.
Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

This will start ComboFix again. It may ask to reboot. Post the contents of ComboFix.txt in your next reply.

*Note: these instructions and script were created specifically for this user. If you are not this user, do NOT follow these instructions or use this script, as it could damage the workings of your system and will not fix your problem. If you have a similar problem, start your own topic in the malware fixing forum.*


----------



## mike2956 (Dec 6, 2010)

This one was run with the network connection physically unplugged!

ComboFix 10-12-09.04 - Mike 10/12/2010 22:24:29.10.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2352 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
Command switches used :: c:\documents and settings\Mike\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FILE ::
"c:\documents and settings\Mike\Application Data\Monu\ciru.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Ebhyge
c:\documents and settings\Mike\Application Data\Leos
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
c:\documents and settings\Mike\Application Data\Musiro
c:\documents and settings\Mike\Application Data\Olsev
c:\documents and settings\Mike\Application Data\Ozoxv
c:\documents and settings\Mike\Application Data\Ozoxv\wumem.ege
c:\documents and settings\Mike\Application Data\Paop
c:\documents and settings\Mike\Application Data\Tahui
c:\documents and settings\Mike\Application Data\Tahui\apex.hib
c:\documents and settings\Mike\Application Data\Tama
c:\documents and settings\Mike\Application Data\Tuud
c:\documents and settings\Mike\Application Data\Wuaw
c:\documents and settings\Mike\Application Data\Ynid
c:\program files\windows
.
((((((((((((((((((((((((( Files Created from 2010-11-10 to 2010-12-10 )))))))))))))))))))))))))))))))
.
2010-12-10 14:16 . 2010-12-10 14:17 -------- d-----w- C:\rsit
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"1036:TCP"= 1036:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-10 22:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(1336)
c:\windows\system32\WININET.dll
c:\windows\system32\AcSignIcon.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Autodesk Shared\AcSignCore16.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\NDAS\System\ndassvc.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\VTTimer.exe
c:\windows\system32\S3trayp.exe
c:\program files\Symantec AntiVirus\DoScan.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-12-10 22:37:51 - machine was rebooted
ComboFix-quarantined-files.txt 2010-12-10 22:37
ComboFix2.txt 2010-12-09 17:22
ComboFix3.txt 2010-12-09 15:08
ComboFix4.txt 2010-12-09 14:09
ComboFix5.txt 2010-12-10 22:23
Pre-Run: 36,646,965,248 bytes free
Post-Run: 36,644,294,656 bytes free
- - End Of File - - 7866F29625F7089E6E8130B091C32DDB


----------



## dvk01 (Dec 14, 2002)

Let's hope that fully deleted it this time.

Run ComboFix again and we will see.


----------



## mike2956 (Dec 6, 2010)

It did download a new version of ComboFix before running!?

ComboFix 10-12-09.08 - Mike 11/12/2010 9:57.11.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2361 [GMT 0:00]
Running from: c:\documents and settings\Mike\Desktop\mike2956.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Mike\Application Data\Monu\ciru.exe
.
((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
.
2010-12-10 14:16 . 2010-12-10 14:17 -------- d-----w- C:\rsit
2010-12-07 23:49 . 2010-09-15 04:50 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-12-07 12:31 . 2010-12-07 12:31 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-12-05 23:14 . 2010-12-05 23:14 388096 ----a-r- c:\documents and settings\Mike\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2010-12-05 23:14 . 2010-12-05 23:14 -------- d-----w- c:\program files\Trend Micro
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-12-04 02:21 . 2010-12-04 02:21 -------- d-sh--w- c:\documents and settings\LocalService\IECompatCache
2010-12-04 02:18 . 2010-12-06 21:23 -------- d-----w- c:\documents and settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17}
2010-11-17 12:30 . 2003-02-24 09:36 48631 ----a-w- c:\windows\system32\ftserui2.dll
2010-11-17 12:30 . 2003-02-24 09:36 50396 ----a-w- c:\windows\system32\drivers\ftser2k.sys
2010-11-17 12:30 . 2003-02-24 09:36 6828 ----a-w- c:\windows\system32\drivers\ftlund.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 17:42 . 2010-06-26 10:25 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-29 17:42 . 2010-06-26 10:25 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-18 11:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-23 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-15 02:29 . 2010-04-11 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
.
((((((((((((((((((((((((((((( [email protected]_21.25.33 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-12-11 09:31 . 2010-12-11 09:31 16384 c:\windows\Temp\Perflib_Perfdata_d8.dat
+ 2010-12-11 09:31 . 2010-12-11 09:31 16384 c:\windows\Temp\Perflib_Perfdata_2fc.dat
+ 2010-10-25 00:32 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
- 2007-12-24 12:22 . 2007-04-09 12:23 46472 c:\windows\system32\spool\drivers\w32x86\3\mdiui.dll
+ 2001-08-23 12:00 . 2010-12-11 09:36 68156 c:\windows\system32\perfc009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 68156 c:\windows\system32\perfc009.dat
- 2007-12-24 12:22 . 2010-11-11 12:21 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 23040 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 61440 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 27136 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 11264 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 86016 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 12288 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 4096 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2007-12-24 12:22 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2010-10-25 00:32 . 2007-04-09 12:24 758664 c:\windows\system32\spool\drivers\w32x86\3\mdigraph.dll
+ 2001-08-23 12:00 . 2010-12-11 09:36 435260 c:\windows\system32\perfh009.dat
- 2001-08-23 12:00 . 2010-12-06 21:16 435260 c:\windows\system32\perfh009.dat
- 2010-04-11 00:01 . 2010-04-11 00:01 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 153376 c:\windows\system32\javaws.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\javaw.exe
- 2010-04-11 00:01 . 2010-04-11 00:01 145184 c:\windows\system32\java.exe
+ 2010-12-07 23:49 . 2010-09-15 04:50 145184 c:\windows\system32\java.exe
+ 2007-12-23 20:00 . 2010-12-07 23:45 322728 c:\windows\system32\FNTCACHE.DAT
- 2007-12-23 20:00 . 2010-10-16 10:44 322728 c:\windows\system32\FNTCACHE.DAT
+ 2010-12-07 23:50 . 2010-12-07 23:50 180224 c:\windows\Installer\2a778.msi
+ 2007-12-24 12:22 . 2010-12-07 21:49 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 409600 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 286720 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 249856 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 794624 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 135168 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2007-12-24 12:22 . 2010-12-07 21:49 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
- 2007-12-24 12:22 . 2010-11-11 12:21 593920 c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"S3Trayp"="S3trayp.exe" [2007-06-11 176128]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-04-17 85184]
"EEventManager"="c:\program files\EPSON\Creativity Suite\Event Manager\EEventManager.exe" [2005-04-08 102400]
"DataCardMonitor"="c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe" [2008-07-21 253952]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2005-05-20 925696]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
NDAS Device Management.lnk - c:\program files\NDAS\System\ndasmgmt.exe [2007-11-27 236520]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\klmdb.sys]
@=""
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WATCHPNP_Samsung]
watchPnp.exe Samsung [X]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2004-10-27 15:21 61952 ------w- c:\windows\system32\HdAShCut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-06-15 15:33 141624 ----a-w- c:\program files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
2005-02-10 17:00 1937408 ------w- c:\program files\Ahead\Nero BackItUp\NBJ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 10:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 21:16 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAX]
2005-09-07 15:35 716800 ----a-w- c:\program files\Analog Devices\SoundMAX\SMax4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
2005-05-20 01:11 925696 ----a-r- c:\program files\Analog Devices\Core\smax4pnp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\FileZilla\\filezilla.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\[email protected]\\LookAtHost.exe"=
"c:\\Program Files\\[email protected]\\LookAtLan.exe"=
"c:\\Program Files\\WinPcap\\rpcapd.exe"=
"c:\\Program Files\\InterCasino $$$\\Casino.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"1034:TCP"= 1034:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
R1 ndasfat;NDAS FAT;c:\windows\system32\drivers\ndasfat.sys [15/02/2008 23:37 372584]
R2 Akamai;Akamai NetSession Interface;c:\windows\System32\svchost.exe -k Akamai [14/04/2008 03:42 14336]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [08/02/2009 11:12 34064]
R2 SWAS_Core;SyncThru Web Admin Service;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe [06/12/2009 17:48 1449984]
R2 SWAS_Srv_DriverManagement;SyncThru Web Admin Service Driver Management;c:\program files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe [31/01/2008 18:06 1060864]
S0 aec6710D;aec6710D;c:\windows\system32\drivers\aec6710d.sys [04/01/2009 12:00 9248]
S1 SiSV;SiSV;c:\windows\system32\drivers\sisv.sys [10/02/2008 22:27 50432]
S2 gupdate1c9eba46d592d6;Google Update Service (gupdate1c9eba46d592d6);c:\program files\Google\Update\GoogleUpdate.exe [12/06/2009 21:23 133104]
S3 FTLUND;Lundinova Filter Driver;c:\windows\system32\drivers\ftlund.sys [17/11/2010 12:30 6828]
S3 S3G700;S3G700;c:\windows\system32\drivers\s3g700m.sys [24/12/2007 00:13 792576]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [17/04/2005 12:30 124608]
--- Other Services/Drivers In Memory ---
*Deregistered* - EraserUtilDrvI10
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai
.
Contents of the 'Scheduled Tasks' folder
2010-12-09 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
2010-12-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-12 21:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scan.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
TCP: {5E517EEC-6457-48FC-8B73-B7C737EA5E23} = 8.8.8.8,8.8.4.4
DPF: {66D393D5-4D80-497C-9F4F-F3839E090202} - hxxp://www.pysoft.com/Downloads/WebCamPlayerOCX.cab
DPF: {73888E2B-FF04-416C-8847-984D7FC4507F}
.
.
------- File Associations -------
.
.scr=DWGTrueViewScriptFile
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-11 10:01
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ... 
scanning hidden autostart entries ... 
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DataCardMonitor = c:\program files\Virgin Mobile\Broadband Home\DataCardMonitor.exe?s\CancelAutoplay\CLSID?s_NT?Pa?? ?K???????h?=?????E???????OCUME~1\Mike\LOCALS~1\Temp\?????B???SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]???????????????????????!???5?????????= 
scanning hidden files ... 
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-11 10:03:38
ComboFix-quarantined-files.txt 2010-12-11 10:03
ComboFix2.txt 2010-12-10 22:37
ComboFix3.txt 2010-12-09 17:22
ComboFix4.txt 2010-12-09 15:08
ComboFix5.txt 2010-12-11 09:54
Pre-Run: 36,591,919,104 bytes free
Post-Run: 36,623,544,320 bytes free
- - End Of File - - 844CE4A8E593CE840BC45F343C10E0DB


----------



## dvk01 (Dec 14, 2002)

I don't know whether this is a bug with ComboFix or it is genuinely finding ciru.exe every time.

Let's see what this shows.

First
Please download GMER from: http://gmer.net/index.php

Click on the "Download EXE" button and save the randomly named .exe file to your desktop.

Note: You must uninstall any CD Emulation programs that you have before running GMER as they can cause conflicts and give false results.

Double-click the GMER .exe file on your desktop to run the tool and it will automatically do a quick scan. When it finishes, select the Rootkits tab at the top.

If the tool warns of rootkit activity and asks if you want to run a full scan, click on No and make sure the following are unchecked on the right-hand side:

IAT/EAT
Any drive letter other than the primary system drive (which is generally C).

Click the Scan button and when the scan is finished, click Save and save the log in Notepad with the name ark.txt to your desktop.

Note: It's important that all other windows be closed and that you don't touch the mouse or do anything with the PC during the scan as it may cause it to freeze.

also select the autostarts tab & do the same there

Then

Download *OTS.exe* to your Desktop 

Close any open browsers.
Double-click on *OTS.exe* to start the program.
If your real-time protection or antivirus intervenes with OTS, allow it to run.
In the *Processes* group click *ALL*
In the *Modules* group click *ALL* 
In the *Services* group click *Safe List* 
In the *Drivers* group click *Safe List* 
In the *Registry* group click *ALL*
In the *Files Age* drop-down box click *90 days* 
Make sure the "use company name white list" and "skip Microsoft files" boxes are checked
In the Files created and Files modified groups select *whitelist/file age*
In the *Additional scans* section please select *Everything* and make sure the safe list box is checked
Now on the toolbar at the top select "Scan all users" then click the *Run Scan* button
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file 
Use the *Reply* button and *attach the notepad file here*. I will review it when it comes in. 

It will be much too big so you will need to zip the file before it will be able to be uploaded


----------
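The entry dvk01 is asking about is the HKCU Run value with a GUID for a name that points to `Application Data\Monu\ciru.exe` and carries `[BU]` instead of the `[date size]` stamp every other entry in the ComboFix block has. As an added example that is not part of the thread, of ComboFix, or of any tool mentioned in it, the Python below parses the REGEDIT4-style "Reg Loading Points" block ComboFix prints and flags those three traits mechanically: a GUID-shaped value name, a target under a user profile's writable folders, and a missing file date/size stamp. The sample block is a constructed, trimmed copy of the one in the log above; the `[BU]` marker is treated only as "no date/size recorded", not given any further meaning, and the regexes and risk categories are this example's own assumptions.

```python
"""Added triage example for ComboFix 'Reg Loading Points' Run-key output.

Not part of the thread, ComboFix, GMER or OTS: it re-implements by hand the
checks an analyst applies by eye to the block ComboFix prints, so that the
odd entry (a GUID-named value under HKCU pointing into Application Data with
no date/size stamp) is surfaced mechanically instead of by reading 30 lines.
"""
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed sample: a trimmed copy of the Run-key block from the log in the
# thread. Only the ciru.exe line should come out flagged.
SAMPLE_LOG = r'''
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Free Internet Window Washer"="c:\progra~1\FREEIN~1\Clearpch.exe" [2007-08-29 1504256]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-05-06 202088]
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}"="c:\documents and settings\Mike\Application Data\Monu\ciru.exe" [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-21 53248]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-04-08 48752]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
'''

HIVE_RE = re.compile(r'^\[(?P<hive>HKEY_[^\]]+)\]$')
# "name"="target" [stamp]   -- the stamp is whatever ComboFix put in the brackets
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<target>[^"]*)"\s*(?:\[(?P<stamp>[^\]]*)\])?$')
GUID_RE = re.compile(r'^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$', re.I)
# Every entry ComboFix could stat on disk carries "YYYY-MM-DD size"; anything
# else (here "[BU]") means it recorded no file date/size for the target.
FILE_STAMP_RE = re.compile(r'^\d{4}-\d{2}-\d{2} \d+$')
# XP per-user profile locations an unprivileged process can write to (assumed list).
USER_PROFILE_RE = re.compile(
    r'\\documents and settings\\[^\\]+\\(?:application data|local settings)\\', re.I)

HIGH_RISK: Set[str] = {'guid-name', 'user-profile-path', 'no-file-stamp'}


@dataclass
class RunEntry:
    hive: str
    name: str
    target: str
    stamp: str
    reasons: List[str] = field(default_factory=list)


def parse_run_keys(text: str) -> List[RunEntry]:
    """Walk the REGEDIT4-style block, attaching each value to the hive above it."""
    entries: List[RunEntry] = []
    hive = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HIVE_RE.match(line)
        if m:
            hive = m.group('hive')
            continue
        m = VALUE_RE.match(line)
        if m and hive:
            entries.append(RunEntry(hive, m.group('name'), m.group('target'),
                                    m.group('stamp') or ''))
    return entries


def assess(entry: RunEntry) -> RunEntry:
    """Attach the reasons an analyst would give for looking twice at an entry."""
    if GUID_RE.match(entry.name):
        entry.reasons.append('guid-name')          # random-looking name, no product
    if USER_PROFILE_RE.search(entry.target):
        entry.reasons.append('user-profile-path')  # writable without admin rights
    if not FILE_STAMP_RE.match(entry.stamp):
        entry.reasons.append('no-file-stamp')      # ComboFix recorded no date/size
    if '\\' not in entry.target:
        entry.reasons.append('unqualified-path')   # resolved via search path; low risk
    return entry


def triage(text: str) -> List[RunEntry]:
    return [assess(e) for e in parse_run_keys(text)]


def suspicious(entries: List[RunEntry]) -> List[RunEntry]:
    """Only entries with at least one high-risk trait; an unqualified path alone is noise."""
    return [e for e in entries if HIGH_RISK & set(e.reasons)]


if __name__ == '__main__':
    for e in suspicious(triage(SAMPLE_LOG)):
        print(f'{e.hive}\n  "{e.name}" -> {e.target}\n  reasons: {", ".join(e.reasons)}')
```

Run against the full block from a ComboFix log, the `VTTimer`/`S3Trayp` style entries (bare file names resolved from System32) come out with only the low-risk `unqualified-path` tag and are not reported, while the `Monu\ciru.exe` value is reported with all three high-risk reasons. That separation is the point: a Run value under the user's own hive, into a folder the user can write without elevation, whose file ComboFix could not stamp, is the pattern to chase, whichever ComboFix pass it appears in.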



## mike2956 (Dec 6, 2010)

Because this is clearly getting a bit sticky (and thank you for your persistence by the way) I want to be certain.

I do not think I have any CD emulation software but on the other hand I might not recognise it if I fell over it! I do have software installed called NDAS Device Management which allows network access to a remote XIMETA hard drive. Should I uninstall this before continuing?

All the symptoms seem to have gone by the way but it would be nice to know I am totally in the clear.

Thanks
Mike


----------



## mike2956 (Dec 6, 2010)

Sorry on re reading your instructions there are a couple of things I want to be clear about.

I am not sure what you mean by "also select the autostarts tab & do the same there" where is the autostarts tab and should I do "the same" before or after I run GMER?

Should I reboot between running GMER and OTS?

Incidentally I had an interesting problem pasting the phrase "also select the autostarts tab & do the same there". When I did so the first time the window locked up and task manager showed that iexplorer was using 98% of CPU. The only way I could normalise this was to end the application!? 

Having tried twice (Ctrl+V and right-click paste) I pasted it into Word, re-cut and pasted it, no problem!

Mike


----------



## mike2956 (Dec 6, 2010)

Sorry but on re reading your instructions I have some further queries

Where is the autostarts tab?
What is it that I should do there?
Should I do it before I run GMER?
Should I reboot between GMER and OTS?

Thanks

Mike


----------



## dvk01 (Dec 14, 2002)

The NAS software should be fine so ignore that.

The Autostarts tab is in GMER.

Once GMER is started it should run a quick scan automatically. 
When that scan has finished, at the top press the >>>> beside Rootkits & the menu expands and you should see a Rootkit tab & an Autostarts tab. 
First select the Rootkit tab & run a full scan.
When that finishes, copy & paste the results. Then select Autostarts & press Scan & save the results to paste back here. 
It doesn't need a reboot in between GMER & OTS but it won't do any harm.

Both will just give logs & won't do any automatic fixing.


----------



## mike2956 (Dec 6, 2010)

Hmm....... Using a different PC to post this.

We never have had GMER run successfully and this time is no exception. It scans away happily then just stops.

The previous two times it stopped on C:\M17300, whatever that is. I searched but could not find it.

This time it has stopped on C:\WINDOWS\System32\winlogon.exe and has been there a good 5 minutes.

What's to do, should I reboot and start again?

Mike


----------



## dvk01 (Dec 14, 2002)

Reboot, forget GMER then if it won't run & just run OTS.


----------



## mike2956 (Dec 6, 2010)

OK. Here is the log from OTS.

Mike


```
OTS logfile created on: 11/12/2010 18:14:48 - Run 1
OTS by OldTimer - Version 3.1.40.1     Folder = C:\Documents and Settings\Mike\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy
 
3.00 Gb Total Physical Memory | 2.00 Gb Available Physical Memory | 79.00% Memory free
5.00 Gb Paging File | 5.00 Gb Available in Paging File | 94.00% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092 [binary data]
 
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 115.03 Gb Total Space | 34.11 Gb Free Space | 29.66% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
Drive F: | 115.03 Gb Total Space | 27.00 Gb Free Space | 23.47% Space Free | Partition Type: NTFS
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded
 
Computer Name: MIKES-COMPUTER
Current User Name: Mike
Logged in as Administrator.
 
Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 90 Days
 
[Processes - All]
ots.exe -> C:\Documents and Settings\Mike\Desktop\OTS.exe -> [2010/12/11 17:00:32 | 000,642,048 | ---- | M] (OldTimer Tools)
jqs.exe -> C:\Program Files\Java\jre6\bin\jqs.exe -> [2010/09/15 04:50:54 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.)
spoolsv.exe -> C:\WINDOWS\system32\spoolsv.exe -> [2010/08/17 13:17:06 | 000,058,880 | ---- | M] (Microsoft Corporation)
ituneshelper.exe -> C:\Program Files\iTunes\iTunesHelper.exe -> [2010/06/15 15:33:44 | 000,141,624 | ---- | M] (Apple Inc.)
ipodservice.exe -> C:\Program Files\iPod\bin\iPodService.exe -> [2010/06/15 15:33:36 | 000,540,472 | ---- | M] (Apple Inc.)
applemobiledeviceservice.exe -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.)
mdnsresponder.exe -> C:\Program Files\Bonjour\mDNSResponder.exe -> [2010/05/18 15:35:14 | 000,345,376 | ---- | M] (Apple Inc.)
jusched.exe -> C:\Program Files\Common Files\Java\Java Update\jusched.exe -> [2010/05/14 11:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.)
services.exe -> C:\WINDOWS\system32\services.exe -> [2009/02/06 11:11:05 | 000,110,592 | ---- | M] (Microsoft Corporation)
wmiprvse.exe -> C:\WINDOWS\system32\wbem\wmiprvse.exe -> [2009/02/06 10:10:02 | 000,227,840 | ---- | M] (Microsoft Corporation)
datacardmonitor.exe -> C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe -> [2008/07/21 15:29:30 | 000,253,952 | ---- | M] (Huawei Technologies Co., Ltd.)
swas.exe -> C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe -> [2008/04/15 19:55:02 | 001,449,984 | ---- | M] ()
wscntfy.exe -> C:\WINDOWS\system32\wscntfy.exe -> [2008/04/14 03:42:42 | 000,013,824 | ---- | M] (Microsoft Corporation)
winlogon.exe -> C:\WINDOWS\system32\winlogon.exe -> [2008/04/14 03:42:40 | 000,507,904 | ---- | M] (Microsoft Corporation)
smss.exe -> C:\WINDOWS\system32\smss.exe -> [2008/04/14 03:42:38 | 000,050,688 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [RPCSS] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\rpcss.dll [RpcSs] -> [2009/02/09 12:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [NETWORKSERVICE] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\dnsrslvr.dll [Dnscache] -> [2008/04/14 03:41:54 | 000,045,568 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [NETSVCS] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\appmgmts.dll [AppMgmt] -> [2008/04/14 03:41:50 | 000,167,936 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\audiosrv.dll [AudioSrv] -> [2008/04/14 03:41:52 | 000,042,496 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\qmgr.dll [BITS] -> [2008/04/14 00:12:03 | 000,409,088 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\browser.dll [Browser] -> [2008/04/14 03:41:52 | 000,077,824 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\cryptsvc.dll [CryptSvc] -> [2008/04/14 03:41:52 | 000,062,464 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\dhcpcsvc.dll [Dhcp] -> [2008/04/14 03:41:52 | 000,126,976 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\dmserver.dll [dmserver] -> [2008/04/14 03:41:54 | 000,023,552 | ---- | M] (Microsoft Corp.)
-> C:\WINDOWS\system32\ersvc.dll [ERSvc] -> [2008/04/14 03:41:54 | 000,023,040 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\es.dll [EventSystem] -> [2008/07/07 20:26:58 | 000,253,952 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\shsvcs.dll [FastUserSwitchingCompatibility] -> [2008/04/14 03:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\pchealth\helpctr\binaries\pchsvc.dll [helpsvc] -> [2008/04/14 00:12:02 | 000,038,400 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\System32\hidserv.dll [HidServ] -> File not found
-> C:\WINDOWS\system32\kmsvc.dll [hkmsvc] -> [2008/04/14 03:41:58 | 000,061,440 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\srvsvc.dll [lanmanserver] -> [2010/08/27 05:57:43 | 000,099,840 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wkssvc.dll [lanmanworkstation] -> [2009/06/10 06:14:49 | 000,132,096 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\msgsvc.dll [Messenger] -> [2008/04/14 03:42:00 | 000,033,792 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\qagentrt.dll [napagent] -> [2008/04/14 03:42:04 | 000,291,328 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\netman.dll [Netman] -> [2008/04/14 03:42:02 | 000,198,144 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\mswsock.dll [Nla] -> [2008/06/20 17:46:57 | 000,245,248 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\ntmssvc.dll [NtmsSvc] -> [2008/04/14 03:42:04 | 000,435,200 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\rasauto.dll [RasAuto] -> [2008/04/14 03:42:04 | 000,088,576 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\rasmans.dll [RasMan] -> [2008/04/14 03:42:04 | 000,186,368 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\mprdim.dll [RemoteAccess] -> [2008/04/14 03:41:58 | 000,053,248 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\schedsvc.dll [Schedule] -> [2008/04/14 00:12:05 | 000,192,512 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\seclogon.dll [seclogon] -> [2008/04/14 03:42:06 | 000,018,944 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\sens.dll [SENS] -> [2008/04/14 03:42:06 | 000,039,424 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\ipnathlp.dll [SharedAccess] -> [2008/04/14 03:41:56 | 000,331,264 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\shsvcs.dll [ShellHWDetection] -> [2008/04/14 03:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\srsvc.dll [srservice] -> [2008/04/14 00:12:07 | 000,171,008 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\tapisrv.dll [TapiSrv] -> [2008/04/14 03:42:08 | 000,249,856 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\shsvcs.dll [Themes] -> [2008/04/14 03:42:06 | 000,135,168 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\trkwks.dll [TrkWks] -> [2008/04/14 03:42:08 | 000,090,112 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\w32time.dll [W32Time] -> [2008/04/14 03:42:10 | 000,175,104 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wbem\wmisvc.dll [winmgmt] -> [2008/04/14 00:12:09 | 000,144,896 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\advapi32.dll [Wmi] -> [2009/02/09 12:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wscsvc.dll [wscsvc] -> [2008/04/14 03:42:12 | 000,080,896 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wuauserv.dll [wuauserv] -> [2008/04/14 00:12:11 | 000,006,656 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wzcsvc.dll [WZCSVC] -> [2008/04/14 03:51:44 | 000,483,840 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\xmlprov.dll [xmlprov] -> [2008/04/14 03:42:12 | 000,129,024 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [LOCALSERVICE] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\alrsvc.dll [Alerter] -> [2008/04/14 03:41:50 | 000,017,408 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\lmhsvc.dll [LmHosts] -> [2008/04/14 03:41:58 | 000,013,824 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\regsvc.dll [RemoteRegistry] -> [2008/04/14 03:42:06 | 000,059,904 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\ssdpsrv.dll [SSDPSRV] -> [2008/04/14 03:42:08 | 000,071,680 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\upnphost.dll [upnphost] -> [2008/04/14 03:42:10 | 000,185,856 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\webclnt.dll [WebClient] -> [2008/04/14 03:42:10 | 000,068,096 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [LOCALSERVICE] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\alrsvc.dll [Alerter] -> [2008/04/14 03:41:50 | 000,017,408 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\lmhsvc.dll [LmHosts] -> [2008/04/14 03:41:58 | 000,013,824 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\regsvc.dll [RemoteRegistry] -> [2008/04/14 03:42:06 | 000,059,904 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\ssdpsrv.dll [SSDPSRV] -> [2008/04/14 03:42:08 | 000,071,680 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\upnphost.dll [upnphost] -> [2008/04/14 03:42:10 | 000,185,856 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\webclnt.dll [WebClient] -> [2008/04/14 03:42:10 | 000,068,096 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [IMGSVC] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\wiaservc.dll [stisvc] -> [2008/04/14 03:42:10 | 000,333,824 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [DCOMLAUNCH] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\rpcss.dll [DcomLaunch] -> [2009/02/09 12:10:48 | 000,401,408 | ---- | M] (Microsoft Corporation)
-> C:\WINDOWS\system32\termsrv.dll [TermService] -> [2008/04/14 00:12:07 | 000,295,424 | ---- | M] (Microsoft Corporation)
svchost.exe -> C:\WINDOWS\system32\svchost.exe  [AKAMAI] -> [2008/04/14 03:42:38 | 000,014,336 | ---- | M] (Microsoft Corporation)
-> c:\Program Files\Common Files\Akamai\netsession_win_aeec0f0.dll [Akamai] -> [2010/12/07 23:46:03 | 003,020,888 | ---- | M] ()
lsass.exe -> C:\WINDOWS\system32\lsass.exe -> [2008/04/14 03:42:26 | 000,013,312 | ---- | M] (Microsoft Corporation)
explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
ctfmon.exe -> C:\WINDOWS\system32\ctfmon.exe -> [2008/04/14 03:42:18 | 000,015,360 | ---- | M] (Microsoft Corporation)
csrss.exe -> C:\WINDOWS\system32\csrss.exe -> [2008/04/14 03:42:16 | 000,006,144 | ---- | M] (Microsoft Corporation)
alg.exe -> C:\WINDOWS\system32\alg.exe -> [2008/04/14 03:42:14 | 000,044,544 | ---- | M] (Microsoft Corporation)
swasdrivermanagementplugin.exe -> C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe -> [2008/01/31 18:06:40 | 001,060,864 | ---- | M] ()
ndassvc.exe -> C:\Program Files\NDAS\System\ndassvc.exe -> [2007/11/27 17:06:54 | 000,237,032 | ---- | M] (XIMETA, Inc.)
ndasmgmt.exe -> C:\Program Files\NDAS\System\ndasmgmt.exe -> [2007/11/27 17:06:54 | 000,236,520 | ---- | M] (XIMETA, Inc.)
s3trayp.exe -> C:\WINDOWS\system32\S3Trayp.exe -> [2007/06/11 11:15:40 | 000,176,128 | ---- | M] (S3 Graphics Co., Ltd.)
vttimer.exe -> C:\WINDOWS\system32\VTTimer.exe -> [2006/09/21 16:36:18 | 000,053,248 | ---- | M] (S3 Graphics, Inc.)
smax4pnp.exe -> C:\Program Files\Analog Devices\Core\smax4pnp.exe -> [2005/05/20 01:11:06 | 000,925,696 | R--- | M] (Analog Devices, Inc.)
vptray.exe -> C:\Program Files\Symantec AntiVirus\VPTray.exe -> [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation)
rtvscan.exe -> C:\Program Files\Symantec AntiVirus\Rtvscan.exe -> [2005/04/17 12:30:40 | 001,706,176 | ---- | M] (Symantec Corporation)
defwatch.exe -> C:\Program Files\Symantec AntiVirus\DefWatch.exe -> [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation)
ccsetmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation)
ccevtmgr.exe -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation)
ccapp.exe -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe -> [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation)
eeventmanager.exe -> C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe -> [2005/04/08 14:09:42 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION)
mdm.exe -> C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE -> [2003/06/19 23:25:00 | 000,322,120 | ---- | M] (Microsoft Corporation)
 
[Modules - All]
ots.exe -> C:\Documents and Settings\Mike\Desktop\OTS.exe -> [2010/12/11 17:00:32 | 000,642,048 | ---- | M] (OldTimer Tools)
urlmon.dll -> C:\WINDOWS\system32\urlmon.dll -> [2010/09/10 05:58:08 | 001,210,880 | ---- | M] (Microsoft Corporation)
iertutil.dll -> C:\WINDOWS\system32\iertutil.dll -> [2010/09/10 05:58:06 | 001,986,560 | ---- | M] (Microsoft Corporation)
ieframe.dll -> C:\WINDOWS\system32\ieframe.dll -> [2010/09/10 05:58:05 | 011,080,192 | ---- | M] (Microsoft Corporation)
comctl32.dll -> C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll -> [2010/08/23 16:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation)
rpcrt4.dll -> C:\WINDOWS\system32\rpcrt4.dll -> [2010/08/16 08:45:00 | 000,590,848 | ---- | M] (Microsoft Corporation)
shell32.dll -> C:\WINDOWS\system32\shell32.dll -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
ole32.dll -> C:\WINDOWS\system32\ole32.dll -> [2010/07/16 12:05:55 | 001,288,192 | ---- | M] (Microsoft Corporation)
shlwapi.dll -> C:\WINDOWS\system32\shlwapi.dll -> [2009/12/08 09:23:28 | 000,474,112 | ---- | M] (Microsoft Corporation)
secur32.dll -> C:\WINDOWS\system32\secur32.dll -> [2009/06/25 08:25:26 | 000,056,832 | ---- | M] (Microsoft Corporation)
kernel32.dll -> C:\WINDOWS\system32\kernel32.dll -> [2009/03/21 14:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation)
ntdll.dll -> C:\WINDOWS\system32\ntdll.dll -> [2009/02/09 12:10:48 | 000,714,752 | ---- | M] (Microsoft Corporation)
advapi32.dll -> C:\WINDOWS\system32\advapi32.dll -> [2009/02/09 12:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation)
gdi32.dll -> C:\WINDOWS\system32\gdi32.dll -> [2008/10/23 12:36:14 | 000,286,720 | ---- | M] (Microsoft Corporation)
winspool.drv -> C:\WINDOWS\system32\winspool.drv -> [2008/04/14 03:42:46 | 000,146,432 | ---- | M] (Microsoft Corporation)
user32.dll -> C:\WINDOWS\system32\user32.dll -> [2008/04/14 03:42:10 | 000,578,560 | ---- | M] (Microsoft Corporation)
uxtheme.dll -> C:\WINDOWS\system32\uxtheme.dll -> [2008/04/14 03:42:10 | 000,218,624 | ---- | M] (Microsoft Corporation)
winmm.dll -> C:\WINDOWS\system32\winmm.dll -> [2008/04/14 03:42:10 | 000,176,128 | ---- | M] (Microsoft Corporation)
wldap32.dll -> C:\WINDOWS\system32\wldap32.dll -> [2008/04/14 03:42:10 | 000,172,032 | ---- | M] (Microsoft Corporation)
version.dll -> C:\WINDOWS\system32\version.dll -> [2008/04/14 03:42:10 | 000,018,944 | ---- | M] (Microsoft Corporation)
setupapi.dll -> C:\WINDOWS\system32\setupapi.dll -> [2008/04/14 03:42:06 | 000,985,088 | ---- | M] (Microsoft Corporation)
samlib.dll -> C:\WINDOWS\system32\samlib.dll -> [2008/04/14 03:42:06 | 000,064,000 | ---- | M] (Microsoft Corporation)
oleaut32.dll -> C:\WINDOWS\system32\oleaut32.dll -> [2008/04/14 03:42:04 | 000,551,936 | ---- | M] (Microsoft Corporation)
ntmarta.dll -> C:\WINDOWS\system32\ntmarta.dll -> [2008/04/14 03:42:04 | 000,118,784 | ---- | M] (Microsoft Corporation)
olepro32.dll -> C:\WINDOWS\system32\olepro32.dll -> [2008/04/14 03:42:04 | 000,084,992 | ---- | M] (Microsoft Corporation)
psapi.dll -> C:\WINDOWS\system32\psapi.dll -> [2008/04/14 03:42:04 | 000,023,040 | ---- | M] (Microsoft Corporation)
msvcrt.dll -> C:\WINDOWS\system32\msvcrt.dll -> [2008/04/14 03:42:02 | 000,343,040 | ---- | M] (Microsoft Corporation)
mslbui.dll -> C:\WINDOWS\system32\mslbui.dll -> [2008/04/14 03:42:02 | 000,025,088 | ---- | M] (Microsoft Corporation)
msctf.dll -> C:\WINDOWS\system32\MSCTF.dll -> [2008/04/14 03:42:00 | 000,297,984 | ---- | M] (Microsoft Corporation)
msimg32.dll -> C:\WINDOWS\system32\msimg32.dll -> [2008/04/14 03:42:00 | 000,004,608 | ---- | M] (Microsoft Corporation)
mpr.dll -> C:\WINDOWS\system32\mpr.dll -> [2008/04/14 03:41:58 | 000,059,904 | ---- | M] (Microsoft Corporation)
imm32.dll -> C:\WINDOWS\system32\imm32.dll -> [2008/04/14 03:41:56 | 000,110,080 | ---- | M] (Microsoft Corporation)
comres.dll -> C:\WINDOWS\system32\comres.dll -> [2008/04/14 03:41:52 | 000,792,064 | ---- | M] (Microsoft Corporation)
comdlg32.dll -> C:\WINDOWS\system32\comdlg32.dll -> [2008/04/14 03:41:52 | 000,276,992 | ---- | M] (Microsoft Corporation)
msscript.ocx -> C:\WINDOWS\system32\msscript.ocx -> [2008/04/14 03:40:22 | 000,110,592 | ---- | M] (Microsoft Corporation)
msctfime.ime -> C:\WINDOWS\system32\MSCTFIME.IME -> [2008/04/14 03:40:08 | 000,177,152 | ---- | M] (Microsoft Corporation)
srclient.dll -> C:\WINDOWS\system32\srclient.dll -> [2008/04/14 00:12:07 | 000,067,584 | ---- | M] (Microsoft Corporation)
clbcatq.dll -> C:\WINDOWS\system32\clbcatq.dll -> [2008/04/14 00:11:50 | 000,498,688 | ---- | M] (Microsoft Corporation)
framedyn.dll -> C:\WINDOWS\system32\framedyn.dll -> [2006/05/03 21:53:54 | 000,174,592 | ---- | M] (Microsoft Corporation)
 
[Win32 Services - Safe List]
(HidServ) Human Interface Device Access [Disabled | Stopped] -> C:\WINDOWS\System32\hidserv.dll -> File not found
(Akamai) Akamai NetSession Interface [Auto | Running] -> c:\Program Files\Common Files\Akamai\netsession_win_aeec0f0.dll -> [2010/12/07 23:46:03 | 003,020,888 | ---- | M] ()
(Apple Mobile Device) Apple Mobile Device [Auto | Running] -> C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe -> [2010/06/10 20:03:08 | 000,144,176 | ---- | M] (Apple Inc.)
(SWAS_Core) SyncThru Web Admin Service [Auto | Running] -> C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service\SWAS.exe -> [2008/04/15 19:55:02 | 001,449,984 | ---- | M] ()
(SWAS_Srv_DriverManagement) SyncThru Web Admin Service Driver Management [Auto | Running] -> C:\Program Files\Samsung Network Printer Utilities\SyncThru Web Admin Service Driver Management\SWASDriverManagementPlugin.exe -> [2008/01/31 18:06:40 | 001,060,864 | ---- | M] ()
(ndassvc) NDAS Service [Auto | Running] -> C:\Program Files\NDAS\System\ndassvc.exe -> [2007/11/27 17:06:54 | 000,237,032 | ---- | M] (XIMETA, Inc.)
(IDriverT) InstallDriver Table Manager [On_Demand | Stopped] -> C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe -> [2005/11/14 01:06:04 | 000,069,632 | ---- | M] (Macrovision Corporation)
(SavRoam) SavRoam [On_Demand | Stopped] -> C:\Program Files\Symantec AntiVirus\SavRoam.exe -> [2005/04/17 12:30:42 | 000,124,608 | ---- | M] (symantec)
(Symantec AntiVirus) Symantec AntiVirus [Auto | Running] -> C:\Program Files\Symantec AntiVirus\Rtvscan.exe -> [2005/04/17 12:30:40 | 001,706,176 | ---- | M] (Symantec Corporation)
(DefWatch) Symantec AntiVirus Definition Watcher [Auto | Running] -> C:\Program Files\Symantec AntiVirus\DefWatch.exe -> [2005/04/17 12:30:32 | 000,019,648 | ---- | M] (Symantec Corporation)
(ccSetMgr) Symantec Settings Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -> [2005/04/08 15:54:52 | 000,161,392 | ---- | M] (Symantec Corporation)
(ccPwdSvc) Symantec Password Validation [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -> [2005/04/08 15:54:50 | 000,083,568 | ---- | M] (Symantec Corporation)
(ccEvtMgr) Symantec Event Manager [Auto | Running] -> C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -> [2005/04/08 15:52:32 | 000,185,968 | ---- | M] (Symantec Corporation)
(SNDSrvc) Symantec Network Drivers Service [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -> [2005/04/05 11:17:22 | 000,206,552 | ---- | M] (Symantec Corporation)
(SPBBCSvc) Symantec SPBBCSvc [On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -> [2005/03/30 21:48:22 | 000,992,864 | ---- | M] (Symantec Corporation)
 
[Driver Services - Safe List]
(catchme) catchme [Kernel | On_Demand | Stopped] -> C:\DOCUME~1\Mike\LOCALS~1\Temp\catchme.sys -> File not found
(NAVEX15) NAVEX15 [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101210.002\NAVEX15.SYS -> [2010/12/09 09:00:00 | 001,360,248 | ---- | M] (Symantec Corporation)
(NAVENG) NAVENG [Kernel | On_Demand | Running] -> C:\Program Files\Common Files\Symantec Shared\VirusDefs\20101210.002\NAVENG.SYS -> [2010/12/09 09:00:00 | 000,086,136 | ---- | M] (Symantec Corporation)
(eeCtrl) Symantec Eraser Control driver [Kernel | System | Running] -> C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -> [2010/10/18 08:14:40 | 000,371,248 | ---- | M] (Symantec Corporation)
(AmdK8) AMD Processor Driver [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\AmdK8.sys -> [2010/06/29 15:57:07 | 000,036,352 | ---- | M] ()
(NPF) NetGroup Packet Filter Driver [Kernel | Auto | Running] -> C:\WINDOWS\system32\drivers\npf.sys -> [2009/02/08 11:12:50 | 000,034,064 | ---- | M] (CACE Technologies)
(aec6710D) aec6710D [Kernel | Boot | Stopped] -> C:\WINDOWS\system32\DRIVERS\aec6710d.sys -> [2009/01/04 11:59:41 | 000,009,248 | ---- | M] (Microsoft Corporation)
(StarOpen) StarOpen [File_System | System | Running] -> C:\WINDOWS\System32\drivers\StarOpen.sys -> [2008/08/25 23:19:40 | 000,005,632 | ---- | M] ()
(hwdatacard) Huawei DataCard USB Modem and USB Serial [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ewusbmdm.sys -> [2008/05/05 17:42:18 | 000,101,376 | ---- | M] (Huawei Technologies Co., Ltd.)
(Changer) Changer [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\changer.sys -> [2008/04/13 23:11:00 | 000,008,192 | ---- | M] (Microsoft Corporation)
(lbrtfdc) lbrtfdc [Kernel | System | Stopped] -> C:\WINDOWS\System32\drivers\lbrtfdc.sys -> [2008/04/13 23:10:28 | 000,034,688 | ---- | M] (Toshiba Corp.)
(HDAudBus) Microsoft UAA Bus Driver for High Definition Audio [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\hdaudbus.sys -> [2008/04/13 20:06:06 | 000,144,384 | ---- | M] (Windows (R) Server 2003 DDK provider)
(61883) 61883 Unit Device [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\61883.sys -> [2008/04/13 18:46:20 | 000,048,128 | ---- | M] (Microsoft Corporation)
(Avc) AVC Device [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\avc.sys -> [2008/04/13 18:46:20 | 000,038,912 | ---- | M] (Microsoft Corporation)
(MSDV) Microsoft DV Camera and VCR [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\msdv.sys -> [2008/04/13 18:46:09 | 000,051,200 | ---- | M] (Microsoft Corporation)
(ndasscsi) NDAS SCSI Miniport Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ndasscsi.sys -> [2007/11/27 17:06:58 | 000,187,240 | ---- | M] (XIMETA, Inc.)
(ndasfat) NDAS FAT [File_System | System | Running] -> C:\WINDOWS\system32\drivers\ndasfat.sys -> [2007/11/27 17:06:56 | 000,372,584 | ---- | M] (XIMETA, Inc.)
(ndasbus) NDAS Bus Driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ndasbus.sys -> [2007/11/27 17:06:56 | 000,075,752 | ---- | M] (XIMETA, Inc.)
(lfsfilt) Lean File Sharing [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\lfsfilt.sys -> [2007/11/27 17:06:54 | 000,254,440 | ---- | M] (XIMETA, Inc.)
(lpx) LPX Protocol [Kernel | Boot | Running] -> C:\WINDOWS\system32\DRIVERS\lpx.sys -> [2007/11/27 17:06:54 | 000,062,056 | ---- | M] (XIMETA, Inc.)
(S3GIGP) S3GIGP [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\S3gIGPm.sys -> [2007/07/23 14:54:54 | 000,714,240 | R--- | M] (S3 Graphics Co., Ltd.)
(WinDriver6) WinDriver6 [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\windrvr6.sys -> [2006/10/16 19:19:22 | 000,194,362 | ---- | M] (Jungo)
(S3G700) S3G700 [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\s3g700m.sys -> [2005/10/15 04:19:56 | 000,792,576 | R--- | M] (S3 Graphics Co., Ltd.)
(ADIHdAudAddService) ADI UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ADIHdAud.sys -> [2005/10/05 09:21:10 | 000,141,312 | R--- | M] (Analog Devices, Inc.)
(ss_mdm) SAMSUNG Mobile USB Modem 1.0 Drivers [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ss_mdm.sys -> [2005/08/30 16:59:00 | 000,094,000 | ---- | M] (MCCI)
(ss_mdfl) SAMSUNG Mobile USB Modem 1.0 Filter [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ss_mdfl.sys -> [2005/08/30 16:58:56 | 000,008,304 | ---- | M] (MCCI)
(ss_bus) SAMSUNG Mobile USB Device 1.0 driver (WDM) [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ss_bus.sys -> [2005/08/30 16:57:18 | 000,058,320 | ---- | M] (MCCI)
(SenFiltService) SenFilt Service [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\senfilt.sys -> [2005/08/11 05:49:28 | 000,393,088 | R--- | M] (Sensaura)
(SYMTDI) SYMTDI [Kernel | System | Running] -> C:\WINDOWS\System32\Drivers\SYMTDI.SYS -> [2005/04/05 11:17:02 | 000,267,192 | ---- | M] (Symantec Corporation)
(SYMREDRV) SYMREDRV [Kernel | On_Demand | Running] -> C:\WINDOWS\System32\Drivers\SYMREDRV.SYS -> [2005/04/05 11:17:00 | 000,017,976 | ---- | M] (Symantec Corporation)
(SymEvent) SymEvent [Kernel | On_Demand | Running] -> C:\Program Files\Symantec\SYMEVENT.SYS -> [2005/04/01 20:36:04 | 000,123,200 | ---- | M] (Symantec Corporation)
(SPBBCDrv) SPBBCDrv [Kernel | On_Demand | Stopped] -> C:\Program Files\Common Files\Symantec Shared\SPBBC\spbbcdrv.sys -> [2005/03/30 21:48:20 | 000,372,832 | ---- | M] (Symantec Corporation)
(SAVRTPEL) SAVRTPEL [Kernel | System | Running] -> C:\Program Files\Symantec AntiVirus\Savrtpel.sys -> [2005/02/04 20:14:32 | 000,053,896 | ---- | M] (Symantec Corporation)
(SAVRT) SAVRT [Kernel | System | Running] -> C:\Program Files\Symantec AntiVirus\savrt.sys -> [2005/02/04 20:14:30 | 000,324,232 | ---- | M] (Symantec Corporation)
(HdAudAddService) Microsoft UAA Function Driver for High Definition Audio Service [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\hdaudio.sys -> [2004/10/27 15:21:30 | 000,145,920 | ---- | M] (Windows (R) Server 2003 DDK provider)
(AsIO) AsIO [Kernel | System | Running] -> C:\WINDOWS\system32\drivers\AsIO.sys -> [2004/10/15 01:52:28 | 000,004,962 | R--- | M] ()
(MTsensor) ATK0110 ACPI UTILITY [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ASACPI.sys -> [2004/08/14 10:56:20 | 000,005,810 | R--- | M] ()
(Ser2pl) MAT Serial port driver [Kernel | On_Demand | Running] -> C:\WINDOWS\system32\drivers\ser2pl.sys -> [2003/07/16 14:27:40 | 000,043,264 | ---- | M] (Prolific Technology Inc.)
(FTSER2K) SEMC DSS-20 SyncStation Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ftser2k.sys -> [2003/02/24 09:36:14 | 000,050,396 | ---- | M] (FTDI Ltd.)
(FTLUND) Lundinova Filter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ftlund.sys -> [2003/02/24 09:36:12 | 000,006,828 | ---- | M] (FTDI Ltd.)
(FTDIBUS) SEMC DSS-20 SyncStation Serial Converter Driver [Kernel | On_Demand | Stopped] -> C:\WINDOWS\system32\drivers\ftdibus.sys -> [2003/02/21 10:25:22 | 000,019,153 | ---- | M] (FTDI Ltd.)
(SiSV) SiSV [Kernel | System | Stopped] -> C:\WINDOWS\system32\drivers\sisv.sys -> [2001/08/17 12:50:56 | 000,050,432 | ---- | M] (Silicon Integrated Systems Corporation)
 
[Registry - All]
< Internet Explorer Settings [HKEY_LOCAL_MACHINE\] > -> -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Page_URL" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Search_URL" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Default_Secondary_Page_URL" ->  [binary data] -> 
HKEY_LOCAL_MACHINE\: Main\\"Extensions Off Page" -> about:NoAdd-ons -> 
HKEY_LOCAL_MACHINE\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_LOCAL_MACHINE\: Main\\"Search Page" -> http://go.microsoft.com/fwlink/?LinkId=54896 -> 
HKEY_LOCAL_MACHINE\: Main\\"Security Risk Page" -> about:SecurityRisk -> 
HKEY_LOCAL_MACHINE\: Main\\"Start Page" -> http://go.microsoft.com/fwlink/?LinkId=69157 -> 
HKEY_LOCAL_MACHINE\: Search\\"CustomizeSearch" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm -> 
HKEY_LOCAL_MACHINE\: Search\\"SearchAssistant" -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm -> 
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> -> 
HKEY_USERS\.DEFAULT\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\.DEFAULT\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> 
HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1 -> 
HKEY_USERS\.DEFAULT\: "ProxyOverride" -> <local> -> 
HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> -> 
HKEY_USERS\S-1-5-18\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\S-1-5-18\: Main\\"Start Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome -> 
HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1 -> 
HKEY_USERS\S-1-5-18\: "ProxyOverride" -> <local> -> 
HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577 -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-19\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-20\] > -> -> 
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Local Page" -> C:\WINDOWS\system32\blank.htm -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Page_Transitions" -> 1 -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Search Page" -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Start Page" -> http://www.scan.co.uk/ -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Start Page Redirect Cache AcceptLangs" -> en-gb -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: Main\\"Start Page Redirect Cache_TIMESTAMP" -> 72 E7 B9 25 EE 15 CB 01  [binary data] -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: URLSearchHooks\\"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}" [HKLM] -> C:\WINDOWS\system32\ieframe.dll [Microsoft Url Search Hook] -> [2010/09/10 05:58:05 | 011,080,192 | ---- | M] (Microsoft Corporation)
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: "ProxyEnable" -> 0 -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: "ProxyOverride" -> *.local;<local> -> 
< FireFox Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla
HKLM\software\mozilla\Firefox\Extensions ->  -> 
HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758} -> C:\Program Files\Real\RealPlayer\browserrecord [C:\PROGRAM FILES\REAL\REALPLAYER\BROWSERRECORD] -> [2008/03/15 21:05:23 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\{20a82645-c095-46ed-80e3-08825760534b} -> C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\ [C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION\] -> [2009/09/02 00:09:00 | 000,000,000 | ---D | M]
HKLM\software\mozilla\Firefox\Extensions\\jqs@sun.com -> C:\Program Files\Java\jre6\lib\deploy\jqs\ff [C:\PROGRAM FILES\JAVA\JRE6\LIB\DEPLOY\JQS\FF] -> [2010/04/11 00:01:46 | 000,000,000 | ---D | M]
< FireFox Extensions [User Folders] > -> 
  -> C:\Documents and Settings\Mike\Application Data\Mozilla\Extensions -> [2008/06/26 20:20:13 | 000,000,000 | ---D | M]
  -> C:\Documents and Settings\Mike\Application Data\Mozilla\Extensions\[email protected] -> [2008/06/26 20:20:13 | 000,000,000 | ---D | M]
< HOSTS File > ([2010/12/11 10:01:44 | 000,000,027 | ---- | M] - 1 lines) -> C:\WINDOWS\system32\drivers\etc\hosts -> 
Reset Hosts
127.0.0.1       localhost
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ -> 
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/22 23:08:42 | 000,062,080 | ---- | M] (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2008/03/15 21:05:23 | 000,370,296 | ---- | M] (RealPlayer)
{DBC80044-A445-435b-BC74-9C25C1C588A9} [HKLM] -> C:\Program Files\Java\jre6\bin\jp2ssv.dll [Java(tm) Plug-In 2 SSV Helper] -> [2010/11/20 18:47:44 | 000,041,760 | ---- | M] (Sun Microsystems, Inc.)
{E7E6F031-17CE-4C07-BC86-EABFE594F69C} [HKLM] -> C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll [JQSIEStartDetectorImpl Class] -> [2010/11/20 18:47:44 | 000,079,648 | ---- | M] (Sun Microsystems, Inc.)
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\Internet Explorer\Toolbar\ -> 
ShellBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> C:\WINDOWS\system32\browseui.dll [&Address] -> [2010/04/16 16:09:05 | 001,025,024 | ---- | M] (Microsoft Corporation)
ShellBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> C:\WINDOWS\system32\shell32.dll [&Links] -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{01E04581-4EEE-11D0-BFE9-00AA005B4383}" [HKLM] -> C:\WINDOWS\system32\browseui.dll [&Address] -> [2010/04/16 16:09:05 | 001,025,024 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{0E5CBF21-D15F-11D0-8301-00AA005B4383}" [HKLM] -> C:\WINDOWS\system32\shell32.dll [&Links] -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
WebBrowser\\"{F2CF5485-4E02-4F68-819C-B92DE9277049}" [HKLM] -> C:\WINDOWS\system32\ieframe.dll [&Links] -> [2010/09/10 05:58:05 | 011,080,192 | ---- | M] (Microsoft Corporation)
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"ccApp" -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe ["C:\Program Files\Common Files\Symantec Shared\ccApp.exe"] -> [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation)
"DataCardMonitor" -> C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe [C:\Program Files\Virgin Mobile\Broadband Home\DataCardMonitor.exe] -> [2008/07/21 15:29:30 | 000,253,952 | ---- | M] (Huawei Technologies Co., Ltd.)
"EEventManager" -> C:\Program Files\epson\Creativity Suite\Event Manager\EEventManager.exe [C:\Program Files\EPSON\Creativity Suite\Event Manager\EEventManager.exe] -> [2005/04/08 14:09:42 | 000,102,400 | ---- | M] (SEIKO EPSON CORPORATION)
"iTunesHelper" -> C:\Program Files\iTunes\iTunesHelper.exe ["C:\Program Files\iTunes\iTunesHelper.exe"] -> [2010/06/15 15:33:44 | 000,141,624 | ---- | M] (Apple Inc.)
"QuickTime Task" -> C:\Program Files\QuickTime\qttask.exe ["C:\Program Files\QuickTime\qttask.exe" -atboottime] -> [2010/03/18 21:16:10 | 000,421,888 | ---- | M] (Apple Inc.)
"S3Trayp" -> C:\WINDOWS\System32\S3Trayp.exe [S3trayp.exe] -> [2007/06/11 11:15:40 | 000,176,128 | ---- | M] (S3 Graphics Co., Ltd.)
"SoundMAXPnP" -> C:\Program Files\Analog Devices\Core\smax4pnp.exe [C:\Program Files\Analog Devices\Core\smax4pnp.exe] -> [2005/05/20 01:11:06 | 000,925,696 | R--- | M] (Analog Devices, Inc.)
"SunJavaUpdateSched" -> C:\Program Files\Common Files\Java\Java Update\jusched.exe ["C:\Program Files\Common Files\Java\Java Update\jusched.exe"] -> [2010/05/14 11:44:46 | 000,248,552 | ---- | M] (Sun Microsystems, Inc.)
"vptray" -> C:\Program Files\Symantec AntiVirus\VPTray.exe [C:\PROGRA~1\SYMANT~1\VPTray.exe] -> [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation)
"VTTimer" -> C:\WINDOWS\System32\VTTimer.exe [VTTimer.exe] -> [2006/09/21 16:36:18 | 000,053,248 | ---- | M] (S3 Graphics, Inc.)
< Run [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"CTFMON.EXE" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\CTFMON.EXE] -> [2008/04/14 03:42:18 | 000,015,360 | ---- | M] (Microsoft Corporation)
< Run [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"CTFMON.EXE" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\CTFMON.EXE] -> [2008/04/14 03:42:18 | 000,015,360 | ---- | M] (Microsoft Corporation)
< Run [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> 
"{24C4E14A-76E2-82F4-60F0-D7298167A66A}" -> C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe ["C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe"] -> File not found
"ctfmon.exe" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe] -> [2008/04/14 03:42:18 | 000,015,360 | ---- | M] (Microsoft Corporation)
"Free Internet Window Washer" -> C:\Program Files\Free Internet Window Washer\Clearpch.exe [C:\PROGRA~1\FREEIN~1\Clearpch.exe -Start] -> [2007/08/29 14:47:34 | 001,504,256 | ---- | M] ()
"TomTomHOME.exe" -> C:\Program Files\TomTom HOME 2\HOMERunner.exe ["C:\Program Files\TomTom HOME 2\HOMERunner.exe"] -> [2008/05/06 08:42:14 | 000,202,088 | ---- | M] (TomTom)
< All Users Startup Folder > -> C:\Documents and Settings\All Users\Start Menu\Programs\Startup -> 
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NDAS Device Management.lnk -> C:\Program Files\NDAS\System\ndasmgmt.exe -> [2007/11/27 17:06:54 | 000,236,520 | ---- | M] (XIMETA, Inc.)
< Default User Startup Folder > -> C:\Documents and Settings\Default User\Start Menu\Programs\Startup -> 
< Mike Startup Folder > -> C:\Documents and Settings\Mike\Start Menu\Programs\Startup -> 
< Software Policy Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< Software Policy Settings [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Policies\Microsoft\Internet Explorer -> 
< CurrentVersion Policy Settings - Explorer [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"HonorAutoRunSetting" ->  [1] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings - System [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
\\"dontdisplaylastusername" ->  [0] -> File not found
\\"legalnoticecaption" ->  [] -> File not found
\\"legalnoticetext" ->  [] -> File not found
\\"shutdownwithoutlogon" ->  [1] -> File not found
\\"undockwithoutlogon" ->  [1] -> File not found
\\"DisableRegistryTools" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoActiveDesktopChanges" ->  [0] -> File not found
\\"NoSetActiveDesktop" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\.DEFAULT] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoActiveDesktopChanges" ->  [0] -> File not found
\\"NoSetActiveDesktop" ->  [0] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-18] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-19] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [0] -> File not found
\\"NoActiveDesktopChanges" ->  [0] -> File not found
\\"NoSetActiveDesktop" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-20] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [0] -> File not found
\\"NoActiveDesktopChanges" ->  [0] -> File not found
\\"NoSetActiveDesktop" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
\\"NoDriveTypeAutoRun" ->  [323] -> File not found
\\"NoDriveAutoRun" ->  [67108863] -> File not found
\\"NoDrives" ->  [0] -> File not found
< CurrentVersion Policy Settings [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System -> 
< Internet Explorer Menu Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2010/08/22 13:57:16 | 010,354,512 | ---- | M] (Microsoft Corporation)
< Internet Explorer Menu Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\MenuExt\ -> 
E&xport to Microsoft Excel -> C:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE [res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000] -> [2010/08/22 13:57:16 | 010,354,512 | ---- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ -> 
{92780B25-18CC-41C8-B9BE-3C9C571A8263}:{FF059E31-CC5A-4E2E-BF3B-96E929D65503} [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Button: Research] -> [2007/04/19 13:10:18 | 000,063,840 | ---- | M] (Microsoft Corporation)
{e2e2dd38-d088-4134-82b7-f2ba38496583}:Exec [HKLM] -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [Menu: @xpsp3res.dll,-20001] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Button: Messenger] -> [2008/04/14 00:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation)
{FB5F1910-F110-11d2-BB9E-00C04F795683}:Exec [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Menu: Windows Messenger] -> [2008/04/14 00:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 13:10:18 | 000,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\ -> 
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 13:10:18 | 000,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\Software\Microsoft\Internet Explorer\Extensions\ -> 
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"ButtonText" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"CLSID" [HKLM] ->  [{0000031A-0000-0000-C000-000000000046}] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"Default Visible" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"Exec" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"HotIcon" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"Icon" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"MenuStatusBar" [HKLM] ->  [Reg Error: Key error.] -> File not found
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}\\"MenuText" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> C:\Program Files\Microsoft Office\OFFICE11\REFIEBAR.DLL [Research] -> [2007/04/19 13:10:18 | 000,063,840 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{DFB852A3-47F8-48C4-A200-58CAB36FD2A2}" [HKLM] ->  [Reg Error: Key error.] -> File not found
CmdMapping\\"{e2e2dd38-d088-4134-82b7-f2ba38496583}" [HKLM] -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [@xpsp3res.dll,-20001] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
CmdMapping\\"{FB5F1910-F110-11d2-BB9E-00C04F795683}" [HKLM] -> C:\Program Files\Messenger\msmsgs.exe [Messenger] -> [2008/04/14 00:12:28 | 001,695,232 | -HS- | M] (Microsoft Corporation)
< Internet Explorer Plugins [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Plugins\ -> 
PluginsPageFriendlyName -> Microsoft ActiveX Gallery -> 
PluginsPage -> http://activex.microsoft.com/controls/find.asp?ext=%s&mime=%s -> 
Extension\.spop -> C:\Program Files\Internet Explorer\PLUGINS\NPDocBox.dll [Reg Error: Value error.] -> [2001/01/30 13:56:24 | 000,225,280 | ---- | M] (InterTrust Technologies Corporation, Inc.)
< Default Prefix > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\URL\DefaultPrefix
"" -> http://
< Trusted Sites Domains [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7538 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7544 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7544 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 77 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 0 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 0 range(s) found. -> 
< Trusted Sites Domains [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ -> [Key] 7543 domain(s) found. -> 
< Trusted Sites Ranges [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> 
HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\ -> [Key] 36 range(s) found. -> 
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ -> 
{1663ed61-23eb-11d2-b92f-008048fdd814} [HKLM] -> http://rack1.expertagent.co.uk/asp/ScriptX.cab [MeadCo ScriptX] -> 
{31435657-9980-0010-8000-00AA00389B71} [HKLM] -> http://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab [Reg Error: Key error.] -> 
{66D393D5-4D80-497C-9F4F-F3839E090202} [HKLM] -> http://www.pysoft.com/Downloads/WebCamPlayerOCX.cab [PlayerOCX Control] -> 
{73888E2B-FF04-416C-8847-984D7FC4507F} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.] -> 
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{C1FDEE68-98D5-4F42-A4DD-D0BECF5077EB} [HKLM] -> http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-29-0.cab [EPUImageControl Class] -> 
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.5.0/jinstall-1_5_0-windows-i586.cab [Reg Error: Key error.] -> 
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} [HKLM] -> http://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab [Java Plug-in 1.6.0_22] -> 
{CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} [HKLM] -> Reg Error: Value error. [Reg Error: Key error.] -> 
{D27CDB6E-0000-0000-0000-000000000000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Reg Error: Key error.] -> 
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab [Shockwave Flash Object] -> 
{E06E2E99-0AA1-11D4-ABA6-0060082AA75C} [HKLM] ->  [Reg Error: Value error.] -> 
{E2883E8F-472F-4FB0-9522-AC9BF37916A7} [HKLM] -> http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab [Reg Error: Key error.] -> 
{E8F628B5-259A-4734-97EE-BA914D7BE941} [HKLM] -> http://driveragent.com/files/driveragent.cab [Driver Agent ActiveX Control] -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\ -> 
DhcpNameServer -> 208.67.222.222 208.67.220.220 -> 
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ -> 
{5E517EEC-6457-48FC-8B73-B7C737EA5E23}\\DhcpNameServer -> 208.67.222.222 208.67.220.220   (VIA Rhine II Fast Ethernet Adapter) -> 
{5E517EEC-6457-48FC-8B73-B7C737EA5E23}\\NameServer -> 8.8.8.8,8.8.4.4   (VIA Rhine II Fast Ethernet Adapter) -> 
IE Styles -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Styles
"MaxScriptStatements" -> Reg Error: Invalid data type.
"Use My Stylesheet" -> Reg Error: Invalid data type.
< Winlogon settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon -> 
*Shell* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\Shell -> 
Explorer.exe -> C:\WINDOWS\explorer.exe -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UserInit* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UserInit -> 
C:\WINDOWS\system32\userinit.exe -> C:\WINDOWS\system32\userinit.exe -> [2008/04/14 03:42:40 | 000,026,112 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*UIHost* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\UIHost -> 
logonui.exe -> C:\WINDOWS\System32\logonui.exe -> [2008/04/14 03:42:26 | 000,514,560 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
*VMApplet* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\\VMApplet -> 
rundll32 shell32 -> C:\WINDOWS\System32\shell32.dll -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
Control_RunDLL "sysdm.cpl" -> C:\WINDOWS\System32\sysdm.cpl -> [2008/04/14 03:42:42 | 000,300,544 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ -> 
crypt32chain -> C:\WINDOWS\System32\crypt32.dll -> [2008/04/14 03:41:52 | 000,599,040 | ---- | M] (Microsoft Corporation)
cryptnet -> C:\WINDOWS\System32\cryptnet.dll -> [2008/04/14 03:41:52 | 000,064,512 | ---- | M] (Microsoft Corporation)
cscdll -> C:\WINDOWS\System32\cscdll.dll -> [2008/04/14 03:41:52 | 000,101,888 | ---- | M] (Microsoft Corporation)
dimsntfy -> C:\WINDOWS\system32\dimsntfy.dll -> [2008/04/14 03:41:54 | 000,019,456 | ---- | M] (Microsoft Corporation)
NavLogon -> C:\WINDOWS\system32\NavLogon.dll -> [2005/04/17 12:30:56 | 000,043,712 | ---- | M] (Symantec Corporation)
ScCertProp -> C:\WINDOWS\System32\wlnotify.dll -> [2008/04/14 03:42:10 | 000,092,672 | ---- | M] (Microsoft Corporation)
Schedule -> C:\WINDOWS\System32\wlnotify.dll -> [2008/04/14 03:42:10 | 000,092,672 | ---- | M] (Microsoft Corporation)
sclgntfy -> C:\WINDOWS\System32\sclgntfy.dll -> [2008/04/14 03:42:06 | 000,020,480 | ---- | M] (Microsoft Corporation)
SensLogn -> C:\WINDOWS\System32\wlnotify.dll -> [2008/04/14 03:42:10 | 000,092,672 | ---- | M] (Microsoft Corporation)
termsrv -> C:\WINDOWS\System32\wlnotify.dll -> [2008/04/14 03:42:10 | 000,092,672 | ---- | M] (Microsoft Corporation)
wlballoon -> C:\WINDOWS\System32\wlnotify.dll -> [2008/04/14 03:42:10 | 000,092,672 | ---- | M] (Microsoft Corporation)
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -> 
"{fbeb8a05-beee-4442-804e-409d6c4515e9}" [HKLM] -> C:\WINDOWS\system32\shell32.dll [CDBurn] -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
"{7849596a-48ea-486e-8937-a2a3009f31a9}" [HKLM] -> C:\WINDOWS\system32\shell32.dll [PostBootReminder] -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
"{35CEC8A3-2BE6-11D2-8773-92E220524153}" [HKLM] -> C:\WINDOWS\system32\stobject.dll [SysTray] -> [2008/04/14 03:42:08 | 000,121,856 | ---- | M] (Microsoft Corporation)
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" [HKLM] -> C:\WINDOWS\system32\webcheck.dll [WebCheck] -> [2009/03/08 03:34:48 | 000,236,544 | ---- | M] (Microsoft Corporation)
< SharedTaskScheduler [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler -> 
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}" [HKLM] -> C:\WINDOWS\system32\browseui.dll [Browseui preloader] -> [2010/04/16 16:09:05 | 001,025,024 | ---- | M] (Microsoft Corporation)
"{8C7461EF-2B13-11d2-BE35-3078302C2030}" [HKLM] -> C:\WINDOWS\system32\browseui.dll [Component Categories cache daemon] -> [2010/04/16 16:09:05 | 001,025,024 | ---- | M] (Microsoft Corporation)
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks -> 
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}" [HKLM] -> C:\WINDOWS\System32\shell32.dll [] -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
< SecurityProviders [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
*SecurityProviders* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders -> 
msapsspc.dll -> C:\WINDOWS\System32\msapsspc.dll -> [2008/04/14 03:42:00 | 000,086,016 | ---- | M] (Microsoft Corporation)
schannel.dll -> C:\WINDOWS\System32\schannel.dll -> [2010/06/30 12:31:35 | 000,149,504 | ---- | M] (Microsoft Corporation)
digest.dll -> C:\WINDOWS\System32\digest.dll -> [2008/04/14 03:41:54 | 000,068,608 | ---- | M] (Microsoft Corporation)
msnsspc.dll -> C:\WINDOWS\System32\msnsspc.dll -> [2008/04/14 03:42:02 | 000,290,816 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< LSA Authentication Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
*LSA Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages -> 
msv1_0 -> C:\WINDOWS\System32\msv1_0.dll -> [2009/09/11 14:18:39 | 000,136,192 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< LSA Security Packages [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
*LSA Security Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Security Packages -> 
kerberos -> C:\WINDOWS\System32\kerberos.dll -> [2009/06/25 08:25:26 | 000,301,568 | ---- | M] (Microsoft Corporation)
msv1_0 -> C:\WINDOWS\System32\msv1_0.dll -> [2009/09/11 14:18:39 | 000,136,192 | ---- | M] (Microsoft Corporation)
schannel -> C:\WINDOWS\System32\schannel.dll -> [2010/06/30 12:31:35 | 000,149,504 | ---- | M] (Microsoft Corporation)
wdigest -> C:\WINDOWS\System32\wdigest.dll -> [2009/06/25 08:25:26 | 000,054,272 | ---- | M] (Microsoft Corporation)
*MultiFile Done* -> -> 
< Domain Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 00:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation)
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List -> 
"%windir%\Network Diagnostic\xpnetdiag.exe" -> C:\WINDOWS\network diagnostic\xpnetdiag.exe [%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000] -> [2008/04/13 22:23:34 | 000,558,080 | ---- | M] (Microsoft Corporation)
"%windir%\system32\sessmgr.exe" -> C:\WINDOWS\system32\sessmgr.exe [%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019] -> [2008/04/14 00:12:34 | 000,141,312 | ---- | M] (Microsoft Corporation)
"C:\Program Files\Bonjour\mDNSResponder.exe" -> C:\Program Files\Bonjour\mDNSResponder.exe [C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour Service] -> [2010/05/18 15:35:14 | 000,345,376 | ---- | M] (Apple Inc.)
"C:\Program Files\FileZilla\filezilla.exe" -> C:\Program Files\FileZilla\filezilla.exe [C:\Program Files\FileZilla\filezilla.exe:*:Enabled:FileZilla] -> [2004/03/04 13:25:35 | 000,460,800 | ---- | M] ()
"C:\Program Files\Google\Google Earth\client\googleearth.exe" -> C:\Program Files\Google\Google Earth\client\googleearth.exe [C:\Program Files\Google\Google Earth\client\googleearth.exe:*:Enabled:Google Earth] -> [2010/09/01 18:32:34 | 000,069,632 | ---- | M] (Google)
"C:\Program Files\InterCasino $$$\Casino.exe" -> C:\Program Files\InterCasino $$$\Casino.exe [C:\Program Files\InterCasino $$$\Casino.exe:*:Enabled:Casino] -> [2009/09/28 20:38:24 | 000,085,824 | ---- | M] (WagerLogic Inc)
"C:\Program Files\iTunes\iTunes.exe" -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes] -> [2010/06/15 15:33:40 | 010,358,072 | ---- | M] (Apple Inc.)
"C:\Program Files\Java\jre6\bin\java.exe" -> C:\Program Files\Java\jre6\bin\java.exe [C:\Program Files\Java\jre6\bin\java.exe:*:Enabled:Java(TM) Platform SE binary] -> [2010/09/15 04:50:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.)
"C:\Program Files\Look@LAN\LookAtHost.exe" -> C:\Program Files\Look@LAN\LookAtHost.exe [C:\Program Files\Look@LAN\LookAtHost.exe:*:Enabled:Look@LAN] -> [2003/06/18 12:00:18 | 000,335,360 | ---- | M] (Carlo Medas)
"C:\Program Files\Look@LAN\LookAtLan.exe" -> C:\Program Files\Look@LAN\LookAtLan.exe [C:\Program Files\Look@LAN\LookAtLan.exe:*:Enabled:Look@LAN] -> [2006/01/15 14:14:04 | 000,869,376 | ---- | M] (Carlo Medas)
"C:\Program Files\WinPcap\rpcapd.exe" -> C:\Program Files\WinPcap\rpcapd.exe [C:\Program Files\WinPcap\rpcapd.exe:*:Enabled:Remote Packet Capture Daemon] -> [2009/02/08 11:12:50 | 000,092,792 | ---- | M] (CACE Technologies)
"C:\WINDOWS\system32\mmc.exe" -> C:\WINDOWS\System32\mmc.exe [C:\WINDOWS\system32\mmc.exe:*:Enabled:Microsoft Management Console] -> [2008/04/14 03:42:26 | 001,414,656 | ---- | M] (Microsoft Corporation)
< SafeBoot AlternateShell [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot -> 
"AlternateShell" -> cmd.exe -> 
< CDROM Autorun Setting [HKEY_LOCAL_MACHINE]> -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom ->
"AutoRun" -> 1 -> 
"DisplayName" -> CD-ROM Driver -> 
"ImagePath" ->  [system32\DRIVERS\cdrom.sys] -> File not found
< Drives with AutoRun files > ->  -> 
C:\AUTOEXEC.BAT [] -> C:\AUTOEXEC.BAT [ NTFS ] -> [2007/12/23 20:13:51 | 000,000,000 | ---- | M] ()
F:\AUTOEXEC.BAT [] -> F:\AUTOEXEC.BAT [ NTFS ] -> [2005/11/25 11:03:29 | 000,000,000 | ---- | M] ()
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 -> 
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
 
[Registry - Additional Scans - Safe List]
< ActiveX StubPath [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{08B0E5C0-4FCB-11CF-AAA5-00401C608500} [KeyFileName] -> C:\Program Files\Java\jre6\bin\regutils.dll [(default): Java (Sun); IsInstalled: 1] -> [2010/11/20 18:37:14 | 000,278,528 | ---- | M] (Sun Microsystems, Inc.)
{10072CEC-8CC1-11D1-986E-00A0C955B42F} [HKLM] -> Reg Error: Key error. [(default): Vector Graphics Rendering (VML); IsInstalled: 01 00 00 00  [binary data]] -> File not found
{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220} [StubPath] ->  [ComponentID: NetShow; IsInstalled: 1] -> 
{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] ->  [(default): Microsoft Windows Media Player 6.4; IsInstalled: 1] -> 
{283807B5-2C60-11D0-A31D-00AA00B92C03} [HKLM] -> Reg Error: Key error. [(default): DirectAnimation; IsInstalled: 1] -> File not found
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [StubPath] -> %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll [(default): Themes Setup; IsInstalled: 1] -> 
{36f8ec70-c29a-11d1-b5c7-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): Dynamic HTML Data Binding for Java; IsInstalled: 1] -> File not found
{3af36230-a269-11d1-b5bf-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): Offline Browsing Pack; IsInstalled: 1] -> File not found
{3bf42070-b3b1-11d1-b5c5-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): Uniscribe; IsInstalled: 1] -> File not found
{4278c270-a269-11d1-b5bf-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): Advanced Authoring; IsInstalled: 1] -> File not found
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install [(default): Microsoft Outlook Express 6; IsInstalled: 1] -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT [(default): NetMeeting 3.01; IsInstalled: 01 00 00 00  [binary data]] -> 
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(default): DirectShow; IsInstalled: 1] -> File not found
{44BBA855-CC51-11CF-AAFA-00AA00B6015F} [HKLM] -> Reg Error: Key error. [(default): DirectDrawEx; IsInstalled: 1] -> File not found
{45ea75a0-a269-11d1-b5bf-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): Internet Explorer Help; IsInstalled: 1] -> File not found
{4f216970-c90c-11d1-b5c7-0000f8051515} [HKLM] -> Reg Error: Key error. [(default): DirectAnimation Java Classes; IsInstalled: 1] -> File not found
{4f645220-306d-11d2-995d-00c04f98bbc9} [HKLM] -> Reg Error: Key error. [(default): Microsoft Windows Script 5.8; IsInstalled: 1] -> File not found
{5056b317-8d4c-43ee-8543-b9d1e234b8f4} [HKLM] -> Reg Error: Key error. [(default): Security Update for Windows XP (KB923789); IsInstalled: 1] -> File not found
{5945c046-1e7d-11d1-bc44-00c04fd912be} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser [(default): Windows Messenger 4.7; IsInstalled: 1] -> 
{5A8D6EE0-3E18-11D0-821E-444553540000} [HKLM] -> Reg Error: Key error. [ComponentID: ICW; IsInstalled: 1] -> File not found
{5fd399c0-a70a-11d1-9948-00c04f98bbc9} [HKLM] -> Reg Error: Key error. [(default): Internet Explorer Setup Tools; IsInstalled: 1] -> File not found
{6BF52A52-394A-11d3-B153-00C04F79FAA6} [StubPath] -> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub [(default): Microsoft Windows Media Player; IsInstalled: 1] -> 
{6fab99d0-bab8-11d1-994a-00c04f98bbc9} [HKLM] -> Reg Error: Key error. [(default): MSN Site Access; IsInstalled: 1] -> File not found
{7131646D-CD3C-40F4-97B9-CD9E4E6262EF} [HKLM] -> Reg Error: Key error. [(default): .NET Framework] -> File not found
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} [StubPath] ->  [(default): Web Folders; IsInstalled: 1] -> 
{7790769C-0471-11d2-AF11-00C04FA35D02} [StubPath] -> "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install [(default): Address Book 6; IsInstalled: 1] -> 
{89820200-ECBD-11cf-8B85-00AA005B4340} [StubPath] -> regsvr32.exe /s /n /i:U shell32.dll [(default): Windows Desktop Update; IsInstalled: 1] -> 
{89820200-ECBD-11cf-8B85-00AA005B4383} [StubPath] -> C:\WINDOWS\system32\ie4uinit.exe -BaseSettings [(default): Internet Explorer; IsInstalled: 1] -> 
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [StubPath] -> C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install [ComponentID: DOTNETFRAMEWORKS; IsInstalled: 1] -> 
{9381D8F2-0288-11D0-9501-00AA00B911A5} [HKLM] -> Reg Error: Key error. [(default): Dynamic HTML Data Binding; IsInstalled: 1] -> File not found
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{B508B3F1-A24A-32C0-B310-85786919EF28} [HKLM] -> Reg Error: Key error. [(default): .NET Framework] -> File not found
{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} [HKLM] -> Reg Error: Key error. [(default): .NET Framework] -> File not found
{C9E9A340-D1F1-11D0-821E-444553540600} [HKLM] -> Reg Error: Key error. [(default): Internet Explorer Core Fonts; IsInstalled: 1] -> File not found
{CC2A9BA0-3BDD-11D0-821E-444553540000} [HKLM] -> Reg Error: Key error. [(default): Task Scheduler; IsInstalled: 1] -> File not found
{CDD7975E-60F8-41d5-8149-19E51D6F71D0} [HKLM] -> Reg Error: Key error. [ComponentID: Windows Movie Maker v2.1; IsInstalled: 01 00 00 00  [binary data]] -> File not found
{D27CDB6E-AE6D-11cf-96B8-444553540000} [HKLM] -> C:\WINDOWS\system32\Macromed\Flash\Flash10l.ocx [(default): Macromedia Shockwave Flash; IsInstalled: 1] -> [2010/11/11 11:30:45 | 006,071,760 | R--- | M] (Adobe Systems, Inc.)
{de5aed00-a4bf-11d1-9948-00c04f98bbc9} [HKLM] -> Reg Error: Key error. [(default): HTML Help; IsInstalled: 1] -> File not found
{E92B03AB-B707-11d2-9CBD-0000F87A369E} [HKLM] -> Reg Error: Key error. [(default): Active Directory Service Interface; IsInstalled: 01 00 00 00  [binary data]] -> File not found
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} [StubPath] -> C:\WINDOWS\system32\ieudinit.exe [(default): Internet Explorer Version Update; IsInstalled: 1] -> 
>{22d6f312-b0f6-11d0-94ab-0080c74c7e95} [StubPath] -> C:\WINDOWS\inf\unregmp2.exe /ShowWMP [(default): Windows Media Player; IsInstalled: 0] -> 
>{26923b43-4d38-484f-9b9e-de460746276c} [StubPath] -> C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig [(default): Internet Explorer; IsInstalled: 1] -> 
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} [StubPath] -> "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP [(default): Browser Customizations; IsInstalled: 1] -> 
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [StubPath] -> RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP [(default): Browser Customizations; IsInstalled: 1] -> 
>{881dd1c5-3dcf-431b-b061-f3f88e8be88a} [StubPath] -> %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE [(default): Outlook Express; IsInstalled: 0] -> 
< ActiveX StubPath [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-19\] > -> HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-20\] > -> HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
< ActiveX StubPath [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Active Setup\Installed Components\ -> 
{2C7339CF-2B09-4501-B3F3-F3508C9228ED} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA840-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA842-CC51-11CF-AAFA-00AA00B6015B} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{44BBA848-CC51-11CF-AAFA-00AA00B6015C} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{4b218e3e-bc98-4770-93d3-2731b9329278} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{5945c046-1e7d-11d1-bc44-00c04fd912be} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{73FA19D0-2D75-11D2-995D-00C04F98BBC9} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{7790769C-0471-11d2-AF11-00C04FA35D02} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4340} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{89820200-ECBD-11cf-8B85-00AA005B4383} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
{89B4C1CD-B018-4511-B0A1-5476DBF70820} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
>{26923b43-4d38-484f-9b9e-de460746276c} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
>{60B49E34-C7CC-11D0-8953-00A0C90347FF} [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
InitiallyClear [HKLM] -> Reg Error: Key error. [(no name)] -> File not found
< App Paths [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\ -> 
AcroRd32.exe -> C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe [C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe] -> [2007/05/11 03:06:38 | 000,341,616 | ---- | M] (Adobe Systems Incorporated)
amdcpu.exe -> C:\Program Files\AMD\Athlon 64 Processor Driver\amdcpu.exe [C:\Program Files\AMD\Athlon 64 Processor Driver\amdcpu.exe] -> File not found
AutoRout.exe -> C:\Program Files\Microsoft AutoRoute\AutoRout.exe [C:\Program Files\Microsoft AutoRoute\AutoRout.exe] -> [2005/09/12 12:45:41 | 004,434,808 | ---- | M] (Microsoft Corporation)
BackItUp.EXE -> C:\Program Files\Ahead\Nero BackItUp\BackItUp.exe [C:\Program Files\Ahead\Nero BackItUp\BackItUp.exe] -> [2005/02/10 18:36:12 | 005,734,400 | ---- | M] (Ahead Software AG)
bckgzm.exe -> C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe [C:\Program Files\MSN Gaming Zone\Windows\bckgzm.exe] -> [2001/08/23 12:00:00 | 000,042,577 | ---- | M] (Microsoft Corporation)
ccApp.exe -> C:\Program Files\Common Files\Symantec Shared\ccApp.exe [C:\Program Files\Common Files\Symantec Shared\ccApp.exe] -> [2005/04/08 15:52:30 | 000,048,752 | ---- | M] (Symantec Corporation)
chkrzm.exe -> C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe [C:\Program Files\MSN Gaming Zone\Windows\chkrzm.exe] -> [2001/08/23 12:00:00 | 000,042,575 | ---- | M] (Microsoft Corporation)
cmmgr32.exe -> C:\WINDOWS\System32\cmmgr32.exe [C:\WINDOWS\system32\cmmgr32.exe] -> File not found
combofix.exe -> C:\Documents and Settings\Mike\Desktop\mike2956.exe [C:\Documents and Settings\Mike\Desktop\mike2956.exe] -> [2010/12/11 09:51:07 | 003,988,311 | R--- | M] ()
CONF.EXE -> C:\Program Files\NetMeeting\conf.exe [C:\Program Files\NetMeeting\conf.exe] -> [2008/04/14 00:12:15 | 001,032,192 | ---- | M] (Microsoft Corporation)
D: -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
dialer.exe -> C:\Program Files\Windows NT\dialer.exe [C:\Program Files\Windows NT\dialer.exe] -> [2008/04/14 00:12:17 | 000,539,136 | ---- | M] (Microsoft Corporation)
DirPrn.exe -> C:\Program Files\Karen's Power Tools\Directory Printer\DirPrn.exe [C:\Program Files\Karen's Power Tools\Directory Printer\DirPrn.exe] -> [2007/10/30 18:52:12 | 000,910,832 | ---- | M] (Karen Kenworthy)
EasyHtml.exe -> C:\Program Files\ToniArts\EasyHtml\EasyHtml.exe [C:\Program Files\ToniArts\EasyHtml\EasyHtml.exe] -> [1999/08/04 02:06:42 | 002,220,032 | ---- | M] (ToniArts)
ECOPY.EXE -> C:\Program Files\epson\Creativity Suite\Copy Utility\ECOPY.EXE [C:\Program Files\EPSON\Creativity Suite\Copy Utility\ECOPY.exe] -> [2004/10/08 00:00:02 | 000,716,800 | ---- | M] (SEIKO EPSON CORP.)
ecs_setup.exe -> C:\Program Files\Sony Ericsson\Communications Suite\ecs_setup.exe [C:\Program Files\Sony Ericsson\Communications Suite\ecs_setup.exe] -> File not found
EFileManager.exe -> C:\Program Files\epson\Creativity Suite\File Manager\EFileManager.exe [C:\Program Files\EPSON\Creativity Suite\File Manager\EFileManager.exe] -> [2004/11/15 15:15:20 | 000,282,624 | ---- | M] (SEIKO EPSON CORPORATION)
EImageClip.exe -> C:\Program Files\epson\Creativity Suite\Image Clip Palette\EImageClip.exe [C:\Program Files\EPSON\Creativity Suite\Image Clip Palette\EImageClip.exe] -> [2004/10/15 11:37:16 | 000,258,048 | ---- | M] ()
Escndv.exe -> C:\WINDOWS\twain_32\escndv\escndv.exe [C:\WINDOWS\twain_32\escndv\Escndv.exe] -> [2005/02/22 00:00:00 | 000,114,688 | ---- | M] (SEIKO EPSON CORP.)
F: -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
HijackThis.exe -> C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe [C:\Program Files\Trend Micro\HiJackThis\hijackthis.exe] -> [2010/03/25 18:42:36 | 000,388,096 | ---- | M] (Trend Micro Inc.)
hrtzzm.exe -> C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe [C:\Program Files\MSN Gaming Zone\Windows\hrtzzm.exe] -> [2001/08/23 12:00:00 | 000,042,573 | ---- | M] (Microsoft Corporation)
hypertrm.exe -> C:\Program Files\Windows NT\hypertrm.exe ["C:\Program Files\Windows NT\hypertrm.exe"] -> [2001/08/23 12:00:00 | 000,028,160 | ---- | M] (Hilgraeve, Inc.)
ImageDrive.exe -> C:\Program Files\Ahead\ImageDrive\ImageDrive.exe [C:\Program Files\Ahead\ImageDrive\ImageDrive.exe] -> [2004/11/30 12:31:36 | 000,893,016 | ---- | M] (Ahead Software AG)
ImageReady.exe -> C:\Program Files\Adobe\Photoshop 7.0\ImageReady.exe [C:\Program Files\Adobe\Photoshop 7.0\ImageReady.exe] -> [2002/04/04 00:04:10 | 013,336,651 | ---- | M] (Adobe Systems Incorporated)
install.exe -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
iTunes.exe -> C:\Program Files\iTunes\iTunes.exe [C:\Program Files\iTunes\iTunes.exe] -> [2010/06/15 15:33:40 | 010,358,072 | ---- | M] (Apple Inc.)
javaws.exe -> C:\Program Files\Java\jre6\bin\javaws.exe [C:\Program Files\Java\jre6\bin\javaws.exe] -> [2010/09/15 04:50:52 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.)
LUALL.EXE -> C:\Program Files\Symantec\LiveUpdate\LUALL.EXE [C:\Program Files\Symantec\LiveUpdate\LUALL.EXE] -> [2005/03/31 17:32:24 | 002,541,200 | ---- | M] (Symantec Corporation)
mbam.exe -> C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe [C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe] -> [2010/11/29 17:42:14 | 000,963,976 | ---- | M] (Malwarebytes Corporation)
migwiz.exe -> C:\WINDOWS\system32\usmt\migwiz.exe [%SystemRoot%\system32\usmt\migwiz.exe] -> [2008/04/14 03:42:26 | 000,245,248 | ---- | M] (Microsoft Corporation)
MiraFoto ->  [C:\WINDOWS\twain_32\Foto2_00\MiraFoto] -> File not found
moviemk.exe -> C:\Program Files\Movie Maker\moviemk.exe [C:\Program Files\Movie Maker\moviemk.exe] -> [2010/06/18 13:36:12 | 003,558,912 | ---- | M] (Microsoft Corporation)
msimn.exe -> C:\Program Files\Outlook Express\msimn.exe [%ProgramFiles%\Outlook Express\msimn.exe] -> [2008/04/14 00:12:28 | 000,060,416 | -HS- | M] (Microsoft Corporation)
MsoHtmEd.exe -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
NCoverEd.exe -> C:\Program Files\Ahead\CoverDesigner\CoverDes.exe [C:\Program Files\Ahead\CoverDesigner\CoverDes.exe] -> [2005/02/01 13:31:20 | 002,412,544 | ---- | M] (Nero AG)
ndasbind.exe -> C:\Program Files\NDAS\System\ndasbind.exe [C:\Program Files\NDAS\System\ndasbind.exe] -> [2007/11/27 17:06:52 | 000,176,616 | ---- | M] (XIMETA, Inc.)
ndasmgmt.exe -> C:\Program Files\NDAS\System\ndasmgmt.exe [C:\Program Files\NDAS\System\ndasmgmt.exe] -> [2007/11/27 17:06:54 | 000,236,520 | ---- | M] (XIMETA, Inc.)
nero.exe -> C:\Program Files\Ahead\Nero\nero.exe [C:\Program Files\Ahead\nero\nero.exe] -> [2005/03/03 16:33:29 | 015,376,451 | ---- | M] (Ahead Software AG)
NeroMediaHome.exe -> C:\Program Files\Ahead\Nero MediaHome\NeroMediaHome.exe [C:\Program Files\Ahead\Nero MediaHome\NeroMediaHome.exe] -> [2005/02/12 10:49:44 | 002,646,016 | ---- | M] (Ahead Software AG)
NeroMediaPlayer.exe -> C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe [C:\Program Files\Ahead\NeroMediaPlayer\NeroMediaPlayer.exe] -> [2005/02/04 11:57:27 | 001,150,976 | ---- | M] (Ahead software)
NeroStartSmart.exe -> C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe [C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart.exe] -> [2005/01/21 19:12:40 | 004,714,582 | ---- | M] (Ahead Software AG)
NeroVision.EXE -> C:\Program Files\Ahead\NeroVision\NeroVision.exe [C:\Program Files\Ahead\NeroVision\NeroVision.exe] -> [2005/02/17 17:39:11 | 000,434,176 | ---- | M] (Nero AG)
pbrush.exe -> C:\WINDOWS\system32\mspaint.exe [%SystemRoot%\system32\mspaint.exe] -> [2009/12/16 18:43:27 | 000,343,040 | ---- | M] (Microsoft Corporation)
Photoshop.exe -> C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe [C:\Program Files\Adobe\Photoshop 7.0\Photoshop.exe] -> [2007/12/26 13:46:59 | 015,900,672 | ---- | M] (Adobe Systems, Incorporated)
PictureViewer.exe -> C:\Program Files\QuickTime\PictureViewer.exe [C:\Program Files\QuickTime\PictureViewer.exe] -> [2010/03/18 21:16:06 | 000,557,056 | ---- | M] (Apple Inc.)
pinball.exe -> C:\Program Files\Windows NT\Pinball\pinball.exe [C:\Program Files\Windows NT\Pinball\pinball.exe] -> [2008/04/14 00:12:31 | 000,281,088 | ---- | M] (Cinematronics)
PTProfiler.exe -> C:\Program Files\Karen's Power Tools\Computer Profiler\PTProfiler.exe [C:\Program Files\Karen's Power Tools\Computer Profiler\PTProfiler.exe] -> [2007/10/27 23:03:56 | 000,562,672 | ---- | M] (Karen Kenworthy)
QuickTimePlayer.exe -> C:\Program Files\QuickTime\QuickTimePlayer.exe [C:\Program Files\QuickTime\QuickTimePlayer.exe] -> [2010/03/18 22:50:08 | 001,230,128 | ---- | M] (Apple Inc.)
RealPlay.exe -> C:\Program Files\Real\RealPlayer\realplay.exe [C:\Program Files\Real\RealPlayer\realplay.exe] -> [2008/03/15 21:05:15 | 000,214,560 | ---- | M] (RealNetworks, Inc.)
Recode.exe -> C:\Program Files\Ahead\Nero Recode\Recode.exe [C:\Program Files\Ahead\Nero Recode\Recode.exe] -> [2005/02/09 16:31:34 | 011,186,264 | ---- | M] (Ahead Software AG)
rnxproc.exe -> C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe [C:\Program Files\Common Files\Real\Update_OB\rnxproc.exe] -> [2008/03/15 21:05:14 | 000,058,952 | ---- | M] (RealNetworks, Inc.)
rvsezm.exe -> C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe [C:\Program Files\MSN Gaming Zone\Windows\rvsezm.exe] -> [2001/08/23 12:00:00 | 000,042,574 | ---- | M] (Microsoft Corporation)
setup.exe -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
ShowTime.EXE -> C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe [C:\Program Files\Ahead\Nero ShowTime\ShowTime.exe] -> [2005/02/18 16:43:00 | 003,203,072 | ---- | M] (Ahead software AG)
shvlzm.exe -> C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe [C:\Program Files\MSN Gaming Zone\Windows\shvlzm.exe] -> [2001/08/23 12:00:00 | 000,042,573 | ---- | M] (Microsoft Corporation)
smax4.exe -> C:\Program Files\Analog Devices\SoundMAX\SMax4.exe [C:\Program Files\Analog Devices\SoundMAX\smax4.exe] -> [2005/09/07 15:35:36 | 000,716,800 | ---- | M] (Analog Devices, Inc.)
smax4pnp.exe -> C:\Program Files\Analog Devices\Core\smax4pnp.exe [C:\Program Files\Analog Devices\Core\smax4pnp.exe] -> [2005/05/20 01:11:06 | 000,925,696 | R--- | M] (Analog Devices, Inc.)
smax4wiz.exe -> C:\Program Files\Analog Devices\SoundMAX\SMax4Wiz.exe [C:\Program Files\Analog Devices\SoundMAX\smax4wiz.exe] -> [2005/07/26 09:29:08 | 000,815,104 | ---- | M] (Analog Devices, Inc.)
SMaxCore -> C:\Program Files\Analog Devices\Core [C:\Program Files\Analog Devices\Core] -> [2007/12/24 00:15:51 | 000,000,000 | ---D | M]
smwdmif.dll -> C:\Program Files\Analog Devices\Core\smwdmif.dll [C:\Program Files\Analog Devices\Core\smwdmif.dll] -> [2005/10/05 09:28:14 | 000,290,816 | R--- | M] (Analog Devices, Inc.)
SoundMAX -> C:\Program Files\Analog Devices\SoundMAX [C:\Program Files\Analog Devices\SoundMAX] -> [2007/12/24 00:30:16 | 000,000,000 | ---D | M]
Sprint.exe -> C:\Program Files\ABBYY FineReader 6.0 Sprint\Sprint.exe [C:\Program Files\ABBYY FineReader 6.0 Sprint\Sprint.exe] -> [2005/03/03 17:22:04 | 000,995,328 | ---- | M] (ABBYY (BIT Software))
table30.exe -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
Update.exe -> C:\Program Files\ASUS\AsusUpdate\Update.exe [C:\Program Files\ASUS\ASUSUpdate\Update.exe] -> [2007/12/04 15:22:52 | 001,421,312 | ---- | M] (ASUSTek Computer Inc.)
VIRGIN MOBILE BROADBAND HOME.exe -> C:\Program Files\Virgin Mobile\Broadband Home\VIRGIN MOBILE BROADBAND HOME.exe [C:\Program Files\Virgin Mobile\Broadband Home\VIRGIN MOBILE BROADBAND HOME.exe] -> [2010/02/05 21:58:21 | 000,053,248 | ---- | M] ()
VPC32.exe -> C:\Program Files\Symantec AntiVirus\\VPC32.exe [C:\Program Files\Symantec AntiVirus\\VPC32.exe] -> [2005/04/17 12:30:46 | 000,268,480 | ---- | M] ()
vptray.exe -> C:\Program Files\Symantec AntiVirus\VPTray.exe [C:\PROGRA~1\SYMANT~1\VPTray.exe] -> [2005/04/17 12:30:48 | 000,085,184 | ---- | M] (Symantec Corporation)
wab.exe -> C:\Program Files\Outlook Express\wab.exe [%ProgramFiles%\Outlook Express\wab.exe] -> [2008/04/14 00:12:38 | 000,046,080 | ---- | M] (Microsoft Corporation)
wabmig.exe -> C:\Program Files\Outlook Express\wabmig.exe [%ProgramFiles%\Outlook Express\wabmig.exe] -> [2008/04/14 00:12:39 | 000,030,208 | ---- | M] (Microsoft Corporation)
winnt32.exe -> Reg Error: Value error. [Reg Error: Value error.] -> File not found
WinRAR.exe -> C:\Program Files\WinRAR\WinRAR.exe [C:\Program Files\WinRAR\WinRAR.exe] -> [2010/03/15 10:26:37 | 001,039,360 | ---- | M] ()
WMPBurn.exe -> C:\Program Files\Ahead\WMPBurn\WMPBurn.exe [C:\Program Files\Ahead\WMPBurn\WMPBurn.exe] -> [2004/01/08 16:19:24 | 001,265,664 | ---- | M] (Ahead Software AG)
WNPMGR32.exe -> C:\Program Files\Intel\Netport\Wnpmgr32.exe [C:\Program Files\Intel\Netport\WNPMGR32.exe] -> [2001/01/11 06:48:42 | 000,606,208 | ---- | M] (Intel Corporation)
WORDPAD.EXE -> C:\Program Files\Windows NT\Accessories\WORDPAD.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"] -> [2010/07/12 12:55:03 | 000,218,112 | ---- | M] (Microsoft Corporation)
WRITE.EXE -> C:\Program Files\Windows NT\Accessories\WORDPAD.EXE ["%ProgramFiles%\Windows NT\Accessories\WORDPAD.EXE"] -> [2010/07/12 12:55:03 | 000,218,112 | ---- | M] (Microsoft Corporation)
XPSViewer.exe -> C:\WINDOWS\System32\XPSViewer\XPSViewer.exe ["C:\WINDOWS\system32\XPSViewer\XPSViewer.exe"] -> [2008/07/29 20:26:06 | 000,301,568 | ---- | M] (Microsoft Corporation)
xtndpc.exe -> C:\Program Files\XTNDConnect PC\xtndpc.exe [C:\Program Files\XTNDConnect PC\xtndpc.exe] -> [2003/09/03 17:15:40 | 000,229,376 | ---- | M] (Extended Systems)
< Approved Shell Extensions [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved -> 
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}" [HKLM] -> C:\Program Files\Common Files\System\Ole DB\oledb32.dll [Microsoft Data Link] -> [2008/04/14 00:12:02 | 000,487,424 | ---- | M] (Microsoft Corporation)
"{32714800-2E5F-11d0-8B85-00AA0044F941}" [HKLM] -> C:\Program Files\Outlook Express\wabfind.dll [For &People...] -> [2008/04/14 00:12:08 | 000,032,768 | ---- | M] (Microsoft Corporation)
"{36A21736-36C2-4C11-8ACB-D4136F2B57BD}" [HKLM] -> C:\WINDOWS\system32\AcSignIcon.dll [AutoCAD Digital Signatures Icon Overlay Handler] -> [2010/07/24 23:02:03 | 000,043,232 | ---- | M] (Autodesk, Inc.)
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" [HKLM] ->  [Display Panning CPL Extension] -> File not found
"{4B392032-A759-43ED-9469-377C80A4472D}" [HKLM] -> C:\Program Files\Common Files\Autodesk Shared\AcDgnCOM18.dll [Autodesk Dgn File Preview] -> [2010/07/24 23:01:36 | 000,017,632 | ---- | M] (Autodesk)
"{5800AD5B-72C1-477B-9A08-CA112DF06D97}" [HKLM] -> C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll [AutoCAD DWG InfoTip Handler] -> [2010/07/24 23:01:36 | 000,131,296 | ---- | M] (Autodesk)
"{764BF0E1-F219-11ce-972D-00AA00A14F56}" [HKLM] -> Reg Error: Key error. [Shell extensions for file compression] -> File not found
"{7F1CF152-04F8-453A-B34C-E609530A9DC8}" [HKLM] -> C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalPropSheetHandler] -> [2005/01/21 14:34:06 | 001,511,424 | ---- | M] (Nero AG)
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}" [HKLM] -> Reg Error: Key error. [Encryption Context Menu] -> File not found
"{88895560-9AA2-1069-930E-00AA0030EBC8}" [HKLM] -> C:\WINDOWS\system32\hticons.dll [HyperTerminal Icon Ext] -> [2001/08/23 12:00:00 | 000,044,544 | ---- | M] (Hilgraeve, Inc.)
"{8A0BC933-7552-42E2-A228-3BE055777227}" [HKLM] -> C:\Program Files\Common Files\Autodesk Shared\AcShellEx\AcShellExtension.dll [AutoCAD DWG Column Handler] -> [2010/07/24 23:01:36 | 000,131,296 | ---- | M] (Autodesk)
"{A5110426-177D-4e08-AB3F-785F10B4439C}" [HKLM] -> C:\Program Files\Sony Ericsson\Mobile\File Manager\fmgrgui.dll [My Phones] -> [2004/09/28 14:05:06 | 000,319,488 | R--- | M] (Sony Ericsson Mobile Communications AB)
"{AC1DB655-4F9A-4c39-8AD2-A65324A4C446}" [HKLM] -> C:\Program Files\Common Files\Autodesk Shared\Thumbnail\AcThumbnail16.dll [Autodesk Drawing Preview] -> [2010/07/24 23:01:38 | 000,017,632 | ---- | M] (Autodesk, Inc.)
"{B327765E-D724-4347-8B16-78AE18552FC3}" [HKLM] -> C:\Program Files\Common Files\Ahead\Lib\NeroDigitalExt.dll [NeroDigitalIconHandler] -> [2005/01/21 14:34:06 | 001,511,424 | ---- | M] (Nero AG)
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" [HKLM] -> C:\Program Files\WinRAR\RarExt.dll [WinRAR shell extension] -> [2010/03/15 10:28:22 | 000,141,824 | ---- | M] ()
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" [HKLM] -> C:\Program Files\iTunes\iTunesMiniPlayer.dll [iTunes] -> [2010/06/15 15:33:44 | 000,123,704 | ---- | M] (Apple Inc.)
"{BC476F4C-D9D7-4100-8D4E-E043F6DEC409}" [HKLM] -> Reg Error: Key error. [Microsoft Browser Architecture] -> File not found
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" [HKLM] -> C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll [LDVP Shell Extensions] -> [2005/04/17 12:31:16 | 000,045,760 | ---- | M] (Symantec Corporation)
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" [HKLM] -> C:\Program Files\Real\RealPlayer\rpshell.dll [Shell Extensions for RealOne Player] -> [2008/03/15 21:05:16 | 000,063,040 | ---- | M] (RealNetworks, Inc.)
"{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75}" [HKLM] -> Reg Error: Key error. [IE User Assist] -> File not found
< Desktop Components > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\ -> 
0 -> [Key] -> 
0 -> FriendlyName = My Current Home Page -> 
0 -> Source = About:Home -> 
0 -> SubscribedURL = About:Home -> 
< Desktop WallPaper > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General -> 
BackupWallPaper -> C:\WINDOWS\Web\Wallpaper\Bliss.bmp -> 
< Disabled MSConfig Folder Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\ -> 
C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk -> C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe -> [1999/11/04 15:06:48 | 000,113,664 | ---- | M] (Adobe Systems, Inc.)
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ -> 
High Definition Audio Property Page Shortcut hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->  -> File not found
iTunesHelper hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\iTunes\iTunesHelper.exe -> [2010/06/15 15:33:44 | 000,141,624 | ---- | M] (Apple Inc.)
NBJ hkey=HKCU key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Ahead\Nero BackItUp\NBJ.exe -> [2005/02/10 17:00:54 | 001,937,408 | ---- | M] (Ahead Software AG)
NeroFilterCheck hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->  -> File not found
QuickTime Task hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\QuickTime\qttask.exe -> [2010/03/18 21:16:10 | 000,421,888 | ---- | M] (Apple Inc.)
SoundMAX hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Analog Devices\SoundMAX\Smax4.exe -> [2005/09/07 15:35:36 | 000,716,800 | ---- | M] (Analog Devices, Inc.)
SoundMAXPnP hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run -> C:\Program Files\Analog Devices\Core\smax4pnp.exe -> [2005/05/20 01:11:06 | 000,925,696 | R--- | M] (Analog Devices, Inc.)
WATCHPNP_Samsung hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->  -> File not found
< Disabled MSConfig State [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state -> 
"bootini" -> 0 -> 
"services" -> 0 -> 
"startup" -> 2 -> 
"system.ini" -> 0 -> 
"win.ini" -> 0 -> 
< Drivers32 [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 -> 
"msacm.iac2" -> C:\WINDOWS\system32\iac25_32.ax [C:\WINDOWS\system32\iac25_32.ax] -> [2008/04/14 03:42:44 | 000,199,680 | ---- | M] (Intel Corporation)
"msacm.l3acm" -> C:\WINDOWS\system32\l3codeca.acm [C:\WINDOWS\system32\l3codeca.acm] -> [2010/01/29 14:43:39 | 000,307,260 | ---- | M] (Fraunhofer Institut Integrierte Schaltungen IIS)
"msacm.sl_anet" -> C:\WINDOWS\System32\sl_anet.acm [sl_anet.acm] -> [2008/04/14 03:40:52 | 000,086,016 | ---- | M] (Sipro Lab Telecom Inc.)
"msacm.trspch" -> C:\WINDOWS\System32\tssoft32.acm [tssoft32.acm] -> [2001/08/23 12:00:00 | 000,008,192 | ---- | M] (DSP GROUP, INC.)
"MSVideo8" -> C:\WINDOWS\System32\vfwwdm32.dll [VfWWDM32.dll] -> [2008/04/14 00:12:08 | 000,053,760 | ---- | M] (Microsoft Corporation)
"vidc.cvid" -> C:\WINDOWS\System32\iccvid.dll [iccvid.dll] -> [2010/06/17 14:03:00 | 000,080,384 | ---- | M] (Radius Inc.)
"vidc.iv31" -> C:\WINDOWS\System32\ir32_32.dll [ir32_32.dll] -> [2001/08/23 12:00:00 | 000,199,168 | ---- | M] ()
"vidc.iv32" -> C:\WINDOWS\System32\ir32_32.dll [ir32_32.dll] -> [2001/08/23 12:00:00 | 000,199,168 | ---- | M] ()
"vidc.iv41" -> C:\WINDOWS\System32\ir41_32.ax [ir41_32.ax] -> [2008/04/14 03:42:44 | 000,848,384 | ---- | M] (Intel Corporation)
"vidc.iv50" -> C:\WINDOWS\System32\ir50_32.dll [ir50_32.dll] -> [2008/04/14 03:41:56 | 000,755,200 | ---- | M] (Intel Corporation)
< Ext (PreApproved) - [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [QuickTime Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{03F998B2-0E00-11D3-A498-00104B6EB52E} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{0540F132-FD03-4120-9B98-6559FE3F4F20} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{0DB074F0-617E-4EE9-912C-2965CF2AA5A4} [HKLM] -> C:\Program Files\Virtual Earth 3D\SentinelVirtualEarth3D.dll [SentinelVE3D Class] -> [2007/11/13 10:33:58 | 000,123,912 | ---- | M] (Microsoft Corporation.)
{166B1BCA-3F9C-11CF-8075-444553540000} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{1B00725B-C455-4DE6-BFB6-AD540AD427CD} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{1B1B260C-2D5A-47DD-AA70-BA2396E00D81} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support\SymXPep2.dll [SymXPep2_Collector Class] -> [2007/12/25 18:29:34 | 000,357,768 | ---- | M] (Symantec Corporation)
{233C1507-6A77-46A4-9443-F871F945D258} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{3451DEDE-631F-421c-8127-FD793AFC6CC8} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\SymAData.dll [ActiveDataInfo Class] -> [2007/11/16 14:06:28 | 000,177,552 | ---- | M] (Symantec Corporation)
{34F12AFD-E9B5-492A-85D2-40FA4535BE83} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\nprdtinf.dll [AxProdInfoCtl Class] -> [2007/11/16 14:06:20 | 000,333,176 | R--- | M] (Symantec Corporation)
{4063BE15-3B08-470D-A0D5-B37161CFFD69} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [QuickTime Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{44990200-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlsi.dll [Symantec SmartIssue] -> [2007/11/16 14:06:30 | 001,156,496 | ---- | M] (Symantec, Inc.)
{44990301-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlsr.dll [Symantec Script Runner Class] -> [2007/11/16 14:06:30 | 000,578,960 | ---- | M] (Symantec, Inc.)
{44990400-3C9D-426D-81DF-AAB636FA4345} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{44990500-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctrlln.dll [Symantec Listener Control] -> [2007/11/16 14:06:26 | 001,340,816 | ---- | M] (Symantec, Inc.)
{44990600-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe [Symantec RemoteControl Class] -> [2007/11/16 14:06:22 | 000,501,136 | ---- | M] (Symantec Corporation)
{44990701-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctlbr.dll [SprtCtlBrowse Class] -> [2007/11/16 14:06:26 | 000,173,456 | ---- | M] (Symantec, Inc.)
{44990801-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\ssctlwmi.dll [SprtWMIControl Class] -> [2007/11/16 14:06:26 | 000,091,536 | ---- | M] (Symantec, Inc.)
{44990900-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlss.dll [Symantec ScreenShot Class] -> [2007/11/16 14:06:30 | 000,206,224 | ---- | M] (Symantec, Inc.)
{44990a00-3c9d-426d-81df-aab636fa4345} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{44990b00-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlcm.dll [Symantec Configuration Class] -> [2007/11/16 14:06:28 | 000,292,240 | ---- | M] (Symantec, Inc.)
{44990b0a-3c9d-426d-81df-aab636fa4345} [HKLM] -> Reg Error: Key error. [Handler for ElevationHelper Class] -> File not found
{44990b0b-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\sshelper.exe [Symantec User Helper Class] -> [2007/11/16 14:06:22 | 000,071,056 | ---- | M] (Symantec, Inc.)
{44990b0c-3c9d-426d-81df-aab636fa4345} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\tgctlcm.dll [Symantec Elevation Helper Class] -> [2007/11/16 14:06:28 | 000,292,240 | ---- | M] (Symantec, Inc.)
{4536918A-95A8-498F-B542-CB906C561A43} [HKLM] -> C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll [Google Update Plugin] -> [2010/10/16 15:23:55 | 000,219,288 | ---- | M] (Google Inc.)
{5852F5ED-8BF4-11D4-A245-0080C6F74284} [HKLM] -> C:\Program Files\Java\jre6\bin\wsdetect.dll [isInstalled Class] -> [2010/09/15 04:50:40 | 000,108,320 | ---- | M] (Sun Microsystems, Inc.)
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{A860F368-DD62-4474-8178-C585F6B48422} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\SymSupCC.dll [PSFactoryBuffer] -> [2007/11/16 14:06:28 | 000,075,152 | ---- | M] (Symantec Corporation)
{CA8A9780-280D-11CF-A24D-444553540000} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll [Adobe PDF Reader] -> [2008/10/14 21:29:50 | 000,632,168 | ---- | M] (Adobe Systems, Inc.)
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBA} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{CAFEEFAC-0015-0000-0000-ABCDEFFEDCBC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBB} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBC} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} [HKLM] -> C:\WINDOWS\system32\deployJava1.dll [Deployment Toolkit] -> [2010/09/15 04:50:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} [HKLM] -> C:\WINDOWS\system32\deployJava1.dll [Deployment Toolkit] -> [2010/09/15 04:50:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBC} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{CB927D12-4FF7-4A9E-A169-56E4B8A75598} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [Behavior Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA} [HKLM] -> C:\WINDOWS\system32\rmoc3260.dll [RealPlayer G2 Control] -> [2008/03/15 21:05:20 | 000,185,944 | ---- | M] (RealNetworks, Inc.)
{D27CDB6E-AE6D-11cf-96B8-444553540000} [HKLM] -> C:\WINDOWS\system32\Macromed\Flash\Flash10l.ocx [Shockwave Flash Object] -> [2010/11/11 11:30:45 | 006,071,760 | R--- | M] (Adobe Systems, Inc.)
{D719897A-B07A-4C0C-AEA9-9B663A28DFCB} [HKLM] -> C:\Program Files\iTunes\ITDetector.ocx [iTunesDetector Class] -> [2010/06/15 15:33:36 | 000,111,416 | ---- | M] (Apple Inc.)
{DFEAF541-F3E1-4c24-ACAC-99C30715084A} [HKLM] -> C:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll [Microsoft Silverlight] -> [2010/09/16 21:24:06 | 001,023,816 | ---- | M] ( Microsoft Corporation)
{E25E440E-E206-4b9e-9CF5-FAC9779E0EEE} [HKLM] -> C:\Program Files\Common Files\Symantec Shared\Support Controls\SymSupCC.dll [ControlInstaller Class] -> [2007/11/16 14:06:28 | 000,075,152 | ---- | M] (Symantec Corporation)
{F9152AEC-3462-4632-8087-EEE3C3CDDA24} [HKLM] -> C:\Program Files\Google\Google Earth\plugin\ie\5.2.1.1588\plugin_ax.dll [GEPluginCoClass Object] -> [2010/09/01 18:34:54 | 005,220,864 | ---- | M] (Google)
< Ext (Settings) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [QuickTime Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/22 23:08:42 | 000,062,080 | ---- | M] (Adobe Systems Incorporated)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2008/03/15 21:05:23 | 000,370,296 | ---- | M] (RealPlayer)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{AA58ED58-01DD-4D91-8333-CF10577473F7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> C:\WINDOWS\system32\Macromed\Flash\Flash10l.ocx [Shockwave Flash Object] -> [2010/11/11 11:30:45 | 006,071,760 | R--- | M] (Adobe Systems, Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{E2E2DD38-D088-4134-82B7-F2BA38496583} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{FB5F1910-F110-11D2-BB9E-00C04F795683} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< Ext (Stats) - [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\ -> 
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [QuickTime Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [Adobe PDF Reader Link Helper] -> [2006/10/22 23:08:42 | 000,062,080 | ---- | M] (Adobe Systems Incorporated)
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} [HKLM] -> Reg Error: Key error. [Reg Error: Value error.] -> File not found
{2318C2B1-4965-11D4-9B18-009027A5CD4F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{238F6F83-B8B4-11CF-8771-00A024541EE3} [HKLM] -> C:\Program Files\Citrix\ICA Client\Wfica.ocx [Citrix ICA Client] -> [2008/08/16 16:44:44 | 000,587,096 | ---- | M] (Citrix Systems, Inc.)
{3049C3E9-B461-4BC5-8870-4C09146192CA} [HKLM] -> C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll [RealPlayer Download and Record Plugin for Internet Explorer] -> [2008/03/15 21:05:23 | 000,370,296 | ---- | M] (RealPlayer)
{377B5106-3B4E-4A2D-8520-8767590CAC86} [HKLM] -> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\NPSVG3.dll [SVG Document] -> [2005/04/14 20:24:22 | 000,321,192 | ---- | M] (Adobe Systems Incorporated)
{4063BE15-3B08-470D-A0D5-B37161CFFD69} [HKLM] -> C:\Program Files\QuickTime\QTPlugin.ocx [QuickTime Object] -> [2010/03/18 22:50:08 | 000,800,048 | ---- | M] (Apple Inc.)
{4536918A-95A8-498F-B542-CB906C561A43} [HKLM] -> C:\Program Files\Google\Update\1.2.183.39\npGoogleOneClick8.dll [Google Update Plugin] -> [2010/10/16 15:23:55 | 000,219,288 | ---- | M] (Google Inc.)
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{69D72956-317C-44BD-B369-8E44D4EF9801} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{8AD9C840-044E-11D1-B3E9-00805F499D93} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{909AAEB6-C2CB-4AB5-A7BB-C33B72AB4BFB} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{92780B25-18CC-41C8-B9BE-3C9C571A8263} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{AA58ED58-01DD-4D91-8333-CF10577473F7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{AF69DE43-7D58-4638-B6FA-CE66B5AD205D} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{BD96C556-65A3-11D0-983A-00C04FC29E36} [HKLM] -> C:\Program Files\Common Files\System\msadc\msadco.dll [RDS.DataSpace] -> [2008/04/14 00:11:58 | 000,143,360 | ---- | M] (Microsoft Corporation)
{CA8A9780-280D-11CF-A24D-444553540000} [HKLM] -> C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroPDF.dll [Adobe PDF Reader] -> [2008/10/14 21:29:50 | 000,632,168 | ---- | M] (Adobe Systems, Inc.)
{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} [HKLM] -> C:\Program Files\Java\jre6\bin\npjpi160_22.dll [Java Plug-in 1.6.0_22] -> [2010/09/15 04:50:46 | 000,141,088 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA} [HKLM] -> C:\WINDOWS\system32\deployJava1.dll [Deployment Toolkit] -> [2010/09/15 04:50:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.)
{CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA} [HKLM] -> C:\WINDOWS\system32\deployJava1.dll [Deployment Toolkit] -> [2010/09/15 04:50:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.)
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} [HKLM] -> C:\WINDOWS\system32\rmoc3260.dll [RealPlayer G2 Control] -> [2008/03/15 21:05:20 | 000,185,944 | ---- | M] (RealNetworks, Inc.)
{D27CDB6E-AE6D-11CF-96B8-444553512000} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{D27CDB6E-AE6D-11CF-96B8-444553540000} [HKLM] -> C:\WINDOWS\system32\Macromed\Flash\Flash10l.ocx [Shockwave Flash Object] -> [2010/11/11 11:30:45 | 006,071,760 | R--- | M] (Adobe Systems, Inc.)
{DE4AF3B0-F4D4-11D3-B41A-0050DA2E6C21} [HKLM] -> C:\Program Files\QuickTime\QTSystem\QuickTimeCheck.ocx [QuickTimeCheck Class] -> [2010/03/18 22:50:08 | 000,136,496 | ---- | M] (Apple Inc.)
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{DFEAF541-F3E1-4C24-ACAC-99C30715084A} [HKLM] -> C:\Program Files\Microsoft Silverlight\4.0.50917.0\npctrl.dll [Microsoft Silverlight] -> [2010/09/16 21:24:06 | 001,023,816 | ---- | M] ( Microsoft Corporation)
{E2E2DD38-D088-4134-82B7-F2BA38496583} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{EC0403E0-9158-4CF8-A2B6-3C62C3B9B6B7} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
{F9152AEC-3462-4632-8087-EEE3C3CDDA24} [HKLM] -> C:\Program Files\Google\Google Earth\plugin\ie\5.2.1.1588\plugin_ax.dll [GEPluginCoClass Object] -> [2010/09/01 18:34:54 | 005,220,864 | ---- | M] (Google)
{FB5F1910-F110-11D2-BB9E-00C04F795683} [HKLM] -> Reg Error: Key error. [Reg Error: Key error.] -> File not found
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ -> 
.bat [@ = batfile] -> "%1" %* -> 
.cmd [@ = cmdfile] -> "%1" %* -> 
.com [@ = ComFile] -> "%1" %* -> 
.exe [@ = exefile] -> "%1" %* -> 
.pif [@ = piffile] -> "%1" %* -> 
.scr [@ = scrfile] -> "%1" /S -> 
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost > -> ->
*netsvcs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\\netsvcs ->
6to4 ->  -> File not found
HidServ -> C:\WINDOWS\System32\hidserv.dll -> File not found
Ias ->  -> File not found
Iprip ->  -> File not found
Irmon ->  -> File not found
NWCWorkstation ->  -> File not found
Nwsapagent ->  -> File not found
WmdmPmSp ->  -> File not found
*MultiFile Done* -> -> 
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ -> 
ipp: [HKLM] -> No CLSID value
msdaipp: [HKLM] -> No CLSID value
< SafeBoot-Minimal Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ -> 
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{533C5B84-EC70-11D2-9505-00C04F79DEAF} -> Volume shadow copy
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
klmdb.sys -> Reg Error: Value error.
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
Primary disk -> Driver Group
SCSI Class -> Driver Group
sermouse.sys -> Driver
System Bus Extender -> Driver Group
vds -> Service
vga.sys -> Driver
< SafeBoot-Network Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ -> 
{36FC9E60-C465-11CF-8056-444553540000} -> Universal Serial Bus controllers
{4D36E965-E325-11CE-BFC1-08002BE10318} -> CD-ROM Drive
{4D36E967-E325-11CE-BFC1-08002BE10318} -> DiskDrive
{4D36E969-E325-11CE-BFC1-08002BE10318} -> Standard floppy disk controller
{4D36E96A-E325-11CE-BFC1-08002BE10318} -> Hdc
{4D36E96B-E325-11CE-BFC1-08002BE10318} -> Keyboard
{4D36E96F-E325-11CE-BFC1-08002BE10318} -> Mouse
{4D36E972-E325-11CE-BFC1-08002BE10318} -> Net
{4D36E973-E325-11CE-BFC1-08002BE10318} -> NetClient
{4D36E974-E325-11CE-BFC1-08002BE10318} -> NetService
{4D36E975-E325-11CE-BFC1-08002BE10318} -> NetTrans
{4D36E977-E325-11CE-BFC1-08002BE10318} -> PCMCIA Adapters
{4D36E97B-E325-11CE-BFC1-08002BE10318} -> SCSIAdapter
{4D36E97D-E325-11CE-BFC1-08002BE10318} -> System
{4D36E980-E325-11CE-BFC1-08002BE10318} -> Floppy disk drive
{71A27CDD-812A-11D0-BEC7-08002BE2092F} -> Volume
{745A17A0-74D3-11D0-B6FE-00A0C90F57DA} -> Human Interface Devices
Base -> Driver Group
Boot Bus Extender -> Driver Group
Boot file system -> Driver Group
File system -> Driver Group
Filter -> Driver Group
klmdb.sys -> Reg Error: Value error.
NDIS Wrapper -> Driver Group
NetBIOSGroup -> Driver Group
NetDDEGroup -> Driver Group
Network -> Driver Group
NetworkProvider -> Driver Group
PCI Configuration -> Driver Group
PNP Filter -> Driver Group
PNP_TDI -> Driver Group
Primary disk -> Driver Group
SCSI Class -> Driver Group
sermouse.sys -> Driver
Streams Drivers -> Driver Group
System Bus Extender -> Driver Group
TDI -> Driver Group
vga.sys -> Driver
< Security Center Settings > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center
\\"FirstRunDisabled" ->  [1] -> File not found
\\"AntiVirusDisableNotify" ->  [0] -> File not found
\\"FirewallDisableNotify" ->  [0] -> File not found
\\"UpdatesDisableNotify" ->  [0] -> File not found
\\"AntiVirusOverride" ->  [0] -> File not found
\\"FirewallOverride" ->  [0] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus
\Monitoring\SymantecAntiVirus\\"DisableMonitoring" ->  [1] -> File not found
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> -> 
< System Restore User Settings > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore -> 
"DisableSR" -> 0 -> 
< System Restore File Filter Service > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Sr -> 
"Start" -> 0 -> 
< System Restore Service > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SrService -> 
"Start" -> 2 -> 
< Windows Firewall Group Policy Settings > -> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile\ -> -> 
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\ -> -> 
< Windows DomainProfile Firewall Policy Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\ -> -> 
< Windows DomainProfile GloballyOpenPorts Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List
\\"139:TCP" ->  [139:TCP:*:Enabled:@xpsp2res.dll,-22004] -> File not found
\\"445:TCP" ->  [445:TCP:*:Enabled:@xpsp2res.dll,-22005] -> File not found
\\"137:UDP" ->  [137:UDP:*:Enabled:@xpsp2res.dll,-22001] -> File not found
\\"138:UDP" ->  [138:UDP:*:Enabled:@xpsp2res.dll,-22002] -> File not found
< Windows StandardProfile Firewall Policy Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
\\"EnableFirewall" ->  [1] -> File not found
\\"DoNotAllowExceptions" ->  [0] -> File not found
\\"DisableNotifications" ->  [0] -> File not found
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> -> 
< Windows StandardProfile GloballyOpenPorts Settings > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List -> 
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
\\"1900:UDP" ->  [1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007] -> File not found
\\"2869:TCP" ->  [2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008] -> File not found
\\"67:UDP" ->  [67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service] -> File not found
\\"139:TCP" ->  [139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004] -> File not found
\\"445:TCP" ->  [445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005] -> File not found
\\"137:UDP" ->  [137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001] -> File not found
\\"138:UDP" ->  [138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002] -> File not found
\\"1035:TCP" ->  [1035:TCP:*:Enabled:Akamai NetSession Interface] -> File not found
\\"5000:UDP" ->  [5000:UDP:*:Enabled:Akamai NetSession Interface] -> File not found
< Session Manager Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager -> 
*BootExecute* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\BootExecute -> 
autocheck autochk * ->  -> File not found
*MultiFile Done* -> -> 
"ExcludeFromKnownDlls" ->  [binary data] -> 
*ObjectDirectories* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\\ObjectDirectories -> 
\Windows -> \Windows -> [2010/12/11 10:01:49 | 000,000,000 | ---D | M]
\RPC Control ->  -> File not found
*MultiFile Done* -> -> 
< Session Manager Environment Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment -> 
"ComSpec" -> C:\WINDOWS\system32\cmd.exe -> [2008/04/14 03:42:16 | 000,389,120 | ---- | M] (Microsoft Corporation)
"TEMP" -> C:\WINDOWS\Temp -> [2010/12/11 18:09:20 | 000,000,000 | ---D | M]
"TMP" -> C:\WINDOWS\Temp -> [2010/12/11 18:09:20 | 000,000,000 | ---D | M]
"windir" -> C:\WINDOWS -> [2010/12/11 10:01:49 | 000,000,000 | ---D | M]
*Path* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path -> 
%SystemRoot%\system32 -> C:\WINDOWS\system32 -> [2010/12/11 18:10:44 | 000,000,000 | ---D | M]
%SystemRoot% -> C:\WINDOWS -> [2010/12/11 10:01:49 | 000,000,000 | ---D | M]
%SystemRoot%\system32\wbem -> C:\WINDOWS\system32\wbem -> [2010/12/07 22:28:09 | 000,000,000 | ---D | M]
C:\Program Files\Samsung\Samsung PC Studio 3 -> C:\Program Files\Samsung\Samsung PC Studio 3 -> [2008/08/25 23:19:41 | 000,000,000 | ---D | M]
C:\WINDOWS\system32\WindowsPowerShell\v1.0 -> C:\WINDOWS\system32\windowspowershell\v1.0 -> [2010/06/27 13:34:52 | 000,000,000 | ---D | M]
C:\Program Files\QuickTime\QTSystem -> C:\Program Files\QuickTime\QTSystem -> [2010/07/15 18:22:58 | 000,000,000 | ---D | M]
C:\Program Files\Overlook Fing 1.4\bin -> C:\Program Files\Overlook Fing 1.4\bin -> [2010/09/04 00:17:17 | 000,000,000 | ---D | M]
*MultiFile Done* -> -> 
*PATHEXT* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT -> 
.COM ->  -> File not found
.EXE ->  -> File not found
.BAT ->  -> File not found
.CMD ->  -> File not found
.VBS ->  -> File not found
.VBE ->  -> File not found
.JS ->  -> File not found
.JSE ->  -> File not found
.WSF ->  -> File not found
.WSH ->  -> File not found
.PSC1 ->  -> File not found
*MultiFile Done* -> -> 
< Session Manager FileRenameOperations Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\FileRenameOperations -> 
< Session Manager KnownDlls Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDlls -> 
"advapi32" -> C:\WINDOWS\System32\advapi32.dll -> [2009/02/09 12:10:48 | 000,617,472 | ---- | M] (Microsoft Corporation)
"comdlg32" -> C:\WINDOWS\System32\comdlg32.dll -> [2008/04/14 03:41:52 | 000,276,992 | ---- | M] (Microsoft Corporation)
"DllDirectory" -> C:\WINDOWS\system32 -> [2010/12/11 18:10:44 | 000,000,000 | ---D | M]
"gdi32" -> C:\WINDOWS\System32\gdi32.dll -> [2008/10/23 12:36:14 | 000,286,720 | ---- | M] (Microsoft Corporation)
"imagehlp" -> C:\WINDOWS\System32\imagehlp.dll -> [2008/04/14 03:41:56 | 000,144,384 | ---- | M] (Microsoft Corporation)
"kernel32" -> C:\WINDOWS\System32\kernel32.dll -> [2009/03/21 14:06:58 | 000,989,696 | ---- | M] (Microsoft Corporation)
"lz32" -> C:\WINDOWS\System32\lz32.dll -> [2001/08/23 12:00:00 | 000,002,560 | ---- | M] (Microsoft Corporation)
"ole32" -> C:\WINDOWS\System32\ole32.dll -> [2010/07/16 12:05:55 | 001,288,192 | ---- | M] (Microsoft Corporation)
"oleaut32" -> C:\WINDOWS\System32\oleaut32.dll -> [2008/04/14 03:42:04 | 000,551,936 | ---- | M] (Microsoft Corporation)
"olecli32" -> C:\WINDOWS\System32\olecli32.dll -> [2008/04/14 03:42:04 | 000,074,752 | ---- | M] (Microsoft Corporation)
"olecnv32" -> C:\WINDOWS\System32\olecnv32.dll -> [2008/04/14 03:42:04 | 000,037,376 | ---- | M] (Microsoft Corporation)
"olesvr32" -> C:\WINDOWS\System32\olesvr32.dll -> [2001/08/23 12:00:00 | 000,022,016 | ---- | M] (Microsoft Corporation)
"olethk32" -> C:\WINDOWS\System32\olethk32.dll -> [2001/08/23 12:00:00 | 000,069,120 | ---- | M] (Microsoft Corporation)
"rpcrt4" -> C:\WINDOWS\System32\rpcrt4.dll -> [2010/08/16 08:45:00 | 000,590,848 | ---- | M] (Microsoft Corporation)
"shell32" -> C:\WINDOWS\System32\shell32.dll -> [2010/07/27 06:30:35 | 008,462,336 | ---- | M] (Microsoft Corporation)
"url" -> C:\WINDOWS\System32\url.dll -> [2009/03/08 03:34:28 | 000,105,984 | ---- | M] (Microsoft Corporation)
"urlmon" -> C:\WINDOWS\System32\urlmon.dll -> [2010/09/10 05:58:08 | 001,210,880 | ---- | M] (Microsoft Corporation)
"user32" -> C:\WINDOWS\System32\user32.dll -> [2008/04/14 03:42:10 | 000,578,560 | ---- | M] (Microsoft Corporation)
"version" -> C:\WINDOWS\System32\version.dll -> [2008/04/14 03:42:10 | 000,018,944 | ---- | M] (Microsoft Corporation)
"wininet" -> C:\WINDOWS\System32\wininet.dll -> [2010/09/10 05:58:08 | 000,916,480 | ---- | M] (Microsoft Corporation)
"wldap32" -> C:\WINDOWS\System32\wldap32.dll -> [2008/04/14 03:42:10 | 000,172,032 | ---- | M] (Microsoft Corporation)
< Session Manager SFC Settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SFC -> 
"CommonFilesDir" -> C:\Program Files\Common Files -> [2010/12/11 10:00:33 | 000,000,000 | ---D | M]
"ProgramFilesDir" -> C:\Program Files -> [2010/12/10 22:29:55 | 000,000,000 | R--D | M]
< Registry Shell Spawning - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command -> 
batfile [open] -> "%1" %* -> 
cmdfile [open] -> "%1" %* -> 
comfile [open] -> "%1" %* -> 
exefile [open] -> "%1" %* -> 
piffile [open] -> "%1" %* -> 
scrfile [config] -> "%1" -> 
scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l -> [2008/04/14 03:42:42 | 000,135,168 | ---- | M] (Microsoft Corporation)
scrfile [open] -> "%1" /S -> 
Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 -> 
Directory [find] -> %SystemRoot%\Explorer.exe -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
Drive [find] -> %SystemRoot%\Explorer.exe -> [2008/04/14 03:42:20 | 001,033,728 | ---- | M] (Microsoft Corporation)
< Winsock2 Catalogs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\ -> 
NameSpace_Catalog5\Catalog_Entries\000000000004 [mdnsNSP] -> C:\Program Files\Bonjour\mdnsNSP.dll -> [2010/05/18 15:35:14 | 000,152,864 | ---- | M] (Apple Inc.)
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ -> 
{04B9AC25-2440-4368-8355-DA7303A133FC} -> TBO Advanced Chart Pattern Recognition
{0CB9668D-F979-4F31-B8B8-67FE90F929F8} -> Bonjour
{19ADA2D0-D577-11D2-A14E-08002BE4D8DC} -> MiraFoto
{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B} -> Cool & Quiet
{1F1C2DFC-2D24-3E06-BCB8-725134ADF989} -> Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
{1F45C0EC-17A4-4EE9-874D-A88757BD6C09} -> CapMan
{20C45B32-5AB6-46A4-94EF-58950CAF05E5} -> EPSON Attach To Email
{20D4A895-748C-4D88-871C-FDB1695B0169} -> Platform
{26A24AE4-039D-4CA4-87B4-2F83216019FF} -> Java(TM) 6 Update 22
{2A88F1BF-7041-4E42-84B1-6B4ACB83AC64} -> EPSON Scan Assistant
{314F6D08-A8B7-11D8-8446-0050BA1D384D} -> EPSON Image Clip Palette
{3248F0A8-6813-11D6-A77B-00B0D0150000} -> J2SE Runtime Environment 5.0
{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227} -> WebFldrs XP
{3675CF90-85D3-4DC2-85C9-C169BBCD2B2D} -> Sony Ericsson OCS
{3D9892BB-A751-4E48-ADC8-E4289956CE1D} -> QuickTime
{41F630B6-3A1C-40E0-8AD6-83C39C5B99E3} -> SyncThru Web Admin Service
{4286E640-B5FB-11DF-AC4B-005056C00008} -> Google Earth
{4588138D-4194-41F9-BAD7-8CB886C9AD4F} -> Sony Ericsson Mobile Networking Wizard
{45A66726-69BC-466B-A7A4-12FCBA4883D7} -> HiJackThis
{48F22622-1CC2-4A83-9C1E-644DD96F832D} -> EPSON Event Manager
{4A03706F-666A-4037-7777-5F2748764D10} -> Java Auto Updater
{4FB0FB47-8F1D-4339-8BE9-39819362AE05} -> Sony Ericsson Image Editor
{50F824C8-2CF6-4b6a-B272-359996E433C2} -> Citrix Endpoint Analysis Plugin
{5783F2D7-9028-0409-0000-0060B0CE6BBA} -> DWG TrueView 2011
{587178E7-B1DF-494E-9838-FA4DD36E873C} -> ASUSUpdate
{58FA5D40-E35A-47ED-8AFA-68CCC758559E} -> Garmin MapSource
{5A633ED0-E5D7-4D65-AB8D-53ED43510284} -> Symantec AntiVirus
{65F9E1F3-A2C1-4AA9-9F33-A3AEB0255F0E} -> Garmin USB Drivers
{67EDD823-135A-4D59-87BD-950616D6E857} -> EPSON Copy Utility 3
{6956856F-B6B3-4BE0-BA0B-8F495BE32033} -> Apple Software Update
{7299052b-02a4-4627-81f2-1818da5d550d} -> Microsoft Visual C++ 2005 Redistributable
{738B6229-A2BF-49BB-92C6-5328F49DAACD} -> NDAS Software 3.20.1528
{75B4F73F-4EB1-4126-AE4B-639F3CE6E411} -> Sony Ericsson Mobile Phone Monitor
{770657D0-A123-3C07-8E44-1C83EC895118} -> Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
{7AA828F3-BD67-495E-9742-BD9C3F196E78} -> PC Suite
{7AB3A249-FB81-416B-917A-A2A10E74C503} -> iTunes
{7FCC4EDC-6EE2-4309-ABD7-85F2667A7B90} -> WebEx Support Manager for Internet Explorer
{83E9FDFD-B4E9-4FB7-A767-8339664CDE96} -> Sony Ericsson MMS Home Studio
{83ED1E80-A1B7-4236-BCF1-AC4A88151A6B} -> Microsoft AutoRoute 2006
{85991ED2-010C-4930-96FA-52F43C2CE98A} -> Apple Mobile Device Support
{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00} -> Microsoft Silverlight
{8D20B4D7-3422-4099-9332-39F27E617A6F} -> Autodesk Design Review 2011
{8DD641C2-FFEC-4AED-A339-88BACFC60C39} -> Sony Ericsson Sound Editor
{900A92BA-19EF-4A34-86CF-7B6C85BDD971} -> VC_MergeModuleToMSI
{90110409-6000-11D3-8CFE-0150048383C9} -> Microsoft Office Professional Edition 2003
{949DBB22-2FB7-4de1-804C-23D495A988D8} -> CuteFTP 8 Home
{9743AF47-B746-4324-B4C4-512E67D04370} -> Symantec Technical Support Web Controls
{9A25302D-30C0-39D9-BD6F-21E6EC160475} -> Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7} -> Microsoft .NET Framework 3.0 Service Pack 2
{a9264802-8a7a-40fe-a135-5c6d204aed7a}.sdb -> Internet Explorer (Enable DEP)
{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2} -> Google Update Helper
{AC76BA86-7AD7-1033-7B44-A81300000003} -> Adobe Reader 8.1.6
{ACF60000-22B9-4CE9-98D6-2CCF359BAC07} -> ABBYY FineReader 6.0 Sprint
{B2D328BE-45AD-4D92-96F9-2151490A203E} -> Apple Application Support
{B8BC806D-0703-11D4-BB23-006008676AF8} -> Sony Ericsson Communications Suite
{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F} -> Microsoft .NET Framework 2.0 Service Pack 2
{C151CE54-E7EA-4804-854B-F515368B0798} -> Athlon 64 Processor Driver
{C4A4722E-79F9-417C-BD72-8D359A090C97} -> Samsung PC Studio 3
{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9} -> Microsoft .NET Framework 3.5 SP1
{D5CF3710-211B-11D4-B9B9-00105AE05C5D} -> XTNDConnect PC
{D642ACC5-F7E9-48F3-A7EE-B49C5447A10E} -> Samsung PC Studio 3
{D76D1828-BBA0-4BD9-8181-5ACC617DC5F2} -> Virtual Earth 3D (Beta)
{E86BC406-944E-41F6-ADE6-2C136734C96B} -> EPSON File Manager
{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76} -> Citrix XenApp Web Plugin
{F00B1D05-AB7C-4E0A-87A0-CC25D82D7F1D} -> Sony Ericsson File Manager
{F0A37341-D692-11D4-A984-009027EC0A9C} -> SoundMAX
{F2CE6BD0-54CD-4A53-BBB5-409D74B28EDD} -> Sony Ericsson Sync Station
{F7338FA3-DAB5-49B2-900D-0AFB5760C166} -> PC Probe II
{F8DF73E6-97CC-4950-96FC-0022EA737497} -> SyncThru Web Admin Service Driver Management
{FB4A5F2C-01AD-420E-9569-0CF5431C3638} -> 3D Home Designer Deluxe
49CF605F02C7954F4E139D18828DE298CD59217C -> Windows Driver Package - Garmin (grmnusb) GARMIN Devices  (06/03/2009 2.3.0.0)
Adobe Acrobat 5.0 -> Adobe Acrobat 5.0
Adobe Flash Player ActiveX -> Adobe Flash Player 10 ActiveX
Adobe Photoshop 7.0 -> Adobe Photoshop 7.0
Adobe SVG Viewer -> Adobe SVG Viewer 3.0
Advanced IP Scanner v1.5 -> Advanced IP Scanner v1.5
Autodesk Design Review 2011 -> Autodesk Design Review 2011
AviSynth -> AviSynth 2.5
CutePDF Writer Installation -> CutePDF Writer 2.7
Desktop Lawyer -> Desktop Lawyer
DVD Decrypter -> DVD Decrypter (Remove Only)
DVD Shrink_is1 -> DVD Shrink 3.2
DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5_is1 -> DVDFab (Platinum/Gold/HD Decrypter) (Option: Mobile) 5.1.1.0
DVDFab Express_is1 -> DVDFab Express 2.9.8.3
DWG TrueView 2011 -> DWG TrueView 2011
EasyHtml -> EasyHtml
EPSON Scanner -> EPSON Scan
EXIF Date Changer_is1 -> EXIF Date Changer v1.1
ExpressRip -> Express Rip
FileZilla -> FileZilla (remove only)
Free DVD Decrypter_is1 -> Free DVD Decrypter version 1.3
Free Internet Window Washer -> Free Internet Window Washer
Free IP Scanner -> Free IP Scanner
FTDICOMM -> SEMC DSS-20 SyncStation Driver
HijackThis -> HijackThis 1.99.1
IBP10_is1 -> IBP 10.0.1
ie8 -> Windows Internet Explorer 8
ImgBurn -> ImgBurn
InstallShield_{20C45B32-5AB6-46A4-94EF-58950CAF05E5} -> EPSON Attach To Email
InstallShield_{20D4A895-748C-4D88-871C-FDB1695B0169} -> VIA Platform Device Manager
InstallShield_{FB4A5F2C-01AD-420E-9569-0CF5431C3638} -> 3D Home Designer Deluxe Edition
Intel NetportExpress Software -> Intel NetportExpress Software
InterCasinoV9EnglishUSD -> InterCasino
Karen's Computer Profiler -> Karen's Computer Profiler
Karen's Directory Printer -> Karen's Directory Printer
LiveUpdate -> LiveUpdate 2.6 (Symantec Corporation)
[email protected]_1.0 -> [email protected] 2.50 Build 35
Magic DVD Copier_is1 -> Magic DVD Copier Version 4.9.3
Magic DVD Ripper_is1 -> Magic DVD Ripper V5.4.2
Malwarebytes' Anti-Malware_is1 -> Malwarebytes' Anti-Malware
Microsoft .NET Framework 3.5 SP1 -> Microsoft .NET Framework 3.5 SP1
NeroMultiInstaller!UninstallKey -> Nero Suite
No-IP.com DUC -> No-IP.com DUC (remove only)
Overlook Fing 1.4 ->  Overlook Fing
PC Magazine DiskAction 2_is1 -> PC Magazine DiskAction v2.3.1
Perf3490P_3590P User's Guide -> Perf3490P_3590P User's Guide
RealPlayer 6.0 -> RealPlayer
SAMSUNG CDMA Modem -> SAMSUNG CDMA Modem Driver Set
Samsung ML-7300 PCL 6 -> Samsung ML-7300 Driver
SAMSUNG Mobile Composite Device -> SAMSUNG Mobile Composite Device Software
Samsung Mobile phone USB driver -> Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem -> SAMSUNG Mobile USB Modem Software
SAMSUNG Mobile USB Modem 1.0 -> SAMSUNG Mobile USB Modem 1.0 Software
Switch -> Switch Sound File Converter
T610-616-630-637 USB-Handset Manager -> T610-616-630-637 USB-Handset Manager
TightVNC_is1 -> TightVNC 1.3.10
TomTom HOME -> TomTom HOME
Uninstall_is1 -> Uninstall 1.0.0.1
VIA Chrome9 HC IGP Display -> VIA/S3G Display Driver 6.14.10.0071
VIA Chrome9 HC IGP Family Display -> VIA Chrome9 HC IGP Family Display
VIA/S3G DeltaChrome IGP Win2K/XP/Server2003 Display -> VIA/S3G Display Driver
VIRGIN MOBILE BROADBAND HOME -> VIRGIN MOBILE BROADBAND HOME
VN_VUIns_Rhine_VIA -> VIA Rhine-Family Fast Ethernet Adapter
WavePad -> WavePad Sound Editor
winpcap-overlook -> winpcap-overlook 4.02
WinRAR archiver -> WinRAR archiver
< EventViewer Logs - Last 10 Errors > -> Event Information -> Description
System [ Error ] 10/12/2010 18:24:27 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7034 -> Description = The Symantec Event Manager service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 10/12/2010 18:24:27 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7034 -> Description = The SyncThru Web Admin Service Driver Management service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 10/12/2010 18:24:27 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7034 -> Description = The Application Layer Gateway Service service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 10/12/2010 18:24:27 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7034 -> Description = The NDAS Service service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 10/12/2010 18:24:27 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7034 -> Description = The Java Quick Starter service terminated unexpectedly.  It has done this 1 time(s).
System [ Error ] 10/12/2010 18:25:06 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7011 -> Description = Timeout (30000 milliseconds) waiting for a transaction response from the Symantec AntiVirus service.
System [ Error ] 10/12/2010 18:33:35 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   aec6710D
System [ Error ] 11/12/2010 05:32:28 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   aec6710D
System [ Error ] 11/12/2010 10:03:39 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   aec6710D
System [ Error ] 11/12/2010 14:06:58 Computer Name = MIKES-COMPUTER | Source = Service Control Manager | ID = 7026 -> Description = The following boot-start or system-start driver(s) failed to load:   aec6710D
 
[Files/Folders - Created Within 90 Days]
 OTS.exe -> C:\Documents and Settings\Mike\Desktop\OTS.exe -> [2010/12/11 17:00:28 | 000,642,048 | ---- | C] (OldTimer Tools)
 RECYCLER -> C:\RECYCLER -> [2010/12/11 13:39:09 | 000,000,000 | -HSD | C]
 mike2956 -> C:\mike2956 -> [2010/12/11 09:54:16 | 000,000,000 | ---D | C]
 rsit -> C:\rsit -> [2010/12/10 14:16:51 | 000,000,000 | ---D | C]
 delete -> C:\Documents and Settings\Mike\Desktop\delete -> [2010/12/08 16:41:24 | 000,000,000 | ---D | C]
 deployJava1.dll -> C:\WINDOWS\System32\deployJava1.dll -> [2010/12/07 23:49:36 | 000,472,808 | ---- | C] (Sun Microsystems, Inc.)
 javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/12/07 23:49:36 | 000,153,376 | ---- | C] (Sun Microsystems, Inc.)
 javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/12/07 23:49:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
 java.exe -> C:\WINDOWS\System32\java.exe -> [2010/12/07 23:49:36 | 000,145,184 | ---- | C] (Sun Microsystems, Inc.)
 Sun -> C:\Documents and Settings\LocalService\Application Data\Sun -> [2010/12/07 21:00:44 | 000,000,000 | ---D | C]
 Macromedia -> C:\Documents and Settings\LocalService\Application Data\Macromedia -> [2010/12/07 12:37:32 | 000,000,000 | ---D | C]
 Adobe -> C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe -> [2010/12/07 12:31:03 | 000,000,000 | ---D | C]
 cmdcons -> C:\cmdcons -> [2010/12/06 21:07:52 | 000,000,000 | RHSD | C]
 SWXCACLS.exe -> C:\WINDOWS\SWXCACLS.exe -> [2010/12/06 21:03:44 | 000,212,480 | ---- | C] (SteelWerX)
 SWREG.exe -> C:\WINDOWS\SWREG.exe -> [2010/12/06 21:03:44 | 000,161,792 | ---- | C] (SteelWerX)
 SWSC.exe -> C:\WINDOWS\SWSC.exe -> [2010/12/06 21:03:44 | 000,136,704 | ---- | C] (SteelWerX)
 NIRCMD.exe -> C:\WINDOWS\NIRCMD.exe -> [2010/12/06 21:03:44 | 000,031,232 | ---- | C] (NirSoft)
 ERDNT -> C:\WINDOWS\ERDNT -> [2010/12/06 21:03:27 | 000,000,000 | ---D | C]
 Qoobox -> C:\Qoobox -> [2010/12/06 21:02:17 | 000,000,000 | ---D | C]
 NyDtpHFB -> C:\Documents and Settings\Mike\Desktop\NyDtpHFB -> [2010/12/06 10:42:59 | 000,000,000 | ---D | C]
 Trend Micro -> C:\Program Files\Trend Micro -> [2010/12/05 23:14:58 | 000,000,000 | ---D | C]
 {00032D85-7853-429E-AF5A-DB8CCDA19A17} -> C:\Documents and Settings\Mike\Local Settings\Application Data\{00032D85-7853-429E-AF5A-DB8CCDA19A17} -> [2010/12/04 02:18:32 | 000,000,000 | ---D | C]
 test.exe -> C:\Documents and Settings\Mike\Desktop\test.exe -> [2010/12/04 01:23:18 | 000,045,568 | ---- | C] (Microsoft Corporation)
 ftser2k.sys -> C:\WINDOWS\System32\drivers\ftser2k.sys -> [2010/11/17 12:30:36 | 000,050,396 | ---- | C] (FTDI Ltd.)
 ftserui2.dll -> C:\WINDOWS\System32\ftserui2.dll -> [2010/11/17 12:30:36 | 000,048,631 | ---- | C] (FTDI Ltd.)
 ftlund.sys -> C:\WINDOWS\System32\drivers\ftlund.sys -> [2010/11/17 12:30:36 | 000,006,828 | ---- | C] (FTDI Ltd.)
 lbrtfdc.sys -> C:\WINDOWS\System32\drivers\lbrtfdc.sys -> [2010/09/15 21:41:19 | 000,034,688 | ---- | C] (Toshiba Corp.)
 lbrtfdc.sys -> C:\WINDOWS\System32\dllcache\lbrtfdc.sys -> [2010/09/15 21:41:19 | 000,034,688 | ---- | C] (Toshiba Corp.)
 i2omgmt.sys -> C:\WINDOWS\System32\dllcache\i2omgmt.sys -> [2010/09/15 21:41:18 | 000,008,576 | ---- | C] (Microsoft Corporation)
 fetnd5.sys -> C:\WINDOWS\System32\dllcache\fetnd5.sys -> [2010/09/15 21:41:05 | 000,027,165 | ---- | C] (VIA Technologies, Inc.              )
 changer.sys -> C:\WINDOWS\System32\drivers\changer.sys -> [2010/09/15 21:41:04 | 000,008,192 | ---- | C] (Microsoft Corporation)
 changer.sys -> C:\WINDOWS\System32\dllcache\changer.sys -> [2010/09/15 21:41:04 | 000,008,192 | ---- | C] (Microsoft Corporation)
 MiniWebControl.ocx -> C:\WINDOWS\System32\MiniWebControl.ocx -> [2010/09/14 00:05:59 | 000,035,840 | ---- | C] (Cryptologic Inc.)
 pcouffin.sys -> C:\Documents and Settings\Mike\Application Data\pcouffin.sys -> [2008/04/25 21:46:35 | 000,047,360 | ---- | C] (VSO Software)
 8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 1 C:\Documents and Settings\Mike\My Documents\*.tmp files -> C:\Documents and Settings\Mike\My Documents\*.tmp -> 
 
[Files/Folders - Modified Within 90 Days]
 perfh009.dat -> C:\WINDOWS\System32\perfh009.dat -> [2010/12/11 18:10:44 | 000,435,260 | ---- | M] ()
 perfc009.dat -> C:\WINDOWS\System32\perfc009.dat -> [2010/12/11 18:10:44 | 000,068,156 | ---- | M] ()
 GoogleUpdateTaskMachineCore.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job -> [2010/12/11 18:06:00 | 000,000,880 | ---- | M] ()
 bootstat.dat -> C:\WINDOWS\bootstat.dat -> [2010/12/11 18:05:51 | 000,002,048 | --S- | M] ()
 OTS.exe -> C:\Documents and Settings\Mike\Desktop\OTS.exe -> [2010/12/11 17:00:32 | 000,642,048 | ---- | M] (OldTimer Tools)
 GoogleUpdateTaskMachineUA.job -> C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job -> [2010/12/11 16:29:00 | 000,000,884 | ---- | M] ()
 kryli67m.exe -> C:\Documents and Settings\Mike\Desktop\kryli67m.exe -> [2010/12/11 13:50:28 | 000,296,448 | ---- | M] ()
 hosts -> C:\WINDOWS\System32\drivers\etc\hosts -> [2010/12/11 10:01:44 | 000,000,027 | ---- | M] ()
 mike2956.exe -> C:\Documents and Settings\Mike\Desktop\mike2956.exe -> [2010/12/11 09:51:07 | 003,988,311 | R--- | M] ()
 RSIT.exe -> C:\Documents and Settings\Mike\Desktop\RSIT.exe -> [2010/12/10 14:16:39 | 000,339,991 | ---- | M] ()
 Susan Egg balance calc.xls -> C:\Documents and Settings\Mike\My Documents\Susan Egg balance calc.xls -> [2010/12/10 13:55:05 | 000,014,336 | ---- | M] ()
 AppleSoftwareUpdate.job -> C:\WINDOWS\tasks\AppleSoftwareUpdate.job -> [2010/12/09 18:57:01 | 000,000,284 | ---- | M] ()
 NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2010/12/09 13:28:42 | 000,000,116 | ---- | M] ()
 Phone 10 12 09.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 10 12 09.pbf -> [2010/12/09 11:07:01 | 000,014,911 | ---- | M] ()
 Section 38 Cookridge Ave proposed B.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge Ave proposed B.doc -> [2010/12/09 11:05:51 | 000,044,544 | ---- | M] ()
 Section 38 Cookridge Ave proposed A.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge Ave proposed A.doc -> [2010/12/09 11:02:56 | 000,043,520 | ---- | M] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Mike\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2010/12/09 10:07:29 | 000,014,848 | ---- | M] ()
 Section 38 Cookridge ave as existing.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge ave as existing.doc -> [2010/12/08 23:05:12 | 000,032,768 | ---- | M] ()
 delete.zip -> C:\Documents and Settings\Mike\Desktop\delete.zip -> [2010/12/08 16:40:15 | 000,000,275 | ---- | M] ()
 Granny Grand Susan 2010.doc -> C:\Documents and Settings\Mike\My Documents\Granny Grand Susan 2010.doc -> [2010/12/08 15:39:42 | 000,031,232 | ---- | M] ()
 Screenshot.jpg -> C:\Documents and Settings\Mike\Desktop\Screenshot.jpg -> [2010/12/08 15:14:19 | 000,112,959 | ---- | M] ()
 Screenshot.bmp -> C:\Documents and Settings\Mike\Desktop\Screenshot.bmp -> [2010/12/08 15:11:26 | 001,440,054 | ---- | M] ()
 CF-Submit.htm -> C:\CF-Submit.htm -> [2010/12/08 11:31:54 | 000,001,286 | ---- | M] ()
 FNTCACHE.DAT -> C:\WINDOWS\System32\FNTCACHE.DAT -> [2010/12/07 23:45:35 | 000,322,728 | ---- | M] ()
 Launch Microsoft Office Outlook.lnk -> C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Microsoft Office Outlook.lnk -> [2010/12/07 22:28:13 | 000,000,792 | ---- | M] ()
 ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2010/12/07 21:49:59 | 000,000,490 | ---- | M] ()
 tdsskiller.exe -> C:\Documents and Settings\Mike\Desktop\tdsskiller.exe -> [2010/12/07 21:16:48 | 001,344,600 | ---- | M] (Kaspersky Lab ZAO)
 boot.ini -> C:\boot.ini -> [2010/12/06 21:07:57 | 000,000,327 | RHS- | M] ()
 mike2956.exe -> C:\Documents and Settings\Mike\My Documents\mike2956.exe -> [2010/12/06 20:59:19 | 003,985,074 | R--- | M] ()
 HiJackThis.lnk -> C:\Documents and Settings\Mike\Desktop\HiJackThis.lnk -> [2010/12/05 23:14:59 | 000,002,799 | ---- | M] ()
 Ufupanowetu.bin -> C:\WINDOWS\Ufupanowetu.bin -> [2010/12/04 08:00:02 | 000,000,000 | ---- | M] ()
 rkill.com -> C:\Documents and Settings\Mike\Desktop\rkill.com -> [2010/12/04 01:53:18 | 000,660,741 | ---- | M] ()
 shell.reg -> C:\Documents and Settings\Mike\Desktop\shell.reg -> [2010/12/04 01:44:32 | 000,000,228 | ---- | M] ()
 wpa.dbl -> C:\WINDOWS\System32\wpa.dbl -> [2010/12/03 08:59:18 | 000,002,206 | ---- | M] ()
 Inesse Cepurnaja reference.doc -> C:\Documents and Settings\Mike\My Documents\Inesse Cepurnaja reference.doc -> [2010/12/02 15:34:12 | 000,031,232 | ---- | M] ()
 mbamswissarmy.sys -> C:\WINDOWS\System32\drivers\mbamswissarmy.sys -> [2010/11/29 17:42:18 | 000,038,224 | ---- | M] (Malwarebytes Corporation)
 mbam.sys -> C:\WINDOWS\System32\drivers\mbam.sys -> [2010/11/29 17:42:06 | 000,020,952 | ---- | M] (Malwarebytes Corporation)
 Thesis_-_Joel_Callow.pdf -> C:\Documents and Settings\Mike\My Documents\Thesis_-_Joel_Callow.pdf -> [2010/11/27 00:34:04 | 008,732,036 | ---- | M] ()
 ductinglowprofile.pdf -> C:\Documents and Settings\Mike\My Documents\ductinglowprofile.pdf -> [2010/11/26 23:34:18 | 000,255,019 | ---- | M] ()
 Yearplanner_Maker_V2_1.xls -> C:\Documents and Settings\Mike\My Documents\Yearplanner_Maker_V2_1.xls -> [2010/11/25 15:13:16 | 000,121,344 | ---- | M] ()
 Daewoo payment record.xls -> C:\Documents and Settings\Mike\My Documents\Daewoo payment record.xls -> [2010/11/24 16:22:36 | 000,014,848 | ---- | M] ()
 Dawoo insurance.xls -> C:\Documents and Settings\Mike\My Documents\Dawoo insurance.xls -> [2010/11/24 16:16:36 | 000,015,360 | ---- | M] ()
 Leeds hospital fund benefits.xls -> C:\Documents and Settings\Mike\My Documents\Leeds hospital fund benefits.xls -> [2010/11/24 16:16:10 | 000,016,384 | ---- | M] ()
 nana.doc -> C:\Documents and Settings\Mike\My Documents\nana.doc -> [2010/11/19 14:57:40 | 000,026,624 | ---- | M] ()
 Granny Grand Sarah 2010.doc -> C:\Documents and Settings\Mike\My Documents\Granny Grand Sarah 2010.doc -> [2010/11/19 14:57:37 | 000,034,304 | ---- | M] ()
 ~$nana.doc -> C:\Documents and Settings\Mike\My Documents\~$nana.doc -> [2010/11/17 10:21:49 | 000,000,162 | -H-- | M] ()
 218.html -> C:\Documents and Settings\Mike\My Documents\218.html -> [2010/11/15 20:45:26 | 000,030,281 | ---- | M] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/11/08 01:20:24 | 000,089,088 | ---- | M] ()
 Default.rdp -> C:\Documents and Settings\Mike\My Documents\Default.rdp -> [2010/10/26 13:24:43 | 000,001,854 | -H-- | M] ()
 transact.doc -> C:\Documents and Settings\Mike\My Documents\transact.doc -> [2010/10/26 11:47:25 | 000,024,064 | ---- | M] ()
 optical prescriptions.xls -> C:\Documents and Settings\Mike\My Documents\optical prescriptions.xls -> [2010/10/21 20:49:15 | 000,015,872 | ---- | M] ()
 Gints CV.rtf -> C:\Documents and Settings\Mike\My Documents\Gints CV.rtf -> [2010/10/20 09:29:47 | 000,200,280 | ---- | M] ()
 I Cured My Gout.doc -> C:\Documents and Settings\Mike\My Documents\I Cured My Gout.doc -> [2010/10/17 22:39:49 | 000,174,592 | ---- | M] ()
 Cyprus bag contents.xls -> C:\Documents and Settings\Mike\My Documents\Cyprus bag contents.xls -> [2010/10/17 10:42:10 | 000,016,896 | ---- | M] ()
 imsins.BAK -> C:\WINDOWS\imsins.BAK -> [2010/10/16 10:28:50 | 000,001,393 | ---- | M] ()
 Eric expenses.xls -> C:\Documents and Settings\Mike\My Documents\Eric expenses.xls -> [2010/10/13 09:04:15 | 000,019,456 | ---- | M] ()
 Phone 10 10 10.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 10 10 10.pbf -> [2010/10/10 16:28:17 | 000,014,819 | ---- | M] ()
 Kristaps Muravjovs reference.doc -> C:\Documents and Settings\Mike\My Documents\Kristaps Muravjovs reference.doc -> [2010/10/10 16:27:43 | 000,031,232 | ---- | M] ()
 Sergejs Fjodorovs reference.doc -> C:\Documents and Settings\Mike\My Documents\Sergejs Fjodorovs reference.doc -> [2010/10/07 10:59:31 | 000,031,232 | ---- | M] ()
 hosts.20101204-022338.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20101204-022338.backup -> [2010/10/04 15:41:03 | 000,420,575 | R--- | M] ()
 FILES LIST.xls -> C:\Documents and Settings\Mike\My Documents\FILES LIST.xls -> [2010/10/03 18:22:55 | 000,036,352 | ---- | M] ()
 brian bill.xls -> C:\Documents and Settings\Mike\My Documents\brian bill.xls -> [2010/10/03 14:23:56 | 000,016,384 | ---- | M] ()
 Google Earth.lnk -> C:\Documents and Settings\All Users\Desktop\Google Earth.lnk -> [2010/10/02 22:32:08 | 000,001,915 | ---- | M] ()
 Phone 100921.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 100921.pbf -> [2010/09/21 09:14:07 | 000,014,819 | ---- | M] ()
 mfc42u.dll -> C:\WINDOWS\System32\mfc42u.dll -> [2010/09/18 11:23:26 | 000,974,848 | ---- | M] (Microsoft Corporation)
 mfc42u.dll -> C:\WINDOWS\System32\dllcache\mfc42u.dll -> [2010/09/18 11:23:26 | 000,974,848 | ---- | M] (Microsoft Corporation)
 mfc42.dll -> C:\WINDOWS\System32\mfc42.dll -> [2010/09/18 06:53:25 | 000,974,848 | ---- | M] (Microsoft Corporation)
 mfc42.dll -> C:\WINDOWS\System32\dllcache\mfc42.dll -> [2010/09/18 06:53:25 | 000,974,848 | ---- | M] (Microsoft Corporation)
 mfc40.dll -> C:\WINDOWS\System32\mfc40.dll -> [2010/09/18 06:53:25 | 000,954,368 | ---- | M] (Microsoft Corporation)
 mfc40.dll -> C:\WINDOWS\System32\dllcache\mfc40.dll -> [2010/09/18 06:53:25 | 000,954,368 | ---- | M] (Microsoft Corporation)
 mfc40u.dll -> C:\WINDOWS\System32\mfc40u.dll -> [2010/09/18 06:53:25 | 000,953,856 | ---- | M] (Microsoft Corporation)
 mfc40u.dll -> C:\WINDOWS\System32\dllcache\mfc40u.dll -> [2010/09/18 06:53:25 | 000,953,856 | ---- | M] (Microsoft Corporation)
 Spuwa.dat -> C:\WINDOWS\Spuwa.dat -> [2010/09/15 23:43:18 | 000,000,120 | ---- | M] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2010/09/15 23:27:09 | 000,000,155 | ---- | M] ()
 hosts.20101004-164103.backup -> C:\WINDOWS\System32\drivers\etc\hosts.20101004-164103.backup -> [2010/09/15 22:43:16 | 000,419,339 | R--- | M] ()
 javaws.exe -> C:\WINDOWS\System32\javaws.exe -> [2010/09/15 04:50:52 | 000,153,376 | ---- | M] (Sun Microsystems, Inc.)
 javaw.exe -> C:\WINDOWS\System32\javaw.exe -> [2010/09/15 04:50:51 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.)
 java.exe -> C:\WINDOWS\System32\java.exe -> [2010/09/15 04:50:49 | 000,145,184 | ---- | M] (Sun Microsystems, Inc.)
 deployJava1.dll -> C:\WINDOWS\System32\deployJava1.dll -> [2010/09/15 04:50:37 | 000,472,808 | ---- | M] (Sun Microsystems, Inc.)
 javacpl.cpl -> C:\WINDOWS\System32\javacpl.cpl -> [2010/09/15 02:29:49 | 000,073,728 | ---- | M] (Sun Microsystems, Inc.)
 InterCasino USD.lnk -> C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\InterCasino USD.lnk -> [2010/09/14 00:05:59 | 000,001,617 | ---- | M] ()
 InterCasino USD.lnk -> C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk -> [2010/09/14 00:05:59 | 000,001,599 | ---- | M] ()
 8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> 
 1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> 
 1 C:\Documents and Settings\Mike\My Documents\*.tmp files -> C:\Documents and Settings\Mike\My Documents\*.tmp -> 
 
[Files - No Company Name]
 kryli67m.exe -> C:\Documents and Settings\Mike\Desktop\kryli67m.exe -> [2010/12/11 13:50:27 | 000,296,448 | ---- | C] ()
 RSIT.exe -> C:\Documents and Settings\Mike\Desktop\RSIT.exe -> [2010/12/10 14:16:29 | 000,339,991 | ---- | C] ()
 Phone 10 12 09.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 10 12 09.pbf -> [2010/12/09 11:07:01 | 000,014,911 | ---- | C] ()
 Section 38 Cookridge Ave proposed B.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge Ave proposed B.doc -> [2010/12/08 22:31:35 | 000,044,544 | ---- | C] ()
 Section 38 Cookridge Ave proposed A.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge Ave proposed A.doc -> [2010/12/08 21:10:51 | 000,043,520 | ---- | C] ()
 delete.zip -> C:\Documents and Settings\Mike\Desktop\delete.zip -> [2010/12/08 16:40:14 | 000,000,275 | ---- | C] ()
 Granny Grand Susan 2010.doc -> C:\Documents and Settings\Mike\My Documents\Granny Grand Susan 2010.doc -> [2010/12/08 15:36:03 | 000,031,232 | ---- | C] ()
 Screenshot.jpg -> C:\Documents and Settings\Mike\Desktop\Screenshot.jpg -> [2010/12/08 15:14:09 | 000,112,959 | ---- | C] ()
 Screenshot.bmp -> C:\Documents and Settings\Mike\Desktop\Screenshot.bmp -> [2010/12/08 15:11:25 | 001,440,054 | ---- | C] ()
 CF-Submit.htm -> C:\CF-Submit.htm -> [2010/12/08 11:31:54 | 000,001,286 | ---- | C] ()
 mike2956.exe -> C:\Documents and Settings\Mike\Desktop\mike2956.exe -> [2010/12/08 09:21:57 | 003,988,311 | R--- | C] ()
 Section 38 Cookridge ave as existing.doc -> C:\Documents and Settings\Mike\My Documents\Section 38 Cookridge ave as existing.doc -> [2010/12/07 23:28:58 | 000,032,768 | ---- | C] ()
 Boot.bak -> C:\Boot.bak -> [2010/12/06 21:07:57 | 000,000,211 | ---- | C] ()
 cmldr -> C:\cmldr -> [2010/12/06 21:07:55 | 000,260,272 | RHS- | C] ()
 PEV.exe -> C:\WINDOWS\PEV.exe -> [2010/12/06 21:03:44 | 000,256,512 | ---- | C] ()
 sed.exe -> C:\WINDOWS\sed.exe -> [2010/12/06 21:03:44 | 000,098,816 | ---- | C] ()
 MBR.exe -> C:\WINDOWS\MBR.exe -> [2010/12/06 21:03:44 | 000,089,088 | ---- | C] ()
 grep.exe -> C:\WINDOWS\grep.exe -> [2010/12/06 21:03:44 | 000,080,412 | ---- | C] ()
 zip.exe -> C:\WINDOWS\zip.exe -> [2010/12/06 21:03:44 | 000,068,096 | ---- | C] ()
 mike2956.exe -> C:\Documents and Settings\Mike\My Documents\mike2956.exe -> [2010/12/06 20:59:07 | 003,985,074 | R--- | C] ()
 rkill.com -> C:\Documents and Settings\Mike\Desktop\rkill.com -> [2010/12/04 01:53:34 | 000,660,741 | ---- | C] ()
 shell.reg -> C:\Documents and Settings\Mike\Desktop\shell.reg -> [2010/12/04 01:47:59 | 000,000,228 | ---- | C] ()
 Inesse Cepurnaja reference.doc -> C:\Documents and Settings\Mike\My Documents\Inesse Cepurnaja reference.doc -> [2010/12/02 13:51:02 | 000,031,232 | ---- | C] ()
 Thesis_-_Joel_Callow.pdf -> C:\Documents and Settings\Mike\My Documents\Thesis_-_Joel_Callow.pdf -> [2010/11/27 00:34:04 | 008,732,036 | ---- | C] ()
 ductinglowprofile.pdf -> C:\Documents and Settings\Mike\My Documents\ductinglowprofile.pdf -> [2010/11/26 23:34:16 | 000,255,019 | ---- | C] ()
 Susan Egg balance calc.xls -> C:\Documents and Settings\Mike\My Documents\Susan Egg balance calc.xls -> [2010/11/22 17:34:30 | 000,014,336 | ---- | C] ()
 Granny Grand Sarah 2010.doc -> C:\Documents and Settings\Mike\My Documents\Granny Grand Sarah 2010.doc -> [2010/11/19 14:51:23 | 000,034,304 | ---- | C] ()
 ~$nana.doc -> C:\Documents and Settings\Mike\My Documents\~$nana.doc -> [2010/11/17 10:21:49 | 000,000,162 | -H-- | C] ()
 nana.doc -> C:\Documents and Settings\Mike\My Documents\nana.doc -> [2010/11/16 22:14:44 | 000,026,624 | ---- | C] ()
 218.html -> C:\Documents and Settings\Mike\My Documents\218.html -> [2010/11/15 20:45:21 | 000,030,281 | ---- | C] ()
 transact.doc -> C:\Documents and Settings\Mike\My Documents\transact.doc -> [2010/10/26 11:47:24 | 000,024,064 | ---- | C] ()
 Gints CV.rtf -> C:\Documents and Settings\Mike\My Documents\Gints CV.rtf -> [2010/10/20 09:21:26 | 000,200,280 | ---- | C] ()
 I Cured My Gout.doc -> C:\Documents and Settings\Mike\My Documents\I Cured My Gout.doc -> [2010/10/17 22:39:49 | 000,174,592 | ---- | C] ()
 Daewoo payment record.xls -> C:\Documents and Settings\Mike\My Documents\Daewoo payment record.xls -> [2010/10/10 16:48:53 | 000,014,848 | ---- | C] ()
 Phone 10 10 10.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 10 10 10.pbf -> [2010/10/10 16:28:17 | 000,014,819 | ---- | C] ()
 Kristaps Muravjovs reference.doc -> C:\Documents and Settings\Mike\My Documents\Kristaps Muravjovs reference.doc -> [2010/10/10 16:22:53 | 000,031,232 | ---- | C] ()
 Sergejs Fjodorovs reference.doc -> C:\Documents and Settings\Mike\My Documents\Sergejs Fjodorovs reference.doc -> [2010/10/07 10:58:12 | 000,031,232 | ---- | C] ()
 Google Earth.lnk -> C:\Documents and Settings\All Users\Desktop\Google Earth.lnk -> [2010/10/02 22:32:08 | 000,001,915 | ---- | C] ()
 Phone 100921.pbf -> C:\Documents and Settings\Mike\My Documents\Phone 100921.pbf -> [2010/09/21 09:06:13 | 000,014,819 | ---- | C] ()
 Spuwa.dat -> C:\WINDOWS\Spuwa.dat -> [2010/09/15 21:42:20 | 000,000,120 | ---- | C] ()
 Ufupanowetu.bin -> C:\WINDOWS\Ufupanowetu.bin -> [2010/09/15 21:42:20 | 000,000,000 | ---- | C] ()
 InterCasino USD.lnk -> C:\Documents and Settings\Mike\Application Data\Microsoft\Internet Explorer\Quick Launch\InterCasino USD.lnk -> [2010/09/14 00:05:59 | 000,001,617 | ---- | C] ()
 InterCasino USD.lnk -> C:\Documents and Settings\Mike\Desktop\InterCasino USD.lnk -> [2010/09/14 00:05:59 | 000,001,599 | ---- | C] ()
 FontCache3.0.0.0.dat -> C:\Documents and Settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat -> [2010/07/25 00:02:46 | 000,440,280 | ---- | C] ()
 atscie.msi -> C:\Documents and Settings\All Users\Application Data\atscie.msi -> [2010/06/26 01:44:19 | 008,892,928 | ---- | C] ()
 Wnpmgr32.INI -> C:\WINDOWS\Wnpmgr32.INI -> [2010/06/24 00:10:21 | 000,000,000 | ---- | C] ()
 Dmiapi.dll -> C:\WINDOWS\System32\Dmiapi.dll -> [2010/06/24 00:01:51 | 000,036,800 | ---- | C] ()
 metaLib.dll -> C:\WINDOWS\System32\metaLib.dll -> [2009/05/29 21:19:50 | 000,417,792 | ---- | C] ()
 pthreadVC.dll -> C:\WINDOWS\System32\pthreadVC.dll -> [2009/02/08 11:12:50 | 000,053,299 | ---- | C] ()
 wininit.ini -> C:\WINDOWS\wininit.ini -> [2009/01/15 08:47:43 | 000,000,155 | ---- | C] ()
 scanusds.dll -> C:\WINDOWS\System32\scanusds.dll -> [2009/01/04 12:35:57 | 000,053,248 | ---- | C] ()
 hibit_ser.dll -> C:\WINDOWS\System32\hibit_ser.dll -> [2008/10/26 15:11:49 | 000,204,907 | ---- | C] ()
 LauncherAccess.dt -> C:\Documents and Settings\All Users\Application Data\LauncherAccess.dt -> [2008/08/25 23:19:44 | 000,000,000 | ---- | C] ()
 StarOpen.sys -> C:\WINDOWS\System32\drivers\StarOpen.sys -> [2008/08/25 23:17:29 | 000,005,632 | ---- | C] ()
 pcouffin.log -> C:\Documents and Settings\Mike\Application Data\pcouffin.log -> [2008/04/25 21:46:38 | 000,000,034 | ---- | C] ()
 ezpinst.exe -> C:\Documents and Settings\Mike\Application Data\ezpinst.exe -> [2008/04/25 21:46:35 | 000,081,920 | ---- | C] ()
 pcouffin.cat -> C:\Documents and Settings\Mike\Application Data\pcouffin.cat -> [2008/04/25 21:46:35 | 000,007,887 | ---- | C] ()
 pcouffin.inf -> C:\Documents and Settings\Mike\Application Data\pcouffin.inf -> [2008/04/25 21:46:35 | 000,001,144 | ---- | C] ()
 DEBUGSM.INI -> C:\WINDOWS\DEBUGSM.INI -> [2008/04/11 14:47:58 | 000,000,029 | ---- | C] ()
 PICSDK.ini -> C:\WINDOWS\System32\PICSDK.ini -> [2008/01/03 21:22:47 | 000,000,099 | ---- | C] ()
 CDE P34903590EF.ini -> C:\WINDOWS\CDE P34903590EF.ini -> [2008/01/03 21:20:10 | 000,000,027 | ---- | C] ()
 ph401.dll -> C:\WINDOWS\ph401.dll -> [2007/12/27 16:39:09 | 000,000,058 | ---- | C] ()
 cpwmon2k.dll -> C:\WINDOWS\System32\cpwmon2k.dll -> [2007/12/27 16:17:38 | 000,087,552 | ---- | C] ()
 DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> C:\Documents and Settings\Mike\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini -> [2007/12/27 13:45:56 | 000,014,848 | ---- | C] ()
 NeroDigital.ini -> C:\WINDOWS\NeroDigital.ini -> [2007/12/25 22:41:10 | 000,000,116 | ---- | C] ()
 NMOCOD.DLL -> C:\WINDOWS\System32\NMOCOD.DLL -> [2007/12/24 12:31:51 | 000,240,640 | ---- | C] ()
 ODBC.INI -> C:\WINDOWS\ODBC.INI -> [2007/12/24 12:22:30 | 000,000,490 | ---- | C] ()
 vpc32.INI -> C:\WINDOWS\vpc32.INI -> [2007/12/24 11:52:42 | 000,000,000 | ---- | C] ()
 AsIO.dll -> C:\WINDOWS\System32\AsIO.dll -> [2007/12/24 00:32:48 | 000,024,576 | R--- | C] ()
 AsIO.sys -> C:\WINDOWS\System32\drivers\AsIO.sys -> [2007/12/24 00:32:48 | 000,004,962 | R--- | C] ()
 AsInsHelp64.sys -> C:\WINDOWS\System32\drivers\AsInsHelp64.sys -> [2007/12/24 00:32:46 | 000,005,120 | ---- | C] ()
 AsInsHelp32.sys -> C:\WINDOWS\System32\drivers\AsInsHelp32.sys -> [2007/12/24 00:32:46 | 000,003,328 | ---- | C] ()
 AmdK8.sys -> C:\WINDOWS\System32\drivers\AmdK8.sys -> [2007/12/24 00:14:21 | 000,036,352 | ---- | C] ()
 s3gcil_inv.dll -> C:\WINDOWS\System32\s3gcil_inv.dll -> [2007/12/24 00:13:36 | 002,702,848 | ---- | C] ()
 s3gcil_csr.dll -> C:\WINDOWS\System32\s3gcil_csr.dll -> [2007/12/24 00:13:33 | 001,979,392 | R--- | C] ()
 vuins32.dll -> C:\WINDOWS\System32\vuins32.dll -> [2007/12/24 00:01:51 | 000,061,440 | ---- | C] ()
 vusetup.dll -> C:\WINDOWS\System32\vusetup.dll -> [2007/12/23 23:58:35 | 000,045,056 | ---- | C] ()
 Ascd_tmp.ini -> C:\WINDOWS\Ascd_tmp.ini -> [2007/12/23 23:57:13 | 000,017,227 | ---- | C] ()
 ASACPI.sys -> C:\WINDOWS\System32\drivers\ASACPI.sys -> [2007/12/23 23:57:13 | 000,005,810 | R--- | C] ()
 ASUSHWIO.SYS -> C:\WINDOWS\System32\drivers\ASUSHWIO.SYS -> [2007/12/23 23:57:11 | 000,005,824 | ---- | C] ()
 ODBCINST.INI -> C:\WINDOWS\ODBCINST.INI -> [2007/12/23 20:01:33 | 000,004,161 | ---- | C] ()
 sx7.dll -> C:\WINDOWS\System32\sx7.dll -> [2006/06/23 11:16:26 | 000,098,304 | ---- | C] ()
 zlib.dll -> C:\WINDOWS\System32\zlib.dll -> [2005/07/20 10:48:10 | 000,059,904 | ---- | C] ()
 OUTLPERF.INI -> C:\WINDOWS\System32\OUTLPERF.INI -> [2003/01/07 15:05:08 | 000,002,695 | ---- | C] ()
 ftdiun2k.ini -> C:\WINDOWS\System32\ftdiun2k.ini -> [2002/12/20 15:11:10 | 000,000,092 | ---- | C] ()
 3dg32.dll -> C:\WINDOWS\System32\3dg32.dll -> [1996/05/21 18:13:34 | 000,374,784 | ---- | C] ()
 3dr.ini -> C:\WINDOWS\System32\3dr.ini -> [1996/04/17 08:48:40 | 000,000,250 | ---- | C] ()
 
[File - Lop Check]
 Autodesk -> C:\Documents and Settings\All Users\Application Data\Autodesk -> [2010/07/24 23:02:31 | 000,000,000 | ---D | M]
 DeskSoft -> C:\Documents and Settings\All Users\Application Data\DeskSoft -> [2008/08/15 23:28:07 | 000,000,000 | ---D | M]
 GARMIN -> C:\Documents and Settings\All Users\Application Data\GARMIN -> [2010/04/12 23:55:43 | 000,000,000 | ---D | M]
 GlobalSCAPE -> C:\Documents and Settings\All Users\Application Data\GlobalSCAPE -> [2009/08/25 22:56:15 | 000,000,000 | ---D | M]
 Karen's Power Tools -> C:\Documents and Settings\All Users\Application Data\Karen's Power Tools -> [2007/12/27 17:01:08 | 000,000,000 | ---D | M]
 My Pictures -> C:\Documents and Settings\All Users\Application Data\My Pictures -> [2009/10/31 18:12:05 | 000,000,000 | ---D | M]
 NCH Swift Sound -> C:\Documents and Settings\All Users\Application Data\NCH Swift Sound -> [2009/11/19 11:03:19 | 000,000,000 | ---D | M]
 Overlook -> C:\Documents and Settings\All Users\Application Data\Overlook -> [2010/09/04 00:16:52 | 000,000,000 | ---D | M]
 PC Drivers HeadQuarters -> C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters -> [2008/02/02 00:50:34 | 000,000,000 | ---D | M]
 Viewpoint -> C:\Documents and Settings\All Users\Application Data\Viewpoint -> [2010/06/29 23:01:34 | 000,000,000 | ---D | M]
 vsosdk -> C:\Documents and Settings\All Users\Application Data\vsosdk -> [2010/02/09 10:50:57 | 000,000,000 | ---D | M]
 {429CAD59-35B1-4DBC-BB6D-1DB246563521} -> C:\Documents and Settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521} -> [2010/07/15 18:26:30 | 000,000,000 | ---D | M]
 {755AC846-7372-4AC8-8550-C52491DAA8BD} -> C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD} -> [2009/11/19 21:45:41 | 000,000,000 | ---D | M]
 {8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> C:\Documents and Settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906} -> [2009/05/22 11:32:28 | 000,000,000 | ---D | M]
 Autodesk -> C:\Documents and Settings\Mike\Application Data\Autodesk -> [2010/07/24 23:03:11 | 000,000,000 | ---D | M]
 AutoTransfer -> C:\Documents and Settings\Mike\Application Data\AutoTransfer -> [2008/06/15 12:59:24 | 000,000,000 | ---D | M]
 Citrix -> C:\Documents and Settings\Mike\Application Data\Citrix -> [2010/07/10 09:46:25 | 000,000,000 | ---D | M]
 DeskSoft -> C:\Documents and Settings\Mike\Application Data\DeskSoft -> [2008/12/18 23:42:11 | 000,000,000 | ---D | M]
 ElevatedDiagnostics -> C:\Documents and Settings\Mike\Application Data\ElevatedDiagnostics -> [2010/06/27 13:23:10 | 000,000,000 | ---D | M]
 EPSON -> C:\Documents and Settings\Mike\Application Data\EPSON -> [2008/04/17 09:20:55 | 000,000,000 | ---D | M]
 GARMIN -> C:\Documents and Settings\Mike\Application Data\GARMIN -> [2010/04/13 00:26:37 | 000,000,000 | ---D | M]
 GlobalSCAPE -> C:\Documents and Settings\Mike\Application Data\GlobalSCAPE -> [2009/08/25 22:56:15 | 000,000,000 | ---D | M]
 IBP -> C:\Documents and Settings\Mike\Application Data\IBP -> [2010/04/21 01:11:46 | 000,000,000 | ---D | M]
 ICAClient -> C:\Documents and Settings\Mike\Application Data\ICAClient -> [2010/07/10 10:45:58 | 000,000,000 | ---D | M]
 ImgBurn -> C:\Documents and Settings\Mike\Application Data\ImgBurn -> [2008/12/29 23:50:23 | 000,000,000 | ---D | M]
 InterTrust -> C:\Documents and Settings\Mike\Application Data\InterTrust -> [2007/12/24 11:07:14 | 000,000,000 | ---D | M]
 MobileAction -> C:\Documents and Settings\Mike\Application Data\MobileAction -> [2007/12/27 17:20:22 | 000,000,000 | ---D | M]
 NCH Swift Sound -> C:\Documents and Settings\Mike\Application Data\NCH Swift Sound -> [2009/11/19 11:02:28 | 000,000,000 | ---D | M]
 NeoDownloader -> C:\Documents and Settings\Mike\Application Data\NeoDownloader -> [2007/12/27 17:11:42 | 000,000,000 | ---D | M]
 Netscape -> C:\Documents and Settings\Mike\Application Data\Netscape -> [2010/07/10 09:46:25 | 000,000,000 | ---D | M]
 Overlook -> C:\Documents and Settings\Mike\Application Data\Overlook -> [2010/09/04 00:22:50 | 000,000,000 | ---D | M]
 PC Magazine Utilities -> C:\Documents and Settings\Mike\Application Data\PC Magazine Utilities -> [2007/12/27 14:09:29 | 000,000,000 | ---D | M]
 RipIt4Me -> C:\Documents and Settings\Mike\Application Data\RipIt4Me -> [2010/01/26 15:59:21 | 000,000,000 | ---D | M]
 Samsung -> C:\Documents and Settings\Mike\Application Data\Samsung -> [2008/08/25 23:21:31 | 000,000,000 | ---D | M]
 TomTom -> C:\Documents and Settings\Mike\Application Data\TomTom -> [2008/01/10 11:06:47 | 000,000,000 | ---D | M]
 Uniblue -> C:\Documents and Settings\Mike\Application Data\Uniblue -> [2008/02/11 15:56:47 | 000,000,000 | ---D | M]
 Vso -> C:\Documents and Settings\Mike\Application Data\Vso -> [2009/12/04 23:42:29 | 000,000,000 | ---D | M]
 
[File - Purity Scan]
 
< End of report >
```


----------



## dvk01 (Dec 14, 2002)

it looks like only registry entries & combofix was getting confused 
Start *OTS*. Copy/Paste the information in the Code box below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill All Processes]
[Unregister Dlls]
[Registry - All]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Run [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "{24C4E14A-76E2-82F4-60F0-D7298167A66A}" -> C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe ["C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe"]
[Files/Folders - Created Within 90 Days]
NY ->  delete -> C:\Documents and Settings\Mike\Desktop\delete
NY ->  NyDtpHFB -> C:\Documents and Settings\Mike\Desktop\NyDtpHFB
NY ->  test.exe -> C:\Documents and Settings\Mike\Desktop\test.exe
NY ->  8 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp
NY ->  1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
NY ->  1 C:\Documents and Settings\Mike\My Documents\*.tmp files -> C:\Documents and Settings\Mike\My Documents\*.tmp
[Files/Folders - Modified Within 90 Days]
NY ->  kryli67m.exe -> C:\Documents and Settings\Mike\Desktop\kryli67m.exe
NY ->  delete.zip -> C:\Documents and Settings\Mike\Desktop\delete.zip
NY ->  Ufupanowetu.bin -> C:\WINDOWS\Ufupanowetu.bin
[Files - No Company Name]
NY ->  Spuwa.dat -> C:\WINDOWS\Spuwa.dat
NY ->  Ufupanowetu.bin -> C:\WINDOWS\Ufupanowetu.bin
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new OTS scan*.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------
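
The OTS fix above removes an enabled loopback proxy (ProxyServer http=127.0.0.1:5577 under the .DEFAULT and S-1-5-18 hives) and a GUID-named Run value launching from a profile's Application Data folder. As an added example (not OTS's or either poster's code), this Python script flags exactly those two patterns in OTS-format registry lines; the sample lines are constructed to mirror the entries quoted in the fix, and the proxy.example.corp entry is an assumed ordinary proxy included to show what is not flagged.

```python
"""Flag a loopback proxy hijack and GUID-named Run values in OTS-format registry lines."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample in the OTS registry-section format quoted in this thread.
# The two loopback ProxyServer values and the GUID Run value mirror the fix above;
# proxy.example.corp is an assumed ordinary proxy that should NOT be flagged.
SAMPLE_OTS_LINES = r'''
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyEnable" -> 1
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:5577
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> 
YN -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: "ProxyEnable" -> 1
YN -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\: "ProxyServer" -> proxy.example.corp:8080
< Run [HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\] > -> HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "{24C4E14A-76E2-82F4-60F0-D7298167A66A}" -> C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe ["C:\Documents and Settings\Mike\Application Data\Monu\ciru.exe"]
YN -> "ctfmon.exe" -> C:\WINDOWS\system32\ctfmon.exe [C:\WINDOWS\system32\ctfmon.exe]
'''

SECTION_RE = re.compile(r'^< (?P<section>.+?) \[(?P<hive>[^\]]+)\] >')
VALUE_RE = re.compile(r'^[YN]{2} -> (?P<key>[^"]+?): "(?P<name>[^"]+)" -> (?P<value>.*)$')
RUN_RE = re.compile(r'^[YN]{2} -> "(?P<name>[^"]+)" -> (?P<path>.*?)(?: \[.*\])?\s*$')
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')
# Executables launched from a user profile's data directories rather than Program Files / System32
PROFILE_DATA_RE = re.compile(r'\\(?:Application Data|AppData)\\', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # 'loopback_proxy' or 'guid_run_entry'
    hive: str    # registry hive (user SID) the entry lives under
    detail: str


def parse_proxy_server(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split an IE ProxyServer string ('http=127.0.0.1:5577', 'a:1;https=b:2', ...)
    into (scheme, host, port) tuples; scheme is '*' when no prefix is given."""
    entries = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition('=')
        host, _, port = hostport.rpartition(':')
        if not host:                      # no port present
            host, port = hostport, ''
        entries.append((scheme or '*', host.strip('[]'), int(port) if port.isdigit() else None))
    return entries


def is_loopback_host(host: str) -> bool:
    """True for 'localhost' or any loopback address (127.0.0.0/8, ::1)."""
    if host.lower() == 'localhost':
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def scan_ots_lines(lines: Iterable[str]) -> List[Finding]:
    """Walk OTS registry lines, tracking the current section header, and report
    enabled loopback proxies and GUID-named Run values launched from a profile."""
    findings: List[Finding] = []
    proxy_state: dict = {}   # hive -> {'ProxyEnable': ..., 'ProxyServer': ...}
    section = hive = ''
    for raw in lines:
        line = raw.rstrip('\r\n')
        m = SECTION_RE.match(line)
        if m:
            section, hive = m.group('section'), m.group('hive')
            continue
        if section.startswith('Internet Explorer Settings'):
            m = VALUE_RE.match(line)
            if m and m.group('name') in ('ProxyEnable', 'ProxyServer'):
                proxy_state.setdefault(hive, {})[m.group('name')] = m.group('value').strip()
        elif section.startswith('Run'):
            m = RUN_RE.match(line)
            if m and GUID_RE.match(m.group('name')) and PROFILE_DATA_RE.search(m.group('path')):
                findings.append(Finding('guid_run_entry', hive, f"{m.group('name')} -> {m.group('path')}"))
    # A proxy only takes effect when ProxyEnable is 1. The .DEFAULT and S-1-5-18 (SYSTEM)
    # hives never browse interactively, so an enabled loopback proxy there is the hijack signature.
    for h, vals in proxy_state.items():
        if vals.get('ProxyEnable') != '1':
            continue
        for scheme, host, port in parse_proxy_server(vals.get('ProxyServer', '')):
            if is_loopback_host(host):
                findings.append(Finding('loopback_proxy', h, f'{scheme}={host}:{port}'))
    return findings


if __name__ == '__main__':
    for f in scan_ots_lines(SAMPLE_OTS_LINES.splitlines()):
        print(f'{f.kind:16} {f.hive:60} {f.detail}')
```

On the sample it reports the GUID Run value plus the two loopback proxies and stays silent on the ordinary corporate proxy; a process bound to the flagged loopback port is the next thing to identify.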



## mike2956 (Dec 6, 2010)

Fix run went OK, here is log.

New scan to follow.

Mike

```
All Processes Killed
[Registry - All]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable deleted successfully.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.
Unable to delete registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable .
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer not found.
Registry value HKEY_USERS\S-1-5-21-1935655697-1085031214-725345543-1003\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\{24C4E14A-76E2-82F4-60F0-D7298167A66A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24C4E14A-76E2-82F4-60F0-D7298167A66A}\ not found.
[Files/Folders - Created Within 90 Days]
C:\Documents and Settings\Mike\Desktop\delete folder moved successfully.
C:\Documents and Settings\Mike\Desktop\NyDtpHFB folder moved successfully.
C:\Documents and Settings\Mike\Desktop\test.exe moved successfully.
C:\WINDOWS\003285_.tmp deleted successfully.
C:\WINDOWS\DUMP8e55.tmp deleted successfully.
C:\WINDOWS\SET3.tmp deleted successfully.
C:\WINDOWS\SET4.tmp deleted successfully.
C:\WINDOWS\SET8.tmp deleted successfully.
C:\WINDOWS\SETE6.tmp deleted successfully.
C:\WINDOWS\SETE9.tmp deleted successfully.
C:\WINDOWS\SETF5.tmp deleted successfully.
C:\WINDOWS\System32\CONFIG.TMP deleted successfully.
C:\Documents and Settings\Mike\My Documents\~WRL0002.tmp deleted successfully.
[Files/Folders - Modified Within 90 Days]
C:\Documents and Settings\Mike\Desktop\kryli67m.exe moved successfully.
C:\Documents and Settings\Mike\Desktop\delete.zip moved successfully.
C:\WINDOWS\Ufupanowetu.bin moved successfully.
[Files - No Company Name]
C:\WINDOWS\Spuwa.dat moved successfully.
File C:\WINDOWS\Ufupanowetu.bin not found!
[Empty Temp Folders]

User: All Users
```
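Reviewing a fix log like the one above means separating the lines that actually removed something from the ones that failed ("Unable to delete") or found nothing, while not over-reading a "not found" that refers to an item an earlier line already moved (Ufupanowetu.bin). The following is an added example, not part of the thread or of OTS itself; the sample log is a constructed, abridged copy of the lines posted above, and the result phrasings it recognises are assumed from those lines only.

```python
import re

# Constructed sample: an abridged copy of the OTS fix log posted in this thread.
SAMPLE_LOG = r"""All Processes Killed
[Registry - All]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable deleted successfully.
Unable to delete registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable .
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{24C4E14A-76E2-82F4-60F0-D7298167A66A}\ not found.
[Files/Folders - Modified Within 90 Days]
C:\WINDOWS\Ufupanowetu.bin moved successfully.
[Files - No Company Name]
C:\WINDOWS\Spuwa.dat moved successfully.
File C:\WINDOWS\Ufupanowetu.bin not found!
[Empty Temp Folders]
"""

# One pattern per result phrasing seen in the log (assumed from the posted lines);
# a fixed status, or None to derive it from the matched phrase.
PATTERNS = [
    (re.compile(r"^Unable to delete registry (?:value|key) (.+?) ?\.$"), "failed"),
    (re.compile(r"^Registry (?:value|key) (.+?) (deleted successfully|not found)\.$"), None),
    (re.compile(r"^(?:File )?(.+?) (?:folder )?(moved successfully|deleted successfully|not found)[.!]$"), None),
]

def parse_ots_fix_log(text):
    """Return (section, target, status) tuples; status is deleted/moved/failed/not found."""
    section, results = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]          # e.g. "Registry - All"
            continue
        for pattern, fixed_status in PATTERNS:
            m = pattern.match(line)
            if m:
                status = fixed_status or m.group(2).replace(" successfully", "")
                results.append((section, m.group(1), status))
                break                     # first matching phrasing wins
    return results

def needs_followup(results):
    """Targets OTS could not remove or never saw. A 'not found' is dropped when an
    earlier line already reported the same path or key as moved/deleted."""
    done = {t.rstrip("\\").lower() for _, t, s in results if s in ("deleted", "moved")}
    flagged = []
    for _, target, status in results:
        unresolved = status == "not found" and target.rstrip("\\").lower() not in done
        if status == "failed" or unresolved:
            flagged.append((target, status))
    return flagged
```

Run against the real log, the S-1-5-18 ProxyEnable value is the one line a reviewer should chase, since a proxy left set under the SYSTEM account would keep redirecting traffic after the visible files are gone.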


----------



## mike2956 (Dec 6, 2010)

Here is latest OTS full scan.


----------



## dvk01 (Dec 14, 2002)

That looks clear now.

*Follow these steps to uninstall Combofix and the other tools it downloaded to remove the malware*
* Click *START* then *RUN*
* Now type *Combofix /Uninstall* in the run box and click *OK*. Note the *space* between the *X* and the */U*; it needs to be there.

This will also purge the restore folder and clear any malware that has been put in there. Now empty the Recycle Bin on the desktop, then reboot.

Go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

And scan here *http://secunia.com/software_inspector/* for out-of-date and vulnerable common applications on your computer, and update whatever it suggests.

Then pay an urgent visit to Windows Update and make sure you are fully updated; that will help to plug the security holes that let these pests on in the first place.

Note:
If Combofix doesn't uninstall, or you get a "can't find Combofix" message, then use this uninstall command instead:

"c:\documents and settings\Mike\Desktop\mike2956.exe" /uninstall

Then make sure you also delete the version of Combofix you renamed in My Documents.


----------



## mike2956 (Dec 6, 2010)

Thank you very much. Sorry this was such an awkward one for you but we got there in the end.


Mike


----------

