gcole_5

AV Security Suite Malware/Redirect


Visited a site and a Win Media Player window popped open in the background - next thing I know I am getting 'AV Security Suite' pop-ups for false anti-virus warnings. Running AdAware Pro - latest version.

I immediately restarted in safe mode - did a system restore - ran AdAware and MB Anti-Malware, removing several items. Ran Registry Tuner and restarted. System now starts up with explorer.exe using 50% cpu and everything is sloooooooow. Get the following when I try to run HijackThis:

fbacfa1f.sys - process that accessed the file was Win32.TrojanPWS.Agent(14100552)


Logfile of HijackThis v1.99.1
Scan saved at 3:33:06 PM, on 7/6/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Documents and Settings\Greg Cole\Application Data\Dropbox\bin\Dropbox.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [AdobeVersionCue] C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] *DISABLED*C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] *DISABLED*"C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] *DISABLED*"C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~1\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [cdloader] *DISABLED*"C:\Documents and Settings\Greg Cole\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RTReminder] C:\Program Files\Lavasoft\Lavasoft Registry Tuner\RegistryTuner.exe -rem
O4 - Startup: Dropbox.lnk = Greg Cole\Application Data\Dropbox\bin\Dropbox.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: QuickBooks US Plugin.lnk = ?
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_19.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\npjpi160_19.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} (FTUploaderCtlX Control) - http://www.fototime.com/ftweb/activeX/WebUploadControl.cab
O16 - DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} (Photo Upload Plugin Class) - http://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} (Cisco AnyConnect VPN Client Web Control) - https://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} (LinksysViewer Control) - http://67.40.90.115:1024/img/LinksysViewer.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS4 - Unknown owner - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service (file missing)
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Apache2.2 - Unknown owner - C:\xampp\apache\bin\apache.exe" -k runservice (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: AST Service (astcc) - Nalpeiron Ltd. - C:\WINDOWS\SYSTEM32\astsrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Comsdrbqnv - CMD Technology, Inc. - (no file)
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - c:\xampp\filezillaftp\filezillaserver.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: mysql - Unknown owner - C:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\WINDOWS\system32\Wacom_Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Cisco AnyConnect VPN Agent (vpnagent) - Cisco Systems, Inc. - C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe

I have made a system restore point and a registry back-up with ERUNT, ran ATF-Cleaner and tried to run GMER - it always results in a blue screen...

Any help much appreciated.

Hi,

Download DDS and save it to your desktop from [url="http://download.bleepingcomputer.com/sUBs/dds.com"][b][color="seagreen"]here[/color][/b][/url] or [url="http://download.bleepingcomputer.com/sUBs/dds.scr"][b][color="seagreen"]here[/color][/b][/url] or [url="http://www.forospyware.com/sUBs/dds"][b][color="seagreen"]here[/color][/b][/url].
Disable any script blocker, and then double click [b]dds.scr[/b] to run the tool. [list]
[*]When done, DDS will open two (2) logs: [list=1]
[*] DDS.txt
[*] Attach.txt
[/list]
[*]Save both reports to your desktop. Post them back to your topic.
[/list]

Thank you so much for your assistance. DDS.txt below - Attach.txt (zip) attached.


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Greg Cole at 9:07:26.04 on Wed 07/07/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1627 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning enabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Greg Cole\Desktop\dds.com

============== Pseudo HJT Report ===============

BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [cdloader] *DISABLED*"c:\documents and settings\greg cole\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [RTReminder] c:\program files\lavasoft\lavasoft registry tuner\RegistryTuner.exe -rem
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\greg cole\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\winmys~1.lnk - c:\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wpn311\wlancfg5.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} - hxxp://www.fototime.com/ftweb/activeX/WebUploadControl.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://67.40.90.115:1024/img/LinksysViewer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregco~1\applic~1\mozilla\firefox\profiles\fpoi5nus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\greg cole\application data\mozilla\firefox\profiles\fpoi5nus.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-31 64288]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-30 95024]
S1 fbacfa1f;fbacfa1f;c:\windows\system32\drivers\fbacfa1f.sys [2009-10-20 79872]
S1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-3-31 13360]
S2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-3-5 16896]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1352832]
S2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-3-31 69936]
S2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-15 1373480]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-28 24652]
S2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-9-4 25728]
S3 Comsdrbqnv;Comsdrbqnv; [x]
S3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\greg cole\application data\nvidia\hwaccess.sys --> c:\documents and settings\greg cole\application data\nvidia\HWAccess.sys [?]

=============== Created Last 30 ================

2010-07-07 15:23:05 0 d-----w- c:\windows\system32\NtmsData
2010-07-06 18:58:18 0 d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-07-06 18:58:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-05 21:53:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 21:53:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 20:57:37 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-05 20:14:12 120 ----a-w- c:\windows\Tnesev.dat
2010-07-05 20:14:12 0 ----a-w- c:\windows\Iyalec.bin
2010-07-03 03:50:12 17866752 ----a-w- c:\documents and settings\greg cole\ntuser.bak
2010-06-28 18:36:04 0 d-----w- C:\e94576507cc035ae65d4
2010-06-26 15:47:11 0 d-----w- C:\1a40bef8e097f6157b5803
2010-06-15 23:27:24 0 d-----w- c:\docume~1\gregco~1\applic~1\Dropbox
2010-06-10 03:01:27 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll
2010-06-07 22:55:26 1719336 ----a-w- c:\docume~1\alluse~1\applic~1\YugmaSE-Uninstaller.exe
2010-06-07 22:50:12 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-07 22:47:50 0 d-----r- c:\program files\Skype
2010-06-07 22:23:35 0 d-----w- c:\program files\DemoForge
2010-06-07 22:23:25 0 ----a-w- c:\windows\GREG_COLE_ESPER206424F9
2010-06-07 22:23:09 0 d--h--w- c:\program files\Zero G Registry
2010-06-07 22:22:54 0 d--h--w- c:\documents and settings\greg cole\InstallAnywhere
2010-06-07 22:19:46 0 d-----w- c:\documents and settings\greg cole\Yugma

==================== Find3M ====================

2010-07-07 13:30:13 79872 ----a-w- c:\windows\system32\drivers\fbacfa1f.sys
2010-07-06 21:35:55 90112 ----a-w- c:\windows\DUMP3ae6.tmp
2010-07-05 21:28:51 90112 ----a-w- c:\windows\DUMP7668.tmp
2010-06-15 15:53:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-03 15:52:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-20 20:49:27 61304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-20 04:14:14 93112 ----a-w- c:\windows\fonts\STOMPER_.TTF
2010-05-19 21:51:42 90112 ----a-w- c:\windows\DUMP5beb.tmp
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-02-23 03:51:21 35 ----a-w- c:\program files\FlashDetector.ini
2006-03-31 21:38:26 469824 ----a-w- c:\windows\inf\wpn311\WPN311.sys
2006-03-31 21:38:24 35232 ----a-w- c:\windows\inf\wpn311\ME_INST.EXE
2006-03-31 21:38:24 26112 ----a-w- c:\windows\inf\wpn311\install.exe
2009-06-10 21:06:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 9:09:13.92 ===============

Hi again,

Please visit this webpage for download links, and instructions for running ComboFix tool:

[url="http://www.bleepingcomputer.com/combofix/how-to-use-combofix"]http://www.bleepingcomputer.com/combofix/how-to-use-combofix[/url]

[color="Blue"]Please ensure you read this guide carefully first.[/color]

Please continue as follows:
[list=1]
[*][b]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix[/b], [url="http://www.bleepingcomputer.com/forums/topic114351.html"]link[/url]
Remember to re-enable them afterwards.


[*]Click [b]Yes[/b] to allow ComboFix to continue scanning for malware.
[/list]
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

[b]C:\ComboFix.txt
New dds log.[/b]

[color="#ff0000"][b]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.[/b][/color]

Followed the instructions, but ComboFix never seems to finish... It installed Recovery Console, began scan, reported Rootkit activity and said it needed to restart. After restart, it is still saying 'preparing to scan - should take 10 minutes on average machine, etc'. Has been no activity for over an hour... What should I do next, please? Just letting it 'run' (?) right now... Never showed any 'Step 1...' etc. as in the instructions either.

THANKS!

Hi,

Did you run ComboFix in normal or safe mode? Please give it another attempt (in safe mode if you ran in normal mode earlier) making sure antivirus protection is disabled.

I ran it in SafeMode - but when the computer restarted after the rootkit warning, I did not go back into safe mode - I simply let it restart... I'll try again in Safe Mode and see what happens. Also, when I go into Ad Aware Pro and disable Ad Watch Live, Windows Security Center is still reporting that it is active (as my anti-virus software) - no process is running for it and re-checking via AdAware Manager shows it is disabled/off - but ComboFix still tells me it is active no matter what I try (have reviewed the instructions and followed the steps to disable it, etc.). Should I run it anyway even if still getting this notification?

Yes, run it even if ComboFix notifies again.

Restarted in Safe Mode - made sure Ad Watch Live was disabled - running in Safe Mode - No Networking - so no firewall/windows security...

Run ComboFix and get warning that Ad Watch Live is active. Click OK to Continue... Warning again... Click OK to continue...

Registry back-up processes and scan begins. Rootkit warning and ComboFix restarts the system. This time I boot back into Safe Mode. Blue console is open and states:

Please wait,
ComboFix is preparing to run...

No HD activity or progress - just hangs...waiting...

--edit--

This is the same thing it did previously. I let it run for over 3 hours and it never updated, etc. It has been running for almost an hour now and no change/feedback/progress indication, etc... Should I re-start, or...???

Hi,

Let's try to make GMER run:

Download [url="http://www.gmer.net"][color="blue"]GMER[/color][/url] here by clicking the download exe button and then saving it to your desktop:[list]
[*]Double-click the [b].exe[/b] that you downloaded
[*]Click the [b]rootkit[/b] tab, uncheck the files option and then click [b]scan[/b].
[*][color="red"][b]Don't check the Show All box while scanning is in progress![/b][/color]
[*]When scanning is ready, click [b]Copy[/b].
[*]This copies the log to the clipboard
[*]Post the log (if the log is long, archive it into a zip file and attach instead of posting) in your reply.
[/list]

UPDATE - just got a warning error from ComboFix stating it had been compromised and I might have a file patching virus 'Virut' - re-download ComboFix and try again...

Now what? GMER, or???

THANKS!

PS - I downloaded GMER previously - should I use that or re-download? I assume if new download, I should be in Safe Mode with Networking, right?

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-07 16:09:47
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\GREGCO~1\LOCALS~1\Temp\kxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF764787E]
SSDT 89F75E36 ZwQuerySystemInformation
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF7647BFE]

Code 89F762CC pIofCallDriver
Code 89F7572E pIofCompleteRequest

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] USER32.dll!PeekMessageW 7E41929B 6 Bytes PUSH 003A7D91; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!getaddrinfo 71AB2A6F 6 Bytes PUSH 003AC3C5; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!inet_addr 71AB2EE1 6 Bytes PUSH 003AC4FA; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!sendto 71AB2F51 6 Bytes PUSH 003A916A; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 003A913B; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes PUSH 003A6DB0; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!gethostbyname 71AB5355 6 Bytes PUSH 003AC477; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!recv 71AB676F 6 Bytes PUSH 003A6D36; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 34ABA38F
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WININET.dll!HttpSendRequestW 3D94FABE 6 Bytes PUSH 003AE3DA; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WININET.dll!HttpSendRequestA 3D95EE89 6 Bytes PUSH 003AE406; RET
.text C:\WINDOWS\Explorer.EXE[1564] USER32.dll!PeekMessageW 7E41929B 6 Bytes PUSH 00C07D91; RET
.text C:\WINDOWS\Explorer.EXE[1564] WININET.dll!HttpSendRequestW 3D94FABE 6 Bytes PUSH 00C0E3DA; RET
.text C:\WINDOWS\Explorer.EXE[1564] WININET.dll!HttpSendRequestA 3D95EE89 6 Bytes PUSH 00C0E406; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!getaddrinfo 71AB2A6F 6 Bytes PUSH 00C0C3C5; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!inet_addr 71AB2EE1 6 Bytes PUSH 00C0C4FA; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!sendto 71AB2F51 6 Bytes PUSH 00C0916A; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 00C0913B; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!WSARecv 71AB4CB5 6 Bytes PUSH 00C06DB0; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!gethostbyname 71AB5355 6 Bytes PUSH 00C0C477; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!recv 71AB676F 6 Bytes PUSH 00C06D36; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 34AC298F

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B7AACD20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:192] 89F754CC
Thread System [4:880] 89F764F8
Thread System [4:940] 89F76782

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\iaStor.sys
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] %SystemRoot%\System32\spmsg.dll
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] C:\WINDOWS\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] %SystemRoot%\System32\netevent.dll
Reg HKLM\SYSTEM\ControlSet001\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\iaStor.sys
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] %SystemRoot%\System32\spmsg.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] C:\WINDOWS\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] %SystemRoot%\System32\netevent.dll
Reg HKLM\SYSTEM\ControlSet002\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] %SystemRoot%\System32\IoLogMsg.dll;%SystemRoot%\System32\drivers\iaStor.sys
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] %SystemRoot%\System32\spmsg.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] 7
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] C:\WINDOWS\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] %SystemRoot%\System32\netevent.dll
Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\System\[email protected] 7
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\[email protected]_32 Name 2455350:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install\VxDs
Reg HKLM\SOFTWARE\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install\[email protected] -12:{3C7DA433-1047-9FC4-00BA-978A09424856}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 1.1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version [email protected] 806585365:{CC23126B-3651-A598-1B83-0D07D9FA0C7E}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@ComponentGUID {077ACEC7-979C-40AB-9835-435BA1511E0D}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\MPPRE10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{077ACEC7-979C-40AB-9835-435BA1511E0D}\mppre10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@ComponentGUID {30C7234B-6482-4A55-A11D-ECD9030313F2}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\WMDM10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{30C7234B-6482-4A55-A11D-ECD9030313F2}\wmdm10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@ComponentGUID {3FDF25EE-E592-4495-8391-6E9C504DAC2B}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\WMSET10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\wmset10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@ComponentGUID {60204BB3-7078-4F70-8F69-68297621941C}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\MPSTUB10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{60204BB3-7078-4F70-8F69-68297621941C}\mpstub10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@ComponentGUID {981FB688-E76B-4246-987B-92083185B90A}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\WPD10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{981FB688-E76B-4246-987B-92083185B90A}\wpd10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@ComponentGUID {A47B3654-48EE-48A5-B629-97D70175E58F}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{A47B3654-48EE-48A5-B629-97D70175E58F}\codecs10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@ComponentGUID {AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\WMFSDK10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\wmfsdk10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@ComponentGUID {C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\DRM10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\drm10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@ComponentGUID {CFB4B314-0328-45E1-94AF-45A3F5F48E0B}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\MPCD10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\mpcd10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@FriendlyName Windows Media Files
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@ComponentGUID {DD90D410-1823-43EB-9A16-A2331BF08799}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@Version 655360
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@Sub-Version 3646
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@ExceptionInfName C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\WMP10.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}@ExceptionCatalogName C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}\wmp10.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\[email protected] 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}\Install
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}\Install\xga-3v5
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}\Install\xga-3v5\dat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}\Install\xga-3v5\[email protected] 518022258:{5673937F-442A-408C-6551-F5EB079B6E31}
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 3.x
Reg HKLM\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version [email protected] 1767914624:{7BBA061A-84F8-12B1-0872-56B2564CC278}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Mass Storage
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Mass [email protected] {53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Portable Audio Players
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Portable Audio [email protected] {F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Portable Audio [email protected] UseExtendedWmdm
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows [email protected] {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE RNDIS
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE [email protected] {ad498944-762f-11d0-8dcb-00c04fc3358c}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDevice
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\[email protected] {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\[email protected] {067B4B81-B1EC-489f-B111-940EBDC44EBE}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDeviceRNDIS
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\[email protected] {ad498944-762f-11d0-8dcb-00c04fc3358c}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\KnownDevices\[email protected] {067B4B81-B1EC-489f-B111-940EBDC44EBE}
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\Plugins\SCP\[email protected] MsScp.SCPTRANS.1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smase._dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected] 10)#31?3f73??le133?
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[email protected] {376004F2-57D6-9811-1B01-4B82A757C373}
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\[email protected] 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\[email protected] 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\[email protected] 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\[email protected] 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\[email protected] 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\[email protected] 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\[email protected] 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\[email protected] 0x4B 0xE3 0x89 0x55 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\[email protected] 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\[email protected] 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\[email protected] 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\[email protected] 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\[email protected] 0xFA 0xEA 0x66 0x7F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88FB3F27-689B-DC23-D5B4-6AD11229544C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88FB3F27-689B-DC23-D5B4-6AD11229544C}@palhnimeideegdhhpmenbjiaigmikofo 0x6A 0x61 0x66 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88FB3F27-689B-DC23-D5B4-6AD11229544C}@laaikkecocbflonlhpkgmcdm 0x62 0x61 0x69 0x67 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@oacmgfkcknlimkdgfgifmeogcdkgpe 0x69 0x61 0x69 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@naammdphhiofghcfebjdobbmbejd 0x69 0x61 0x69 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@oacmgfkcknlimkdgfgifmeogddbgmj 0x6A 0x61 0x68 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@naammdphhiofghcfebjdobamalel 0x6A 0x61 0x68 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@oacmgfkcknlimkdgfgifmeogocggdi 0x69 0x61 0x69 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}@naammdphhiofghcfebjdobnlffnh 0x69 0x61 0x69 0x62 ...

---- EOF - GMER 1.0.15 ----
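An added triage script for the "User code sections" block of the log above (my own example, not GMER's or the thread's code; the NETWORK_APIS list is my selection and the sample lines are a constructed subset of the log): it parses each .text line, groups the inline hooks per process, flags hooks on network APIs, and lists APIs hooked identically in more than one process.

```python
"""Triage for the 'User code sections' block of a GMER log: which processes
carry inline hooks on which APIs, and which hooked APIs recur across processes."""
import re
from collections import defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Optional

# A GMER user-code line: .text <image>[<pid>] <module>!<api> <addr> <n> Bytes <patch>
LINE_RE = re.compile(
    r"^\.text (?P<image>.+?)\[(?P<pid>\d+)\] (?P<module>[^!\s]+)!(?P<api>\S+) "
    r"(?P<addr>[0-9A-Fa-f]+) (?P<n>\d+) Bytes (?P<patch>.+)$"
)
# The patch column is the overwritten prologue: "PUSH <target>; RET" or "JMP <target>".
PATCH_RE = re.compile(r"^(?P<kind>PUSH|JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)")

# APIs on the network path (my own selection, module compared case-insensitively);
# a hook here sees traffic before it leaves the process.
NETWORK_APIS = {
    "ws2_32.dll": {"send", "recv", "sendto", "recvfrom", "WSASend", "WSARecv",
                   "connect", "getaddrinfo", "gethostbyname", "inet_addr"},
    "wininet.dll": {"HttpSendRequestA", "HttpSendRequestW",
                    "InternetConnectA", "InternetConnectW"},
}


@dataclass
class Hook:
    image: str              # full path of the hooked process image
    pid: int
    module: str             # DLL exporting the hooked function
    api: str
    addr: int               # original address of the hooked function
    nbytes: int             # prologue bytes overwritten
    kind: str               # PUSH / JMP / CALL / OTHER
    target: Optional[int]   # where the trampoline transfers control


def parse_hooks(text: str) -> list:
    """Parse every '.text' line; other GMER sections and blank lines are skipped."""
    hooks = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pm = PATCH_RE.match(m["patch"])
        hooks.append(Hook(
            image=m["image"], pid=int(m["pid"]), module=m["module"], api=m["api"],
            addr=int(m["addr"], 16), nbytes=int(m["n"]),
            kind=pm["kind"] if pm else "OTHER",
            target=int(pm["target"], 16) if pm else None,
        ))
    return hooks


def triage(hooks: list) -> dict:
    """Group hooks per process and list APIs hooked in more than one process.

    The same API hooked at the same original address in every listed process,
    the scanner's own gmer.exe included, points at a component injected
    system-wide rather than at one application hooking itself. 'target_pages'
    holds the upper 16 bits of each trampoline target: one value per process
    means every hook lands in a single region of that process.
    """
    procs = {}
    by_api = defaultdict(list)
    for h in hooks:
        name = f"{PureWindowsPath(h.image).name}[{h.pid}]"
        p = procs.setdefault(name, {"hooks": 0, "network_hooks": [], "target_pages": set()})
        p["hooks"] += 1
        label = f"{h.module}!{h.api}"
        if h.api in NETWORK_APIS.get(h.module.lower(), set()):
            p["network_hooks"].append(label)
        if h.target is not None:
            p["target_pages"].add(f"{h.target >> 16:04X}")
        if name not in by_api[label]:
            by_api[label].append(name)
    for p in procs.values():
        p["target_pages"] = sorted(p["target_pages"])
    shared = {api: names for api, names in by_api.items() if len(names) > 1}
    return {"processes": procs, "shared_apis": shared}


# Constructed sample: a subset of the lines from the GMER 1.0.15 log posted above,
# addresses exactly as reported there.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 003A913B; RET
.text C:\Documents and Settings\Greg Cole\Desktop\gmer\gmer.exe[1388] WS2_32.dll!WSASend 71AB68FA 6 Bytes JMP 34ABA38F
.text C:\WINDOWS\Explorer.EXE[1564] USER32.dll!PeekMessageW 7E41929B 6 Bytes PUSH 00C07D91; RET
.text C:\WINDOWS\Explorer.EXE[1564] WININET.dll!HttpSendRequestA 3D95EE89 6 Bytes PUSH 00C0E406; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!send 71AB4C27 6 Bytes PUSH 00C0913B; RET
.text C:\WINDOWS\Explorer.EXE[1564] WS2_32.dll!recv 71AB676F 6 Bytes PUSH 00C06D36; RET

---- Devices - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    report = triage(parse_hooks(SAMPLE_LOG))
    for name, info in report["processes"].items():
        print(f"{name}: {info['hooks']} hooks, network: {info['network_hooks']}, pages: {info['target_pages']}")
    print("hooked in more than one process:", report["shared_apis"])
```

On the full log above, run the same way, every network API hooked in Explorer.EXE is also hooked at the same original address in gmer.exe, which is why the helper treats the system as still infected.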

Hi,

Could you give ComboFix one more attempt (rename it to something.exe)? Please post a fresh dds.txt log (taken in normal mode).

OK - downloaded ComboFix and saved it as something.exe. Ran it with no firewall/anti-virus. It makes a new restore point, backs up the registry and starts to scan. Gives a rootkit warning/notification and says it needs to restart. Restart system and blue Auto Scan console appears - begins scan. Gets to 'Completed Stage_5' and then seems to hang. Has been like this for over an hour now. No noticeable HD activity or indication of progress.

Please advise...

Hi,

Please move renamed ComboFix (something.exe) to root of your c: drive (c:\) and try to run it from there.

Same steps after moving to C: (registry back-up/rootkit warning/restart/scanning), but this time it appears to be frozen after 'Completed Stage_2'... No activity for 20 minutes now...

Hi,

Uninstall Ad-Aware and Lavasoft Registry Tuner for now. Then run ComboFix in safe mode again and post back its report + fresh dds logs (if CF fails again please post fresh dds logs contents anyway).

Was just getting ready to edit my last post... Ran it again and it is progressing now. Just completed Stage_50. Will post logs next...

ComboFix 10-07-07.02 - Greg Cole 07/08/2010 11:25:56.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1548 [GMT -7:00]
Running from: C:\something.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\vlc-1.0.1-win32.exe
c:\documents and settings\Greg Cole\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\Greg Cole\g2mdlhlpx.exe
C:\Thumbs.db
c:\windows\My.ini
c:\windows\system32\BSTIEPrintCtl1.dll
c:\windows\system32\drivers\fbacfa1f.sys
c:\windows\system32\lsprst7.dll
c:\windows\system32\ssprs.dll
c:\windows\xpsp1hfm.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_fbacfa1f


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 15:48 . 2010-07-08 15:48 3728433 ----a-r- C:\something.exe
2010-07-07 22:31 . 2010-07-07 22:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-07 15:25 . 2010-07-07 15:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-07 15:23 . 2010-07-07 15:23 -------- d-----w- c:\windows\system32\NtmsData
2010-07-06 18:58 . 2010-07-06 18:58 -------- d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-07-06 18:58 . 2010-07-06 18:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-05 21:53 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 21:53 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 20:57 . 2010-07-05 20:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-07-05 20:14 . 2010-07-05 20:14 120 ----a-w- c:\windows\Tnesev.dat
2010-07-05 20:14 . 2010-07-05 20:14 0 ----a-w- c:\windows\Iyalec.bin
2010-07-05 20:14 . 2010-07-05 20:57 -------- d-----w- c:\documents and settings\Greg Cole\Local Settings\Application Data\{1DE04EFC-14B1-49AE-A7DE-39E52F8DBD99}
2010-06-28 18:36 . 2010-06-28 18:36 -------- d-----w- C:\e94576507cc035ae65d4
2010-06-28 16:35 . 2010-06-28 16:35 -------- d-----w- c:\documents and settings\Greg Cole\Local Settings\Application Data\PCHealth
2010-06-26 15:47 . 2010-06-26 15:47 -------- d-----w- C:\1a40bef8e097f6157b5803
2010-06-15 23:27 . 2010-07-08 18:42 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Dropbox
2010-06-10 03:01 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 18:40 . 2010-04-15 16:13 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\WTablet
2010-07-08 18:40 . 2010-04-18 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-07-06 21:35 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP3ae6.tmp
2010-07-06 19:27 . 2007-03-20 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2010-07-06 19:25 . 2009-11-10 16:29 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-05 21:53 . 2010-04-02 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-05 21:28 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP7668.tmp
2010-06-24 03:44 . 2006-03-19 00:28 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Lavasoft
2010-06-24 03:44 . 2006-03-19 00:28 -------- d-----w- c:\program files\Lavasoft
2010-06-15 15:53 . 2010-03-31 18:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-09 17:00 . 2010-01-06 02:26 -------- d-----w- c:\program files\Citrix
2010-06-08 03:19 . 2010-06-07 22:48 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Skype
2010-06-07 23:00 . 2008-03-21 19:52 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\skypePM
2010-06-07 22:50 . 2010-06-07 22:50 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-07 22:48 . 2010-06-07 22:47 -------- d-----r- c:\program files\Skype
2010-06-07 22:47 . 2010-06-07 22:47 -------- d-----w- c:\program files\Common Files\Skype
2010-06-07 22:47 . 2008-03-21 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-07 22:23 . 2010-06-07 22:23 -------- d-----w- c:\program files\DemoForge
2010-06-07 22:23 . 2010-06-07 22:23 -------- d--h--w- c:\program files\Zero G Registry
2010-06-03 15:52 . 2010-03-31 18:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-02 23:04 . 2010-06-02 23:04 -------- d-----w- c:\program files\GenArts
2010-05-20 20:49 . 2009-11-05 22:11 61304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-20 18:40 . 2005-10-04 22:37 83112 ----a-w- c:\documents and settings\Greg Cole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-19 21:51 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP5beb.tmp
2010-05-17 20:22 . 2009-10-20 19:27 -------- d-----w- c:\program files\Showit
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-02-23 03:51 . 2008-02-23 03:51 35 ----a-w- c:\program files\FlashDetector.ini
2007-12-03 03:05 . 2007-12-02 19:24 72 --sh--w- c:\windows\SAA957F3F.tmp
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups10\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTReminder"="c:\program files\Lavasoft\Lavasoft Registry Tuner\RegistryTuner.exe" [2007-12-20 1912672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-15 135168]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-23 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]

c:\documents and settings\Greg Cole\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2005-4-4 936448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
QuickBooks US Plugin.lnk - c:\program files\PayPal Payment Request Wizard\QB US edition\OEHook.exe [2009-4-29 888987]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-3-22 98304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Macromedia\\HomeSite+\\HomeSite+.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.00\\Program\\Swift3D.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1Click DVD Ripper\\1ClickDr.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ruby\\bin\\ruby.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects 7.0\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Greg Cole\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Greg Cole\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58745:TCP"= 58745:TCP:PORT_58745
"11743:TCP"= 11743:TCP:PORT_11743
"62949:TCP"= 62949:TCP:PORT_62949
"61555:TCP"= 61555:TCP:PORT_61555
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/31/2010 11:02 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/31/2010 11:03 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/30/2009 12:03 PM 95024]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [3/5/2007 3:23 AM 16896]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/31/2010 11:03 AM 69936]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [4/15/2010 9:12 AM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/28/2007 2:45 PM 24652]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 3:32 PM 497856]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/4/2009 4:38 PM 25728]
S3 Comsdrbqnv;Comsdrbqnv; [x]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/5/2010 2:03 AM 1352832]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\Greg Cole\Application Data\NVIDIA\HWAccess.sys --> c:\documents and settings\Greg Cole\Application Data\NVIDIA\HWAccess.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\Ad-Aware Scan (Weekly smart scan).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{5A5DADE2-3614-4B86-95A6-BBCEE45A8885}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} - hxxp://www.fototime.com/ftweb/activeX/WebUploadControl.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://67.40.90.115:1024/img/LinksysViewer.cab
FF - ProfilePath - c:\documents and settings\Greg Cole\Application Data\Mozilla\Firefox\Profiles\fpoi5nus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Greg Cole\Application Data\Mozilla\Firefox\Profiles\fpoi5nus.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
HKCU-Run-cdloader - *DISABLED*c:\documents and settings\Greg Cole\Application Data\mjusbsp\cdloader2.exe
SafeBoot-fbacfa1f.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 11:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Local AppWizard-Generated Applications\MMDiag]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88FB3F27-689B-DC23-D5B4-6AD11229544C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"palhnimeideegdhhpmenbjiaigmikofo"=hex:6a,61,66,67,69,6b,6c,6e,6f,64,6c,62,6c,
6b,70,6e,6f,65,6f,6b,00,00
"laaikkecocbflonlhpkgmcdm"=hex:62,61,69,67,00,23

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oacmgfkcknlimkdgfgifmeogcdkgpe"=hex:69,61,69,62,70,69,6e,63,6a,66,6b,65,66,62,
63,68,67,62,00,00
"naammdphhiofghcfebjdobbmbejd"=hex:69,61,69,62,70,69,6e,63,6a,66,6b,65,66,62,
63,68,67,62,00,00
"oacmgfkcknlimkdgfgifmeogddbgmj"=hex:6a,61,68,62,6f,67,6a,65,65,64,6c,70,6f,61,
66,61,63,6f,6a,65,00,6f
"naammdphhiofghcfebjdobamalel"=hex:6a,61,68,62,6f,67,6a,65,65,64,6c,70,6f,61,
66,61,63,6f,6a,65,00,6f
"oacmgfkcknlimkdgfgifmeogocggdi"=hex:69,61,69,62,70,69,6d,63,69,67,6a,65,69,69,
6e,69,62,63,00,00
"naammdphhiofghcfebjdobnlffnh"=hex:69,61,69,62,70,69,6d,63,69,67,6a,65,69,69,
6e,69,62,63,00,00

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\MusicMatch, Inc.\Musicmatch for WMP]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\BVRP Software\Modem Helper]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,e3,89,55,8b,ea,08,72,a7,b8,6d,75,8a,6d,fb,46,10,27,25,93,9a,
fa,ba,b0,d5,11,9d,5d,9f,34,cd,59,c1,3b,11,e5,ce,20,fd,ba,c2,ab,53,09,36,09,\

[HKEY_LOCAL_MACHINE\software\GenArts\Sapphire AE\Install-{EC3F6705-85EF-4FB1-4E30-80781324E273}\Data*]
@DACL=
"DefaultSettings"="99:{C6DDA450-F687-55DF-CA23-1A5083308C5D}"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\Hlp]
@DACL=(02 0000)
"NetworkAddress"="adapter_adv_laa"
"CPUSaver"="adapter_adv_adap_perf_tune"
"NumRxDescriptors"="adapter_adv_rx_descriptors"
"AdaptiveIFS"="adapter_adv_adap_ifs"
"ChecksumRxIp"="adapter_adv_offload_tcpip_checksum"
"NumTxDescriptors"="adapter_adv_tx_descriptors"
"ChecksumRxTcp"="adapter_adv_offload_rx_tcp_checksum"
"ChecksumTxIp"="adapter_adv_offload_tx_ip_checksum"
"ChecksumTxTcp"="adapter_adv_offload_tx_tcp_checksum"
"TcpSegmentation"="adapter_adv_offload_tcp_segmentation"
"EnablePME"="adapter_adv_enable_pme"
"FlowControl"="adapter_adv_flow_control"
"LogLinkStateEvent"="adapter_adv_log_link"
"MaxFrameSize"="adapter_adv_jumbo_frames"
"TaggingMode"="adapter_adv_qos_tagging"
"Adaptive_IFS"="adapter_adv_adap_ifs"
"WakeOn"="adapter_adv_wake_on_settings"
"WakeOnLink"="adapter_adv_wake_on_link"
"ConfigIFS"="adapter_adv_retransmit_ifs"
"HPQPriorityLevel"="adapter_adv_priority_leveL"
"NumCoalesce"="adapter_adv_laa"
"NumRfd"="adapter_adv_rx_descriptors"
"NumTcb"="adapter_adv_tx_descriptors"
"Threshold"="adapter_adv_adap_tx_thresh"
"Coalesce"="adapter_adv_coalesce_buff"
"AlwaysConnectGoal"="adapter_adv_low_resource"
"UcodeSW"="adapter_adv_adap_tech"
"Power Saver Options"="adapter_adv_dlog_power"
"Offloading Options"="adapter_adv_dlog_offload"
"Performance Options"="adapter_adv_dlog_performance"
"Wake On LAN"="adapter_adv_dlog_wol"
"PCI Bus Efficiency"="adapter_adv_pci_bus"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\uninst]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\uninst\PROSet]
@DACL=(02 0000)
"DisplayName"="Intel® PRO Network Connections Drivers"
"UninstallString"="Prounstl.exe"
"DisplayIcon"=expand:"%SystemRoot%\\system32\\Prounstl.exe"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents\TeamAgnt\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents\VlanAgnt\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Wmi]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectInput\Compatibility\CLIENT2._EXE35FEFABD00088200*]
@DACL=
"MaxDeviceNameLen"="10??23Þ0000Ã?6d96y"
"NoPollSucceed"="{99C020F8-0019-9BA1-5B71-3E2E71109ECF}"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\10.0]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Player\Schemes]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services]
@DACL=(02 0000)
"NoServices"=dword:00000000
"ServiceExtra"="Partner=Dell&MachineID=5WYWK81????iŸ'?6'??\1d?''?6???6????????????'?'?? ????Ÿ'''?6???6?14?6???6?????'????'???????6'??3?''???6???6??????????????e???6?6a?????''???6?6?6??8??????????e?????? ???'?????6'???61???'?6???'?????'????P"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Subscriptions]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{EC9B8ACF-09C1-4C7B-A6BA-F5CBC478CA71}]
@DACL=(02 0000)
"FriendlyName"="res://MMRadioWMPPlugin.dll/RT_STRING/#102"
"Description"="res://MMRadioWMPPlugin.dll/RT_STRING/#103"
"Capabilities"=dword:c2000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install*Loc\VxDs]
@DACL=
"CTE_32 Name"="2455350:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install*Loc\VxDs]
@DACL=
"DefaultSettings"="-12:{3C7DA433-1047-9FC4-00BA-978A09424856}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Install*Loc\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 1.1]
@DACL=
"dat"="806585365:{CC23126B-3651-A598-1B83-0D07D9FA0C7E}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{077ACEC7-979C-40AB-9835-435BA1511E0D}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\MPPRE10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\mppre10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{30C7234B-6482-4A55-A11D-ECD9030313F2}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\WMDM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\wmdm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{3FDF25EE-E592-4495-8391-6E9C504DAC2B}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\\WMSET10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\\wmset10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{60204BB3-7078-4F70-8F69-68297621941C}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\MPSTUB10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\mpstub10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{981FB688-E76B-4246-987B-92083185B90A}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\WPD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\wpd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{A47B3654-48EE-48A5-B629-97D70175E58F}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\WMFSDK10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\wmfsdk10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\DRM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\drm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\MPCD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\mpcd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{DD90D410-1823-43EB-9A16-A2331BF08799}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{DD90D410-1823-43EB-9A16-A2331BF08799}\\WMP10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{DD90D410-1823-43EB-9A16-A2331BF08799}\\wmp10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
@SACL=
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\z*\{{05FF8CB8-4942-FCF6-301D-6930181DE865}}]
@DACL=
"DefaultSettings"="2455364:{37C8840C-72FD-B1F6-4FC1-23A6EF5B6255}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}*\Install*Loc\xga-3v5\dat]
@DACL=
"default"="518022258:{5673937F-442A-408C-6551-F5EB079B6E31}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Install VBX*\Current*Version\Install*Loc\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 3.x]
@DACL=
"dat"="1767914624:{7BBA061A-84F8-12B1-0872-56B2564CC278}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Mass Storage]
@DACL=(02 0000)
"DeviceInterface"="{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Portable Audio Players]
@DACL=(02 0000)
"DeviceInterface"="{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}"
"FilterParameter"="UseExtendedWmdm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE]
@DACL=(02 0000)
"DeviceInterface"="{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE RNDIS]
@DACL=(02 0000)
"DeviceInterface"="{ad498944-762f-11d0-8dcb-00c04fc3358c}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDevice]
@DACL=(02 0000)
"DeviceInterface"="{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}"
"WMDMSPCLSID"="{067B4B81-B1EC-489f-B111-940EBDC44EBE}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDeviceRNDIS]
@DACL=(02 0000)
"DeviceInterface"="{ad498944-762f-11d0-8dcb-00c04fc3358c}"
"WMDMSPCLSID"="{067B4B81-B1EC-489f-B111-940EBDC44EBE}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\Plugins\SCP\SCPTRANS]
@DACL=(02 0000)
"ProgID"="MsScp.SCPTRANS.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smase._dll*]
@DACL=
"AplicationGoo"="10)#31¾3f73?ále133Ö"
"ChkAppHelp"="{376004F2-57D6-9811-1B01-4B82A757C373}"

[HKEY_LOCAL_MACHINE\software\Microsoft\WinXGA*\Providers*\{D41D8CD9-8F00-B204-E980-0998ECF8427E}\Current*Set\xga-3v5\ver]
@DACL=
"KnownSvcs"="925610637:{4BAAA063-DECA-4010-C078-0AB72138E48E}"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,e3,89,55,8b,ea,08,72,a7,b8,6d,75,8a,6d,fb,46,10,27,25,93,9a,
fa,ba,b0,d5,11,9d,5d,9f,34,cd,59,c1,3b,11,e5,ce,20,fd,ba,c2,ab,53,09,36,09,\

[HKEY_LOCAL_MACHINE\software\XBMga*\UUIDs\{D267FD78-5B38-7F95-267D-28AED7CD122A}\xga-3v5\Install*Loc]
@DACL=
"{19620715-0001-1211-574574-30001}"="232780633:{3FED4A7B-BDD7-2422-14D2-655D030616D2}"

[HKEY_LOCAL_MACHINE\software\xGenArts\Sapphire AE\DLL ver*\{A6D90D08-68DD-2B46-E2AC-5782669B2696}]
@DACL=
"CTE_32 Name"="9:{19C42D30-D844-8A07-12A4-E783E7D228F7}"

[HKEY_LOCAL_MACHINE\software\xGenArts\Sapphire AE\DLL ver*\{B08ECCAD-FEC0-A273-8DFD-B47BE795EE25}]
@DACL=
"DefaultSettings"="12:{5351C505-4E6C-6ECA-E5BD-7AE84A571B0A}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3404)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\astsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\xampp\filezillaftp\filezillaserver.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld-nt.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-08 11:51:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 18:51

Pre-Run: 77,801,349,120 bytes free
Post-Run: 77,916,950,528 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - 8D6905118E85A6E97CD7D525448E3D5D

DDS (Ver_10-03-17.01) - NTFSx86
Run by Greg Cole at 11:54:27.67 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1396 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Documents and Settings\Greg Cole\Application Data\Dropbox\bin\Dropbox.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Greg Cole\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [RTReminder] c:\program files\lavasoft\lavasoft registry tuner\RegistryTuner.exe -rem
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\greg cole\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\winmys~1.lnk - c:\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\npjpi160_19.dll
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} - hxxp://www.fototime.com/ftweb/activeX/WebUploadControl.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://67.40.90.115:1024/img/LinksysViewer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregco~1\applic~1\mozilla\firefox\profiles\fpoi5nus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\greg cole\application data\mozilla\firefox\profiles\fpoi5nus.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-31 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-3-31 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-30 95024]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-3-5 16896]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-3-31 69936]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-15 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-28 24652]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-9-4 25728]
S3 Comsdrbqnv;Comsdrbqnv; [x]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1352832]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\greg cole\application data\nvidia\hwaccess.sys --> c:\documents and settings\greg cole\application data\nvidia\HWAccess.sys [?]

=============== Created Last 30 ================

2010-07-08 18:41:39 58 ----a-w- c:\windows\my.ini
2010-07-08 15:48:35 3728433 ----a-r- C:\something.exe
2010-07-07 17:20:31 0 d-sha-r- C:\cmdcons
2010-07-07 17:16:34 98816 ----a-w- c:\windows\sed.exe
2010-07-07 17:16:34 77312 ----a-w- c:\windows\MBR.exe
2010-07-07 17:16:34 256512 ----a-w- c:\windows\PEV.exe
2010-07-07 17:16:34 161792 ----a-w- c:\windows\SWREG.exe
2010-07-07 15:23:05 0 d-----w- c:\windows\system32\NtmsData
2010-07-06 18:58:18 0 d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-07-06 18:58:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-05 21:53:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 21:53:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 20:57:37 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-05 20:14:12 120 ----a-w- c:\windows\Tnesev.dat
2010-07-05 20:14:12 0 ----a-w- c:\windows\Iyalec.bin
2010-07-03 03:50:12 17866752 ----a-w- c:\documents and settings\greg cole\ntuser.bak
2010-06-28 18:36:04 0 d-----w- C:\e94576507cc035ae65d4
2010-06-26 15:47:11 0 d-----w- C:\1a40bef8e097f6157b5803
2010-06-15 23:27:24 0 d-----w- c:\docume~1\gregco~1\applic~1\Dropbox
2010-06-10 03:01:27 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-07-06 21:35:55 90112 ----a-w- c:\windows\DUMP3ae6.tmp
2010-07-05 21:28:51 90112 ----a-w- c:\windows\DUMP7668.tmp
2010-06-15 15:53:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-03 15:52:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-20 20:49:27 61304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-20 04:14:14 93112 ----a-w- c:\windows\fonts\STOMPER_.TTF
2010-05-19 21:51:42 90112 ----a-w- c:\windows\DUMP5beb.tmp
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-02-23 03:51:21 35 ----a-w- c:\program files\FlashDetector.ini
2006-03-31 21:38:26 469824 ----a-w- c:\windows\inf\wpn311\WPN311.sys
2006-03-31 21:38:24 35232 ----a-w- c:\windows\inf\wpn311\ME_INST.EXE
2006-03-31 21:38:24 26112 ----a-w- c:\windows\inf\wpn311\install.exe
2009-06-10 21:06:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 11:54:37.76 ===============

Good. Let's continue then.

Open notepad and copy/paste the text in the quotebox below into it:

[code]Driver::
Comsdrbqnv
File::
c:\windows\Tnesev.dat
c:\windows\Iyalec.bin
Regnull::
[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{88FB3F27-689B-DC23-D5B4-6AD11229544C}*]
[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B9E3BC41-111C-6DBD-BB9B-1DA124CE3D0C}*][/code]


Save this as CFScript

[color="#ff0000"][b]A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.[/b][/color]

[img]http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif[/img]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


[b]Uninstall old Adobe Reader versions[/b] and get the latest one with updates (9.3 and updates 9.3.2 & 9.3.3) [url="http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows"]here[/url] or get Foxit Reader [url="http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm"]here[/url]. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced [url="http://pdfreaders.org/"]here[/url].

Uninstall your current [b]Adobe shockwave player[/b] and get the fresh one [url="http://get.adobe.com/shockwave/"]here[/url] if needed.


[b][color="blue"]Your Java is out of date.[/color][/b] Older versions have vulnerabilities that malware can use to infect your system. [b]Please follow these steps to remove older version Java components and update to the latest version...[/b]

[b][color="blue"]Updating Java:[/color][/b][list]
[*]Download the latest version of [b][url="http://java.sun.com/javase/downloads/index.jsp"]Java Runtime Environment (JRE) 6 Update 20[/url][/b].
[*]Click the [b]Download[/b] button to the right.
[*]Select Windows on the platform combobox and check the box that says: [i][b]Accept[/b] License Agreement[/i]. Click continue.

[*]The page will refresh.
[*]Click on the link to download [i]Windows Offline Installation[/i] with or without Multi-language and save to your desktop.
[*]Close any programs you may have running - especially your web browser.
[*]Go to [b]Start[/b] > [b]Control Panel[/b] double-click on [b]Add/Remove[/b] programs and remove all older versions of Java.
[*]Check any item with Java Runtime Environment (JRE or J2SE) in the name.
[*]Click the [b]Remove[/b] or [b]Change/Remove[/b] button.
[*]Repeat as many times as necessary to remove each Java version.
[*]Reboot your computer once all Java components are removed.
[*]Then from your desktop double-click on [b]jre-6u20-windows-i586-p.exe[/b] to install the newest version. Uncheck Carbonite online backup trial if it's offered there.
[/list]


Download [color="Blue"][u][url="http://www.atribune.org/ccount/click.php?id=1"]ATF (Atribune Temp File) Cleaner© by Atribune[/url][/u][/color] to your desktop.

Double-click [color="green"]ATF Cleaner.exe[/color] to open it

Under [b]Main[/b] choose:
[color="blue"]Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache[/color]
*[i]The other boxes are optional[/i]*
Then click the [color="blue"]Empty Selected[/color] button.

[color="Green"]If you use Firefox:[/color]
Click [color="blue"]Firefox[/color] at the top and choose: [color="blue"]Select All[/color]
Click the [color="blue"]Empty Selected[/color] button.
[color="green"]NOTE:[/color] If you would like to keep your saved passwords, please click [color="blue"]NO[/color] at the prompt.

[color="green"]If you use Opera:[/color]
Click [color="blue"]Opera[/color] at the top and choose: [color="blue"]Select All[/color]
Click the [color="blue"]Empty Selected[/color] button.
[color="green"]NOTE:[/color] If you would like to keep your saved passwords, please click [color="blue"]NO[/color] at the prompt.

Click [color="green"]Exit[/color] on the [color="blue"]Main menu[/color] to close the program.


Please run an online scan with [url="http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html"][b]Kaspersky Online Scanner[/b][/url] as instructed in the screenshot [url="http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif"]here[/url].


Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.

Here is the new ComboFix log. Performing remaining steps now. Not sure it matters, but I received a pop-up 'exception Unknown exception in PEV.exe' during the scan. I dismissed it and everything seemed to run without issue. Thanks again for all of your help. I'll post the next round of logs soon. Please let me know when to re-enable Ad Watch/Firewall.

ComboFix 10-07-07.02 - Greg Cole 07/08/2010 12:14:34.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1449 [GMT -7:00]
Running from: C:\something.exe
Command switches used :: c:\documents and settings\Greg Cole\Desktop\CFScript.txt
AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

FILE ::
"c:\windows\Iyalec.bin"
"c:\windows\Tnesev.dat"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Greg Cole\Local Settings\Application Data\{1DE04EFC-14B1-49AE-A7DE-39E52F8DBD99}
c:\documents and settings\Greg Cole\Local Settings\Application Data\{1DE04EFC-14B1-49AE-A7DE-39E52F8DBD99}\chrome\content\_cfg.js
c:\documents and settings\Greg Cole\Local Settings\Application Data\{1DE04EFC-14B1-49AE-A7DE-39E52F8DBD99}\chrome\content\overlay.xul
c:\documents and settings\Greg Cole\Local Settings\Application Data\{1DE04EFC-14B1-49AE-A7DE-39E52F8DBD99}\install.rdf
c:\windows\Iyalec.bin
c:\windows\My.ini
c:\windows\Tnesev.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_Comsdrbqnv


((((((((((((((((((((((((( Files Created from 2010-06-08 to 2010-07-08 )))))))))))))))))))))))))))))))
.

2010-07-08 15:48 . 2010-07-08 15:48 3728433 ----a-r- C:\something.exe
2010-07-07 22:31 . 2010-07-07 22:31 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-07 15:25 . 2010-07-07 15:25 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-07-07 15:23 . 2010-07-07 15:23 -------- d-----w- c:\windows\system32\NtmsData
2010-07-06 18:58 . 2010-07-06 18:58 -------- d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-07-06 18:58 . 2010-07-06 18:58 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-07-05 21:53 . 2010-04-29 22:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 21:53 . 2010-04-29 22:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 20:57 . 2010-07-05 20:57 -------- d-----w- c:\windows\system32\wbem\Repository
2010-06-28 18:36 . 2010-06-28 18:36 -------- d-----w- C:\e94576507cc035ae65d4
2010-06-28 16:35 . 2010-06-28 16:35 -------- d-----w- c:\documents and settings\Greg Cole\Local Settings\Application Data\PCHealth
2010-06-26 15:47 . 2010-06-26 15:47 -------- d-----w- C:\1a40bef8e097f6157b5803
2010-06-15 23:27 . 2010-07-08 18:42 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Dropbox
2010-06-10 03:01 . 2010-05-06 10:41 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-08 19:23 . 2010-04-15 16:13 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\WTablet
2010-07-08 19:23 . 2010-04-18 15:51 -------- d-----w- c:\documents and settings\LocalService\Application Data\WTablet
2010-07-06 21:35 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP3ae6.tmp
2010-07-06 19:27 . 2007-03-20 23:02 -------- d-----w- c:\documents and settings\Administrator\Application Data\Gtek
2010-07-06 19:25 . 2009-11-10 16:29 -------- d-----w- c:\program files\NVIDIA Corporation
2010-07-05 21:53 . 2010-04-02 20:50 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-05 21:28 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP7668.tmp
2010-06-24 03:44 . 2006-03-19 00:28 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Lavasoft
2010-06-24 03:44 . 2006-03-19 00:28 -------- d-----w- c:\program files\Lavasoft
2010-06-15 15:53 . 2010-03-31 18:15 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-09 17:00 . 2010-01-06 02:26 -------- d-----w- c:\program files\Citrix
2010-06-08 03:19 . 2010-06-07 22:48 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\Skype
2010-06-07 23:00 . 2008-03-21 19:52 -------- d-----w- c:\documents and settings\Greg Cole\Application Data\skypePM
2010-06-07 22:50 . 2010-06-07 22:50 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2010-06-07 22:48 . 2010-06-07 22:47 -------- d-----r- c:\program files\Skype
2010-06-07 22:47 . 2010-06-07 22:47 -------- d-----w- c:\program files\Common Files\Skype
2010-06-07 22:47 . 2008-03-21 19:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-06-07 22:23 . 2010-06-07 22:23 -------- d-----w- c:\program files\DemoForge
2010-06-07 22:23 . 2010-06-07 22:23 -------- d--h--w- c:\program files\Zero G Registry
2010-06-03 15:52 . 2010-03-31 18:02 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-06-02 23:04 . 2010-06-02 23:04 -------- d-----w- c:\program files\GenArts
2010-05-20 20:49 . 2009-11-05 22:11 61304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-20 18:40 . 2005-10-04 22:37 83112 ----a-w- c:\documents and settings\Greg Cole\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-19 21:51 . 2007-03-21 17:53 90112 ----a-w- c:\windows\DUMP5beb.tmp
2010-05-17 20:22 . 2009-10-20 19:27 -------- d-----w- c:\program files\Showit
2010-05-06 10:41 . 2004-08-10 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22 . 2004-08-10 17:51 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-04-20 05:30 . 2004-08-10 17:50 285696 ----a-w- c:\windows\system32\atmfd.dll
2008-02-23 03:51 . 2008-02-23 03:51 35 ----a-w- c:\program files\FlashDetector.ini
2007-12-03 03:05 . 2007-12-02 19:24 72 --sh--w- c:\windows\SAA957F3F.tmp
.

------- Sigcheck -------

[7] 2008-04-13 . 9F3A2F5AA6875C72BF062C712CFA2674 . 96512 . . [5.1.2600.5512] . . c:\windows\ServicePackFiles\i386\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\drivers\atapi.sys
[-] 2004-08-04 . CDFE4411A69C224BD1D11B2DA92DAC51 . 95360 . . [5.1.2600.2180] . . c:\windows\system32\ReinstallBackups10\DriverFiles\i386\atapi.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTReminder"="c:\program files\Lavasoft\Lavasoft Registry Tuner\RegistryTuner.exe" [2007-12-20 1912672]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\iaanotif.exe" [2005-04-25 139264]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"MMTray"="c:\program files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-15 135168]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 81920]
"AdobeVersionCue"="c:\program files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe" [2003-10-13 1732608]
"mmtask"="c:\program files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2005-03-15 53248]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-06-21 35328]
"WD Button Manager"="WDBtnMgr.exe" [2007-03-23 339968]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"SSBkgdUpdate"="c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4"="c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2009-03-11 611712]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 339968]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-03-26 142120]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-08-06 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-08-06 13877248]

c:\documents and settings\Greg Cole\Start Menu\Programs\Startup\
Dropbox.lnk - c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\Dropbox.exe [2010-2-25 21979992]
WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2005-4-4 936448]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2009-9-16 972064]
QuickBooks US Plugin.lnk - c:\program files\PayPal Payment Request Wizard\QB US edition\OEHook.exe [2009-4-29 888987]
WD Backup Monitor.lnk - c:\program files\My Book\WD Backup\uBBMonitor.exe [2007-3-22 98304]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"SQLAgent$MICROSOFTSMLBIZ"=3 (0x3)
"MSSQLServerADHelper"=3 (0x3)
"MSSQL$MICROSOFTSMLBIZ"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\GlobalSCAPE\\CuteFTP\\cutftp32.exe"=
"c:\\Program Files\\FileZilla\\FileZilla.exe"=
"c:\\Program Files\\Macromedia\\HomeSite+\\HomeSite+.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Electric Rain\\Swift 3D\\Version 4.00\\Program\\Swift3D.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\1Click DVD Ripper\\1ClickDr.exe"=
"c:\\Program Files\\Sorenson Media\\Sorenson Squeeze\\Squeeze.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\ruby\\bin\\ruby.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects 7.0\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Documents and Settings\\Greg Cole\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2007\\QBDBMgrN.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Common Files\\Adobe\\Adobe Version Cue CS4\\Server\\bin\\VersionCueCS4.exe"=
"c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Adobe\\Adobe After Effects CS4\\Support Files\\AfterFX.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Greg Cole\\Application Data\\Dropbox\\bin\\Dropbox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58745:TCP"= 58745:TCP:PORT_58745
"11743:TCP"= 11743:TCP:PORT_11743
"62949:TCP"= 62949:TCP:PORT_62949
"61555:TCP"= 61555:TCP:PORT_61555
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3703:TCP"= 3703:TCP:Adobe Version Cue CS4 Server
"3704:TCP"= 3704:TCP:Adobe Version Cue CS4 Server
"51000:TCP"= 51000:TCP:Adobe Version Cue CS4 Server
"51001:TCP"= 51001:TCP:Adobe Version Cue CS4 Server

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [3/31/2010 11:02 AM 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [3/31/2010 11:03 AM 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [10/30/2009 12:03 PM 95024]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [3/5/2007 3:23 AM 16896]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [3/31/2010 11:03 AM 69936]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [4/15/2010 9:12 AM 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/28/2007 2:45 PM 24652]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [12/17/2009 3:32 PM 497856]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe [8/15/2008 5:46 AM 288112]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [9/4/2009 4:38 PM 25728]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/5/2010 2:03 AM 1352832]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\Greg Cole\Application Data\NVIDIA\HWAccess.sys --> c:\documents and settings\Greg Cole\Application Data\NVIDIA\HWAccess.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-07-08 c:\windows\Tasks\Ad-Aware Scan (Weekly smart scan).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-08 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-05 20:43]

2010-07-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2010-07-08 c:\windows\Tasks\User_Feed_Synchronization-{5A5DADE2-3614-4B86-95A6-BBCEE45A8885}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
Trusted Zone: intuit.com\ttlc
DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} - hxxp://www.fototime.com/ftweb/activeX/WebUploadControl.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://67.40.90.115:1024/img/LinksysViewer.cab
FF - ProfilePath - c:\documents and settings\Greg Cole\Application Data\Mozilla\Firefox\Profiles\fpoi5nus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\Greg Cole\Application Data\Mozilla\Firefox\Profiles\fpoi5nus.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\WINNT_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\QuickTime\Plugins\npqtplugin8.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----

c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-08 12:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\Local AppWizard-Generated Applications\MMDiag]
@DACL=(02 0000)

[HKEY_USERS\S-1-5-21-1860907778-2254648140-3792588654-1008\Software\MusicMatch, Inc.\Musicmatch for WMP]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\BVRP Software\Modem Helper]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version*Version]
"Version"=hex:4b,e3,89,55,8b,ea,08,72,a7,b8,6d,75,8a,6d,fb,46,10,27,25,93,9a,
fa,ba,b0,d5,11,9d,5d,9f,34,cd,59,c1,3b,11,e5,ce,20,fd,ba,c2,ab,53,09,36,09,\

[HKEY_LOCAL_MACHINE\software\GenArts\Sapphire AE\Install-{EC3F6705-85EF-4FB1-4E30-80781324E273}\Data*]
@DACL=
"DefaultSettings"="99:{C6DDA450-F687-55DF-CA23-1A5083308C5D}"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\Hlp]
@DACL=(02 0000)
"NetworkAddress"="adapter_adv_laa"
"CPUSaver"="adapter_adv_adap_perf_tune"
"NumRxDescriptors"="adapter_adv_rx_descriptors"
"AdaptiveIFS"="adapter_adv_adap_ifs"
"ChecksumRxIp"="adapter_adv_offload_tcpip_checksum"
"NumTxDescriptors"="adapter_adv_tx_descriptors"
"ChecksumRxTcp"="adapter_adv_offload_rx_tcp_checksum"
"ChecksumTxIp"="adapter_adv_offload_tx_ip_checksum"
"ChecksumTxTcp"="adapter_adv_offload_tx_tcp_checksum"
"TcpSegmentation"="adapter_adv_offload_tcp_segmentation"
"EnablePME"="adapter_adv_enable_pme"
"FlowControl"="adapter_adv_flow_control"
"LogLinkStateEvent"="adapter_adv_log_link"
"MaxFrameSize"="adapter_adv_jumbo_frames"
"TaggingMode"="adapter_adv_qos_tagging"
"Adaptive_IFS"="adapter_adv_adap_ifs"
"WakeOn"="adapter_adv_wake_on_settings"
"WakeOnLink"="adapter_adv_wake_on_link"
"ConfigIFS"="adapter_adv_retransmit_ifs"
"HPQPriorityLevel"="adapter_adv_priority_leveL"
"NumCoalesce"="adapter_adv_laa"
"NumRfd"="adapter_adv_rx_descriptors"
"NumTcb"="adapter_adv_tx_descriptors"
"Threshold"="adapter_adv_adap_tx_thresh"
"Coalesce"="adapter_adv_coalesce_buff"
"AlwaysConnectGoal"="adapter_adv_low_resource"
"UcodeSW"="adapter_adv_adap_tech"
"Power Saver Options"="adapter_adv_dlog_power"
"Offloading Options"="adapter_adv_dlog_offload"
"Performance Options"="adapter_adv_dlog_performance"
"Wake On LAN"="adapter_adv_dlog_wol"
"PCI Bus Efficiency"="adapter_adv_pci_bus"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\uninst]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\DMIX\uninst\PROSet]
@DACL=(02 0000)
"DisplayName"="Intel® PRO Network Connections Drivers"
"UninstallString"="Prounstl.exe"
"DisplayIcon"=expand:"%SystemRoot%\\system32\\Prounstl.exe"

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents\TeamAgnt\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Agents\VlanAgnt\Settings]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\INTEL\Network_Services\NCS2\Wmi]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Advanced INF Setup\IEHomePageInfo\RegBackup]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\DirectInput\Compatibility\CLIENT2._EXE35FEFABD00088200*]
@DACL=
"MaxDeviceNameLen"="10??23Þ0000Ã?6d96y"
"NoPollSucceed"="{99C020F8-0019-9BA1-5B71-3E2E71109ECF}"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\10.0]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Player\Schemes]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\services]
@DACL=(02 0000)
"NoServices"=dword:00000000
"ServiceExtra"="Partner=Dell&MachineID=5WYWK81????iŸ'?6'??\1d?''?6???6????????????'?'?? ????Ÿ'''?6???6?14?6???6?????'????'???????6'??3?''???6???6??????????????e???6?6a?????''???6?6?6??8??????????e?????? ???'?????6'???61???'?6???'?????'????P"

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Settings]
@DACL=(02 0000)
@SACL=

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\Subscriptions]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\MediaPlayer\UIPlugins\{EC9B8ACF-09C1-4C7B-A6BA-F5CBC478CA71}]
@DACL=(02 0000)
"FriendlyName"="res://MMRadioWMPPlugin.dll/RT_STRING/#102"
"Description"="res://MMRadioWMPPlugin.dll/RT_STRING/#103"
"Capabilities"=dword:c2000001

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install*Loc\VxDs]
@DACL=
"CTE_32 Name"="2455350:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install*Loc\VxDs]
@DACL=
"DefaultSettings"="-12:{3C7DA433-1047-9FC4-00BA-978A09424856}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Install*Loc\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 1.1]
@DACL=
"dat"="806585365:{CC23126B-3651-A598-1B83-0D07D9FA0C7E}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\•€|ÿÿÿÿ"•€|ù•Ôw*]
"5E7CEC10DF0760D4F8DAFB12FDC06CCD"="02:\\Software\\Adobe\\FeatureSubscriptions\\DVAAdobeDocMeta\\{01CEC7E5-70FD-4D06-8FAD-BF21DF0CC6DC}\\Registered"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{077ACEC7-979C-40AB-9835-435BA1511E0D}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{077ACEC7-979C-40AB-9835-435BA1511E0D}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\MPPRE10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{077ACEC7-979C-40AB-9835-435BA1511E0D}\\mppre10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{30C7234B-6482-4A55-A11D-ECD9030313F2}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{30C7234B-6482-4A55-A11D-ECD9030313F2}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\WMDM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{30C7234B-6482-4A55-A11D-ECD9030313F2}\\wmdm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{3FDF25EE-E592-4495-8391-6E9C504DAC2B}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\\WMSET10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{3FDF25EE-E592-4495-8391-6E9C504DAC2B}\\wmset10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{60204BB3-7078-4F70-8F69-68297621941C}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{60204BB3-7078-4F70-8F69-68297621941C}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\MPSTUB10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{60204BB3-7078-4F70-8F69-68297621941C}\\mpstub10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{981FB688-E76B-4246-987B-92083185B90A}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{981FB688-E76B-4246-987B-92083185B90A}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\WPD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{981FB688-E76B-4246-987B-92083185B90A}\\wpd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{A47B3654-48EE-48A5-B629-97D70175E58F}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{A47B3654-48EE-48A5-B629-97D70175E58F}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{A47B3654-48EE-48A5-B629-97D70175E58F}\\codecs10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\WMFSDK10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{AAC1D942-0B38-4E37-9E4E-5B96A9DD2170}\\wmfsdk10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\DRM10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{C5B8FBE9-645E-4484-A7AA-E8DA9A70DD77}\\drm10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\MPCD10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{CFB4B314-0328-45E1-94AF-45A3F5F48E0B}\\mpcd10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{DD90D410-1823-43EB-9A16-A2331BF08799}]
@DACL=(02 0000)
"FriendlyName"="Windows Media Files"
"ComponentGUID"="{DD90D410-1823-43EB-9A16-A2331BF08799}"
"Version"=dword:000a0000
"Sub-Version"=dword:00000e3e
"ExceptionInfName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{DD90D410-1823-43EB-9A16-A2331BF08799}\\WMP10.inf"
"ExceptionCatalogName"=expand:"c:\\WINDOWS\\RegisteredPackages\\{DD90D410-1823-43EB-9A16-A2331BF08799}\\wmp10.cat"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash]
@DACL=(02 0000)
@SACL=
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\z*\{{05FF8CB8-4942-FCF6-301D-6930181DE865}}]
@DACL=
"DefaultSettings"="2455364:{37C8840C-72FD-B1F6-4FC1-23A6EF5B6255}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\{17874181-D77E-39CC-9D3D-7FC6F20E54FB}*\Install*Loc\xga-3v5\dat]
@DACL=
"default"="518022258:{5673937F-442A-408C-6551-F5EB079B6E31}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Install VBX*\Current*Version\Install*Loc\xga-1-{1CC55961-C5EE-31FD-E8B2-AB29A24907CA}\Version 3.x]
@DACL=
"dat"="1767914624:{7BBA061A-84F8-12B1-0872-56B2564CC278}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Mass Storage]
@DACL=(02 0000)
"DeviceInterface"="{53F5630D-B6BF-11D0-94F2-00A0C91EFB8B}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Portable Audio Players]
@DACL=(02 0000)
"DeviceInterface"="{F33FDC04-D1AC-4E8E-9A30-19BBD4B108AE}"
"FilterParameter"="UseExtendedWmdm"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE]
@DACL=(02 0000)
"DeviceInterface"="{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDeviceClasses\Windows CE RNDIS]
@DACL=(02 0000)
"DeviceInterface"="{ad498944-762f-11d0-8dcb-00c04fc3358c}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices]
@DACL=(02 0000)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDevice]
@DACL=(02 0000)
"DeviceInterface"="{25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}"
"WMDMSPCLSID"="{067B4B81-B1EC-489f-B111-940EBDC44EBE}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\KnownDevices\WinCEDeviceRNDIS]
@DACL=(02 0000)
"DeviceInterface"="{ad498944-762f-11d0-8dcb-00c04fc3358c}"
"WMDMSPCLSID"="{067B4B81-B1EC-489f-B111-940EBDC44EBE}"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows Media Device Manager\Plugins\SCP\SCPTRANS]
@DACL=(02 0000)
"ProgID"="MsScp.SCPTRANS.1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smase._dll*]
@DACL=
"AplicationGoo"="10)#31¾3f73?ále133Ö"
"ChkAppHelp"="{376004F2-57D6-9811-1B01-4B82A757C373}"

[HKEY_LOCAL_MACHINE\software\Microsoft\WinXGA*\Providers*\{D41D8CD9-8F00-B204-E980-0998ECF8427E}\Current*Set\xga-3v5\ver]
@DACL=
"KnownSvcs"="925610637:{4BAAA063-DECA-4010-C078-0AB72138E48E}"

[HKEY_LOCAL_MACHINE\software\Minnetonka Audio Software\SurCode Dolby Digital Premiere\Version*Version]
"Version"=hex:4b,e3,89,55,8b,ea,08,72,a7,b8,6d,75,8a,6d,fb,46,10,27,25,93,9a,
fa,ba,b0,d5,11,9d,5d,9f,34,cd,59,c1,3b,11,e5,ce,20,fd,ba,c2,ab,53,09,36,09,\

[HKEY_LOCAL_MACHINE\software\XBMga*\UUIDs\{D267FD78-5B38-7F95-267D-28AED7CD122A}\xga-3v5\Install*Loc]
@DACL=
"{19620715-0001-1211-574574-30001}"="232780633:{3FED4A7B-BDD7-2422-14D2-655D030616D2}"

[HKEY_LOCAL_MACHINE\software\xGenArts\Sapphire AE\DLL ver*\{A6D90D08-68DD-2B46-E2AC-5782669B2696}]
@DACL=
"CTE_32 Name"="9:{19C42D30-D844-8A07-12A4-E783E7D228F7}"

[HKEY_LOCAL_MACHINE\software\xGenArts\Sapphire AE\DLL ver*\{B08ECCAD-FEC0-A273-8DFD-B47BE795EE25}]
@DACL=
"DefaultSettings"="12:{5351C505-4E6C-6ECA-E5BD-7AE84A571B0A}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3308)
c:\windows\system32\WININET.dll
c:\program files\ScanSoft\OmniPageSE4.0\OpHookSE4.dll
c:\documents and settings\Greg Cole\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\windows\SYSTEM32\astsrv.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\xampp\filezillaftp\filezillaserver.exe
c:\program files\Intel\Intel Matrix Storage Manager\iaantmon.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\xampp\mysql\bin\mysqld-nt.exe
c:\windows\system32\WTablet\Wacom_TabletUser.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\WDBtnMgr.exe
c:\windows\stsystra.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-07-08 12:33:41 - machine was rebooted
ComboFix-quarantined-files.txt 2010-07-08 19:33
ComboFix2.txt 2010-07-08 18:51

Pre-Run: 77,936,152,576 bytes free
Post-Run: 77,914,914,816 bytes free

Current=4 Default=4 Failed=3 LastKnownGood=5 Sets=1,2,3,4,5
- - End Of File - - F9FEE5FD763718EA41841D9FB9C2FE09

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, July 8, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, July 08, 2010 16:09:46
Records in database: 4242510
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan statistics:
Objects scanned: 414400
Threats found: 12
Infected objects found: 20
Suspicious objects found: 0
Scan duration: 07:14:51


File name / Threat / Threats count
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\827568A28AD44457A81ABC08309D7D62\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\827568A28AD44457A81ABC08309D7D62\lib\YugmaPlugin.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\14\203e9bce-4d7ae7fb Infected: Exploit.Java.Agent.an 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\14\203e9bce-4d7ae7fb Infected: Exploit.Java.Agent.am 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\25\36342599-4251d95d Infected: Exploit.Java.Agent.aq 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\25\36342599-4251d95d Infected: Exploit.Java.Agent.ap 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\25\36342599-4251d95d Infected: Exploit.Java.Agent.ao 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\55\6aa22eb7-7c0556e3 Infected: Trojan-Downloader.Java.Agent.ao 1
C:\Documents and Settings\Greg Cole\Application Data\Sun\Java\Deployment\cache\6.0\60\64b09dbc-18865b43 Infected: Trojan-Downloader.Java.Agent.ff 1
C:\Documents and Settings\Greg Cole\Yugma\4.1\lib\DskHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\Documents and Settings\Greg Cole\Yugma\4.1\lib\YugmaPlugin.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\Program Files\GlobalSCAPE\CuteFTP\cutftp32.exe Infected: not-a-virus:NetTool.Win32.ZXProxy.pa 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\fbacfa1f.sys.vir Infected: Trojan-PSW.Win32.Agent.oww 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP227\A0055604.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP227\A0055604.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1360 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP262\A0077590.sys Infected: Trojan-PSW.Win32.Agent.oww 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP262\A0077595.sys Infected: Trojan-PSW.Win32.Agent.oww 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP263\A0079239.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP263\A0080491.sys Infected: Trojan-PSW.Win32.Agent.oww 1
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP263\A0080499.sys Infected: Trojan-PSW.Win32.Agent.oww 1

Selected area has been scanned.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Greg Cole at 22:12:46.90 on Thu 07/08/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1447 [GMT -7:00]

AV: Lavasoft Ad-Watch Live! Anti-Virus *On-access scanning disabled* (Updated) {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\acs.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\SYSTEM32\astsrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\xampp\filezillaftp\filezillaserver.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\WTablet\Wacom_TabletUser.exe
C:\WINDOWS\system32\Wacom_Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Adobe\Adobe Version Cue\ControlPanel\VersionCueTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\PayPal Payment Request Wizard\QB US edition\OEHook.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Documents and Settings\Greg Cole\Application Data\Dropbox\bin\Dropbox.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\Greg Cole\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
uRun: [RTReminder] c:\program files\lavasoft\lavasoft registry tuner\RegistryTuner.exe -rem
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [AdobeVersionCue] c:\program files\adobe\adobe version cue\controlpanel\VersionCueTray.exe
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [WD Button Manager] WDBtnMgr.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4.0\OpwareSE4.exe"
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [Adobe_ID0ENQBO] c:\progra~1\common~1\adobe\adobev~1\server\bin\VERSIO~2.EXE
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\dropbox.lnk - c:\documents and settings\greg cole\application data\dropbox\bin\Dropbox.exe
StartupFolder: c:\docume~1\gregco~1\startm~1\programs\startup\winmys~1.lnk - c:\xampp\mysql\bin\winmysqladmin.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - c:\program files\common files\intuit\quickbooks\qbupdate\qbupdate.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~2.lnk - c:\program files\paypal payment request wizard\qb us edition\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\wdback~1.lnk - c:\program files\my book\wd backup\uBBMonitor.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
Trusted Zone: intuit.com\ttlc
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/8/b/d/8bd77752-5704-4d68-a152-f7252adaa4f2/LegitCheckControl.cab
DPF: {2119940C-F1CE-4258-8B96-41ECCA2BB184} - hxxp://www.fototime.com/ftweb/activeX/WebUploadControl.cab
DPF: {26B2A5DA-BFD6-422F-A89A-28A54C74B12B} - hxxp://www.costcophotocenter.com/upload/activex/v3_0_0_4/PhotoCenter_ActiveX_Control.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www.costcophotocenter.com/CostcoActivia.cab
DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} - hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://63.170.254.21/CACHE/stc/1/binaries/vpnweb.cab
DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} - hxxp://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
DPF: {7B133798-FAA8-4A7E-950D-BEB35D3363AF} - hxxp://67.40.90.115:1024/img/LinksysViewer.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\gregco~1\applic~1\mozilla\firefox\profiles\fpoi5nus.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\greg cole\application data\mozilla\firefox\profiles\fpoi5nus.default\extensions\{e3f6c2cc-d8db-498c-af6c-499fb211db97}\platform\winnt_x86-msvc\components\pagespeed.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npqtplugin8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\quicktime\plugins\npqtplugin8.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-3-31 64288]
R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-3-31 13360]
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-30 95024]
R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2007-3-5 16896]
R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-3-31 69936]
R2 TabletServiceWacom;TabletServiceWacom;c:\windows\system32\Wacom_Tablet.exe [2010-4-15 1373480]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-11-28 24652]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-12-17 497856]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [2005-11-25 31896]
S3 Adobe Version Cue CS4;Adobe Version Cue CS4;c:\program files\common files\adobe\adobe version cue cs4\server\bin\VersionCueCS4.exe [2008-8-15 288112]
S3 androidusb;ADB Interface Driver;c:\windows\system32\drivers\androidusb.sys [2009-9-4 25728]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-5 1352832]
S3 NVIDIAHWAccess;NVIDIAHWAccess;\??\c:\documents and settings\greg cole\application data\nvidia\hwaccess.sys --> c:\documents and settings\greg cole\application data\nvidia\HWAccess.sys [?]

=============== Created Last 30 ================

2010-07-08 19:56:54 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-07-08 19:56:54 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-08 19:25:23 58 ----a-w- c:\windows\my.ini
2010-07-08 15:48:35 3728433 ----a-r- C:\something.exe
2010-07-07 17:20:31 0 d-sha-r- C:\cmdcons
2010-07-07 17:16:34 98816 ----a-w- c:\windows\sed.exe
2010-07-07 17:16:34 77312 ----a-w- c:\windows\MBR.exe
2010-07-07 17:16:34 256512 ----a-w- c:\windows\PEV.exe
2010-07-07 17:16:34 161792 ----a-w- c:\windows\SWREG.exe
2010-07-07 15:23:05 0 d-----w- c:\windows\system32\NtmsData
2010-07-06 18:58:18 0 d-----w- c:\windows\C5C1C0F0D62F4DBF81D4D7EF397C228B.TMP
2010-07-06 18:58:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-07-05 21:53:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-05 21:53:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-05 20:57:37 0 d-----w- c:\windows\system32\wbem\Repository
2010-07-03 03:50:12 17866752 ----a-w- c:\documents and settings\greg cole\ntuser.bak
2010-06-28 18:36:04 0 d-----w- C:\e94576507cc035ae65d4
2010-06-26 15:47:11 0 d-----w- C:\1a40bef8e097f6157b5803
2010-06-15 23:27:24 0 d-----w- c:\docume~1\gregco~1\applic~1\Dropbox
2010-06-10 03:01:27 743424 ------w- c:\windows\system32\dllcache\iedvtool.dll

==================== Find3M ====================

2010-07-06 21:35:55 90112 ----a-w- c:\windows\DUMP3ae6.tmp
2010-07-05 21:28:51 90112 ----a-w- c:\windows\DUMP7668.tmp
2010-06-15 15:53:03 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-06-03 15:52:20 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-05-20 20:49:27 61304 ---ha-w- c:\windows\system32\mlfcache.dat
2010-05-20 04:14:14 93112 ----a-w- c:\windows\fonts\STOMPER_.TTF
2010-05-19 21:51:42 90112 ----a-w- c:\windows\DUMP5beb.tmp
2010-05-05 13:30:57 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2010-05-02 05:22:50 1851264 ------w- c:\windows\system32\dllcache\win32k.sys
2010-04-20 05:30:08 285696 ----a-w- c:\windows\system32\atmfd.dll
2010-04-20 05:30:08 285696 ------w- c:\windows\system32\dllcache\atmfd.dll
2008-02-23 03:51:21 35 ----a-w- c:\program files\FlashDetector.ini
2006-03-31 21:38:26 469824 ----a-w- c:\windows\inf\wpn311\WPN311.sys
2006-03-31 21:38:24 35232 ----a-w- c:\windows\inf\wpn311\ME_INST.EXE
2006-03-31 21:38:24 26112 ----a-w- c:\windows\inf\wpn311\install.exe
2009-06-10 21:06:45 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009061020090611\index.dat

============= FINISH: 22:13:38.68 ===============

OK - all requested scans/steps complete and logs attached. Thank you for your continued help with this!

Sorry - one question while I am thinking of it if you don't mind... I have an external back-up drive that has not been connected for some time. What is the best/safest/recommended way to connect that drive again and scan the volume for issues, please? THANKS!
