Hi,
Thanks for the logs, but we prefer them copy/pasted here rather than attached, unless specifically asked to do so. I'll do that now for convenience and will get back to you when I have checked them.
ComboFix 08-05-11.1 - Chris XXXX 2008-05-12 20:49:59.1 - NTFSx86
Microsoft® Windows Vista™ Home Basic 6.0.6000.0.1252.1.1033.18.1211 [GMT 8:00]
Running from: C:\Users\Chris XXXX\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\NetProject
C:\Program Files\NetProject\scu.exe
C:\Users\Chris XXXX\AppData\Roaming\macromedia\Flash Player\#SharedObjects\WNDWQTDR\www.inter-focus.cn
C:\Users\Chris XXXX\AppData\Roaming\macromedia\Flash Player\#SharedObjects\WNDWQTDR\www.inter-focus.cn\IFFLASHAD_PLAYER.sol
C:\Users\Chris XXXX\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn
C:\Users\Chris XXXX\AppData\Roaming\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.inter-focus.cn\settings.sol
C:\Windows\Downloaded Program Files\setup.inf
.
((((((((((((((((((((((((( Files Created from 2008-04-12 to 2008-05-12 )))))))))))))))))))))))))))))))
.
2008-05-12 20:49 . 2008-05-12 20:49 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{2b66d403-2018-11dd-ad96-001c23921aa3}.TMContainer00000000000000000002.regtrans-ms
2008-05-12 20:49 . 2008-05-12 20:49 524,288 --ahs---- C:\Users\Public\NTUSER.DAT{2b66d403-2018-11dd-ad96-001c23921aa3}.TMContainer00000000000000000001.regtrans-ms
2008-05-12 20:49 . 2008-05-12 20:49 65,536 --ahs---- C:\Users\Public\NTUSER.DAT{2b66d403-2018-11dd-ad96-001c23921aa3}.TM.blf
2008-05-07 19:30 . 2008-05-07 19:31 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-05-06 20:14 . 2008-05-07 14:52 <DIR> d-------- C:\Users\All Users\NVIDIA
2008-05-06 20:14 . 2008-05-07 14:52 <DIR> d-------- C:\ProgramData\NVIDIA
2008-05-06 17:55 . 2008-05-06 17:55 <DIR> d-------- C:\Deckard
2008-05-06 17:39 . 2008-05-06 17:39 <DIR> d-------- C:\Windows\nvtmpinst
2008-05-06 16:21 . 2008-05-06 16:21 <DIR> d-------- C:\Program Files\Panda Security
2008-04-25 17:48 . 2008-04-25 17:48 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-21 20:34 . 2008-04-21 20:34 <DIR> d-------- C:\Users\Chris XXXX\AppData\Roaming\Sibelius Software
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 08:18 --------- d-----w C:\Users\Chris XXXX\AppData\Roaming\uTorrent
2008-05-06 09:52 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-06 07:57 27,715 ----a-w C:\Users\Chris XXXX\AppData\Roaming\nvModes.dat
2008-05-05 13:19 --------- d-----w C:\Program Files\ESET
2008-04-20 03:53 --------- d-----w C:\Program Files\World of Warcraft
2008-04-11 17:26 --------- d-----w C:\Program Files\Warcraft III
2008-04-11 00:55 22,328 ----a-w C:\Windows\system32\drivers\PnkBstrK.sys
2008-04-11 00:54 103,736 ----a-w C:\Windows\System32\PnkBstrB.exe
2008-04-10 07:57 --------- d-----w C:\Program Files\Steam
2008-04-09 13:40 2,829 ----a-w C:\Windows\War3Unin.pif
2008-04-09 13:40 139,264 ----a-w C:\Windows\War3Unin.exe
2008-04-09 10:02 --------- d-----w C:\Program Files\Windows Mail
2008-04-09 01:18 --------- d-----w C:\Program Files\Common Files\Steam
2008-04-03 04:37 --------- d-----w C:\Program Files\iTunes
2008-04-03 04:37 --------- d-----w C:\Program Files\iPod
2008-04-03 04:35 --------- d-----w C:\Program Files\QuickTime
2008-03-27 13:41 --------- d-----w C:\Program Files\BitComet
2008-03-26 10:02 --------- d-----w C:\Program Files\uTorrent
2008-03-20 12:12 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-19 11:25 --------- d-----w C:\Users\Chris XXXX\AppData\Roaming\dvdcss
2008-03-14 02:56 --------- d-----w C:\Users\Chris XXXX\AppData\Roaming\Apple Computer
2008-02-29 06:51 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 06:39 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:39 371,712 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:38 313,856 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 06:38 16,384 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 06:34 7,168 ----a-w C:\Windows\System32\f3ahvoas.dll
2008-02-29 04:16 2,027,008 ----a-w C:\Windows\System32\win32k.sys
2008-02-21 04:43 826,368 ----a-w C:\Windows\System32\wininet.dll
2008-02-21 04:43 56,320 ----a-w C:\Windows\System32\iesetup.dll
2008-02-21 04:43 52,736 ----a-w C:\Windows\AppPatch\iebrshim.dll
2008-02-21 04:43 296,448 ----a-w C:\Windows\System32\gdi32.dll
2008-02-21 04:43 26,624 ----a-w C:\Windows\System32\ieUnatt.exe
2008-02-19 05:10 620,088 ----a-w C:\Windows\System32\ci.dll
2008-02-14 23:19 944,184 ----a-w C:\Windows\System32\winload.exe
2008-02-13 13:37 194,560 ----a-w C:\Windows\System32\WebClnt.dll
2008-02-13 13:34 3,504,696 ----a-w C:\Windows\System32\ntkrnlpa.exe
2008-02-13 13:34 3,470,392 ----a-w C:\Windows\System32\ntoskrnl.exe
2008-02-13 13:33 537,600 ----a-w C:\Windows\AppPatch\AcLayers.dll
2008-02-13 13:33 449,536 ----a-w C:\Windows\AppPatch\AcSpecfc.dll
2008-02-13 13:33 4,247,552 ----a-w C:\Windows\System32\GameUXLegacyGDFs.dll
2008-02-13 13:33 24,064 ----a-w C:\Windows\System32\netcfg.exe
2008-02-13 13:33 22,016 ----a-w C:\Windows\System32\netiougc.exe
2008-02-13 13:33 2,560 ----a-w C:\Windows\AppPatch\AcRes.dll
2008-02-13 13:33 2,144,256 ----a-w C:\Windows\AppPatch\AcGenral.dll
2008-02-13 13:33 173,056 ----a-w C:\Windows\AppPatch\AcXtrnal.dll
2008-02-13 13:33 167,424 ----a-w C:\Windows\System32\tcpipcfg.dll
2008-02-13 13:33 1,686,528 ----a-w C:\Windows\System32\gameux.dll
2007-11-10 13:21 22,328 ----a-w C:\Users\Chris XXXX\AppData\Roaming\PnkBstrK.sys
2007-08-29 09:51 174 --sha-w C:\Program Files\desktop.ini
2006-12-28 20:35 1,572,307 ----a-w C:\Users\Chris XXXX\war3.exe
2007-08-23 01:59 76 --sh--r C:\Windows\CT4CET.bin
2008-01-13 22:18 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Feeds Cache\index.dat
.
------- Sigcheck -------
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-11-02 20:34 201728]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-02-28 23:06 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2007-08-23 17:36 1006264]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 08:35 857648]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [2007-05-09 17:01 36864]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-06-25 13:17 405504]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [2007-08-23 09:54 77824]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 11:37 81920]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-10-19 14:10 949376]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 09:24 16384]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2007-06-18 15:10 271360]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-10-04 21:24 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-10-04 21:24 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-10-04 21:24 81920]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [2007-10-04 21:24 86016]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 10:17 1241088]
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-11-03 17:55:50 703280]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-23 09:55:30 50688]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [2007-08-23 09:57:29 45056]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{C91DCFF4-280D-41F8-8C6E-DD76B2C07C00}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C5F924CC-B9A3-414B-9B12-7208D816E798}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{55D2A231-A557-4F24-98A4-200ADC580D72}"= UDP:C:\Program Files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"{7E36591A-7CE7-4687-94F6-E77347D9E5A3}"= C:\Program Files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{10C49D85-44EF-4DF8-9866-FC1CEE193B1B}"= C:\Program Files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{91875EC0-58FA-446F-99E3-50DE79754D2F}"= C:\Program Files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{FC4F2E49-6958-4C32-B4FF-6DA6297584F6}"= C:\Program Files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{11FA9F28-D21A-4CC9-8AD8-A58DC07B10CD}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{5D36B1AD-F5C6-41A6-81AF-1BF3BE7500D9}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{E86E1777-46E6-4908-892E-4D73461E495F}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{F6711347-3C1B-4486-891A-E4998ED8DC27}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{FB60859A-4343-4049-A501-D59CDA4FCCCB}"= UDP:25530:BitComet 25530 TCP
"{7A94BC56-C64E-44AE-8B38-7135C3890C2F}"= TCP:25530:BitComet 25530 UDP
"TCP Query User{F9BA6AEA-7967-41FB-B961-98A181E29862}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{19B8B246-BF74-4623-8F53-85A03B01274A}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{EE3ECDB6-44F1-43A6-9EF3-67FF19264BEA}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{0726BEFB-9DA9-4377-B8E9-68A959D5F2C2}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{680B88FF-345D-47B8-83D5-9B1C7AFA3A79}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{7CD7E604-5B4B-4C5E-8375-2768C4A0ACC6}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{0209D51B-3962-43F4-B970-F9961ED2B8CE}C:\\program files\\warcraft iii\\v1.21a loader\\files\\war3.exe"= UDP:C:\program files\warcraft iii\v1.21a loader\files\war3.exe:Warcraft III
"UDP Query User{3170E044-970E-40BF-B6D5-37F427C795E4}C:\\program files\\warcraft iii\\v1.21a loader\\files\\war3.exe"= TCP:C:\program files\warcraft iii\v1.21a loader\files\war3.exe:Warcraft III
"{3809109D-F894-4130-A936-D907488C4146}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{2BB9AEA8-04F6-49C0-8119-38C87A907882}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
"TCP Query User{AF2A77E1-B5FB-403F-B720-F44598DAA1A8}C:\\program files\\warcraft iii\\v1.21a loader\\files\\war3.exe"= UDP:C:\program files\warcraft iii\v1.21a loader\files\war3.exe:Warcraft III
"UDP Query User{26413011-56AB-4912-9BA5-99A0D1EB9086}C:\\program files\\warcraft iii\\v1.21a loader\\files\\war3.exe"= TCP:C:\program files\warcraft iii\v1.21a loader\files\war3.exe:Warcraft III
"TCP Query User{C587F129-E5FD-4531-8372-4538CF1ACA3E}C:\\program files\\bitcomet\\bitcomet.exe"= UDP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{E49D8EE6-5B8E-43B6-9B38-C57ACA417302}C:\\program files\\bitcomet\\bitcomet.exe"= TCP:C:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"{B2CB20FD-CF4F-4726-8183-961B2AAA8004}"= UDP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{5ACBBA5C-972A-4C2B-892A-62596922F92C}"= TCP:C:\Windows\System32\PnkBstrA.exe:PnkBstrA
"{954E40C8-CD3C-4D61-A703-46A61B753470}"= UDP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"{0A0FDBB2-7831-4859-90BD-A6513837D8CA}"= TCP:C:\Windows\System32\PnkBstrB.exe:PnkBstrB
"TCP Query User{DA79717C-9B47-48B2-8ACA-BCC0D8694816}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= UDP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"UDP Query User{E5593DC3-1495-4D77-8E31-E692C21CC6B1}C:\\program files\\world of warcraft\\backgrounddownloader.exe"= TCP:C:\program files\world of warcraft\backgrounddownloader.exe:Blizzard Downloader
"TCP Query User{FB18A7B1-8A89-45F1-B371-909DB4ECBC33}C:\\program files\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= UDP:C:\program files\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:Blizzard Downloader
"UDP Query User{0A6F25E8-76F5-4BA2-86C2-8C0BDB9A897A}C:\\program files\\world of warcraft\\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe"= TCP:C:\program files\world of warcraft\wow-2.2.3.7359-to-2.3.0.7561-enus-downloader.exe:Blizzard Downloader
"TCP Query User{BF81AA7A-9B2D-4B98-B2B0-77EAB5FD2659}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= UDP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"UDP Query User{80AF8330-56DF-4613-8FE6-9C2A06BFF507}C:\\program files\\veoh networks\\veoh\\veohclient.exe"= TCP:C:\program files\veoh networks\veoh\veohclient.exe:Veoh Client
"TCP Query User{514B3732-8EE1-4DB8-9095-2B3CFA9D4F64}C:\\program files\\videolan\\vlc\\vlc.exe"= UDP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"UDP Query User{55198656-D1F7-4DFE-9A5B-4389E2B5D35F}C:\\program files\\videolan\\vlc\\vlc.exe"= TCP:C:\program files\videolan\vlc\vlc.exe:VLC media player
"{3F4D97C9-99A7-4356-9469-B6E71F6279C3}"= UDP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars Demo\etqw.exe:Enemy Territory - QUAKE Wars(TM) Demo
"{C4FAAD2D-D50B-4D1A-B51E-A15F6FB4E907}"= TCP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars Demo\etqw.exe:Enemy Territory - QUAKE Wars(TM) Demo
"{E9B2EF85-FE56-40DE-B54F-F85FFFF22C2C}"= UDP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars Demo\etqwded.exe:etqwded.exe
"{B5EF2DAB-F2EF-4A2E-823D-6428F43F5FE0}"= TCP:C:\Program Files\id Software\Enemy Territory - QUAKE Wars Demo\etqwded.exe:etqwded.exe
"{CE0F2049-8CF0-4EE9-B92B-47DC5D8E9583}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{14BC0292-6697-4CD5-B227-5E23EE538B0B}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{F26DE78A-1EB7-4611-87A6-45DB31634184}C:\\program files\\america's army\\system\\armyops.exe"= UDP:C:\program files\america's army\system\armyops.exe:ArmyOps
"UDP Query User{FCC37AE1-28D1-4034-B63F-BC116E2F5C21}C:\\program files\\america's army\\system\\armyops.exe"= TCP:C:\program files\america's army\system\armyops.exe:ArmyOps
"TCP Query User{6DB7F88F-D73C-4BD6-8E1C-3C49F2CA9CD7}C:\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= UDP:C:\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:Blizzard Downloader
"UDP Query User{9E2E295D-DF90-42D9-A41F-53D6CFF5B065}C:\\downloads\\wow-burningcrusade-trial-enus-installer-downloader.exe"= TCP:C:\downloads\wow-burningcrusade-trial-enus-installer-downloader.exe:Blizzard Downloader
"{2B41687C-5CA7-4138-ACD6-7F3C6470F27C}"= UDP:25530:BitComet 25530 TCP
"{E8678E2E-D139-449A-95AE-56BDE5F3759B}"= TCP:25530:BitComet 25530 UDP
"{23876FED-78C0-4BED-8830-F16FC5578F4E}"= UDP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"{7A64F7D9-CBFA-44BC-8B35-49DFF171E876}"= TCP:C:\Program Files\Bonjour\mDNSResponder.exe:Bonjour
"TCP Query User{CF68C341-584F-46A7-B994-BE2502E46CA4}C:\\program files\\warcraft iii\\war3.exe"= UDP:C:\program files\warcraft iii\war3.exe:Warcraft III
"UDP Query User{7D9FE110-A2BC-4B6A-A853-49FF270C7253}C:\\program files\\warcraft iii\\war3.exe"= TCP:C:\program files\warcraft iii\war3.exe:Warcraft III
"{BF116FD1-E142-4504-A604-8E1C1D6CF333}"= UDP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{CAA43138-6FB7-42BF-940B-49428F22DE91}"= TCP:C:\Program Files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{61BE840C-6CF2-4B55-95BD-57C73B8074E2}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{73AC6103-D9DE-4F73-9C32-292C95F2DEA4}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{CD865EDE-306A-4E56-9572-4FE0D7F8CB15}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{570A23BB-BF05-4211-8245-026A1F2DB65E}"= UDP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{136E4B94-2993-4700-90BE-2A6547B266F3}"= TCP:C:\Program Files\uTorrent\uTorrent.exe:µTorrent
"{EC81768D-6791-4433-A001-F0E06CD217AE}"= UDP:C:\Program Files\iTunes\iTunes.exe:iTunes
"{B265E2C4-2138-4CFB-8FCC-984482F90AF9}"= TCP:C:\Program Files\iTunes\iTunes.exe:iTunes
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2006-08-05 08:39]
R3 OEM02Dev;Creative Camera OEM002 Driver;C:\Windows\system32\DRIVERS\OEM02Dev.sys [2007-10-10 17:03]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\Windows\system32\DRIVERS\OEM02Vfx.sys [2007-03-06 10:45]
S3 btwaudio;Bluetooth Audio Device Service;C:\Windows\system32\drivers\btwaudio.sys [2006-11-07 09:37]
S3 btwavdt;Bluetooth AVDT Service;C:\Windows\system32\drivers\btwavdt.sys [2006-11-07 07:13]
S3 btwrchid;btwrchid;C:\Windows\system32\DRIVERS\btwrchid.sys [2006-11-07 07:13]
S3 R300;R300;C:\Windows\system32\DRIVERS\atikmdag.sys [2006-11-02 15:36]
S3 Steam Client Service;Steam Client Service;C:\Program Files\Common Files\Steam\SteamService.exe [2008-04-08 19:16]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5955062a-cf8f-11dc-a462-001c23921aa3}]
\shell\Setup\command - F:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667213d7-a2c0-11dc-8e03-001c23921aa3}]
\shell\Setup\command - F:\setup.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-05-12 12:04:00 C:\Windows\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-05-12 11:16:03 C:\Windows\Tasks\User_Feed_Synchronization-{FEF40003-6E0B-4FDA-AAA7-F92B03538323}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-05-12 20:53:04
Windows 6.0.6000 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-05-12 20:54:13
ComboFix-quarantined-files.txt 2008-05-12 12:53:54
Pre-Run: 18,795,626,496 bytes free
Post-Run: 18,855,424,000 bytes free
232 --- E O F --- 2008-05-09 08:11:18
Deckard's System Scanner v20071014.68
Run by Chris XXXX on 2008-05-12 21:11:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- HijackThis Clone ------------------------------------------------------------
Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-05-12 21:11:38
Platform: Windows Vista (6.00.6000)
MSIE: Internet Explorer (7.00.6000.16386)
Boot mode: Normal
Running processes:
C:\Windows\System32\dwm.exe
C:\Windows\System32\taskeng.exe
C:\Windows\explorer.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\OEM02Mon.exe
C:\Program Files\Sigmatel\C-Major Audio\WDM\sttray.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\ESET\nod32kui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Windows\System32\SearchFilterHost.exe
C:\Windows\System32\conime.exe
C:\Users\Chris XXXX\Desktop\dss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7C109800-A5D5-438F-9640-18D17E168B88} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\microsoft shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "c:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NVHotkey] rundll32.exe C:\Windows\system32\nvHotkey.dll,Start
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O4 - Global Startup: Bluetooth.lnk = C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: QuickSet.lnk = ?
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - (file missing)
O9 - Extra button: (no name) - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} () - http://www.fileplanet.com/fpdlmgr/ca..._2.3.2.100.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: ms-help - {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\microsoft shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\Windows Live\Messenger\msgrapp.8.5.1302.1018.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\ESET\nod32krn.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\System32\PnkBstrA.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Windows\System32\stacsv.exe
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files\Common Files\Steam\SteamService.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\System32\drivers\XAudio.exe
--
End of file - 9905 bytes
-- Files created between 2008-04-12 and 2008-05-12 -----------------------------
2008-05-12 20:48:58 68096 --a------ C:\Windows\zip.exe
2008-05-12 20:48:58 49152 --a------ C:\Windows\VFind.exe
2008-05-12 20:48:58 161792 --a------ C:\Windows\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-12 20:48:58 98816 --a------ C:\Windows\sed.exe
2008-05-12 20:48:58 80412 --a------ C:\Windows\grep.exe
2008-05-12 20:48:58 73728 --a------ C:\Windows\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-12 20:48:57 212480 --a------ C:\Windows\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-12 20:48:57 136704 --a------ C:\Windows\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-07 19:30:57 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-06 20:14:42 0 d-------- C:\Users\All Users\NVIDIA
2008-05-06 17:39:27 0 d-------- C:\Windows\nvtmpinst
2008-05-06 16:21:09 0 d-------- C:\Program Files\Panda Security
2008-04-25 17:48:01 0 d-------- C:\Program Files\Apple Software Update
-- Find3M Report ---------------------------------------------------------------
2008-05-12 20:59:29 0 d-------- C:\Program Files\Common Files\Adobe
2008-05-12 20:57:03 27715 --a------ C:\Users\Chris XXXX\AppData\Roaming\nvModes.001
2008-05-12 20:55:46 12 --a------ C:\Windows\bthservsdp.dat
2008-05-12 16:18:41 0 d-------- C:\Users\Chris XXXX\AppData\Roaming\uTorrent
2008-05-06 15:57:56 27715 --a------ C:\Users\Chris XXXX\AppData\Roaming\nvModes.dat
2008-04-21 20:34:44 0 d-------- C:\Users\Chris XXXX\AppData\Roaming\Sibelius Software
2008-04-20 11:53:30 0 d-------- C:\Program Files\World of Warcraft
2008-04-12 01:26:34 0 d-------- C:\Program Files\Warcraft III
2008-04-10 15:57:03 0 d-------- C:\Program Files\Steam
2008-04-09 21:53:17 76582 --a------ C:\Windows\War3Unin.dat
2008-04-09 21:40:38 2829 --a------ C:\Windows\War3Unin.pif
2008-04-09 21:40:38 139264 --a------ C:\Windows\War3Unin.exe <Not Verified; Blizzard Entertainment; Warcraft III Uninstaller>
2008-04-09 18:02:39 0 d-------- C:\Program Files\Windows Mail
2008-04-09 09:18:32 0 d-------- C:\Program Files\Common Files\Steam
2008-04-08 19:14:32 0 d-------- C:\Program Files\Common Files
2008-04-03 12:37:30 0 d-------- C:\Program Files\iTunes
2008-04-03 12:37:23 0 d-------- C:\Program Files\iPod
2008-04-03 12:35:39 0 d-------- C:\Program Files\QuickTime
2008-03-27 21:41:10 0 d-------- C:\Program Files\BitComet
2008-03-26 18:02:58 0 d-------- C:\Program Files\uTorrent
2008-03-19 19:25:12 0 d-------- C:\Users\Chris XXXX\AppData\Roaming\dvdcss
2008-03-14 10:56:30 0 d-------- C:\Users\Chris XXXX\AppData\Roaming\Apple Computer
2008-02-13 21:23:25 238266 --a------ C:\Users\Chris XXXX\AppData\Roaming\NMM-MetaData.db
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C109800-A5D5-438F-9640-18D17E168B88}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [08/23/2007 05:36 PM]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [04/28/2007 08:35 AM]
"OEM02Mon.exe"="C:\Windows\OEM02Mon.exe" [05/09/2007 05:01 PM]
"SigmatelSysTrayApp"="C:\Program Files\SigmaTel\C-Major Audio\WDM\sttray.exe" [06/25/2007 01:17 PM]
"SunJavaUpdateSched"="c:\Program Files\Java\jre1.6.0\bin\jusched.exe" [08/23/2007 09:54 AM]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [10/03/2006 11:37 AM]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [10/19/2007 02:10 PM]
"dscactivate"="C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe" [11/15/2007 09:24 AM]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [03/09/2007 11:09 AM]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [06/18/2007 03:10 PM]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [03/28/2008 11:37 PM]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [03/30/2008 10:36 AM]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [10/04/2007 09:24 PM]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [10/04/2007 09:24 PM]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [10/04/2007 09:24 PM]
"NVHotkey"="C:\Windows\system32\nvHotkey.dll" [10/04/2007 09:24 PM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [11/02/2006 08:34 PM]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [11/3/2006 5:55:50 PM]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [8/23/2007 9:55:30 AM]
QuickSet.lnk - C:\Windows\Installer\{7F0C4457-8E64-491B-8D7B-991504365D1E}\NewShortcut2_53A01CC614B04512A2E710D39BF83DC4.exe [8/23/2007 9:57:29 AM]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"=2 (0x2)
"EnableLUA"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\KeyIso]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NTDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SWPRV]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TabletInputService]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TBS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\VDS]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgr.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\volmgrx.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{6BDD1FC1-810F-11D0-BEC7-08002BE2092F}]
@="IEEE 1394 Bus host controllers"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D48179BE-EC20-11D1-B6B8-00C04FA372A7}]
@="SBP2 IEEE 1394 Devices"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{D94EE5D8-D189-4994-83D2-F68D7D41B0E6}]
@="SecurityDevices"
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalService nsi lltdsvc SSDPSRV upnphost SCardSvr w32time EventSystem RemoteRegistry WinHttpAutoProxySvc lanmanworkstation TBS SLUINotify THREADORDER fdrespub netprofm fdphost wcncsvc QWAVE WebClient
LocalSystemNetworkRestricted hidserv UxSms WdiSystemHost Netman trkwks AudioEndpointBuilder WUDFSvc irmon sysmain IPBusEnum dot3svc PcaSvc wlansvc EMDMgmt TabletInputService WPDBusEnum
LocalServiceNoNetwork PLA DPS BFE mpssvc
bthsvcs BthServ
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5955062a-cf8f-11dc-a462-001c23921aa3}]
Setup\command- F:\setup.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{667213d7-a2c0-11dc-8e03-001c23921aa3}]
Setup\command- F:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
C:\Windows\system32\unregmp2.exe /ShowWMP
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
%SystemRoot%\system32\unregmp2.exe /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
-- End of Deckard's System Scanner: finished at 2008-05-12 21:11:54 ------------