08-22-2009, 01:24 PM   #1
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Removal of Malware or Virus Help Needed

I believe I have malware creating problems on my Vista 32 system.
I think I have inadvertently clicked on a window or program that has created this.
I keep getting multiple windows opening, even windows requesting me to eliminate virus windows.
When I try to begin browsing, this redirect window keeps trying to load
"http://%22http//media2.tmlatn.com/images/defaults41/approved/404.html%22"

I have attached the ATTACH.zip as requested.
I had trouble running the other one; it was locking down my computer and I had to restart in safe mode several times to run it.

Please help.
I have followed your instructions and have received the following info:


DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Administrator at 14:32:01.69 on Sat 08/22/2009
Internet Explorer: 8.0.6001.18813 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1585 [GMT -4:00]

SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\notepad.exe
C:\Users\Administrator\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextAllSelling&ssPageName=STRK:ME:LNLK:MESX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
mDefault_Page_URL = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
uInternet Settings,ProxyOverride = <local>
mSearchAssistant = hxxp://www.gateway.com/g/sidepanel.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\engine\16.7.2.10\IPSBHO.DLL
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Tunebite_WebRipPlugin Class: {aa102584-3b97-47e7-b9bc-75d54c110a7d} - c:\program files\tunebite\plugins\ie\TB_WebRipIePlugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [AnyDVD] c:\program files\slysoft\anydvd\AnyDVDtray.exe
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [NswUiTray] c:\program files\norton systemworks\NswUiTray.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] sttray.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [WrtMon.exe] c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [CloneCDTray] "c:\program files\slysoft\clonecd\CloneCDTray.exe" /s
mRun: [<NO NAME>]
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles
mRunServices: [SSDPSRV] c:\windows\system32\ssdpsrv.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LogitechDesktopMessenger.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {5E638779-1818-4754-A595-EF1C63B87A56} - c:\program files\norton systemworks\norton cleanup\WCQuick.lnk
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: bmnet.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} - file:///C:/Program%20Files/Trivial%20Pursuit%20-%2090's%20Edition/Images/stg_drm.ocx
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} - file:///C:/Program%20Files/Trivial%20Pursuit%20-%2090's%20Edition/Images/armhelper.ocx
DPF: {D27CDB70-AE6D-11cf-96B8-444553540000} -
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\CardGames32.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-8-21 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1007020.00a\SymEFA.sys [2009-8-20 310320]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-8-21 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-8-21 39200]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-8-21 159600]
R3 MaplomL;MaplomL;c:\windows\system32\drivers\maploml.sys [2008-9-30 41920]
S1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1007020.00a\BHDrvx86.sys [2009-8-20 259632]
S1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1007020.00a\cchpx86.sys [2009-8-20 482432]
S1 IDSVix86;IDSVix86;c:\programdata\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090810.001\IDSvix86.sys [2009-8-12 293424]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\engine\16.7.2.10\ccSvcHst.exe [2009-8-20 117640]
S2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-8-21 1153368]
S2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-5-19 121344]
S3 CAATT;AT&T Con App Svc;c:\program files\at&t\communication manager\ConAppsSvc.exe [2009-5-19 125440]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [2009-1-5 16640]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-6-4 101936]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2009-7-15 36608]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-2-9 33752]
S3 IntelDH;IntelDH Driver;c:\windows\system32\drivers\IntelDH.sys [2007-3-13 5504]
S3 MovRVDrv32;MovRVDrv32;c:\windows\system32\drivers\MovRVDrv32.sys [2008-1-29 3768]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2006-11-2 2589184]
S3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-8-21 64392]
S3 QtsDongle;USB Software Key;c:\windows\system32\qtsusk.sys [2009-4-23 10752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools\spyware doctor\pctsAuxs.exe [2009-8-21 348752]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\system32\drivers\silabenm.sys [2008-7-17 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\system32\drivers\silabser.sys [2008-7-17 60544]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [2009-1-12 23096]
S3 SndTVideo;SndTVideo;c:\windows\system32\drivers\SndTVideo.sys [2009-1-12 3768]
S3 SYMNDISV;Symantec Network Filter Driver;c:\windows\system32\drivers\nav\1007020.00a\symndisv.sys [2009-8-20 48688]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-8-21 33056]
S3 ThreatFire;ThreatFire;c:\program files\pc tools\spyware doctor\tfengine\tfservice.exe service --> c:\program files\pc tools\spyware doctor\tfengine\TFService.exe service [?]

=============== Created Last 30 ================

2009-08-22 01:48 564 a--sh--- c:\windows\system32\GroupPolicy000.dat
2009-08-22 01:48 <DIR> --dsh--- c:\windows\system32\LocalService
2009-08-21 22:57 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-08-21 22:57 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-08-21 22:57 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-08-21 22:57 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-08-21 22:39 <DIR> a-dshr-- C:\autorun.inf
2009-08-21 22:32 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-08-21 22:32 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-08-21 22:32 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-21 22:32 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-08-21 22:32 <DIR> --d----- c:\program files\common files\PC Tools
2009-08-21 22:32 <DIR> --d----- c:\users\admini~1\appdata\roaming\PC Tools
2009-08-21 22:32 <DIR> --d----- c:\program files\PC Tools
2009-08-21 15:25 26,256 a------- c:\windows\system\CTL3D.DLL
2009-08-21 13:36 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-21 13:36 1,256,448 a------- c:\windows\system32\lsasrv.dll
2009-08-21 13:36 213,504 a------- c:\windows\system32\msv1_0.dll
2009-08-21 13:36 175,104 a------- c:\windows\system32\wdigest.dll
2009-08-21 13:36 439,896 a------- c:\windows\system32\drivers\ksecdd.sys
2009-08-21 13:36 270,848 a------- c:\windows\system32\schannel.dll
2009-08-21 13:36 72,704 a------- c:\windows\system32\secur32.dll
2009-08-21 13:36 9,728 a------- c:\windows\system32\lsass.exe
2009-08-21 09:06 0 a------- c:\windows\system32\3C0E.tmp
2009-08-21 09:06 0 a------- c:\windows\system32\372D.tmp
2009-08-20 11:33 25,648 a----r-- c:\windows\system32\drivers\SymIMV.sys
2009-08-19 17:27 <DIR> --d----- c:\users\admini~1\appdata\roaming\iWin
2009-08-19 17:21 <DIR> --d----- c:\users\admini~1\appdata\roaming\SpinTop
2009-08-19 15:35 615 a------- c:\windows\system32\yNpGakc8fIJ8Jp3.vbs
2009-08-19 15:34 1,372 a------- c:\windows\system32\YlpcDXyke8jTL.vbs
2009-08-19 14:46 <DIR> -cd----- c:\programdata\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-19 14:46 <DIR> -cd----- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-18 19:23 13,330 a------- c:\windows\GnuHashes.ini
2009-08-18 19:13 1,372 a------- c:\windows\system32\wYpevLz.vbs
2009-08-18 19:13 1,372 a------- c:\windows\system32\TFgtRFp.vbs
2009-08-18 19:13 615 a------- c:\windows\system32\DtXoeDT.vbs
2009-08-18 19:12 1,372 a------- c:\windows\system32\rGL6930.vbs
2009-08-18 19:12 1,372 a------- c:\windows\system32\wlP1vpb.vbs
2009-08-18 19:12 123,392 a------- c:\windows\system32\CardGames32.dll
2009-08-18 19:12 1,372 a------- c:\windows\system32\sOZNMdD.vbs
2009-08-18 18:51 <DIR> --d----- c:\users\administrator\Incomplete
2009-08-18 18:51 <DIR> --d----- c:\users\admini~1\appdata\roaming\LimeWire
2009-08-18 18:50 <DIR> --d----- c:\users\administrator\Shared
2009-08-18 17:48 <DIR> --d----- c:\program files\Free FLV Converter
2009-08-17 13:15 0 a---h--- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-17 13:13 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-14 00:50 <DIR> --d----- c:\users\administrator\{ea3f0019-0745-4377-b0b3-4ba4d63f7f33}
2009-08-14 00:49 <DIR> --d----- c:\program files\common files\PCSuite
2009-08-14 00:49 <DIR> --d----- c:\program files\common files\Nokia
2009-08-14 00:47 18,816 a------- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-12 14:41 71,680 a------- c:\windows\system32\atl.dll
2009-08-12 14:41 160,256 a------- c:\windows\system32\wkssvc.dll
2009-08-12 14:40 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-08-12 14:40 91,136 a------- c:\windows\system32\avifil32.dll
2009-08-12 14:40 313,344 a------- c:\windows\system32\wmpdxm.dll
2009-08-12 14:40 7,680 a------- c:\windows\system32\spwmp.dll
2009-08-12 14:40 4,096 a------- c:\windows\system32\msdxm.ocx
2009-08-12 14:40 4,096 a------- c:\windows\system32\dxmasf.dll
2009-08-12 14:40 8,147,456 a------- c:\windows\system32\wmploc.DLL
2009-08-12 14:40 43,520 a------- c:\windows\system32\msdxm.tlb
2009-08-12 14:40 18,432 a------- c:\windows\system32\amcompat.tlb
2009-08-05 14:01 104,512 a------- c:\windows\system32\drivers\AnyDVD.sys
2009-08-04 13:43 <DIR> --d----- c:\program files\Nokia
2009-08-04 13:42 <DIR> --d----- c:\programdata\Installations
2009-07-30 18:05 <DIR> --d----- c:\users\admini~1\appdata\roaming\Bytemobile
2009-07-30 18:04 <DIR> --d----- c:\users\admini~1\appdata\roaming\Sierra Wireless
2009-07-30 18:00 26,496 a------- c:\windows\system32\drivers\RimSerial.sys
2009-07-30 17:59 <DIR> --d----- c:\program files\common files\Motorola Shared
2009-07-30 17:58 <DIR> --d----- c:\program files\common files\PctelEapPeer Authentication
2009-07-30 17:58 <DIR> --d----- C:\Research in Motion
2009-07-30 17:58 <DIR> --d----- c:\program files\common files\Research in Motion
2009-07-30 17:58 <DIR> --d----- c:\programdata\AT&T
2009-07-30 17:58 <DIR> --d----- c:\program files\Sierra Wireless Inc
2009-07-30 17:58 <DIR> --d----- c:\program files\AT&T
2009-07-30 17:58 <DIR> --d----- c:\progra~2\AT&T
2009-07-30 17:52 <DIR> --d----- c:\program files\Option
2009-07-30 16:46 <DIR> --d----- c:\users\admini~1\appdata\roaming\HpUpdate
2009-07-30 16:45 <DIR> --d----- c:\windows\Hewlett-Packard

==================== Find3M ====================

2009-08-21 23:00 239,616 a------- c:\windows\inf\infstrng.dat
2009-08-21 23:00 86,016 a------- c:\windows\inf\infpub.dat
2009-08-21 22:52 262,144 a------- C:\ntuser.dat
2009-08-21 11:25 143,360 a------- c:\windows\inf\infstor.dat
2009-08-20 07:33 124,976 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-20 07:33 7,456 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-20 07:33 806 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-06 15:49 299,008 a------- c:\windows\system32\TubeFinder.exe
2009-07-21 17:52 915,456 a------- c:\windows\system32\wininet.dll
2009-07-21 17:47 109,056 a------- c:\windows\system32\iesysprep.dll
2009-07-21 17:47 71,680 a------- c:\windows\system32\iesetup.dll
2009-07-21 16:13 133,632 a------- c:\windows\system32\ieUnatt.exe
2009-07-21 11:18 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-06-24 11:12 0 a---h--- c:\windows\system32\drivers\Msft_Kernel_LUsbFilt_01005.Wdf
2009-06-15 11:24 156,672 a------- c:\windows\system32\t2embed.dll
2009-06-15 11:20 72,704 a------- c:\windows\system32\fontsub.dll
2009-06-15 11:20 10,240 a------- c:\windows\system32\dciman32.dll
2009-06-15 08:52 289,792 a------- c:\windows\system32\atmfd.dll
2009-06-03 11:51 149,185 a------- c:\windows\hpwins05.dat
2009-05-26 11:56 164,265 a------- c:\windows\hpqins00.dat
2009-05-25 08:01 89,256 a------- c:\windows\system32\ElbyCDIO.dll
2009-04-24 14:58 87,608 a------- c:\users\admini~1\appdata\roaming\inst.exe
2009-04-24 14:58 47,360 a------- c:\users\admini~1\appdata\roaming\pcouffin.sys
2009-03-20 19:30 61,224 a------- c:\users\administrator\GoToAssistDownloadHelper.exe
2008-09-22 10:03 174 a--sh--- c:\program files\desktop.ini
2008-09-21 11:35 665,600 a------- c:\windows\inf\drvindex.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 08:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 08:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 05:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 05:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat

============= FINISH: 14:32:31.27 ===============
Attach.zip

Gmer.txt
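A triage helper for the DDS log above, added here as an example and not code from the forum or from the DDS tool: it parses the "Pseudo HJT Report" and "Created Last 30" sections and flags what an analyst looks for by eye in this log (an AppInit_DLLs entry, scripts dropped into system32, a hidden+system autorun.inf at the drive root, and bursts of files created in system32 at the same minute). The sample input is constructed from lines in the posted log; the reading of the attribute letters (h = hidden, s = system) is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the shape of a DDS log; the entries mirror lines from
# the log posted above but this is not the complete log.
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [<NO NAME>]
AppInit_DLLs: c:\windows\system32\CardGames32.dll

=============== Created Last 30 ================

2009-08-21 22:39 <DIR> a-dshr-- C:\autorun.inf
2009-08-21 13:36 499,712 a------- c:\windows\system32\kerberos.dll
2009-08-19 15:35 615 a------- c:\windows\system32\yNpGakc8fIJ8Jp3.vbs
2009-08-18 19:12 123,392 a------- c:\windows\system32\CardGames32.dll
2009-08-18 19:12 1,372 a------- c:\windows\system32\sOZNMdD.vbs
2009-08-12 14:41 71,680 a------- c:\windows\system32\atl.dll
"""

SECTION_RE = re.compile(r"^=+\s*(.*?)\s*=+$")
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[a-z-]{8})\s+(?P<path>.+)$"
)
SCRIPT_EXTS = (".vbs", ".js", ".bat", ".cmd")


def parse_dds(text):
    """Split a DDS log into {section banner text: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(text):
    """Return (severity, reason, item) findings. These are the checks an
    analyst applies by eye to a DDS log; they flag entries for review,
    they do not decide whether a file is malicious."""
    sections = parse_dds(text)
    findings, appinit, sys32_times = [], set(), []

    for line in sections.get("Pseudo HJT Report", []):
        key, _, value = line.partition(": ")
        if key == "AppInit_DLLs":
            # Windows splits this registry value on spaces and commas and
            # loads every DLL into each process that links user32.dll, so it
            # is a well-known persistence spot; DDS prints it only when set.
            for dll in re.split(r"[,\s]+", value.strip()):
                if dll:
                    appinit.add(dll.lower())
                    findings.append(("high", "AppInit_DLLs loads", dll))
        elif key.endswith("Run") and value.startswith("[<NO NAME>]"):
            findings.append(("low", "Run value with empty name", value))

    for line in sections.get("Created Last 30", []):
        m = CREATED_RE.match(line)
        if not m:
            continue
        path, attrs, ts = m.group("path"), m.group("attrs"), m.group("ts")
        low = path.lower()
        in_system32 = "\\windows\\system32\\" in low
        if in_system32 and m.group("size") != "<DIR>":
            sys32_times.append(ts)
        if low in appinit:
            findings.append(("high", "new file referenced by AppInit_DLLs", path))
        elif in_system32 and low.endswith(SCRIPT_EXTS):
            findings.append(("high", "script dropped into system32", path))
        # Assumption: 'h' and 's' in the DDS attribute field mean hidden/system.
        if low.endswith(":\\autorun.inf") and "h" in attrs and "s" in attrs:
            findings.append(("medium", "hidden+system autorun.inf at drive root", path))

    # Several files landing in system32 in the same minute usually share one
    # installer; when one of them is suspicious, review the whole group.
    for ts, n in Counter(sys32_times).items():
        if n >= 2:
            findings.append(("medium", f"{n} files created in system32 at {ts}", ts))
    return findings


if __name__ == "__main__":
    for sev, reason, item in sorted(triage(SAMPLE_DDS)):
        print(f"{sev:6} {reason}: {item}")
```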

08-23-2009, 11:08 AM   #2
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Howdy there and welcome to TSF Forums

I'm Steve and I will be helping you throughout this fix.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. It is IMPORTANT that you don't miss a step. Please perform everything in the correct order/sequence.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days from this initial post then the thread will be closed.

We need to disable your TeaTimer as it may interfere with the fixes that we need to make.

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.

After all of the fixes are complete it is very important that you enable TeaTimer again, I will let you know when it is safe to do so.

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As.

* Save it to your Desktop.
* Double-click ResetTeaTimer.zip
* Double-click ResetTeaTimer.bat and click Run to remove all entries set by TeaTimer.

A Tutorial for Tea Timer can be found here -> http://russelltexas.com/malware/teatimer.htm

Please scan with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
08-24-2009, 09:54 AM   #3
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

OK, I got your reply and will follow your instructions...JB Carilli
08-24-2009, 09:57 AM   #4
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

I downloaded the resetteatimer and got a screen with an error: unsupported version??? Help
08-24-2009, 10:49 AM   #5
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Hi there jbcarilli

For now, skip the resetteatimer and carry on with the rest of the fix. Just ensure that teatimer is disabled as shown in the tutorial link.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007

08-24-2009, 09:15 PM   #6
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

OK, I ran ComboFix. Was I supposed to run Spybot fully or just change the settings, and do I now reactivate my Norton and firewall???

Here is the report from ComboFix

ComboFix 09-08-23.01 - Administrator 08/24/2009 20:26.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1114 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\-1811077409
c:\users\Administrator\AppData\Roaming\02000000623cbead658C.manifest
c:\users\Administrator\AppData\Roaming\02000000623cbead658O.manifest
c:\users\Administrator\AppData\Roaming\02000000623cbead658P.manifest
c:\users\Administrator\AppData\Roaming\02000000623cbead658S.manifest
c:\users\Administrator\AppData\Roaming\inst.exe
c:\users\Office Vista\AppData\Roaming\02000000623cbead658C.manifest
c:\users\Office Vista\AppData\Roaming\02000000623cbead658O.manifest
c:\users\Office Vista\AppData\Roaming\02000000623cbead658P.manifest
c:\users\Office Vista\AppData\Roaming\02000000623cbead658S.manifest
c:\windows\GnuHashes.ini
c:\windows\Installer\3e8240.msi
c:\windows\Installer\8e7feb.msi
c:\windows\isppsvrw.dll
c:\windows\system32\DtXoeDT.vbs
c:\windows\system32\GroupPolicy000.dat
c:\windows\system32\rGL6930.vbs
c:\windows\system32\sOZNMdD.vbs
c:\windows\system32\TFgtRFp.vbs
c:\windows\system32\wlP1vpb.vbs
c:\windows\system32\wYpevLz.vbs
c:\windows\system32\YlpcDXyke8jTL.vbs
c:\windows\system32\yNpGakc8fIJ8Jp3.vbs

.
((((((((((((((((((((((((( Files Created from 2009-07-25 to 2009-08-25 )))))))))))))))))))))))))))))))
.

2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\users\TEST\AppData\Local\temp
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\users\Office Vista\AppData\Local\temp
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-25 02:47 . 2009-08-25 02:47 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-08-22 05:48 . 2009-08-22 05:48 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-22 05:19 . 2009-08-22 05:19 -------- d-----w- c:\users\Office Vista\AppData\Local\AT&T
2009-08-22 05:19 . 2009-08-22 05:27 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Nokia
2009-08-22 02:57 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-22 02:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-22 02:32 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 02:32 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-22 02:32 . 2009-08-22 02:34 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-22 02:32 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Tools
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\program files\PC Tools
2009-08-21 19:25 . 1995-04-04 12:32 26256 ----a-w- c:\windows\system\CTL3D.DLL
2009-08-21 17:36 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-21 17:36 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-21 17:36 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-21 17:36 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-21 17:36 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-21 17:36 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-21 17:36 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-21 17:36 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-20 15:33 . 2009-08-18 18:59 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Bytemobile
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\PC Suite
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\Bytemobile
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\PC Suite
2009-08-19 21:27 . 2009-08-19 21:27 -------- d-----w- c:\users\Administrator\AppData\Roaming\iWin
2009-08-19 21:21 . 2009-08-19 21:21 -------- d-----w- c:\users\Administrator\AppData\Roaming\SpinTop
2009-08-19 18:46 . 2009-08-19 18:46 -------- dc----w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-18 23:12 . 2009-08-18 23:12 123392 ----a-w- c:\windows\system32\CardGames32.dll
2009-08-18 22:51 . 2009-08-22 18:07 -------- d-----w- c:\users\Administrator\Incomplete
2009-08-18 22:51 . 2009-08-18 23:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-08-18 22:50 . 2009-08-18 23:01 -------- d-----w- c:\users\Administrator\Shared
2009-08-18 21:48 . 2009-08-18 22:06 -------- d-----w- c:\program files\Free FLV Converter
2009-08-14 04:50 . 2009-08-14 04:50 -------- d-----w- c:\users\Administrator\{ea3f0019-0745-4377-b0b3-4ba4d63f7f33}
2009-08-14 04:49 . 2009-08-14 04:49 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-14 04:49 . 2009-08-18 22:14 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-14 04:47 . 2008-08-26 14:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-12 23:21 . 2009-08-18 23:18 -------- d-----w- c:\users\Administrator\AppData\Roaming\Nokia
2009-08-12 18:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 18:41 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 18:40 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 18:40 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 18:40 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 18:40 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 18:40 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 18:40 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-05 18:01 . 2009-08-05 18:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-08-04 17:43 . 2009-08-14 04:49 -------- d-----w- c:\program files\Nokia
2009-08-04 17:42 . 2009-08-14 04:40 -------- d-----w- c:\progra~2\Installations
2009-07-30 22:05 . 2009-07-30 22:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Bytemobile
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\DBUpdater
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\AT&T
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sierra Wireless
2009-07-30 22:00 . 2007-01-18 14:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2009-07-30 21:59 . 2009-07-30 21:59 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- C:\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Sierra Wireless Inc
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\AT&T
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\progra~2\AT&T
2009-07-30 21:52 . 2009-07-30 21:52 -------- d-----w- c:\program files\Option
2009-07-30 20:46 . 2009-08-06 21:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\HpUpdate
2009-07-30 20:45 . 2009-07-30 20:45 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-25 02:49 . 2009-07-15 22:45 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-22 05:18 . 2008-01-23 03:06 169576 ----a-w- c:\users\Office Vista\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-22 03:00 . 2008-08-17 00:20 -------- d-----w- c:\progra~2\PC Tools
2009-08-22 02:52 . 2009-02-09 19:32 262144 ----a-w- C:\ntuser.dat
2009-08-22 02:15 . 2009-06-12 16:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\Move Networks
2009-08-21 19:24 . 2008-01-23 19:10 -------- d-----w- c:\program files\Serif
2009-08-21 16:33 . 2009-01-23 17:20 169576 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-21 15:28 . 2007-03-13 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 15:24 . 2009-07-15 19:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Samsung
2009-08-21 15:21 . 2009-04-17 04:41 -------- d-----w- c:\program files\PokerStars
2009-08-21 15:18 . 2008-08-19 13:30 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-21 14:46 . 2008-08-19 13:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-21 13:06 . 2009-08-21 13:06 0 ----a-w- c:\windows\system32\3C0E.tmp
2009-08-21 13:06 . 2009-08-21 13:06 0 ----a-w- c:\windows\system32\372D.tmp
2009-08-20 15:54 . 2007-03-13 22:32 -------- d-----w- c:\program files\Microsoft Works
2009-08-20 15:54 . 2008-10-16 01:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 11:33 . 2008-11-07 14:16 -------- d-----w- c:\program files\Symantec
2009-08-20 11:33 . 2008-11-07 14:28 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-20 11:33 . 2008-11-07 14:28 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-20 11:33 . 2008-11-07 14:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 16:14 . 2009-07-22 16:10 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-19 16:07 . 2008-11-07 14:16 -------- d-----w- c:\program files\Norton SystemWorks
2009-08-18 21:29 . 2009-04-24 18:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\Vso
2009-08-17 17:15 . 2009-08-17 17:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Suite
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\progra~2\PC Suite
2009-08-17 17:13 . 2009-08-17 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-14 04:47 . 2007-03-13 22:21 -------- d-----w- c:\program files\DIFX
2009-08-12 22:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 17:35 . 2008-01-31 14:35 -------- d-----w- c:\progra~2\eBay
2009-08-06 19:49 . 2009-01-15 11:47 299008 ----a-w- c:\windows\system32\TubeFinder.exe
2009-07-31 17:49 . 2008-08-19 15:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 21:52 . 2009-07-29 21:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 21:05 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 21:05 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 21:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 15:18 . 2009-07-21 15:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-07-17 22:14 . 2008-09-24 21:34 -------- d-----w- c:\program files\EA SPORTS
2009-07-14 17:22 . 2009-07-14 17:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 17:22 . 2009-02-09 20:04 38208 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\users\Administrator\AppData\Roaming\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\program files\FOX News Live
2009-07-14 17:15 . 2009-07-14 17:15 319488 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-07-10 21:34 . 2009-03-26 22:52 163696 ----a-w- c:\users\TEST\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\program files\Tunebite
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\progra~2\RapidSolution
2009-07-10 17:54 . 2009-07-10 17:54 -------- d-----w- c:\program files\PixiePack Codec Pack
2009-07-08 18:44 . 2009-07-08 18:44 -------- d-----w- c:\progra~2\vsosdk
2009-07-06 17:26 . 2009-03-04 17:50 -------- d-----w- c:\users\Administrator\AppData\Roaming\Image Zone Express
2009-07-06 16:55 . 2009-03-04 16:38 -------- d-----w- c:\program files\HP
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:51 . 2009-03-30 17:33 10134 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-02 14:35 . 2007-03-13 22:30 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-23 17:43 . 2008-09-30 16:13 39360 ----a-w- c:\windows\system32\drivers\maplom.sys
2009-06-23 17:42 . 2008-09-30 16:13 41920 ----a-w- c:\windows\system32\drivers\maploml.sys
2009-06-15 15:24 . 2009-07-15 15:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 15:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 15:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 15:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-03 15:51 . 2009-03-04 16:32 149185 ----a-w- c:\windows\hpwins05.dat
2008-01-23 17:19 . 2008-01-23 16:51 72 --sha-w- c:\windows\S1EFC7D19.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-08-08 2980800]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-23 198160]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-05-19 33280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-03-01 303104]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\CardGames32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Office Vista^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF38887D-163D-451A-8980-4BEFD87F9138}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{66568335-F2B9-4C45-90B7-E1EA56E815B8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C6CD4C0A-201F-43FF-82CF-06757680A597}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"TCP Query User{1E38349B-0A4C-4946-9290-97AC9BEAEDC7}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ECA872F0-18AB-43CD-9CA0-1DB43E4124D4}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8A388FA3-A976-4995-B1C0-BB4C8D897EA0}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{0D3EAA32-62F3-4E69-960D-22061C189373}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{B25CFDD0-BE2A-42FD-A91E-B7F35B1C03AE}"= UDP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{D9B5FEDB-395E-40B0-9071-54EABA43EF89}"= TCP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"TCP Query User{EE04D9BA-C156-44AE-AA89-28404DB372CD}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= UDP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{DFDA9EE1-CBEF-4697-B638-9056E0090983}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= TCP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{B08C778E-6190-425A-BF07-366F25D9787C}c:\\windows\\system32\\msiexec.exe"= UDP:c:\windows\system32\msiexec.exe:Windows® installer
"UDP Query User{6462FE3B-2F44-4D9A-AAB0-6C4F425C277D}c:\\windows\\system32\\msiexec.exe"= TCP:c:\windows\system32\msiexec.exe:Windows® installer
"TCP Query User{35FA4DAA-86E8-456D-B824-A7BF83135C2F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FADC6367-5F2A-4884-A778-817446B3F181}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{8D72D9CC-4325-4FC3-8677-B02CF4EE0F03}c:\\program files\\nbc direct\\storefrontplayer.exe"= UDP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"UDP Query User{143808E4-056B-4424-A485-057DB29CC445}c:\\program files\\nbc direct\\storefrontplayer.exe"= TCP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"{4180965B-01DF-4EE6-8996-22735632B745}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E44FFAE3-EE49-4151-9279-06551BE3F7AF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{EB74A35C-1DC2-459C-853A-344F30BC3DCB}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FFE059F0-37EB-4C3F-B0CD-28402E8A40DF}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{FBB43494-7F48-421A-BEBB-F99C53AEB387}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= UDP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"UDP Query User{3EB8670B-F8ED-406A-ACA2-16FDF51B0932}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= TCP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"{53A6FF59-5263-4ACE-B096-C786BC19DB63}"= UDP:56929:PandoRest Listening Port
"{A3D26CA4-504A-4F58-B8B6-1DFDDEA3E56B}"= UDP:56907:PandoRest Listening Port
"{31438816-8573-4C18-82FC-D124C61656EA}"= UDP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{506B3BA8-4637-4EBB-B1F8-97043584C38C}"= TCP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{442DE2DD-645A-42BD-8753-4DB01732D091}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{86656FA7-CDA6-45D3-BA7D-4A854811C0EF}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{51C6DA60-635C-4CE9-AFF2-3841841B752C}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{A8219F85-B63E-40E9-AC63-57B377D37A4F}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= TCP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0B36A796-5F5A-4ED5-A055-6D3D6508F31D}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= UDP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"UDP Query User{25016C86-130A-466B-B204-BF95436BAFE1}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= TCP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"TCP Query User{E86F5760-83E0-4911-A131-73E965A8D821}c:\\program files\\ws_ftp\\ws_ftp95.exe"= UDP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"UDP Query User{F2D26243-3687-4550-9222-ED73A5B92A47}c:\\program files\\ws_ftp\\ws_ftp95.exe"= TCP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"{5491FE53-6F95-41A7-BDFC-A871E65F68E6}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{3D8C4165-40CC-44E6-B61F-B2421AAA44CC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{71BB124B-C811-416B-B951-5324341802B1}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{C6A0D11C-7D07-4889-B6A7-4EA84E1354D5}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{4CF8DF3A-E796-46E7-9B8E-D2370DAB89C7}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{80D67FF7-106B-4F37-93F5-99AA6DFFC5EC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"TCP Query User{B996FF00-E593-48CC-9450-7E6746C5B31B}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= UDP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"UDP Query User{44FF80A0-E7E8-4DD2-9E92-73DAFEDA8049}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= TCP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"{752E87F6-6178-43F5-B6CA-CA009171373F}"= UDP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{595C4726-EEBA-4050-9A1A-6803A2B2B23C}"= TCP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{FBBB68B0-9A26-40D6-A69A-2EF47FDF874B}"= UDP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{BBBC07E5-911A-4CD1-9BFC-E109CE180E3C}"= TCP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{DFE087B0-1C65-47F8-819F-7CE5E949A448}"= UDP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{BC11D4B7-08D0-436E-84FD-6F709D3BEFAB}"= TCP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{E77ACBAC-6664-4F7F-BEE6-8C92659B3D2C}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{3E7289D0-74C1-47F6-9DC9-F23BF71EB33A}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D667E366-0E93-4E05-BE8E-11796E6B4A49}"= UDP:445:LenovoNotebook
"{B1E05999-912D-454C-B8FC-264422A54B9B}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{0E07810D-AA63-47B3-B545-6B46648A7381}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{9CF7A363-61BB-4470-9F8B-FA01E89A345F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{F72C30E8-B561-4D9D-805B-9DA730F2A68E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{9571D52A-6F8D-4AF2-AC8A-885A0C76733F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{96170530-F947-42F8-8997-4572539D105F}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{017FD4AB-537F-45F2-9183-BB644FFC3D4C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{3F7519C3-90AD-4C40-8049-24E9A74AC894}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{7A6E09C4-C557-4115-97EF-338BD3709B92}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{1A4056A2-B3D6-40F7-AE9D-477E48537DC6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{FB7494D6-4B13-4B0E-B61E-851C9248A8C3}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{0AFFC8F4-CFAC-42C5-B842-F800FCDC4E3E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{8F58A572-A1CD-4FE7-B9B3-DF7E25FF3579}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{F92577EA-CFD5-4709-9083-1ACF8A09580B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4DD0B7FB-01EE-4D0D-94F8-1B74091DF7A1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{3C2292B7-C411-4A0A-836F-5625DE3E2867}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{744E6EEC-430F-4EF9-B314-C67822B477DD}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AA668CD6-279E-4072-988A-59EE987FEB44}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{73D1732A-97F1-4704-B438-D3FA2754B829}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{A4920420-85C4-478E-B7CB-09F56A7691CE}"= UDP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{267C0C14-9F23-467F-9E89-4B8FB72F2D39}"= TCP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{86455992-9FC8-4D0B-953E-BD5A311A5A07}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{8F590059-7BFF-4BD5-BF4B-C175A20C0FD5}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{BF300C40-1C1B-46CD-BE5E-CC6D7E6B402D}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{0B25C5A1-F6E9-4785-935E-44572072D577}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"TCP Query User{FE4796AF-96EB-46AF-8410-7A766350446F}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{E13421B1-F522-49D8-9A0F-1791AEBB4AD2}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"{4CB25E07-9406-42F8-BA05-4B4B89DAFAD0}"= UDP:c:\windows\explorer.exe:Windows Shell
"{DF000DDF-FAAD-40C8-9524-FE11E1070770}"= TCP:c:\windows\explorer.exe:Windows Shell

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [8/21/2009 10:32 PM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1007020.00A\SymEFA.sys [8/20/2009 7:33 AM 310320]
R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [8/21/2009 10:57 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [8/21/2009 10:57 PM 39200]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NAV\1007020.00A\BHDrvx86.sys [8/20/2009 7:33 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1007020.00A\cchpx86.sys [8/20/2009 7:33 AM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys [8/12/2009 10:08 AM 293424]
R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [8/21/2009 10:32 PM 159600]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe [8/20/2009 7:33 AM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/21/2009 10:43 AM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/4/2009 11:40 AM 101936]
R3 MaplomL;MaplomL;c:\windows\System32\drivers\maploml.sys [9/30/2008 12:13 PM 41920]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NAV\1007020.00A\symndisv.sys [8/20/2009 7:33 AM 48688]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/19/2009 2:57 PM 121344]
S3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [5/19/2009 2:57 PM 125440]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\System32\drivers\DsAudioDevice_310.sys [1/5/2009 5:50 PM 16640]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [7/15/2009 3:05 PM 36608]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2/9/2009 12:55 PM 33752]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [3/13/2007 6:22 PM 5504]
S3 MovRVDrv32;MovRVDrv32;c:\windows\System32\drivers\MovRVDrv32.sys [1/29/2008 10:57 AM 3768]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 6:25 AM 2589184]
S3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [8/21/2009 10:32 PM 64392]
S3 QtsDongle;USB Software Key;c:\windows\System32\qtsusk.sys [4/23/2009 3:49 PM 10752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\Spyware Doctor\pctsAuxs.exe [8/21/2009 10:32 PM 348752]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\System32\drivers\silabenm.sys [7/17/2008 6:37 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\System32\drivers\silabser.sys [7/17/2008 6:37 PM 60544]
S3 SndTAudio;SndTAudio;c:\windows\System32\drivers\SndTAudio.sys [1/12/2009 3:32 PM 23096]
S3 SndTVideo;SndTVideo;c:\windows\System32\drivers\SndTVideo.sys [1/12/2009 3:10 PM 3768]
S3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [8/21/2009 10:57 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextAllSelling&ssPageName=STRK:ME:LNLK:MESX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-24 22:53
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,41,ec,18,db,0c,dc,4d,bf,50,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,41,ec,18,db,0c,dc,4d,bf,50,d5,\

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\anim.exe"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\IPE.EXE"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(736)
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(1176)
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\brss01a.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\windows\System32\dllhost.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
.
**************************************************************************
.
Completion time: 2009-08-25 23:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-25 03:05

Pre-Run: 79,917,928,448 bytes free
Post-Run: 94,010,527,744 bytes free

491 --- E O F --- 2009-08-21 17:37
jbcarilli is offline  
Old 08-25-2009, 11:18 AM   #7 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Hi there

Yes, you may re-activate your security settings once the tool has completed its job, and yes, just apply the settings to Spybot; there is no need to run the software as yet.

Close any open browsers.

Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\CardGames32.dll
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply

Once done.....

Please ensure Java is current and up to date.

Java(TM) 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Please download ATF Cleaner by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner.

Please note that this may take some time to complete

**Vista users - right click IE/Firefox icon and run as administrator

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

This animation will guide you through the process:


**Note**

To optimize scanning time and produce a more sensible report for review:
Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan. You may disconnect from the internet once you begin the scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Post back in your next reply with:
The new combofix log
The log from Kaspersky
An update on how things are running
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
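The CFScript above targets c:\windows\system32\CardGames32.dll, and the ComboFix log posted in the next reply still lists that file under AppInit_DLLs in its "Reg Loading Points" section. The script below is an added example written for this page, not ComboFix's own code nor anything the forum's analysts use: it parses the two ComboFix log sections that matter here (the "Files Created" / "Find3M" file lines and the "Reg Loading Points" registry values, in the exact line formats shown in this thread) and applies three triage rules that are this example's own assumptions: a regular file under a system directory created inside a 14-day window whose created and modified times are identical (hotfix binaries keep their older build-time mtime, so they drop out), a file with both the system and hidden attributes, and any DLL registered in AppInit_DLLs, cross-referenced to its create time in the file listing. The sample log is a constructed excerpt of lines copied from this thread, and the log time is taken from the ComboFix header in the follow-up post.

```python
"""Triage a ComboFix-style log: added example, not ComboFix's own code.
Line formats are copied from the logs in this thread; the rules are assumptions.
  file line:  <created> . <modified> <size|--------> <attrs> <path>
  reg lines:  [HKEY_...\key]  then  "name"=value [date size]
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

TS = "%Y-%m-%d %H:%M"
SECTION_RE = re.compile(r"^\(+\s*(?P<name>.+?)\s*\)+\s*$")
FILE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>\d+|-+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*?)\s*$")
KEY_RE = re.compile(r"^\[(?P<key>HK[^\]]+)\]\s*$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<value>.*?)(?:\s+\[[^\]]*\])?\s*$')
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\system\\")  # assumption: 32-bit Vista layout


@dataclass(frozen=True)
class FileEntry:
    created: datetime
    modified: datetime
    size: int | None  # None where ComboFix prints dashes (directories)
    attrs: str        # positional flags as printed in the log: d c s h a - w/r -
    path: str


@dataclass(frozen=True)
class RegValue:
    key: str
    name: str
    value: str


def parse_log(text: str) -> tuple[list[FileEntry], list[RegValue]]:
    """One pass over the log, collecting file lines and registry values by section."""
    files, values, section, key = [], [], "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):          # "(((( Section name ))))" header
            section, key = m["name"], ""
        elif section.startswith(("Files Created", "Find3M")) and (m := FILE_RE.match(line)):
            files.append(FileEntry(datetime.strptime(m["created"], TS), datetime.strptime(m["modified"], TS),
                                   None if m["size"].startswith("-") else int(m["size"]), m["attrs"], m["path"]))
        elif section.startswith("Reg Loading Points"):
            if m := KEY_RE.match(line):
                key = m["key"]
            elif key and (m := VALUE_RE.match(line)):
                values.append(RegValue(key, m["name"], m["value"].strip().strip('"')))
    return files, values


def appinit_dlls(values: list[RegValue]) -> list[str]:
    """DLLs listed (space/comma separated) in AppInit_DLLs under ...\CurrentVersion\Windows.
    user32.dll loads each of them into every process that loads user32, hence a loading point."""
    return [p for v in values
            if v.name.lower() == "appinit_dlls" and v.key.lower().endswith("\\currentversion\\windows")
            for p in re.split(r"[ ,;]+", v.value) if p]


def triage(files: list[FileEntry], values: list[RegValue],
           log_time: datetime, window_days: int = 14) -> list[tuple[str, str]]:
    """(rule, detail) findings. fresh-system-binary: regular file under a system dir, created
    in the window with created == modified (hotfix binaries keep an older build-time mtime).
    hidden-system-file: S+H attributes on a regular file. appinit-dll: each AppInit DLL,
    with its create time when the log's file listing has it."""
    findings, cutoff = [], log_time - timedelta(days=window_days)
    by_path = {f.path.lower(): f for f in files}
    for f in files:
        if "d" in f.attrs:                        # directory: skip
            continue
        if f.path.lower().startswith(SYSTEM_DIRS) and f.created >= cutoff and f.created == f.modified:
            findings.append(("fresh-system-binary", f.path))
        if "s" in f.attrs and "h" in f.attrs:
            findings.append(("hidden-system-file", f.path))
    for dll in appinit_dlls(values):
        hit = by_path.get(dll.lower())
        findings.append(("appinit-dll", f"{dll} (created {hit.created.strftime(TS)})" if hit
                         else f"{dll} (not in file listing)"))
    return findings


LOG_TIME = datetime(2009, 8, 26, 9, 38)  # from the ComboFix header in the follow-up post
# Constructed excerpt: lines copied from the logs in this thread, enough to exercise each rule.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
2009-08-22 05:48 . 2009-08-22 05:48 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-21 17:36 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-18 23:12 . 2009-08-18 23:12 123392 ----a-w- c:\windows\system32\CardGames32.dll
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-08-21 13:06 . 2009-08-21 13:06 0 ----a-w- c:\windows\system32\3C0E.tmp
2008-01-23 17:19 . 2008-01-23 16:51 72 --sha-w- c:\windows\S1EFC7D19.tmp
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\CardGames32.dll
"""


def run_sample() -> list[tuple[str, str]]:
    files, values = parse_log(SAMPLE_LOG)
    return triage(files, values, LOG_TIME)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:20} {detail}")
```

On the sample, kerberos.dll (created 2009-08-21, modified 2009-06-15) is not reported because its timestamps differ, while CardGames32.dll is reported twice: once as a freshly written system32 binary and once as the AppInit_DLLs entry, with the two facts tied together by its create time. The created == modified rule is a heuristic, not proof; a legitimate installer that writes a file in place will trip it too, so treat the output as a list of what to look at next. On the live host, the same key can be read with `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs`; on Vista and later the LoadAppInit_DLLs value in that key gates whether the listed DLLs are loaded at all, so check it alongside.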
Old 08-26-2009, 01:09 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

I have completed the tasks you asked me to do.
Everything appears to be running without problems, and I am not getting redirected pages when I browse.
Here are the results you requested...

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
ComboFix 09-08-25.04 - Administrator 08/26/2009 9:38.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.1042 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
PEV Error: CacheFolder

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Administrator\Documents\REGISTRYbackup.01.23.2009.reg
c:\users\Administrator\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Administrator\NTUSER.LMIRescue.TMP{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Default\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Office Vista\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\users\Office Vista\NTUSER.DAT{609fb6fd-e95e-11dd-b330-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\Office Vista\ntuser.dat{7fd30aee-d03b-11dd-83a8-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\Office Vista\NTUSER.DAT{d668d656-1239-11de-9c4a-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\Office Vista\NTUSER.LMIRescue.TMP{7fd30aee-d03b-11dd-83a8-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\Public\NTUSER.DAT{8a6e830b-8e68-11dd-aace-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\Public\NTUSER.DAT{ee44339d-c9e6-11dc-abfe-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms
c:\users\TEST\NTUSER.DAT{3a539871-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms
c:\windows\system32\config\systemprofile\ntuser.dat{29ac4dfb-f9a3-11da-ba07-806e6f6e6963}.TMContainer00000000000000000001.regtrans-ms
c:\users\Administrator\NTUSER.DAT{b54acac7-e972-11dd-8698-0019d12c2aed}.TMContainer00000000000000000001.regtrans-ms . . . . failed to delete
c:\windows\ServiceProfiles\LocalService\NTUSER.DAT{3a539869-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms . . . . failed to delete
c:\windows\ServiceProfiles\NetworkService\NTUSER.DAT{3a539865-6a70-11db-887c-d362bd253390}.TMContainer00000000000000000001.regtrans-ms . . . . failed to delete

.
((((((((((((((((((((((((( Files Created from 2009-07-26 to 2009-08-26 )))))))))))))))))))))))))))))))
.

2009-08-26 13:51 . 2009-08-26 13:51 -------- d-----w- c:\users\TEST\AppData\Local\temp
2009-08-26 13:51 . 2009-08-26 13:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2009-08-26 13:51 . 2009-08-26 13:51 -------- d-----w- c:\users\Office Vista\AppData\Local\temp
2009-08-26 13:51 . 2009-08-26 13:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-26 13:51 . 2009-08-26 13:51 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-08-22 05:48 . 2009-08-22 05:48 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-22 05:19 . 2009-08-22 05:19 -------- d-----w- c:\users\Office Vista\AppData\Local\AT&T
2009-08-22 05:19 . 2009-08-22 05:27 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Nokia
2009-08-22 02:57 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-22 02:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-22 02:32 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 02:32 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-22 02:32 . 2009-08-22 02:34 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-22 02:32 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Tools
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\program files\PC Tools
2009-08-21 19:25 . 1995-04-04 12:32 26256 ----a-w- c:\windows\system\CTL3D.DLL
2009-08-21 17:36 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-21 17:36 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-21 17:36 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-21 17:36 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-21 17:36 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-21 17:36 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-21 17:36 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-21 17:36 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-20 15:33 . 2009-08-18 18:59 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Bytemobile
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\PC Suite
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\Bytemobile
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\PC Suite
2009-08-19 21:27 . 2009-08-19 21:27 -------- d-----w- c:\users\Administrator\AppData\Roaming\iWin
2009-08-19 21:21 . 2009-08-19 21:21 -------- d-----w- c:\users\Administrator\AppData\Roaming\SpinTop
2009-08-19 18:46 . 2009-08-19 18:46 -------- dc----w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-18 23:12 . 2009-08-18 23:12 123392 ----a-w- c:\windows\system32\CardGames32.dll
2009-08-18 22:51 . 2009-08-22 18:07 -------- d-----w- c:\users\Administrator\Incomplete
2009-08-18 22:51 . 2009-08-18 23:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-08-18 22:50 . 2009-08-18 23:01 -------- d-----w- c:\users\Administrator\Shared
2009-08-18 21:48 . 2009-08-18 22:06 -------- d-----w- c:\program files\Free FLV Converter
2009-08-14 04:50 . 2009-08-14 04:50 -------- d-----w- c:\users\Administrator\{ea3f0019-0745-4377-b0b3-4ba4d63f7f33}
2009-08-14 04:49 . 2009-08-14 04:49 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-14 04:49 . 2009-08-18 22:14 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-14 04:47 . 2008-08-26 14:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-12 23:21 . 2009-08-18 23:18 -------- d-----w- c:\users\Administrator\AppData\Roaming\Nokia
2009-08-12 18:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 18:41 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 18:40 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 18:40 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 18:40 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 18:40 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 18:40 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 18:40 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-05 18:01 . 2009-08-05 18:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-08-04 17:43 . 2009-08-14 04:49 -------- d-----w- c:\program files\Nokia
2009-08-04 17:42 . 2009-08-14 04:40 -------- d-----w- c:\progra~2\Installations
2009-07-30 22:05 . 2009-07-30 22:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Bytemobile
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\DBUpdater
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\AT&T
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sierra Wireless
2009-07-30 22:00 . 2007-01-18 14:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2009-07-30 21:59 . 2009-07-30 21:59 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- C:\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Sierra Wireless Inc
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\AT&T
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\progra~2\AT&T
2009-07-30 21:52 . 2009-07-30 21:52 -------- d-----w- c:\program files\Option
2009-07-30 20:46 . 2009-08-06 21:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\HpUpdate
2009-07-30 20:45 . 2009-07-30 20:45 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-26 13:52 . 2009-07-15 22:45 12 ----a-w- c:\windows\bthservsdp.dat
2009-08-22 05:18 . 2008-01-23 03:06 169576 ----a-w- c:\users\Office Vista\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-22 03:00 . 2008-08-17 00:20 -------- d-----w- c:\progra~2\PC Tools
2009-08-22 02:52 . 2009-02-09 19:32 262144 ----a-w- C:\ntuser.dat
2009-08-22 02:15 . 2009-06-12 16:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\Move Networks
2009-08-21 19:24 . 2008-01-23 19:10 -------- d-----w- c:\program files\Serif
2009-08-21 16:33 . 2009-01-23 17:20 169576 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-21 15:28 . 2007-03-13 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 15:24 . 2009-07-15 19:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Samsung
2009-08-21 15:21 . 2009-04-17 04:41 -------- d-----w- c:\program files\PokerStars
2009-08-21 15:18 . 2008-08-19 13:30 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-21 14:46 . 2008-08-19 13:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-21 13:06 . 2009-08-21 13:06 0 ----a-w- c:\windows\system32\3C0E.tmp
2009-08-21 13:06 . 2009-08-21 13:06 0 ----a-w- c:\windows\system32\372D.tmp
2009-08-20 15:54 . 2007-03-13 22:32 -------- d-----w- c:\program files\Microsoft Works
2009-08-20 15:54 . 2008-10-16 01:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 11:33 . 2008-11-07 14:16 -------- d-----w- c:\program files\Symantec
2009-08-20 11:33 . 2008-11-07 14:28 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-20 11:33 . 2008-11-07 14:28 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-20 11:33 . 2008-11-07 14:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 16:14 . 2009-07-22 16:10 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-19 16:07 . 2008-11-07 14:16 -------- d-----w- c:\program files\Norton SystemWorks
2009-08-18 21:29 . 2009-04-24 18:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\Vso
2009-08-17 17:15 . 2009-08-17 17:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Suite
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\progra~2\PC Suite
2009-08-17 17:13 . 2009-08-17 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-14 04:47 . 2007-03-13 22:21 -------- d-----w- c:\program files\DIFX
2009-08-12 22:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 17:35 . 2008-01-31 14:35 -------- d-----w- c:\progra~2\eBay
2009-08-06 19:49 . 2009-01-15 11:47 299008 ----a-w- c:\windows\system32\TubeFinder.exe
2009-07-31 17:49 . 2008-08-19 15:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 21:52 . 2009-07-29 21:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 21:05 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 21:05 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 21:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 15:18 . 2009-07-21 15:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-07-17 22:14 . 2008-09-24 21:34 -------- d-----w- c:\program files\EA SPORTS
2009-07-14 17:22 . 2009-07-14 17:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 17:22 . 2009-02-09 20:04 38208 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\users\Administrator\AppData\Roaming\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\program files\FOX News Live
2009-07-14 17:15 . 2009-07-14 17:15 319488 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-07-10 21:34 . 2009-03-26 22:52 163696 ----a-w- c:\users\TEST\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\program files\Tunebite
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\progra~2\RapidSolution
2009-07-10 17:54 . 2009-07-10 17:54 -------- d-----w- c:\program files\PixiePack Codec Pack
2009-07-08 18:44 . 2009-07-08 18:44 -------- d-----w- c:\progra~2\vsosdk
2009-07-06 17:26 . 2009-03-04 17:50 -------- d-----w- c:\users\Administrator\AppData\Roaming\Image Zone Express
2009-07-06 16:55 . 2009-03-04 16:38 -------- d-----w- c:\program files\HP
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:51 . 2009-03-30 17:33 10134 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-02 14:35 . 2007-03-13 22:30 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-23 17:43 . 2008-09-30 16:13 39360 ----a-w- c:\windows\system32\drivers\maplom.sys
2009-06-23 17:42 . 2008-09-30 16:13 41920 ----a-w- c:\windows\system32\drivers\maploml.sys
2009-06-15 15:24 . 2009-07-15 15:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 15:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 15:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 15:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-03 15:51 . 2009-03-04 16:32 149185 ----a-w- c:\windows\hpwins05.dat
2008-01-23 17:19 . 2008-01-23 16:51 72 --sha-w- c:\windows\S1EFC7D19.tmp
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-08-08 2980800]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-23 198160]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-05-19 33280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-03-01 303104]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\System32\CardGames32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Office Vista^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF38887D-163D-451A-8980-4BEFD87F9138}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{66568335-F2B9-4C45-90B7-E1EA56E815B8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C6CD4C0A-201F-43FF-82CF-06757680A597}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"TCP Query User{1E38349B-0A4C-4946-9290-97AC9BEAEDC7}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ECA872F0-18AB-43CD-9CA0-1DB43E4124D4}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8A388FA3-A976-4995-B1C0-BB4C8D897EA0}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{0D3EAA32-62F3-4E69-960D-22061C189373}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{B25CFDD0-BE2A-42FD-A91E-B7F35B1C03AE}"= UDP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{D9B5FEDB-395E-40B0-9071-54EABA43EF89}"= TCP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"TCP Query User{EE04D9BA-C156-44AE-AA89-28404DB372CD}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= UDP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{DFDA9EE1-CBEF-4697-B638-9056E0090983}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= TCP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{B08C778E-6190-425A-BF07-366F25D9787C}c:\\windows\\system32\\msiexec.exe"= UDP:c:\windows\system32\msiexec.exe:Windows® installer
"UDP Query User{6462FE3B-2F44-4D9A-AAB0-6C4F425C277D}c:\\windows\\system32\\msiexec.exe"= TCP:c:\windows\system32\msiexec.exe:Windows® installer
"TCP Query User{35FA4DAA-86E8-456D-B824-A7BF83135C2F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FADC6367-5F2A-4884-A778-817446B3F181}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{8D72D9CC-4325-4FC3-8677-B02CF4EE0F03}c:\\program files\\nbc direct\\storefrontplayer.exe"= UDP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"UDP Query User{143808E4-056B-4424-A485-057DB29CC445}c:\\program files\\nbc direct\\storefrontplayer.exe"= TCP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"{4180965B-01DF-4EE6-8996-22735632B745}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E44FFAE3-EE49-4151-9279-06551BE3F7AF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{EB74A35C-1DC2-459C-853A-344F30BC3DCB}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FFE059F0-37EB-4C3F-B0CD-28402E8A40DF}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{FBB43494-7F48-421A-BEBB-F99C53AEB387}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= UDP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"UDP Query User{3EB8670B-F8ED-406A-ACA2-16FDF51B0932}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= TCP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"{53A6FF59-5263-4ACE-B096-C786BC19DB63}"= UDP:56929:PandoRest Listening Port
"{A3D26CA4-504A-4F58-B8B6-1DFDDEA3E56B}"= UDP:56907:PandoRest Listening Port
"{31438816-8573-4C18-82FC-D124C61656EA}"= UDP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{506B3BA8-4637-4EBB-B1F8-97043584C38C}"= TCP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{442DE2DD-645A-42BD-8753-4DB01732D091}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{86656FA7-CDA6-45D3-BA7D-4A854811C0EF}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{51C6DA60-635C-4CE9-AFF2-3841841B752C}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{A8219F85-B63E-40E9-AC63-57B377D37A4F}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= TCP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0B36A796-5F5A-4ED5-A055-6D3D6508F31D}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= UDP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"UDP Query User{25016C86-130A-466B-B204-BF95436BAFE1}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= TCP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"TCP Query User{E86F5760-83E0-4911-A131-73E965A8D821}c:\\program files\\ws_ftp\\ws_ftp95.exe"= UDP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"UDP Query User{F2D26243-3687-4550-9222-ED73A5B92A47}c:\\program files\\ws_ftp\\ws_ftp95.exe"= TCP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"{5491FE53-6F95-41A7-BDFC-A871E65F68E6}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{3D8C4165-40CC-44E6-B61F-B2421AAA44CC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{71BB124B-C811-416B-B951-5324341802B1}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{C6A0D11C-7D07-4889-B6A7-4EA84E1354D5}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{4CF8DF3A-E796-46E7-9B8E-D2370DAB89C7}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{80D67FF7-106B-4F37-93F5-99AA6DFFC5EC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"TCP Query User{B996FF00-E593-48CC-9450-7E6746C5B31B}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= UDP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"UDP Query User{44FF80A0-E7E8-4DD2-9E92-73DAFEDA8049}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= TCP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"{752E87F6-6178-43F5-B6CA-CA009171373F}"= UDP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{595C4726-EEBA-4050-9A1A-6803A2B2B23C}"= TCP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{FBBB68B0-9A26-40D6-A69A-2EF47FDF874B}"= UDP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{BBBC07E5-911A-4CD1-9BFC-E109CE180E3C}"= TCP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{DFE087B0-1C65-47F8-819F-7CE5E949A448}"= UDP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{BC11D4B7-08D0-436E-84FD-6F709D3BEFAB}"= TCP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{E77ACBAC-6664-4F7F-BEE6-8C92659B3D2C}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{3E7289D0-74C1-47F6-9DC9-F23BF71EB33A}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D667E366-0E93-4E05-BE8E-11796E6B4A49}"= UDP:445:LenovoNotebook
"{B1E05999-912D-454C-B8FC-264422A54B9B}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{0E07810D-AA63-47B3-B545-6B46648A7381}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{9CF7A363-61BB-4470-9F8B-FA01E89A345F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{F72C30E8-B561-4D9D-805B-9DA730F2A68E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{9571D52A-6F8D-4AF2-AC8A-885A0C76733F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{96170530-F947-42F8-8997-4572539D105F}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{017FD4AB-537F-45F2-9183-BB644FFC3D4C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{3F7519C3-90AD-4C40-8049-24E9A74AC894}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{7A6E09C4-C557-4115-97EF-338BD3709B92}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{1A4056A2-B3D6-40F7-AE9D-477E48537DC6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{FB7494D6-4B13-4B0E-B61E-851C9248A8C3}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{0AFFC8F4-CFAC-42C5-B842-F800FCDC4E3E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{8F58A572-A1CD-4FE7-B9B3-DF7E25FF3579}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{F92577EA-CFD5-4709-9083-1ACF8A09580B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4DD0B7FB-01EE-4D0D-94F8-1B74091DF7A1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{3C2292B7-C411-4A0A-836F-5625DE3E2867}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{744E6EEC-430F-4EF9-B314-C67822B477DD}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AA668CD6-279E-4072-988A-59EE987FEB44}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{73D1732A-97F1-4704-B438-D3FA2754B829}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{A4920420-85C4-478E-B7CB-09F56A7691CE}"= UDP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{267C0C14-9F23-467F-9E89-4B8FB72F2D39}"= TCP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{86455992-9FC8-4D0B-953E-BD5A311A5A07}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{8F590059-7BFF-4BD5-BF4B-C175A20C0FD5}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{BF300C40-1C1B-46CD-BE5E-CC6D7E6B402D}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{0B25C5A1-F6E9-4785-935E-44572072D577}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"TCP Query User{FE4796AF-96EB-46AF-8410-7A766350446F}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{E13421B1-F522-49D8-9A0F-1791AEBB4AD2}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"{4CB25E07-9406-42F8-BA05-4B4B89DAFAD0}"= UDP:c:\windows\explorer.exe:Windows Shell
"{DF000DDF-FAAD-40C8-9524-FE11E1070770}"= TCP:c:\windows\explorer.exe:Windows Shell

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [8/21/2009 10:32 PM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1007020.00A\SymEFA.sys [8/20/2009 7:33 AM 310320]
R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [8/21/2009 10:57 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [8/21/2009 10:57 PM 39200]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NAV\1007020.00A\BHDrvx86.sys [8/20/2009 7:33 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1007020.00A\cchpx86.sys [8/20/2009 7:33 AM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys [8/12/2009 10:08 AM 293424]
R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [8/21/2009 10:32 PM 159600]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe [8/20/2009 7:33 AM 117640]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/21/2009 10:43 AM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/4/2009 11:40 AM 101936]
R3 MaplomL;MaplomL;c:\windows\System32\drivers\maploml.sys [9/30/2008 12:13 PM 41920]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NAV\1007020.00A\symndisv.sys [8/20/2009 7:33 AM 48688]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/19/2009 2:57 PM 121344]
S3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [5/19/2009 2:57 PM 125440]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\System32\drivers\DsAudioDevice_310.sys [1/5/2009 5:50 PM 16640]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [7/15/2009 3:05 PM 36608]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2/9/2009 12:55 PM 33752]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [3/13/2007 6:22 PM 5504]
S3 MovRVDrv32;MovRVDrv32;c:\windows\System32\drivers\MovRVDrv32.sys [1/29/2008 10:57 AM 3768]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 6:25 AM 2589184]
S3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [8/21/2009 10:32 PM 64392]
S3 QtsDongle;USB Software Key;c:\windows\System32\qtsusk.sys [4/23/2009 3:49 PM 10752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\Spyware Doctor\pctsAuxs.exe [8/21/2009 10:32 PM 348752]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\System32\drivers\silabenm.sys [7/17/2008 6:37 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\System32\drivers\silabser.sys [7/17/2008 6:37 PM 60544]
S3 SndTAudio;SndTAudio;c:\windows\System32\drivers\SndTAudio.sys [1/12/2009 3:32 PM 23096]
S3 SndTVideo;SndTVideo;c:\windows\System32\drivers\SndTVideo.sys [1/12/2009 3:10 PM 3768]
S3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [8/21/2009 10:57 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextAllSelling&ssPageName=STRK:ME:LNLK:MESX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-26 09:57
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\TEMP\SEP7EC4.tmp
c:\windows\TEMP\SEP9B6A.tmp 0 bytes

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,41,ec,18,db,0c,dc,4d,bf,50,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,bd,41,ec,18,db,0c,dc,4d,bf,50,d5,\

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AIFF"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asf\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASF"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.ASX"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gif\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\anim.exe"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.HTM"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.jpg\UserChoice]
@Denied: (2) (Administrator)
"Progid"="Applications\\IPE.EXE"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mhtml\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.MHT"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.MOD\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mp2v\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mpv2\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.MPEG"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.AU"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.url\UserChoice]
@Denied: (2) (Administrator)
"Progid"="IE.AssocFile.URL"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMD"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMS"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WMZ"

[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wpl\UserChoice]
@Denied: (2) (Administrator)
"Progid"="WMP11.AssocFile.WPL"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0004\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(684)
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(852)
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Nokia\Nokia PC Suite 7\PhoneBrowser.dll
c:\program files\Nokia\Nokia PC Suite 7\NGSCM.DLL
c:\program files\Nokia\Nokia PC Suite 7\Lang\PhoneBrowser_eng-us.nlr
c:\program files\Nokia\Nokia PC Suite 7\Resource\PhoneBrowser_Nokia.ngr
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\audiodg.exe
c:\windows\System32\Ati2evxx.exe
c:\windows\System32\brss01a.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\System32\stacsv.exe
c:\windows\System32\drivers\XAudio.exe
c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\ehome\ehmsas.exe
c:\windows\System32\spool\drivers\w32x86\3\WrtProc.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\windows\System32\dllhost.exe
c:\program files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
c:\program files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\servicing\TrustedInstaller.exe
c:\windows\ehome\mcupdate.exe
.
**************************************************************************
.
Completion time: 2009-08-26 10:08 - machine was rebooted
ComboFix-quarantined-files.txt 2009-08-26 14:07
ComboFix2.txt 2009-08-25 03:05

Pre-Run: 108,498,317,312 bytes free
Post-Run: 108,252,770,304 bytes free

502 --- E O F --- 2009-08-21 17:37

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
HERE ARE THE KASP SCAN RESULTS
+++++++++++++++++++++++++++++++++++++++++++++++

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Wednesday, August 26, 2009
Operating system: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, August 26, 2009 17:11:18
Records in database: 2689808
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Z:\

Scan statistics:
Objects scanned: 173378
Threats found: 2
Infected objects found: 1
Suspicious objects found: 1
Scan duration: 03:15:23


File name / Threat / Threats count
C:\Users\Office Vista\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\617A5D7F-00002F3F.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\WINDOWS\System32\CardGames32.dll Infected: Trojan-Downloader.Win32.Delf.vmd 1

Selected area has been scanned.
Old 08-27-2009, 10:13 AM   #9 (permalink)
Analyst, Security Team
 
 
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Hi there

I want you to grab a fresh copy of ComboFix: first delete the version that you are currently running, then download a fresh copy from one of the links below:

Link 1
Link 2

Close any open browsers.

Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
c:\windows\system32\CardGames32.dll
c:\windows\system32\3C0E.tmp
c:\windows\system32\372D.tmp
c:\windows\S1EFC7D19.tmp
c:\windows\TEMP\SEP7EC4.tmp
c:\windows\TEMP\SEP9B6A.tm
C:\Users\Office Vista\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\617A5D7F-00002F3F.eml

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""

Reglock::
[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Internet Explorer\User Preferences]
[HKEY_USERS\S-1-5-21-2686836897-4051696175-1842154270-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts]
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
Save this as CFScript.txt, in the same location as ComboFix.exe



Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Proud Member of ASAP & UNITE Since 2007
Old 08-29-2009, 12:01 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

Here are the results as per your request...




ComboFix 09-08-28.01 - Administrator 08/28/2009 16:08.1.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.2045.991 [GMT -4:00]
Running from: c:\users\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\users\Administrator\Desktop\CFScript.txt
SP: AVG Anti-Spyware *disabled* (Outdated) {48F2E28D-ED66-4646-9C11-B3055B0AF604}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

FILE ::
"c:\users\Office Vista\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\617A5D7F-00002F3F.eml"
"c:\windows\S1EFC7D19.tmp"
"c:\windows\system32\372D.tmp"
"c:\windows\system32\3C0E.tmp"
"c:\windows\system32\CardGames32.dll"
"c:\windows\TEMP\SEP7EC4.tmp"
"c:\windows\TEMP\SEP9B6A.tm"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Office Vista\AppData\Local\Microsoft\Windows Mail\Local Folders\Deleted Items\617A5D7F-00002F3F.eml
c:\windows\S1EFC7D19.tmp
c:\windows\system32\372D.tmp
c:\windows\system32\3C0E.tmp
c:\windows\system32\CardGames32.dll
c:\windows\system32\LocalService\261.crack.zip
c:\windows\system32\LocalService\261.crack.zip.kwd
c:\windows\system32\LocalService\262.keygen.zip
c:\windows\system32\LocalService\262.keygen.zip.kwd
c:\windows\system32\LocalService\263.serial.zip
c:\windows\system32\LocalService\263.serial.zip.kwd
c:\windows\system32\LocalService\264.setup.zip
c:\windows\system32\LocalService\264.setup.zip.kwd
c:\windows\system32\LocalService\265.music.au
c:\windows\system32\LocalService\265.music.au.kwd
c:\windows\system32\LocalService\266.music2.au
c:\windows\system32\LocalService\266.music2.au.kwd
c:\windows\system32\LocalService\267.MUSIC3.AU
c:\windows\system32\LocalService\267.music3.au.kwd
c:\windows\system32\LocalService\268.music.snd
c:\windows\system32\LocalService\268.music.snd.kwd

.
((((((((((((((((((((((((( Files Created from 2009-07-28 to 2009-08-28 )))))))))))))))))))))))))))))))
.

2009-08-28 20:21 . 2009-08-28 20:21 -------- d-----w- c:\users\TEST\AppData\Local\temp
2009-08-28 20:21 . 2009-08-28 20:21 -------- d-----w- c:\users\Office Vista\AppData\Local\temp
2009-08-28 20:21 . 2009-08-28 20:21 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-08-28 20:21 . 2009-08-28 20:21 -------- d-----w- c:\users\Administrator\AppData\Local\temp
2009-08-26 15:03 . 2009-08-26 19:28 -------- d-----w- c:\users\Administrator\AppData\Local\Adobe
2009-08-26 14:31 . 2009-06-22 10:22 2048 ----a-w- c:\windows\system32\tzres.dll
2009-08-25 18:12 . 2009-06-05 12:34 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2009-08-25 18:12 . 2009-06-05 10:08 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2009-08-22 05:48 . 2009-08-28 20:20 -------- d-sh--w- c:\windows\system32\LocalService
2009-08-22 05:19 . 2009-08-22 05:19 -------- d-----w- c:\users\Office Vista\AppData\Local\AT&T
2009-08-22 05:19 . 2009-08-22 05:27 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Nokia
2009-08-22 02:57 . 2009-03-31 15:23 39200 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 33056 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 12576 ----a-w- c:\windows\system32\drivers\TfKbMon.sys
2009-08-22 02:57 . 2009-03-31 15:23 51488 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2009-08-22 02:32 . 2008-12-11 12:38 159600 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2009-08-22 02:32 . 2009-04-03 14:18 130936 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2009-08-22 02:32 . 2008-12-18 15:16 73840 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2009-08-22 02:32 . 2009-08-22 02:34 -------- d-----w- c:\program files\Common Files\PC Tools
2009-08-22 02:32 . 2008-12-10 15:36 64392 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Tools
2009-08-22 02:32 . 2009-08-22 02:32 -------- d-----w- c:\program files\PC Tools
2009-08-21 19:25 . 1995-04-04 12:32 26256 ----a-w- c:\windows\system\CTL3D.DLL
2009-08-21 17:36 . 2009-06-15 15:21 499712 ----a-w- c:\windows\system32\kerberos.dll
2009-08-21 17:36 . 2009-06-15 15:24 175104 ----a-w- c:\windows\system32\wdigest.dll
2009-08-21 17:36 . 2009-06-15 15:23 1256448 ----a-w- c:\windows\system32\lsasrv.dll
2009-08-21 17:36 . 2009-06-15 15:22 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-08-21 17:36 . 2009-06-15 18:20 439896 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-08-21 17:36 . 2009-06-15 15:24 270848 ----a-w- c:\windows\system32\schannel.dll
2009-08-21 17:36 . 2009-06-15 15:24 72704 ----a-w- c:\windows\system32\secur32.dll
2009-08-21 17:36 . 2009-06-15 12:57 9728 ----a-w- c:\windows\system32\lsass.exe
2009-08-20 15:33 . 2009-08-18 18:59 25648 ----a-r- c:\windows\system32\drivers\SymIMV.sys
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\Bytemobile
2009-08-20 12:31 . 2009-08-20 12:31 -------- d-----w- c:\users\Office Vista\AppData\Roaming\PC Suite
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\Bytemobile
2009-08-20 12:29 . 2009-08-20 12:29 -------- d-----w- c:\users\TEST\AppData\Roaming\PC Suite
2009-08-19 21:27 . 2009-08-19 21:27 -------- d-----w- c:\users\Administrator\AppData\Roaming\iWin
2009-08-19 21:21 . 2009-08-19 21:21 -------- d-----w- c:\users\Administrator\AppData\Roaming\SpinTop
2009-08-19 18:46 . 2009-08-19 18:46 -------- dc----w- c:\progra~2\{EF63305C-BAD7-4144-9208-D65528260864}
2009-08-18 22:51 . 2009-08-22 18:07 -------- d-----w- c:\users\Administrator\Incomplete
2009-08-18 22:51 . 2009-08-18 23:02 -------- d-----w- c:\users\Administrator\AppData\Roaming\LimeWire
2009-08-18 22:50 . 2009-08-18 23:01 -------- d-----w- c:\users\Administrator\Shared
2009-08-18 21:48 . 2009-08-18 22:06 -------- d-----w- c:\program files\Free FLV Converter
2009-08-14 04:50 . 2009-08-14 04:50 -------- d-----w- c:\users\Administrator\{ea3f0019-0745-4377-b0b3-4ba4d63f7f33}
2009-08-14 04:49 . 2009-08-14 04:49 -------- d-----w- c:\program files\Common Files\PCSuite
2009-08-14 04:49 . 2009-08-18 22:14 -------- d-----w- c:\program files\Common Files\Nokia
2009-08-14 04:47 . 2008-08-26 14:26 18816 ----a-w- c:\windows\system32\drivers\pccsmcfd.sys
2009-08-12 23:21 . 2009-08-28 17:09 -------- d-----w- c:\users\Administrator\AppData\Roaming\Nokia
2009-08-12 18:41 . 2009-07-17 14:35 71680 ----a-w- c:\windows\system32\atl.dll
2009-08-12 18:41 . 2009-06-10 12:12 160256 ----a-w- c:\windows\system32\wkssvc.dll
2009-08-12 18:40 . 2009-06-04 12:34 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-08-12 18:40 . 2009-06-10 12:07 91136 ----a-w- c:\windows\system32\avifil32.dll
2009-08-12 18:40 . 2009-07-14 13:00 313344 ----a-w- c:\windows\system32\wmpdxm.dll
2009-08-12 18:40 . 2009-07-14 12:58 7680 ----a-w- c:\windows\system32\spwmp.dll
2009-08-12 18:40 . 2009-07-14 12:59 4096 ----a-w- c:\windows\system32\dxmasf.dll
2009-08-12 18:40 . 2009-07-14 10:59 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2009-08-05 18:01 . 2009-08-05 18:01 104512 ----a-w- c:\windows\system32\drivers\AnyDVD.sys
2009-08-04 17:43 . 2009-08-14 04:49 -------- d-----w- c:\program files\Nokia
2009-08-04 17:42 . 2009-08-14 04:40 -------- d-----w- c:\progra~2\Installations
2009-07-30 22:05 . 2009-07-30 22:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Bytemobile
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\DBUpdater
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Local\AT&T
2009-07-30 22:04 . 2009-07-30 22:04 -------- d-----w- c:\users\Administrator\AppData\Roaming\Sierra Wireless
2009-07-30 22:00 . 2007-01-18 14:24 26496 ----a-w- c:\windows\system32\drivers\RimSerial.sys
2009-07-30 21:59 . 2009-07-30 21:59 -------- d-----w- c:\program files\Common Files\Motorola Shared
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\PctelEapPeer Authentication
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- C:\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Common Files\Research in Motion
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\Sierra Wireless Inc
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\program files\AT&T
2009-07-30 21:58 . 2009-07-30 21:58 -------- d-----w- c:\progra~2\AT&T
2009-07-30 21:52 . 2009-07-30 21:52 -------- d-----w- c:\program files\Option
2009-07-30 20:46 . 2009-08-06 21:48 -------- d-----w- c:\users\Administrator\AppData\Roaming\HpUpdate
2009-07-30 20:45 . 2009-07-30 20:45 -------- d-----w- c:\windows\Hewlett-Packard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-27 17:19 . 2009-07-15 22:45 836 ----a-w- c:\windows\bthservsdp.dat
2009-08-22 05:18 . 2008-01-23 03:06 169576 ----a-w- c:\users\Office Vista\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-22 03:00 . 2008-08-17 00:20 -------- d-----w- c:\progra~2\PC Tools
2009-08-22 02:52 . 2009-02-09 19:32 262144 ----a-w- C:\ntuser.dat
2009-08-22 02:15 . 2009-06-12 16:59 -------- d-----w- c:\users\Administrator\AppData\Roaming\Move Networks
2009-08-21 19:24 . 2008-01-23 19:10 -------- d-----w- c:\program files\Serif
2009-08-21 16:33 . 2009-01-23 17:20 169576 ----a-w- c:\users\Administrator\AppData\Local\GDIPFONTCACHEV1.DAT
2009-08-21 15:28 . 2007-03-13 22:25 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-21 15:24 . 2009-07-15 19:05 -------- d-----w- c:\users\Administrator\AppData\Roaming\Samsung
2009-08-21 15:21 . 2009-04-17 04:41 -------- d-----w- c:\program files\PokerStars
2009-08-21 15:18 . 2008-08-19 13:30 -------- d-----w- c:\progra~2\Spybot - Search & Destroy
2009-08-21 14:46 . 2008-08-19 13:30 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-08-20 15:54 . 2007-03-13 22:32 -------- d-----w- c:\program files\Microsoft Works
2009-08-20 15:54 . 2008-10-16 01:06 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-20 11:33 . 2008-11-07 14:16 -------- d-----w- c:\program files\Symantec
2009-08-20 11:33 . 2008-11-07 14:28 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-20 11:33 . 2008-11-07 14:28 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-20 11:33 . 2008-11-07 14:28 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-19 16:14 . 2009-07-22 16:10 -------- d-----w- c:\program files\PC Connectivity Solution
2009-08-19 16:07 . 2008-11-07 14:16 -------- d-----w- c:\program files\Norton SystemWorks
2009-08-18 21:29 . 2009-04-24 18:58 -------- d-----w- c:\users\Administrator\AppData\Roaming\Vso
2009-08-17 17:15 . 2009-08-17 17:15 0 ---ha-w- c:\windows\system32\drivers\Msft_User_PCCSWpdDriver_01_07_00.Wdf
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\users\Administrator\AppData\Roaming\PC Suite
2009-08-17 17:14 . 2009-07-15 19:10 -------- d-----w- c:\progra~2\PC Suite
2009-08-17 17:13 . 2009-08-17 17:13 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_ccdcmb_01007.Wdf
2009-08-14 04:47 . 2007-03-13 22:21 -------- d-----w- c:\program files\DIFX
2009-08-12 22:51 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-08-12 17:35 . 2008-01-31 14:35 -------- d-----w- c:\progra~2\eBay
2009-08-06 19:49 . 2009-01-15 11:47 299008 ----a-w- c:\windows\system32\TubeFinder.exe
2009-07-31 17:49 . 2008-08-19 15:38 -------- d-----w- c:\program files\Microsoft Silverlight
2009-07-21 21:52 . 2009-07-29 21:05 915456 ----a-w- c:\windows\system32\wininet.dll
2009-07-21 21:47 . 2009-07-29 21:05 109056 ----a-w- c:\windows\system32\iesysprep.dll
2009-07-21 21:47 . 2009-07-29 21:05 71680 ----a-w- c:\windows\system32\iesetup.dll
2009-07-21 20:13 . 2009-07-29 21:05 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2009-07-21 15:18 . 2009-07-21 15:18 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2009-07-17 22:14 . 2008-09-24 21:34 -------- d-----w- c:\program files\EA SPORTS
2009-07-14 17:22 . 2009-07-14 17:22 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-07-14 17:22 . 2009-02-09 20:04 38208 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\http://www.macromedia.com\bin\airapp...pinstaller.exe
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\users\Administrator\AppData\Roaming\FoxPlayerAIR.01F2E49DE175CC541F416F2DF78BDD5E63AD0096.1
2009-07-14 17:18 . 2009-07-14 17:18 -------- d-----w- c:\program files\FOX News Live
2009-07-14 17:15 . 2009-07-14 17:15 319488 ----a-w- c:\users\Administrator\AppData\Roaming\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe
2009-07-10 21:34 . 2009-03-26 22:52 163696 ----a-w- c:\users\TEST\AppData\Local\GDIPFONTCACHEV1.DAT
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\program files\Tunebite
2009-07-10 19:46 . 2009-07-10 17:51 -------- d-----w- c:\progra~2\RapidSolution
2009-07-10 17:54 . 2009-07-10 17:54 -------- d-----w- c:\program files\PixiePack Codec Pack
2009-07-08 18:44 . 2009-07-08 18:44 -------- d-----w- c:\progra~2\vsosdk
2009-07-06 17:26 . 2009-03-04 17:50 -------- d-----w- c:\users\Administrator\AppData\Roaming\Image Zone Express
2009-07-06 16:55 . 2009-03-04 16:38 -------- d-----w- c:\program files\HP
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut2_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:55 . 2009-07-06 16:55 45056 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{E14B8A08-42B3-4676-9E91-1D39F8158DA1}\NewShortcut1_E14B8A0842B346769E911D39F8158DA1.exe
2009-07-06 16:51 . 2009-03-30 17:33 10134 ----a-r- c:\users\Administrator\AppData\Roaming\Microsoft\Installer\{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}\ARPPRODUCTICON.exe
2009-07-02 14:35 . 2007-03-13 22:30 -------- d-----w- c:\progra~2\Microsoft Help
2009-06-23 17:43 . 2008-09-30 16:13 39360 ----a-w- c:\windows\system32\drivers\maplom.sys
2009-06-23 17:42 . 2008-09-30 16:13 41920 ----a-w- c:\windows\system32\drivers\maploml.sys
2009-06-15 15:24 . 2009-07-15 15:16 156672 ----a-w- c:\windows\system32\t2embed.dll
2009-06-15 15:20 . 2009-07-15 15:16 72704 ----a-w- c:\windows\system32\fontsub.dll
2009-06-15 15:20 . 2009-07-15 15:16 10240 ----a-w- c:\windows\system32\dciman32.dll
2009-06-15 12:52 . 2009-07-15 15:16 289792 ----a-w- c:\windows\system32\atmfd.dll
2009-06-03 15:51 . 2009-03-04 16:32 149185 ----a-w- c:\windows\hpwins05.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2009-08-08 2980800]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2009-06-25 1414144]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"NswUiTray"="c:\program files\Norton SystemWorks\NswUiTray.exe" [2008-09-25 85360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-12-12 98304]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-12-12 106496]
"Persistence"="c:\windows\system32\igfxpers.exe" [2006-12-12 81920]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2009-02-04 61440]
"WrtMon.exe"="c:\windows\system32\spool\drivers\w32x86\3\WrtMon.exe" [2007-04-11 26704]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-11 49152]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-23 198160]
"CloneCDTray"="c:\program files\SlySoft\CloneCD\CloneCDTray.exe" [2009-01-29 57344]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-05-19 33280]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2008-02-29 76304]
"SigmatelSysTrayApp"="sttray.exe" - c:\windows\sttray.exe [2007-03-01 303104]

c:\progra~2\MICROS~1\Windows\STARTM~1\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2008-3-25 214360]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe [2009-1-2 91440]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-2-24 805392]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Orbit.lnk]
backup=c:\windows\pss\Orbit.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Office Vista^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-1001]
"EnableNotificationsRef"=dword:00000002

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2686836897-4051696175-1842154270-500]
"EnableNotificationsRef"=dword:00000002

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{FF38887D-163D-451A-8980-4BEFD87F9138}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{66568335-F2B9-4C45-90B7-E1EA56E815B8}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{C6CD4C0A-201F-43FF-82CF-06757680A597}"= UDP:c:\program files\Common Files\McAfee\MNA\McNASvc.exe:McAfee Network Agent
"TCP Query User{1E38349B-0A4C-4946-9290-97AC9BEAEDC7}c:\\program files\\mozilla firefox\\firefox.exe"= UDP:c:\program files\mozilla firefox\firefox.exe:Firefox
"UDP Query User{ECA872F0-18AB-43CD-9CA0-1DB43E4124D4}c:\\program files\\mozilla firefox\\firefox.exe"= TCP:c:\program files\mozilla firefox\firefox.exe:Firefox
"TCP Query User{8A388FA3-A976-4995-B1C0-BB4C8D897EA0}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{0D3EAA32-62F3-4E69-960D-22061C189373}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{B25CFDD0-BE2A-42FD-A91E-B7F35B1C03AE}"= UDP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"{D9B5FEDB-395E-40B0-9071-54EABA43EF89}"= TCP:c:\program files\Tunebite\TunebiteHelper.exe:TunebiteHelper
"TCP Query User{EE04D9BA-C156-44AE-AA89-28404DB372CD}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= UDP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"UDP Query User{DFDA9EE1-CBEF-4697-B638-9056E0090983}c:\\program files\\orbitdownloadervideo\\orbitnet.exe"= TCP:c:\program files\orbitdownloadervideo\orbitnet.exe:P2P service of Orbit Downloader
"TCP Query User{B08C778E-6190-425A-BF07-366F25D9787C}c:\\windows\\system32\\msiexec.exe"= UDP:c:\windows\system32\msiexec.exe:Windows® installer
"UDP Query User{6462FE3B-2F44-4D9A-AAB0-6C4F425C277D}c:\\windows\\system32\\msiexec.exe"= TCP:c:\windows\system32\msiexec.exe:Windows® installer
"TCP Query User{35FA4DAA-86E8-456D-B824-A7BF83135C2F}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{FADC6367-5F2A-4884-A778-817446B3F181}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{8D72D9CC-4325-4FC3-8677-B02CF4EE0F03}c:\\program files\\nbc direct\\storefrontplayer.exe"= UDP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"UDP Query User{143808E4-056B-4424-A485-057DB29CC445}c:\\program files\\nbc direct\\storefrontplayer.exe"= TCP:c:\program files\nbc direct\storefrontplayer.exe:NBC Direct Beta
"{4180965B-01DF-4EE6-8996-22735632B745}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{E44FFAE3-EE49-4151-9279-06551BE3F7AF}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{EB74A35C-1DC2-459C-853A-344F30BC3DCB}"= UDP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"{FFE059F0-37EB-4C3F-B0CD-28402E8A40DF}"= TCP:c:\program files\BitTorrent\bittorrent.exe:BitTorrent
"TCP Query User{FBB43494-7F48-421A-BEBB-F99C53AEB387}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= UDP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"UDP Query User{3EB8670B-F8ED-406A-ACA2-16FDF51B0932}c:\\users\\office vista\\appdata\\local\\temp\\emc\\emcinstall.exe"= TCP:c:\users\office vista\appdata\local\temp\emc\emcinstall.exe:emcinstall.exe
"{53A6FF59-5263-4ACE-B096-C786BC19DB63}"= UDP:56929:PandoRest Listening Port
"{A3D26CA4-504A-4F58-B8B6-1DFDDEA3E56B}"= UDP:56907:PandoRest Listening Port
"{31438816-8573-4C18-82FC-D124C61656EA}"= UDP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{506B3BA8-4637-4EBB-B1F8-97043584C38C}"= TCP:c:\program files\OpenCase\OpenCASE Media Agent\PandoBinaries\NBCPandoREST.exe:PandoRest Application Name
"{442DE2DD-645A-42BD-8753-4DB01732D091}"= UDP:c:\program files\DNA\btdna.exe:DNA (TCP-In)
"{86656FA7-CDA6-45D3-BA7D-4A854811C0EF}"= TCP:c:\program files\DNA\btdna.exe:DNA (UDP-In)
"TCP Query User{51C6DA60-635C-4CE9-AFF2-3841841B752C}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= UDP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"UDP Query User{A8219F85-B63E-40E9-AC63-57B377D37A4F}c:\\windows\\lmi6ad5.tmp\\lmi_rescue.exe"= TCP:c:\windows\lmi6ad5.tmp\lmi_rescue.exe:LogMeIn Rescue
"TCP Query User{0B36A796-5F5A-4ED5-A055-6D3D6508F31D}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= UDP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"UDP Query User{25016C86-130A-466B-B204-BF95436BAFE1}c:\\program files\\orbitdownloadervideo\\orbitdm.exe"= TCP:c:\program files\orbitdownloadervideo\orbitdm.exe:Orbit Downloader
"TCP Query User{E86F5760-83E0-4911-A131-73E965A8D821}c:\\program files\\ws_ftp\\ws_ftp95.exe"= UDP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"UDP Query User{F2D26243-3687-4550-9222-ED73A5B92A47}c:\\program files\\ws_ftp\\ws_ftp95.exe"= TCP:c:\program files\ws_ftp\ws_ftp95.exe:WS_FTP 95
"{5491FE53-6F95-41A7-BDFC-A871E65F68E6}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{3D8C4165-40CC-44E6-B61F-B2421AAA44CC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{71BB124B-C811-416B-B951-5324341802B1}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{C6A0D11C-7D07-4889-B6A7-4EA84E1354D5}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{4CF8DF3A-E796-46E7-9B8E-D2370DAB89C7}"= UDP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"{80D67FF7-106B-4F37-93F5-99AA6DFFC5EC}"= TCP:c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe:Logitech Desktop Messenger
"TCP Query User{B996FF00-E593-48CC-9450-7E6746C5B31B}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= UDP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"UDP Query User{44FF80A0-E7E8-4DD2-9E92-73DAFEDA8049}c:\\users\\office vista\\appdata\\local\\temp\\lmi2944.tmp\\lmi_rescue.exe"= TCP:c:\users\office vista\appdata\local\temp\lmi2944.tmp\lmi_rescue.exe:lmi_rescue.exe
"{752E87F6-6178-43F5-B6CA-CA009171373F}"= UDP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{595C4726-EEBA-4050-9A1A-6803A2B2B23C}"= TCP:c:\program files\Lexmark 9500 Series\lxdoamon.exe:Lexmark Device Monitor
"{FBBB68B0-9A26-40D6-A69A-2EF47FDF874B}"= UDP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{BBBC07E5-911A-4CD1-9BFC-E109CE180E3C}"= TCP:c:\program files\Lexmark 9500 Series\frun.exe:Lexmark Productivity Studio
"{DFE087B0-1C65-47F8-819F-7CE5E949A448}"= UDP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{BC11D4B7-08D0-436E-84FD-6F709D3BEFAB}"= TCP:c:\program files\Abbyy FineReader 6.0 Sprint\Scan\ScanMan6.exe:ABBYY FineReader
"{E77ACBAC-6664-4F7F-BEE6-8C92659B3D2C}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{3E7289D0-74C1-47F6-9DC9-F23BF71EB33A}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D667E366-0E93-4E05-BE8E-11796E6B4A49}"= UDP:445:LenovoNotebook
"{B1E05999-912D-454C-B8FC-264422A54B9B}"= c:\program files\Windows Live\Sync\WindowsLiveSync.exe:Windows Live Sync
"{0E07810D-AA63-47B3-B545-6B46648A7381}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{9CF7A363-61BB-4470-9F8B-FA01E89A345F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{F72C30E8-B561-4D9D-805B-9DA730F2A68E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{9571D52A-6F8D-4AF2-AC8A-885A0C76733F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{96170530-F947-42F8-8997-4572539D105F}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{017FD4AB-537F-45F2-9183-BB644FFC3D4C}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{3F7519C3-90AD-4C40-8049-24E9A74AC894}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{7A6E09C4-C557-4115-97EF-338BD3709B92}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{1A4056A2-B3D6-40F7-AE9D-477E48537DC6}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{FB7494D6-4B13-4B0E-B61E-851C9248A8C3}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{0AFFC8F4-CFAC-42C5-B842-F800FCDC4E3E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{8F58A572-A1CD-4FE7-B9B3-DF7E25FF3579}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{F92577EA-CFD5-4709-9083-1ACF8A09580B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{4DD0B7FB-01EE-4D0D-94F8-1B74091DF7A1}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{3C2292B7-C411-4A0A-836F-5625DE3E2867}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{744E6EEC-430F-4EF9-B314-C67822B477DD}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{AA668CD6-279E-4072-988A-59EE987FEB44}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{73D1732A-97F1-4704-B438-D3FA2754B829}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{A4920420-85C4-478E-B7CB-09F56A7691CE}"= UDP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{267C0C14-9F23-467F-9E89-4B8FB72F2D39}"= TCP:c:\program files\Rhapsody\rhapsody.exe:Rhapsody Media Player
"{86455992-9FC8-4D0B-953E-BD5A311A5A07}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{8F590059-7BFF-4BD5-BF4B-C175A20C0FD5}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsasvr.exe:KTF MUSIC AoD Server
"{BF300C40-1C1B-46CD-BE5E-CC6D7E6B402D}"= UDP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"{0B25C5A1-F6E9-4785-935E-44572072D577}"= TCP:c:\program files\Samsung\Samsung New PC Studio\npsvsvr.exe:KTF MUSIC VoD Server
"TCP Query User{FE4796AF-96EB-46AF-8410-7A766350446F}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{E13421B1-F522-49D8-9A0F-1791AEBB4AD2}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"{4CB25E07-9406-42F8-BA05-4B4B89DAFAD0}"= UDP:c:\windows\explorer.exe:Windows Shell
"{DF000DDF-FAAD-40C8-9524-FE11E1070770}"= TCP:c:\windows\explorer.exe:Windows Shell

R0 PCTCore;PCTools KDS;c:\windows\System32\drivers\PCTCore.sys [8/21/2009 10:32 PM 130936]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NAV\1007020.00A\SymEFA.sys [8/20/2009 7:33 AM 310320]
R0 TfFsMon;TfFsMon;c:\windows\System32\drivers\TfFsMon.sys [8/21/2009 10:57 PM 51488]
R0 TfSysMon;TfSysMon;c:\windows\System32\drivers\TfSysMon.sys [8/21/2009 10:57 PM 39200]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NAV\1007020.00A\BHDrvx86.sys [8/20/2009 7:33 AM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NAV\1007020.00A\cchpx86.sys [8/20/2009 7:33 AM 482432]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSvix86.sys [8/12/2009 10:08 AM 293424]
R1 pctgntdi;pctgntdi;c:\windows\System32\drivers\pctgntdi.sys [8/21/2009 10:32 PM 159600]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [8/21/2009 10:43 AM 1153368]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/4/2009 11:40 AM 101936]
R3 MaplomL;MaplomL;c:\windows\System32\drivers\maploml.sys [9/30/2008 12:13 PM 41920]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NAV\1007020.00A\symndisv.sys [8/20/2009 7:33 AM 48688]
S2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe [8/20/2009 7:33 AM 117640]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [5/19/2009 2:57 PM 121344]
S3 CAATT;AT&T Con App Svc;c:\program files\AT&T\Communication Manager\ConAppsSvc.exe [5/19/2009 2:57 PM 125440]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\System32\drivers\DsAudioDevice_310.sys [1/5/2009 5:50 PM 16640]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\System32\FsUsbExDisk.Sys [7/15/2009 3:05 PM 36608]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2/9/2009 12:55 PM 33752]
S3 IntelDH;IntelDH Driver;c:\windows\System32\drivers\IntelDH.sys [3/13/2007 6:22 PM 5504]
S3 MovRVDrv32;MovRVDrv32;c:\windows\System32\drivers\MovRVDrv32.sys [1/29/2008 10:57 AM 3768]
S3 NETw2v32;Intel(R) PRO/Wireless 2200BG Network Connection Driver for Windows Vista;c:\windows\System32\drivers\NETw2v32.sys [11/2/2006 6:25 AM 2589184]
S3 pctplsg;pctplsg;c:\windows\System32\drivers\pctplsg.sys [8/21/2009 10:32 PM 64392]
S3 QtsDongle;USB Software Key;c:\windows\System32\qtsusk.sys [4/23/2009 3:49 PM 10752]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools\Spyware Doctor\pctsAuxs.exe [8/21/2009 10:32 PM 348752]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\System32\drivers\silabenm.sys [7/17/2008 6:37 PM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\System32\drivers\silabser.sys [7/17/2008 6:37 PM 60544]
S3 SndTAudio;SndTAudio;c:\windows\System32\drivers\SndTAudio.sys [1/12/2009 3:32 PM 23096]
S3 SndTVideo;SndTVideo;c:\windows\System32\drivers\SndTVideo.sys [1/12/2009 3:10 PM 3768]
S3 TfNetMon;TfNetMon;c:\windows\System32\drivers\TfNetMon.sys [8/21/2009 10:57 PM 33056]
S3 ThreatFire;ThreatFire;c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service --> c:\program files\PC Tools\Spyware Doctor\TFEngine\TFService.exe service [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - ERASERUTILDRV10920
*Deregistered* - EraserUtilDrv10920

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
bthsvcs REG_MULTI_SZ BthServ

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.ebay.com/ws/eBayISAPI.dll?MyEbayBeta&CurrentPage=MyeBayNextAllSelling&ssPageName=STRK:ME:LNLK:MESX
mStart Page = hxxp://www.gateway.com/g/startpage.html?Ch=Retail&Br=GTW&Loc=ENG_US&Sys=DTP&M=GT5411E
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
LSP: bmnet.dll
Trusted Zone: real.com\rhap-app-4-0
Trusted Zone: real.com\rhapreg
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-08-28 16:22
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.7.2.10\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.7.2.10\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(800)
c:\windows\system32\bmnet.dll

- - - - - - - > 'Explorer.exe'(5836)
c:\program files\SlySoft\AnyDVD\ADvdDiscHlp.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2009-08-28 16:27
ComboFix-quarantined-files.txt 2009-08-28 20:27
ComboFix2.txt 2009-08-26 14:08
ComboFix3.txt 2009-08-25 03:05

Pre-Run: 99,358,191,616 bytes free
Post-Run: 99,406,192,640 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
399 --- E O F --- 2009-08-26 14:33
jbcarilli is offline  
Old 08-31-2009, 01:30 AM   #11 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Hi there

All is looking good from my side of things. Regarding antivirus, I can see that you have previously had Norton on your system, but it does not appear to be running; your system is showing as having no antivirus on board. I would highly advise that you download and install an alternative antivirus, otherwise infection will re-occur. A good free antivirus software to start with is AntiVir® or AVG Free®. Once you have installed an antivirus I would advise that you update the definitions and run a scan across all system drives.

Your Java is out of date.

Java(TM) 6 Update 13 can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Now that you appear to be free from malware, let's help you stay that way!

IMPORTANT

The following will uninstall combofix and implement some cleanup procedures as well as reset System Restore points:

Windows XP Users: Click Start > Select Run and copy/paste the following bolded text below into the Run box and click OK:

Windows Vista Users: Press the Windows key and r to bring up the run dialogue, copy and paste the text below into the run box and click OK:

ComboFix /u

Update windows on a regular basis - If you do not have automatic updates enabled then visit Microsoft's Update Page and update your computer from there.

Update your virus checker on a regular basis - It is no use having a virus checker with out-of-date definitions.
Keep an eye on your firewall. Check what it wants to allow; do not simply allow everything. If there are any processes that you are unsure of then don't be afraid to ask for advice. For more information on firewalls read this article here

Safer Browsing
Use software such as Web of Trust to help you stay away from unsuspecting sites that have malicious purposes.
Use Spywareblaster to help prevent the installation of unwanted BHO's (Browser Helper Objects)

Use an alternative browser
Other browsers tend to be more secure than IE as they do not make use of ActiveX objects; ActiveX objects can be used by spyware as an infection point on your computer. Safer non-ActiveX browsers include Opera browser and, more recently, Firefox browser.

NB: Please note that although your browser may be more secure without ActiveX, it will not throw a ring of steel around your computer. If you purposely visit sites that are dubious in nature then infection will prevail.

Computer Maintenance
Malware can breed in temporary locations. Use a program such as CCleaner Slim to clear out temporary files on your computer on a regular basis.

Scan your computer regularly for malware
Scan on a regular basis to keep your computer clean; free software such as Spybot's Search & Destroy can help you stay clear. Other alternative software that runs under licence and monitors your computer continuously in the background for malware is Malwarebytes Anti-Malware (MBAM) and SUPERAntiSpyware. Please note that these products can also be run for free without a licence as an on-demand scanner.

Secure your router
Change your router's default username and password; do not leave it at the factory preset, as doing so makes it easy for unauthorised access.

Encrypt your network. Set your wireless network encryption to a minimum level of WPA-PSK [TKIP]. This will help prevent any unauthorised users "piggybacking" onto your network and stealing your bandwidth which you have rightly paid for.

I have included some security related articles that I advise you read through in your own time. These articles will give you tips and advice on preventing malware, and how to stay safe whilst browsing the internet.

-> So How Did I Get Infected In First Place - By TonyKlein
-> How to prevent Malware - By miekiemoes
-> I'm not pulling your leg, honest - By Sandi Hardmeie

**Kindly respond one more time and let me know if we may consider this thread resolved.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Old 09-03-2009, 05:14 AM   #12 (permalink)
Registered User
Join Date: Aug 2009
Posts: 7
OS: vista


Re: Removal of Malware or Virus Help Needed

OK, I have now removed my Norton and installed the AVG virus program.
I have also downloaded Foxfire and use that as my browser.
I have done several scans and let the programs correct any errors.

We changed the TEATIMER setting and you said we would take care of this later. What should be done with this?

Should I do anything else after the previous steps you requested me to do?

Please advise...Thanks
jbcarilli is offline  
Old 09-04-2009, 11:31 AM   #13 (permalink)
Analyst, Security Team
Join Date: Dec 2007
Location: Lincoln UK
Posts: 2,265
OS: Windows 7 Premium x64


Re: Removal of Malware or Virus Help Needed

Hi there

Sorry for any delay but I overlooked your initial reply.

Yes, you can now reactivate TeaTimer once again. Just reverse the settings we used to deactivate it. Apart from that, unless you have any other problems, you are good to go.
__________________
If we have helped you then please consider donating

Proud Member of ASAP & UNITE Since 2007
sjb007 is offline  
Copyright 2001 - 2009, Tech Support Forum