08-10-2007, 01:27 PM   #1
Registered User
Join Date: Aug 2007
Posts: 15
OS: XP


Malware on my system [moved from XP]

Hi, my PC is running horribly slow, and also booting up slowly; it's taking about 4 minutes to start up.

Thanks in advance

Atky

HijackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 17:23:22, on 08/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pnefans.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SoftickPPP] "C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {7C405D1B-4007-11D3-8B8E-00104B3E656F} (SBCRecorderPlayer Control) - https://www.vodafone.net/VoiceRecorder/SBCRP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.co.uk/SnapfishUKUpload.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4186E197-6FBF-469C-BA34-7DCA99579DE6}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ComboFix Log

ComboFix 07-08-07.6 - "nigel" 2007-08-08 12:39:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT 1:00]

Rootkit driver pe386 is present. ... attempting disinfection
pe386 ...... driver unloaded successfully.
ADS removed - system32: deleted 54474 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\WinAntiSpyware 2007 Free


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NTIO256
-------\ntio256


((((((((((((((((((((((((( Files Created from 2007-07-08 to 2007-08-08 )))))))))))))))))))))))))))))))


2007-08-08 12:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 01:16 <DIR> d-------- C:\Program Files\Softick
2007-08-07 23:50 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-05 21:32 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 17:27 <DIR> d-------- C:\Program Files\EA SPORTS
2007-07-31 13:11 532,480 --a------ C:\WINDOWS\system32\The Simpsons Movie.scr
2007-07-31 13:11 <DIR> d-------- C:\WINDOWS\system32\The Simpsons Movie dir
2007-07-28 15:15 94,208 --a------ C:\WINDOWS\system32\PixZip.dll
2007-07-28 15:15 74,240 --a------ C:\WINDOWS\system32\PixService.dll
2007-07-28 15:15 73,216 --a------ C:\WINDOWS\system32\LFFAX12N.DLL
2007-07-28 15:15 67,584 --a------ C:\WINDOWS\system32\PixiNet.dll
2007-07-28 15:15 53,248 --a------ C:\WINDOWS\system32\LFPCT12N.DLL
2007-07-28 15:15 51,712 --a------ C:\WINDOWS\system32\PixEPrint.dll
2007-07-28 15:15 434,176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL
2007-07-28 15:15 388,608 --a------ C:\WINDOWS\system32\LTKRN12N.DLL
2007-07-28 15:15 36,864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL
2007-07-28 15:15 341,504 --a------ C:\WINDOWS\system32\LFCMP12N.DLL
2007-07-28 15:15 32,256 --a------ C:\WINDOWS\system32\PixologyIRISS.dll
2007-07-28 15:15 30,720 --a------ C:\WINDOWS\system32\LFBMP12N.DLL
2007-07-28 15:15 26,624 --a------ C:\WINDOWS\system32\LFPCX12N.DLL
2007-07-28 15:15 258,560 --a------ C:\WINDOWS\system32\LTDIS12N.DLL
2007-07-28 15:15 230,400 --a------ C:\WINDOWS\system32\DC265.DLL
2007-07-28 15:15 207,872 --a------ C:\WINDOWS\system32\LTEFX12N.DLL
2007-07-28 15:15 19,968 --a------ C:\WINDOWS\system32\LFPCD12N.DLL
2007-07-28 15:15 165,888 --a------ C:\WINDOWS\system32\LTIMG12N.DLL
2007-07-28 15:15 149,504 --a------ C:\WINDOWS\system32\LFPNG12N.DLL
2007-07-28 15:15 141,824 --a------ C:\WINDOWS\system32\LFTIF12N.DLL
2007-07-28 15:15 130,048 --a------ C:\WINDOWS\system32\LTFIL12N.DLL
2007-07-28 15:15 106,496 --a------ C:\WINDOWS\system32\PixText.dll
2007-07-28 15:15 <DIR> d-------- C:\Program Files\Boots F2CD


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 02:53 --------- d-------- C:\DOCUME~1\nigel\APPLIC~1\Azureus
2007-08-07 23:47 --------- d-------- C:\Program Files\Opanda
2007-08-04 21:33 --------- d-------- C:\Program Files\PokerRoom.com
2007-07-20 23:55 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-07-01 13:17 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-06-08 23:09 --------- d-------- C:\Program Files\Microsoft Works
2007-06-08 23:08 --------- d-------- C:\Program Files\MSBuild
2007-06-08 23:05 --------- d-------- C:\Program Files\Microsoft.NET
2007-06-08 22:57 --------- d-------- C:\Program Files\Microsoft Visual Studio 8
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-07-28 11:09 94080 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezplay.sys
2006-07-28 11:09 81920 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezpinst.exe
2005-04-23 21:20 2492 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ViewerApp.dat
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
2006-05-10 19:07:24 1,497,600 --sh--w C:\WINDOWS\system32\vssms32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-07-15 11:42 C:\WINDOWS\system32\nwiz.exe]
"CnxDslTaskBar"="C:\Program Files\Zoom\CnxDslTb.exe" [2002-08-22 12:09]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 11:46 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"SoftickPPP"="C:\Program Files\Softick\PPP\Bin\PPPGate.exe" [2004-10-20 23:05]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^nigel^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)

R0 BTHidMgr;Bluetooth HID Manager Service;C:\WINDOWS\system32\Drivers\BTHidMgr.sys
R0 prohlp02;StarForce Protection Helper Driver v2;C:\WINDOWS\system32\drivers\prohlp02.sys
R0 prosync1;StarForce Protection Synchronization Driver v1;C:\WINDOWS\system32\drivers\prosync1.sys
R0 sfhlp01;StarForce Protection Helper Driver;C:\WINDOWS\system32\drivers\sfhlp01.sys
R0 Vax347b;Vax347b;C:\WINDOWS\system32\DRIVERS\Vax347b.sys
R0 Vax347s;Vax347s;C:\WINDOWS\system32\Drivers\Vax347s.sys
R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R1 prodrv06;StarForce Protection Environment Driver v6;C:\WINDOWS\system32\drivers\prodrv06.sys
R2 enodpl;enodpl;C:\WINDOWS\system32\drivers\enodpl.sys
R2 tandpl;tandpl;C:\WINDOWS\system32\drivers\tandpl.sys
R3 BlueletAudio;Bluetooth Audio Service;C:\WINDOWS\system32\DRIVERS\blueletaudio.sys
R3 BT;Bluetooth PAN Network Adapter;C:\WINDOWS\system32\DRIVERS\btnetdrv.sys
R3 BTHidEnum;Bluetooth HID Enumerator;C:\WINDOWS\system32\DRIVERS\vbtenum.sys
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys
R3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys
R3 ms_mpu401;Microsoft MPU-401 MIDI UART Driver;C:\WINDOWS\system32\drivers\msmpu401.sys
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
R3 ROOTMODEM;Microsoft Legacy Modem Driver;C:\WINDOWS\system32\Drivers\RootMdm.sys
R3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
R3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
R3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
R3 VComm;Virtual Serial port driver;C:\WINDOWS\system32\DRIVERS\VComm.sys
R3 VcommMgr;Bluetooth VComm Manager Service;C:\WINDOWS\system32\Drivers\VcommMgr.sys
S3 Btcsrusb;Bluetooth USB For Bluetooth Service;C:\WINDOWS\system32\Drivers\btcusb.sys
S3 ezplay;VSO Software ezplay;C:\WINDOWS\system32\Drivers\ezplay.sys
S3 Microsoft Office Groove Audit Service;Microsoft Office Groove Audit Service;"C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe"
S3 msgame;Sidewinder HID to Joystick Port Enabler;C:\WINDOWS\system32\DRIVERS\msgame.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\nigel\LOCALS~1\Temp\nsysaudm.sys
S3 odserv;Microsoft Office Diagnostics Service;"C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE"
S3 ssm_bus;Samsung Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;Samsung Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;Samsung Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


Contents of the 'Scheduled Tasks' folder
2006-03-02 17:42:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-08 12:56:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:000001d7

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-08 12:59:47 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-08 12:59

--- E O F ---

Kaspersky Online Scanner Report

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, August 09, 2007 3:43:38 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 8/08/2007
Kaspersky Anti-Virus database records: 377213
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 137544
Number of viruses found: 5
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 06:17:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\nigel\Local Settings\Application Data\Identities\{CCE119B9-E87F-426E-928D-654FF93DE4CD}\Microsoft\Outlook Express\alt.angst.xibo.sexalt.magick.sex.dbx/[From sexyjay@hotmail.com][Date Sat, 20 Nov 2004 04:49:21 GMT]/CWINDOWSDesktopsexpicslockercam.scr Infected: Backdoor.Win32.Loony.m skipped
C:\Documents and Settings\nigel\Local Settings\Application Data\Identities\{CCE119B9-E87F-426E-928D-654FF93DE4CD}\Microsoft\Outlook Express\alt.angst.xibo.sexalt.magick.sex.dbx Mail MS Outlook 5: infected - 1 skipped
C:\VundoFix Backups\dodklqol.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\fccyyya.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\mljjiij.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\opnmkkk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\pmnlm.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ig skipped
C:\VundoFix Backups\ssqolkl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\upbwvcxl.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped
C:\VundoFix Backups\vqbiesxh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ir skipped
C:\VundoFix Backups\yayywwv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\Internet Logs\YOUR-DV9ZEVNZEK.ldb Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ZoomDslWz.log Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5cc.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT0559b.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT055ae.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
atkypne is offline  
08-10-2007, 06:30 PM   #2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,328
OS: N/A


Re: Malware on my system[moved from xp]

Do these tasks in the order I laid out:

1. Delete this folder - C:\VundoFix Backups


2. Download & run this tool > SafeBootKeyRepair-CF
It shall only take a short moment for it to finish running. A log shall be produced at C:\SafeBoot_Repair.txt. Please post that in your next reply.


3. Delete your existing copy of ComboFix & grab a new one from here > http://download.bleepingcomputer.com...a/ComboFix.exe
Post the log that it produces.
__________________

Question - what have you done for the community today?
sUBs is offline  
08-11-2007, 01:16 PM   #3
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: XP


Re: Malware on my system[moved from xp]

Cheers for the reply, I've done what you asked. Please find below the new logs.

Thanks in advance.

ComboFix 07-08-12 - "nigel" 2007-08-11 20:09:19.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.170 [GMT 1:00]


((((((((((((((((((((((((( Files Created from 2007-07-11 to 2007-08-11 )))))))))))))))))))))))))))))))


2007-08-11 11:10 <DIR> d-------- C:\Program Files\Sports Interactive
2007-08-09 12:25 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-08-09 12:25 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-08-09 12:12 <DIR> d-------- C:\DOCUME~1\nigel\APPLIC~1\Sunbelt Software
2007-08-09 12:12 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-08-09 12:10 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-08-09 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-08 15:51 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-08-08 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-08 13:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 13:08 <DIR> d-------- C:\Rustbfix
2007-08-08 12:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 01:16 <DIR> d-------- C:\Program Files\Softick
2007-08-07 23:50 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-05 21:32 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 17:27 <DIR> d-------- C:\Program Files\EA SPORTS
2007-07-31 13:11 532,480 --a------ C:\WINDOWS\system32\The Simpsons Movie.scr
2007-07-31 13:11 <DIR> d-------- C:\WINDOWS\system32\The Simpsons Movie dir
2007-07-28 15:15 94,208 --a------ C:\WINDOWS\system32\PixZip.dll
2007-07-28 15:15 74,240 --a------ C:\WINDOWS\system32\PixService.dll
2007-07-28 15:15 73,216 --a------ C:\WINDOWS\system32\LFFAX12N.DLL
2007-07-28 15:15 67,584 --a------ C:\WINDOWS\system32\PixiNet.dll
2007-07-28 15:15 53,248 --a------ C:\WINDOWS\system32\LFPCT12N.DLL
2007-07-28 15:15 51,712 --a------ C:\WINDOWS\system32\PixEPrint.dll
2007-07-28 15:15 434,176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL
2007-07-28 15:15 388,608 --a------ C:\WINDOWS\system32\LTKRN12N.DLL
2007-07-28 15:15 36,864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL
2007-07-28 15:15 341,504 --a------ C:\WINDOWS\system32\LFCMP12N.DLL
2007-07-28 15:15 32,256 --a------ C:\WINDOWS\system32\PixologyIRISS.dll
2007-07-28 15:15 30,720 --a------ C:\WINDOWS\system32\LFBMP12N.DLL
2007-07-28 15:15 26,624 --a------ C:\WINDOWS\system32\LFPCX12N.DLL
2007-07-28 15:15 258,560 --a------ C:\WINDOWS\system32\LTDIS12N.DLL
2007-07-28 15:15 230,400 --a------ C:\WINDOWS\system32\DC265.DLL
2007-07-28 15:15 207,872 --a------ C:\WINDOWS\system32\LTEFX12N.DLL
2007-07-28 15:15 19,968 --a------ C:\WINDOWS\system32\LFPCD12N.DLL
2007-07-28 15:15 165,888 --a------ C:\WINDOWS\system32\LTIMG12N.DLL
2007-07-28 15:15 149,504 --a------ C:\WINDOWS\system32\LFPNG12N.DLL
2007-07-28 15:15 141,824 --a------ C:\WINDOWS\system32\LFTIF12N.DLL
2007-07-28 15:15 130,048 --a------ C:\WINDOWS\system32\LTFIL12N.DLL
2007-07-28 15:15 106,496 --a------ C:\WINDOWS\system32\PixText.dll
2007-07-28 15:15 <DIR> d-------- C:\Program Files\Boots F2CD


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-11 11:17 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-11 10:58 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-10 23:49 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-08-09 13:16 --------- d-------- C:\DOCUME~1\nigel\APPLIC~1\Azureus
2007-08-09 11:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-09 10:59 --------- d-------- C:\Program Files\Zoom
2007-08-07 23:47 --------- d-------- C:\Program Files\Opanda
2007-08-04 21:33 --------- d-------- C:\Program Files\PokerRoom.com
2007-06-15 14:37 27376 --a------ C:\WINDOWS\system32\SBBD.exe
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-07-28 11:09 94080 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezplay.sys
2006-07-28 11:09 81920 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezpinst.exe
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
2006-05-10 19:07:24 1,497,600 --sh--w C:\WINDOWS\system32\vssms32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-07-15 11:42 C:\WINDOWS\system32\nwiz.exe]
"CnxDslTaskBar"="C:\Program Files\Zoom\CnxDslTb.exe" [2002-08-22 12:09]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 11:46 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^nigel^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]
"C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys
R3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\nigel\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 ssm_bus;Samsung Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;Samsung Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;Samsung Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


Contents of the 'Scheduled Tasks' folder
2006-03-02 17:42:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-11 20:15:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-11 20:17:50
C:\ComboFix-quarantined-files.txt ... 2007-08-11 20:17
C:\ComboFix2.txt ... 2007-08-09 11:57
C:\ComboFix3.txt ... 2007-08-08 12:59

--- E O F ---
Reg export of SafeBoot key after repair:
========================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot]
"AlternateShell"="cmd.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Minimal\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SBCSSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\Network\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\AFD]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\AppMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Base]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Boot Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Boot file system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Browser]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\CryptSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\DcomLaunch]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Dhcp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\dmadmin]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\dmboot.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\dmio.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\dmload.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\dmserver]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\DnsCache]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\EventLog]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\HelpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\ip6fw.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\ipnat.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\LanmanServer]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\LanmanWorkstation]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\LmHosts]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Messenger]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NDIS]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NDIS Wrapper]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Ndisuio]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetBIOS]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetBIOSGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetBT]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetDDEGroup]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Netlogon]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetMan]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Network]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NetworkProvider]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\NtLmSsp]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\PCI Configuration]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\PlugPlay]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\PNP Filter]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\PNP_TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Primary disk]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\rdpcdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\rdpdd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\rdpwd.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\rdsessmgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\RpcSs]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\SCSI Class]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\sermouse.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\sharedaccess]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\sr.sys]
@="FSFilter System Recovery"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\SRService]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Streams Drivers]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\System Bus Extender]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\Tcpip]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\TDI]
@="Driver Group"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\tdpipe.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\tdtcp.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\termservice]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\UploadMgr]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\vga.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\WinMgmt]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\WZCSVC]
@="Service"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{36FC9E60-C465-11CF-8056-444553540000}]
@="Universal Serial Bus controllers"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E965-E325-11CE-BFC1-08002BE10318}]
@="CD-ROM Drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E969-E325-11CE-BFC1-08002BE10318}]
@="Standard floppy disk controller"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E972-E325-11CE-BFC1-08002BE10318}]
@="Net"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E973-E325-11CE-BFC1-08002BE10318}]
@="NetClient"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E974-E325-11CE-BFC1-08002BE10318}]
@="NetService"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E975-E325-11CE-BFC1-08002BE10318}]
@="NetTrans"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E977-E325-11CE-BFC1-08002BE10318}]
@="PCMCIA Adapters"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E97B-E325-11CE-BFC1-08002BE10318}]
@="SCSIAdapter"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{4D36E980-E325-11CE-BFC1-08002BE10318}]
@="Floppy disk drive"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx\{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}]
@="Human Interface Devices"

========================

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc
atkypne is offline  
Old 08-11-2007, 01:36 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,328
OS: N/A


Re: Malware on my system[moved from xp]

Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • SpyHunter
Please note any other programs that you don't recognize in that list in your next response.


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\SBRC.dat
C:\WINDOWS\system32\SBFC.dat
Folder::
C:\Program Files\Enigma Software Group
C:\Rustbfix
Registry::
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\network.xxx]
Save this as "CFScript"




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Perform an online scan with Internet Explorer at - http://www.pandasoftware.com/products/activescan.htm
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 08-13-2007, 06:22 AM   #5 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: XP


Re: Malware on my system[moved from xp]

Thanks again for the reply, I've done everything you asked. I couldn't see SpyHunter in Add/Remove Programs; ComboFix seems to have removed it, I think.

The Panda online scan didn't find anything either; here are the two logs from HJT and Combo.

Thanks again.

Atky

Logfile of HijackThis v1.99.1
Scan saved at 13:25:47, on 13/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Zoom\CnxDslTb.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Hijack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pnefans.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CnxDslTaskBar] C:\Program Files\Zoom\CnxDslTb.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com...45/yacscom.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...1/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX28.cab
O16 - DPF: {7C405D1B-4007-11D3-8B8E-00104B3E656F} (SBCRecorderPlayer Control) - https://www.vodafone.net/VoiceRecorder/SBCRP.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.snapfish.co.uk/SnapfishUKUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/...chsettings.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4186E197-6FBF-469C-BA34-7DCA99579DE6}: NameServer = 194.106.56.6 194.106.33.42
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

ComboFix 07-08-12 - "nigel" 2007-08-13 13:04:11.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.163 [GMT 1:00]
Command switches used :: C:\Documents and Settings\nigel\Desktop\CFScript.txt

FILE::
C:\WINDOWS\system32\SBRC.dat
C:\WINDOWS\system32\SBFC.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\Rustbfix
C:\Rustbfix\1run.bat
C:\Rustbfix\2run.bat
C:\Rustbfix\avenger.exe
C:\Rustbfix\chkrustb.bat
C:\Rustbfix\LS.exe
C:\Rustbfix\pelog.txt
C:\Rustbfix\SF.exe
C:\Rustbfix\streamtools.zip
C:\Rustbfix\swreg.exe
C:\Rustbfix\tmp1.txt
C:\WINDOWS\system32\SBFC.dat
C:\WINDOWS\system32\SBRC.dat


((((((((((((((((((((((((( Files Created from 2007-07-13 to 2007-08-13 )))))))))))))))))))))))))))))))


2007-08-11 11:10 <DIR> d-------- C:\Program Files\Sports Interactive
2007-08-09 12:12 <DIR> d-------- C:\DOCUME~1\nigel\APPLIC~1\Sunbelt Software
2007-08-09 10:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-08-08 13:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-08 13:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-08 12:29 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 01:16 <DIR> d-------- C:\Program Files\Softick
2007-08-07 23:50 <DIR> d-------- C:\Program Files\Smart Projects
2007-08-05 21:32 <DIR> d-------- C:\Program Files\CCleaner
2007-08-02 17:27 <DIR> d-------- C:\Program Files\EA SPORTS
2007-07-31 13:11 532,480 --a------ C:\WINDOWS\system32\The Simpsons Movie.scr
2007-07-31 13:11 <DIR> d-------- C:\WINDOWS\system32\The Simpsons Movie dir
2007-07-28 15:15 53,248 --a------ C:\WINDOWS\system32\LFPCT12N.DLL
2007-07-28 15:15 434,176 --a------ C:\WINDOWS\system32\DC120V15_32.DLL
2007-07-28 15:15 388,608 --a------ C:\WINDOWS\system32\LTKRN12N.DLL
2007-07-28 15:15 36,864 --a------ C:\WINDOWS\system32\LFPSD12N.DLL
2007-07-28 15:15 341,504 --a------ C:\WINDOWS\system32\LFCMP12N.DLL
2007-07-28 15:15 30,720 --a------ C:\WINDOWS\system32\LFBMP12N.DLL
2007-07-28 15:15 26,624 --a------ C:\WINDOWS\system32\LFPCX12N.DLL
2007-07-28 15:15 258,560 --a------ C:\WINDOWS\system32\LTDIS12N.DLL
2007-07-28 15:15 230,400 --a------ C:\WINDOWS\system32\DC265.DLL
2007-07-28 15:15 207,872 --a------ C:\WINDOWS\system32\LTEFX12N.DLL
2007-07-28 15:15 165,888 --a------ C:\WINDOWS\system32\LTIMG12N.DLL
2007-07-28 15:15 149,504 --a------ C:\WINDOWS\system32\LFPNG12N.DLL
2007-07-28 15:15 130,048 --a------ C:\WINDOWS\system32\LTFIL12N.DLL
2007-07-28 15:15 <DIR> d-------- C:\Program Files\Boots F2CD


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-13 12:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-11 11:17 163644 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-10 23:49 --------- d-------- C:\Program Files\Windows Live Safety Center
2007-08-09 13:16 --------- d-------- C:\DOCUME~1\nigel\APPLIC~1\Azureus
2007-08-09 11:00 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-09 10:59 --------- d-------- C:\Program Files\Zoom
2007-08-07 23:47 --------- d-------- C:\Program Files\Opanda
2007-08-04 21:33 --------- d-------- C:\Program Files\PokerRoom.com
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 --a--c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 510976 --a--c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 --a--c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-07-28 11:09 94080 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezplay.sys
2006-07-28 11:09 81920 --a--c--- C:\DOCUME~1\nigel\APPLIC~1\ezpinst.exe
2001-08-18 12:00:00 94,784 -csh--w C:\WINDOWS\twain.dll
2004-08-04 07:56:43 54,784 --sh--w C:\WINDOWS\system32\msvcirt.dll
2004-08-04 07:56:44 553,472 --sh--w C:\WINDOWS\system32\oleaut32.dll
2004-08-04 07:56:44 83,456 --sh--w C:\WINDOWS\system32\olepro32.dll
2004-08-04 07:56:55 11,776 --sh--w C:\WINDOWS\system32\regsvr32.exe
2006-05-10 19:07:24 1,497,600 --sh--w C:\WINDOWS\system32\vssms32.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-07-15 11:42 C:\WINDOWS\system32\nwiz.exe]
"CnxDslTaskBar"="C:\Program Files\Zoom\CnxDslTb.exe" [2002-08-22 12:09]
"SoundMan"="SOUNDMAN.EXE" [2002-08-15 11:46 C:\WINDOWS\SOUNDMAN.EXE]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-06-16 06:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 06:03]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-03-09 00:02]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
backup=C:\WINDOWS\pss\BlueSoleil.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^nigel^Start Menu^Programs^Startup^Adobe Gamma.lnk]
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Agent]
C:\Program Files\Medion\PowerCinema\My_TV\Agent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boots Insert Detect]
C:\Program Files\Boots F2CD\Picture Suite\InsDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CapFax]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dit]
Dit.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Access]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
rundll32.exe nview.dll,nViewLoadHook

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoftickPPP]
"C:\Program Files\Softick\PPP\Bin\PPPGate.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BlueSoleil Hid Service"=2 (0x2)

R1 cdrbsvsd;cdrbsvsd;C:\WINDOWS\system32\drivers\cdrbsvsd.sys
R1 oreans32;oreans32;\??\C:\WINDOWS\system32\drivers\oreans32.sys
R1 papycpu2;papycpu2;C:\WINDOWS\system32\DRIVERS\papycpu2.sys
R1 papyjoy;papyjoy;C:\WINDOWS\system32\DRIVERS\papyjoy.sys
R3 Cap7134;MEDION (7134) WDM Video Capture;C:\WINDOWS\system32\DRIVERS\Cap7134.sys
R3 CnxEtP;Conexant AccessRunner USB ADSL WAN Adapter Filter Driver;C:\WINDOWS\system32\DRIVERS\CnxEtP.sys
R3 CnxEtU;Conexant AccessRunner USB ADSL Interface Device Driver;C:\WINDOWS\system32\DRIVERS\CnxEtU.sys
R3 CnxTgN;Conexant AccessRunner USB ADSL WAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\CnxTgN.sys
R3 ICAM8USB;Intel(r) PC Camera CS120;C:\WINDOWS\system32\Drivers\Icm8D2.SYS
R3 Intels51;Creatix V.9X DSP Data Fax Modem;C:\WINDOWS\system32\DRIVERS\ctxs51.sys
R3 PhTVTune;MEDION TV-TUNER 7134 MK2/3;C:\WINDOWS\system32\DRIVERS\PhTVTune.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\nigel\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 ssm_bus;Samsung Mobile USB Device II 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ssm_bus.sys
S3 ssm_mdfl;Samsung Mobile USB Modem II 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ssm_mdfl.sys
S3 ssm_mdm;Samsung Mobile USB Modem II 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ssm_mdm.sys
S3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 usbprint;Microsoft USB PRINTER Class;C:\WINDOWS\system32\DRIVERS\usbprint.sys


Contents of the 'Scheduled Tasks' folder
2006-03-02 17:42:03 C:\WINDOWS\Tasks\Symantec NetDetect.job - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-13 13:10:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-13 13:11:29
C:\ComboFix-quarantined-files.txt ... 2007-08-13 13:11
C:\ComboFix2.txt ... 2007-08-11 20:17
C:\ComboFix3.txt ... 2007-08-09 11:57

--- E O F ---
atkypne is offline  
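Reading an HJT log like the one above entry by entry is what the helper does by hand. As an added example, not code from this thread or from HijackThis itself, here is a small Python triage script that parses the v1.99.1 line format and flags the entry types a reviewer checks first; the sample lines are copied from the log above, and the rule names and notes are my own.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the HijackThis v1.99.1 log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.pnefans.net/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4186E197-6FBF-469C-BA34-7DCA99579DE6}: NameServer = 194.106.56.6 194.106.33.42
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Every HJT entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# O4 body: "<hive>\..\Run: [value name] <command line>"
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.+)$")
# A command that starts with a drive letter is an absolute path; anything else
# is resolved by PATH search, so the file that actually runs must be confirmed.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Split an HJT log into entries; non-entry lines (processes, headers) are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "line": raw.strip()})
    return entries


def count_by_code(entries):
    """How many entries of each section code the log contains (O2, O4, O16, ...)."""
    return dict(Counter(e["code"] for e in entries))


def triage(entries):
    """Apply review rules (my own, not HijackThis's) and return the entries worth a second look."""
    findings = []

    def flag(entry, rule, note):
        findings.append({"code": entry["code"], "rule": rule, "note": note, "line": entry["line"]})

    for e in entries:
        code, body = e["code"], e["body"]
        if body.endswith("(no file)"):
            # A CLSID registered with no backing DLL: stale, safe to remove.
            flag(e, "no-file", "registered object has no backing file; stale entry")
        elif code == "O4":
            m = RUN_RE.search(body)
            if m and not ABS_PATH_RE.match(m.group("cmd").lstrip('"')):
                flag(e, "relative-path", "autorun command is not an absolute path; confirm which file runs")
        elif code == "O16" and "..." in body:
            # The forum shortened long URLs on paste; the entry cannot be judged as shown.
            flag(e, "truncated-url", "download URL was truncated in the paste; ask for the full line")
        elif code == "O17":
            flag(e, "dns-override", "DNS servers set on the interface; confirm they belong to the ISP")
        elif code == "O20":
            flag(e, "winlogon-notify", "DLL loaded by winlogon at logon; verify publisher and path")
        elif code == "O23" and " - Unknown owner - " in body:
            flag(e, "unknown-owner", "service has no publisher information; verify the binary")
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print("entries per section:", count_by_code(parsed))
    for f in triage(parsed):
        print(f"[{f['code']}:{f['rule']}] {f['note']}\n    {f['line']}")
```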
Old 08-13-2007, 06:36 AM   #6 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,328
OS: N/A


Re: Malware on my system[moved from xp]

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  4. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  5. MICROSOFT WINDOWS UPDATE → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  6. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  7. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here → http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
08-13-2007, 06:51 AM   #7
Registered User
 
Join Date: Aug 2007
Posts: 15
OS: XP


Re: Malware on my system[moved from xp]

Thanks for the fast reply, it's good news my computer is now clean.

Unfortunately my computer is still running below performance and it's starting up slow still too. I've taken note of all the advice given and I'll take up on this.

Where do I go from now, thanks again.

Atky
Copyright 2001 - 2009, Tech Support Forum