Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
03-11-2009, 05:31 PM   #1
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Ntoskrnl-hook

hi
In the last few days I have been unable to log on to my laptop. It will load successfully to my login page, and either here or shortly after entering my password a blue screen appears for a short time, then the laptop shuts down. On restart it will say an unsuccessful shutdown occurred and ask if I would like to go to safe mode.

I have entered safe mode, which seems to work, where I have scanned with McAfee. The first time I came up with a number of files, some of which were quarantined, others deleted, but the problem persisted, and after lots of restarts and virus scans I keep finding the file NTOSKRNL-HOOK with McAfee, and my laptop will not load up successfully.
Any help on the matter would be much appreciated.

I have done everything that was instructed in the last post; however, when running the GMER program, an error message appeared saying the following:

LoadDriver( "c:\Users\Dave\AppData\Local\Temp\tblafakj.sys" )error
0xC000035F: this service cannot be started in Safe Mode

and as I am unable to run the computer in any other way than in safe mode I ran the scan anyway, but due to the error message (described) I was unable to check the following boxes in the GMER program:
System, Devices, Modules, Processes, Threads, Libraries,

All other boxes that were meant to be checked or unchecked were done so, and I have zipped and attached the result as told.

Thanks

My attached Ark and attach.txt files cannot be uploaded as I already posted them in another forum, so here are the links to them both:

http://www.techsupportforum.com/atta...l-hook-ark.zip


http://www.techsupportforum.com/atta...ook-attach.zip

Dave
DDS log:


DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Dave at 17:32:25.57 on 10/03/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.44.1033.18.1013.335 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsmap.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://en-gb.facebook.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [SetPanel]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinCast] c:\hauppauge\wintv cd 4.4\cdsetup\setup.exe -leng
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: nusextra.co.uk\www
Trusted Zone: softpedia.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 85.255.112.181,85.255.112.81
TCP: {97ADDA58-0C9E-4DEF-90EF-6F713ED47B1C} = 85.255.112.181,85.255.112.81
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: eNetHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\dwdhw46w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

============= SERVICES / DRIVERS ===============

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-21 206096]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-26 33752]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2008-5-20 560640]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2008-5-20 15616]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2007-4-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-12-16 80744]

=============== Created Last 30 ================

2009-03-08 10:15 155,739,694 a------- c:\windows\MEMORY.DMP
2009-03-08 01:06 <DIR> --d----- c:\programdata\Pure Networks
2009-03-08 01:06 <DIR> --d----- c:\progra~2\Pure Networks
2009-03-07 15:40 <DIR> --d-h--- c:\programdata\CanonBJ
2009-02-15 08:11 428,544 a------- c:\windows\system32\EncDec.dll
2009-02-15 08:11 217,088 a------- c:\windows\system32\psisrndr.ax
2009-02-15 08:11 293,376 a------- c:\windows\system32\psisdecd.dll
2009-02-15 08:11 177,664 a------- c:\windows\system32\mpg2splt.ax
2009-02-15 08:11 80,896 a------- c:\windows\system32\MSNP.ax
2009-02-11 04:59 827,392 a------- c:\windows\system32\wininet.dll
2009-02-11 04:59 1,383,424 a------- c:\windows\system32\mshtml.tlb

==================== Find3M ====================

2009-03-07 14:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 16:18 148,992 a------- c:\windows\hpoins19.dat
2009-01-21 13:12 86,016 a------- c:\windows\inf\infpub.dat
2009-01-05 22:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 65,536 a------- c:\windows\system32\jdns_sd.dll
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-11-24 00:18 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-24 00:18 143,360 a------- c:\windows\inf\infstor.dat
2008-11-21 00:37 32 a------- c:\programdata\ezsid.dat
2008-11-21 00:37 32 a------- c:\progra~2\ezsid.dat
2008-06-13 14:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-24 21:04 0 a---hr-- c:\users\dave\appdata\roaming\NTICDMK7.dll
2008-04-26 06:42 174 a--sh--- c:\program files\desktop.ini
2008-01-31 00:22 87,608 a------- c:\users\dave\appdata\roaming\inst.exe
2008-01-31 00:22 47,360 a------- c:\users\dave\appdata\roaming\pcouffin.sys
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-11-02 02:17 299,060 a--shr-- c:\users\dave\appdata\roaming\server.exe
2006-11-02 02:17 299,060 a--shr-- c:\windows\server.exe
2007-10-05 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-10-05 00:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-10-05 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-03 17:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2008-11-03 17:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2008-11-03 17:00 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 17:33:03.66 ===============
davep88 is offline  
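A triage pass over DDS lines of the kind shown in the log above, added here as an example; it is not part of the thread and not one of the tools the helper asked for. It reads the "Pseudo HJT Report" and "SERVICES / DRIVERS" line formats from the log and flags what an analyst scans such a log for: DNS resolvers that differ from the ones the machine should be using (the expected set, 192.168.1.1, is a constructed placeholder standing in for the user's router or ISP; the log's 85.255.112.x entries are flagged only because they are not in that set), a populated AppInit_DLLs value, orphaned BHO registrations, and long letters-only file names with consonant runs no pronounceable word has. The sample lines are copied from the log above, except the last S3 line, which is constructed in DDS format around the driver file name ComboFix reported later in the thread; the service name constructed_svc and its date/size field are placeholders.

```python
"""Triage pass over DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example, not part of the forum thread and not one of the tools the
helper used. It flags DNS resolvers outside the expected set, a populated
AppInit_DLLs value, orphaned BHO entries, and file names that look
machine-generated (long, letters only, long consonant runs).
"""
import re
from dataclasses import dataclass

# Constructed sample. The first eight lines are copied from the DDS log
# posted above; the last line is built in DDS service-line format around the
# driver file name ComboFix reported later in the thread (the service name
# "constructed_svc" and the date/size field are placeholders).
SAMPLE_DDS = r"""
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: NoExplorer - No File
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
TCP: NameServer = 85.255.112.181,85.255.112.81
TCP: {97ADDA58-0C9E-4DEF-90EF-6F713ED47B1C} = 85.255.112.181,85.255.112.81
AppInit_DLLs: eNetHook.dll
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-12-16 80744]
S3 constructed_svc;constructed_svc;c:\windows\system32\drivers\gaopdxopcexddvfvtmqhtpdqukuuitqbajatxu.sys [2009-3-8 0]
"""

# Resolvers the analyst expects on this machine (router/ISP). Constructed
# placeholder; in practice this comes from the user or the router config.
EXPECTED_RESOLVERS = {"192.168.1.1"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Drive-letter path up to the next whitespace, bracket, semicolon or quote.
PATH_RE = re.compile(r'[A-Za-z]:\\[^\s\[\];"]+')
VOWELS = set("aeiouy")


@dataclass
class Finding:
    severity: str   # "high", "review" or "low"
    line: str       # the DDS line that triggered the finding
    reason: str


def max_consonant_run(stem: str) -> int:
    """Longest run of consecutive consonants in a lower-cased name."""
    best = run = 0
    for ch in stem.lower():
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_random(stem: str, min_len: int = 16, min_run: int = 5) -> bool:
    """Heuristic for machine-generated names: long, ASCII letters only, and
    containing a consonant run no pronounceable word would have."""
    s = stem.lower()
    return (len(s) >= min_len and s.isascii() and s.isalpha()
            and max_consonant_run(s) >= min_run)


def file_stem(path: str) -> str:
    """'c:\\dir\\name.sys' -> 'name'."""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text: str, expected_resolvers: set) -> list:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("TCP:") and "=" in line:
            # Covers both the global NameServer and per-interface {GUID} entries.
            ips = IP_RE.findall(line.split("=", 1)[1])
            bad = [ip for ip in ips if ip not in expected_resolvers]
            if bad:
                findings.append(Finding("high", line,
                    "DNS resolvers outside the expected set: " + ", ".join(bad)))
        elif line.startswith("AppInit_DLLs:") and line.split(":", 1)[1].strip():
            findings.append(Finding("review", line,
                "AppInit_DLLs is populated; the DLL loads into every process that "
                "uses user32.dll, so confirm its publisher"))
        elif line.startswith("BHO:") and line.endswith("- No File"):
            findings.append(Finding("low", line,
                "orphaned BHO registration (referenced file is missing)"))
        # Independently of the line type, inspect every file path on the line.
        for path in PATH_RE.findall(line):
            stem = file_stem(path)
            if looks_random(stem):
                findings.append(Finding("high", line,
                    "random-looking file name: " + stem))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS, EXPECTED_RESOLVERS):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

The resolver check is deliberately an allow-list rather than a block-list: a DDS log is reviewed per machine, and the analyst knows which resolvers the router or ISP hands out, so anything else is worth a question. The name heuristic is tuned so that GMER's own short random-named temporary driver (tblafakj.sys, eight characters) and hardware drivers with digits in their names (hcw95bda.sys) are not flagged.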

03-14-2009, 10:30 PM   #2
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

BUMP please
davep88 is offline  
03-15-2009, 07:58 AM   #3
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Hi Dave,

This will require more than one round to take care of this infection. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt for further review.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
03-15-2009, 01:47 PM   #4
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

hey, thanks for the reply

I followed all the instructions. I managed to get Windows to open in 'normal' mode, and downloaded ComboFix and ran it as directed.
It came up with a warning telling me to note the following file as I may need it in the future; this was:

C:\windows\system32\eNetHook.dll

then during the scan the following message came up:

ComboFix has detected the presence of rootkit activity and needs to reboot the machine
Kindly note down on paper, the name of each file. We may need it later

C:\windows\system32\drivers\gaopdxopcexddvfvtmqhtpdqukuuitqbajatxu.sys

C:\windows\system32\gaopdxcvoxeoiwnwatniiwmmnffeqingwvssef.dll

After clicking OK the machine rebooted, and on login a blue screen appeared. I was unable to read the text due to the short time it was there, but I caught the fact that Windows was restarting to protect the system, and the bottom few lines mentioned a memory dump.

And as before, the only way I can get the computer to work is in safe mode, in which, when ComboFix is run, it says that administrative rights are needed to run and then it logs off and shuts down each time.
I tried running it by right-clicking and running as an administrator, but the same thing happened.
Nowhere can I find a saved log file.
Is there any way I can get it to run in safe mode?
Thanks again for your help
Dave
davep88 is offline  
03-16-2009, 10:25 PM   #5
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Hi Dave,

What happens when you try to boot up into Normal Mode? I need exact details please.

In Safe Mode, you must log into an account that has Administrator privileges.

If you can't get ComboFix to run again, please run another scan with gmer. Save the file as Ark2.txt so you can attach it in your next reply.
Ried is offline
03-17-2009, 04:36 PM   #6
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

hey
When I try to boot up in normal mode, it goes through the normal screens up to the login; I enter the user password, and then after between 5 and 45 seconds a blue screen pops up briefly (I managed to photograph it) and says the following:
********************************************************
A problem has been detected and windows has been shut down to prevent damage to your computer.

If this is the first time you have seen this stop error screen, restart your computer. if this screen appears again, follow these steps:

Check to make sure you have adequate disk space. If a driver is identified in the stop message, disable the driver or check with the manufacturer for driver updates. Try changing video adapters.

Check with your hardware vendor for any BIOS updates. Disable BIOS memory options such as caching or shawdowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select advanced startup options, and then select safe mode

Technical information:
*** STOP: 0x0000008E (0xc0000005, 0x8B52F4BB, 0x000000000)

Collecting data for crash dump...
initializing disk for crash dump...
Beginning dump of physical memory.
dumping physical memory: 40

*********************************************************

Once this has finished the computer then restarts and asks if I want to restart in safe mode. This happens every time I try to log in normally.

In safe mode, I log in as administrator. There is only one account on the computer. When I try to run ComboFix, it either freezes the computer, or the previous messages that I posted come up, and it logs me out and restarts the computer.

When I run GMER, I get the following messages after clicking on the icon:

LoadDriver( "C\user\dave\appdata\local\temp\tblafakj.sys" ) error
0xC000035F: this service cannot be started in safe mode

I click OK, the GMER window opens and another error message pops up:

C:\windows\system32\config\system: the process cannot access the file because it is being used by another process.

I click OK; then the only boxes within that program that are available to check are SERVICES, REGISTRY, FILES, C:\, D:\ and ADS. All others are shaded and cannot be clicked.

I then click SCAN and get another error message:

C:\windows\system32\config\system: the process cannot access the file because it is being used by another process.

I click OK and this same message pops up twice; on the third click I get the following error message:

C:\users\dave\ntuser.dat: the process cannot access the file because it is being used by another process.

I click OK and get the message:

GMER hasn't found any system modifications, and the program window returns unchanged, without any logs or files.
So I then cancel the program.

Thanks again for the help
Dave
davep88 is offline  
03-17-2009, 05:28 PM   #7
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Let's get a more detailed look. Download OTListIt2 to your desktop.
  • Double click the icon to start the tool.
  • Click Run Scan and let the program run uninterrupted.
When the scan is complete, two text files will be created, OTListIt.Txt and Extras.txt, on the Desktop. I only need the contents of the OTListIt.txt
Ried is offline
03-18-2009, 09:30 AM   #8
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

Hey

I downloaded the program and ran the scan; after about 2 mins an error message appeared saying:

Win32 Error. Code: 1722
The RPC server is unavailable.

At the bottom of the OTListIt2 window, it had stopped on
Scanning HKEY_CURRENT_USER\uninstall List...

I clicked OK on the error message and nothing happened; it was left for 8 hours and the scan didn't continue, so I closed the window down and tried again. The same thing happened.

Thanks
Dave
davep88 is offline  
03-18-2009, 02:37 PM   #9
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Ok Dave, let's try yet another scanning tool. Download rsit.exe and save it to your desktop.
  • Double click on RSIT.exe to run it.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of only the log.txt
Ried is offline
03-18-2009, 04:27 PM   #10
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

hey

I downloaded the program and ran it as asked; shortly after running, an error message popped up stating:

Line -1:

Error: subscript used with non-Array Variable.

This was while the RSIT window stated "listing recently created files and folders".
I clicked OK on the error window and the program closed.
No files were saved or logs shown.

Thanks again for the help!
Dave
davep88 is offline  
03-18-2009, 10:17 PM   #11
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Dave, see if dds.scr will run again. Double click to run it, then post the dds.txt.

Also--does regedit work? On your keyboard, press the Windows Logo button and the letter R to bring up the Run command box. Type in regedit and see if it opens for you.
Last edited by Ried; 03-18-2009 at 10:19 PM.
Ried is offline
03-19-2009, 02:25 AM   #12
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

Hey

Yeah, DDS ran and dds.txt is copied below. I also managed to open up the Registry Editor.
Thanks
******************************************************

DDS (Ver_09-02-01.01) - NTFSx86 NETWORK
Run by Dave at 8:20:17.81 on 2009-03-19
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.585 [GMT 0:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\Program Files\Windows Live\Mail\wlmail.exe
C:\Users\Dave\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSEARCH PAGE = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/sp/*http://uk.yahoo.com
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://en-gb.facebook.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
mDefault_Page_URL = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: McAfee Phishing Filter: {377c180e-6f0e-4d4c-980f-f45bd3d40cf4} - c:\progra~1\mcafee\msk\mcapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: NoExplorer - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
uRun: [ehTray.exe] c:\windows\ehome\ehTray.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_0
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Acer Tour]
mRun: [SetPanel]
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [WarReg_PopUp] c:\acer\wr_popup\WarReg_PopUp.exe
mRun: [eRecoveryService]
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [LogitechCommunicationsManager] "c:\program files\common files\logishrd\lcommgr\Communications_Helper.exe"
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [WinCast] c:\hauppauge\wintv cd 4.4\cdsetup\setup.exe -leng
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
dRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
StartupFolder: c:\users\dave\appdata\roaming\micros~1\windows\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\autost~1.lnk - c:\program files\wintv\Ir.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {7F9DB11C-E358-4ca6-A83D-ACC663939424} - {9999A076-A9E2-4C99-8A2B-632FC9429223} - c:\program files\bonjour\ExplorerPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: nusextra.co.uk\www
Trusted Zone: softpedia.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
TCP: NameServer = 85.255.112.181,85.255.112.81
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: eNetHook.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\users\dave\appdata\roaming\mozilla\firefox\profiles\dwdhw46w.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.startup.homepage - hxxp://www.facebook.com/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npBBCPlugin.dll

============= SERVICES / DRIVERS ===============

S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-12-21 206096]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\nos\bin\getPlus_HelperSvc.exe [2009-1-26 33752]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\system32\drivers\hcw95bda.sys [2008-5-20 560640]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\system32\drivers\hcw95rc.sys [2008-5-20 15616]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\system32\drivers\s125bus.sys [2007-4-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\system32\drivers\s125mdfl.sys [2007-4-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\system32\drivers\s125mdm.sys [2007-4-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s125mgmt.sys [2007-4-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\system32\drivers\s125obex.sys [2007-4-24 98696]
S3 WSVD;WSVD;c:\windows\system32\drivers\WSVD.sys [2007-12-16 80744]

=============== Created Last 30 ================

2009-03-18 22:21 <DIR> --d----- c:\program files\trend micro
2009-03-15 17:41 318,976 a------- c:\windows\system32\CF8345.exe
2009-03-15 17:41 <DIR> --d----- C:\ComboFix
2009-03-15 17:36 318,976 a------- c:\windows\system32\CF7469.exe
2009-03-15 17:15 318,976 a------- c:\windows\system32\CF3276.exe
2009-03-08 10:15 104,123,558 a------- c:\windows\MEMORY.DMP
2009-03-08 01:06 <DIR> --d----- c:\programdata\Pure Networks
2009-03-08 01:06 <DIR> --d----- c:\progra~2\Pure Networks
2009-03-07 15:40 <DIR> --d-h--- c:\programdata\CanonBJ

==================== Find3M ====================

2009-03-15 14:19 318,976 a------- c:\windows\system32\CF1498.exe
2009-03-07 14:16 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-05 16:18 148,992 a------- c:\windows\hpoins19.dat
2009-01-21 13:12 86,016 a------- c:\windows\inf\infpub.dat
2009-01-15 06:11 827,392 a------- c:\windows\system32\wininet.dll
2009-01-05 22:33 3,751,995 a------- c:\windows\system32\GPhotos.scr
2008-11-24 00:18 143,360 a------- c:\windows\inf\infstrng.dat
2008-11-24 00:18 143,360 a------- c:\windows\inf\infstor.dat
2008-11-21 00:37 32 a------- c:\programdata\ezsid.dat
2008-11-21 00:37 32 a------- c:\progra~2\ezsid.dat
2008-06-13 14:55 665,600 a------- c:\windows\inf\drvindex.dat
2008-05-24 21:04 0 a---hr-- c:\users\dave\appdata\roaming\NTICDMK7.dll
2008-04-26 06:42 174 a--sh--- c:\program files\desktop.ini
2008-01-31 00:22 87,608 a------- c:\users\dave\appdata\roaming\inst.exe
2008-01-31 00:22 47,360 a------- c:\users\dave\appdata\roaming\pcouffin.sys
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 12:42 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 12:42 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2006-11-02 02:17 299,060 a--shr-- c:\users\dave\appdata\roaming\server.exe
2006-11-02 02:17 299,060 a--shr-- c:\windows\server.exe
2007-10-05 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2007-10-05 00:02 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2007-10-05 00:02 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-11-03 17:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\cookies\index.dat
2008-11-03 17:00 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\history\history.ie5\index.dat
2008-11-03 17:00 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 8:21:07.70 ===============
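The DDS log above is a flat list of autoruns, browser hooks, resolver settings and recently changed files, and the usual way to read one is to apply a handful of mechanical checks before looking at anything by hand. The Python script below is an added example written for this page (it is not from the thread, from DDS, or from the forum's tools): it parses lines in the DDS format and flags the patterns a helper looks at first, such as Run entries with no command, browser helpers that point at no file, resolvers that are not on a private network (the log above lists two public addresses under TCP: NameServer), a populated AppInit_DLLs value, and executables that sit in the user profile or carry hidden+system attributes. The sample lines are constructed for the example (several are copied from the log above, the rest are made up so that every rule fires), and the rules are heuristics that pick lines out for review, not verdicts.

```python
"""Mechanical triage of DDS-style log lines (added example, not part of the thread)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample in the DDS line format. Several lines are copied from the log
# posted above; the rest are made up so that every rule below fires at least once.
SAMPLE_LOG = r"""
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [????r]
mRun: [Acer Tour]
mRunOnce: [<NO NAME>]
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
TCP: NameServer = 85.255.112.181,85.255.112.81
AppInit_DLLs: eNetHook.dll
2008-01-31 00:22 87,608 a------- c:\users\dave\appdata\roaming\inst.exe
2006-11-02 02:17 299,060 a--shr-- c:\users\dave\appdata\roaming\server.exe
2006-11-02 02:17 299,060 a--shr-- c:\windows\server.exe
2009-01-15 06:11 827,392 a------- c:\windows\system32\wininet.dll
"""

# Line shapes used by DDS: uRun/mRun/dRun(Once) autoruns, browser hooks, the
# TCP NameServer value, AppInit_DLLs, and "date time size attrs path" file rows.
RUN_RE = re.compile(r"^(?P<key>[umd]Run(?:Once)?): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?:BHO|TB|SEH|uURLSearchHooks): .* - No File$")
DNS_RE = re.compile(r"^TCP: NameServer = (?P<servers>.+)$")
APPINIT_RE = re.compile(r"^AppInit_DLLs: (?P<dlls>\S.*)$")
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) (?P<size>[\d,]+|<DIR>) "
    r"(?P<attrs>[a-z-]{8}) (?P<path>.+)$"
)
EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com")
PROFILE_DIRS = ("\\appdata\\", "\\temp\\")  # places a home user rarely installs from


def _is_private(addr: str) -> bool:
    """True for RFC1918, loopback and link-local resolvers (router or local DNS)."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def triage(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious line; each has a rule name and the evidence."""
    findings: List[Dict[str, str]] = []

    def flag(rule: str, evidence: str) -> None:
        findings.append({"rule": rule, "line": evidence})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").strip()
            if not cmd:  # a Run value with no command is either stale or deliberately blanked
                flag("run-entry-without-command", line)
            elif any(d in cmd.lower() for d in PROFILE_DIRS):
                flag("autorun-from-profile-dir", line)
            continue
        if NOFILE_RE.match(line):  # registered COM object whose DLL no longer exists
            flag("orphaned-browser-extension", line)
            continue
        m = DNS_RE.match(line)
        if m:
            for server in m.group("servers").split(","):
                if not _is_private(server):  # resolver that is not the router/LAN
                    flag("public-dns-resolver", server.strip())
            continue
        m = APPINIT_RE.match(line)
        if m:  # AppInit_DLLs is loaded into every user32-linked process
            flag("appinit-dll-loaded-in-every-process", line)
            continue
        m = FILE_RE.match(line)
        if m:
            path, attrs = m.group("path").lower(), m.group("attrs")
            if path.endswith(EXEC_EXT):
                if "h" in attrs and "s" in attrs:  # hidden + system on an executable
                    flag("hidden-system-executable", line)
                elif any(d in path for d in PROFILE_DIRS):
                    flag("executable-in-profile-dir", line)
    return findings


def counts(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Number of findings per rule, for a quick summary."""
    out: Dict[str, int] = {}
    for f in findings:
        out[f["rule"]] = out.get(f["rule"], 0) + 1
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['rule']:40} {f['line']}")
```

Every hit is a line to verify by hand rather than a verdict: the eNetHook.dll entry under AppInit_DLLs, for instance, is consistent with the Acer Empowering Technology software the same log lists, whereas a hidden+system server.exe under the roaming profile is not something a vendor installer normally leaves behind.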
03-19-2009, 09:13 PM   #13
Ried (Assistant Manager, TSF Academy; Moderator/Analyst Security Team)
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista

Re: Ntoskrnl-hook

Hi Dave,

Download querySvc.exe. Double-click to run it, then post the contents.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
03-20-2009, 01:23 AM   #14
davep88 (Registered User)
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista

Re: Ntoskrnl-hook

Hi Ried,

Ran the program; here are the results it came back with:


------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- LocalService - nsi, lltdsvc, SSDPSRV, upnphost, SCardSvr, w32time, EventSystem, RemoteRegistry, WinHttpAutoProxySvc, lanmanworkstation, TBS, SLUINotify, THREADORDER, fdrespub, netprofm, fdphost, wcncsvc, QWAVE, Mcx2Svc, WebClient, SstpSvc
- LocalSystemNetworkRestricted - hidserv, UxSms, WdiSystemHost, Netman, trkwks, AudioEndpointBuilder, WUDFSvc, irmon, sysmain, IPBusEnum, dot3svc, PcaSvc, EMDMgmt, TabletInputService, wlansvc, WPDBusEnum
- NetworkServiceNetworkRestricted - PolicyAgent
- LocalServiceNoNetwork - PLA, DPS, BFE, mpssvc, ehstart
- NetworkService - CryptSvc, DHCP, TermService, KtmRm, DNSCache, NapAgent, nlasvc, WinRM, WECSVC, Tapisrv
- termsvcs - TermService
- WerSvcGroup - wersvc
- swprv - swprv
- LocalServiceNetworkRestricted - DHCP, eventlog, AudioSrv, LmHosts, wscsvc, p2pimsvc, PNRPSvc, p2psvc, WPCSvc, PnrpAutoReg
- rpcss - RpcSs
- regsvc - RemoteRegistry
- wcssvc - WcsPlugInService
- DcomLaunch - PlugPlay, DcomLaunch
- wdisvc - WdiServiceHost
- sdrsvc - sdrsvc
- imgsvc - StiSvc
- secsvcs - WinDefend
- HPZ12 - Pml Driver HPZ12, Net Driver HPZ12
- hpdevmgmt - hpqcxs08, hpqddsvc
- netsvcs - AeLookupSvc, wercplsupport, Themes, CertPropSvc, SCPolicySvc, lanmanserver, gpsvc, IKEEXT, AudioSrv, FastUserSwitchingCompatibility, Ias, Irmon, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, SENS, Sharedaccess, SRService, Tapisrv, Wmi, WmdmPmSp, TermService, wuauserv, BITS, ShellHWDetection, LogonHours, PCAudit, helpsvc, uploadmgr, iphlpsvc, seclogon, AppInfo, msiscsi, MMCSS, ProfSvc, EapHost, winmgmt, schedule, SessionEnv, browser, hkmsvc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: AUTO_START: AeLookupSvc : Application Experience
STOPPED: AUTO_START: AudioEndpointBuilder : Windows Audio Endpoint Builder
STOPPED: AUTO_START: Audiosrv : Windows Audio
STOPPED: AUTO_START: BITS : Background Intelligent Transfer Service
STOPPED: AUTO_START: Browser : Computer Browser
STOPPED: AUTO_START: Dhcp : DHCP Client
STOPPED: AUTO_START: DPS : Diagnostic Policy Service
STOPPED: AUTO_START: ehstart : Windows Media Center Service Launcher
STOPPED: AUTO_START: EMDMgmt : ReadyBoost
STOPPED: AUTO_START: Eventlog : Windows Event Log
STOPPED: AUTO_START: EventSystem : COM+ Event System
STOPPED: AUTO_START: FDResPub : Function Discovery Resource Publication
STOPPED: AUTO_START: gpsvc : Group Policy Client
STOPPED: AUTO_START: hidserv : Human Interface Device Access
STOPPED: AUTO_START: hpqddsvc : HP CUE DeviceDiscovery Service
STOPPED: AUTO_START: iphlpsvc : IP Helper
STOPPED: AUTO_START: KtmRm : KtmRm for Distributed Transaction Coordinator
STOPPED: AUTO_START: LanmanServer : Server
STOPPED: AUTO_START: lmhosts : TCP/IP NetBIOS Helper
STOPPED: AUTO_START: MMCSS : Multimedia Class Scheduler
STOPPED: AUTO_START: Net Driver HPZ12 : Net Driver HPZ12
STOPPED: AUTO_START: PcaSvc : Program Compatibility Assistant Service
STOPPED: AUTO_START: Pml Driver HPZ12 : Pml Driver HPZ12
STOPPED: AUTO_START: Schedule : Task Scheduler
STOPPED: AUTO_START: seclogon : Secondary Logon
STOPPED: AUTO_START: SENS : System Event Notification Service
STOPPED: AUTO_START: ShellHWDetection : Shell Hardware Detection
STOPPED: AUTO_START: stisvc : Windows Image Acquisition (WIA)
STOPPED: AUTO_START: SysMain : Superfetch
STOPPED: AUTO_START: TabletInputService : Tablet PC Input Service
STOPPED: AUTO_START: TBS : TPM Base Services
STOPPED: AUTO_START: TermService : Terminal Services
STOPPED: AUTO_START: Themes : Themes
STOPPED: AUTO_START: TrkWks : Distributed Link Tracking Client
STOPPED: AUTO_START: upnphost : UPnP Device Host
STOPPED: AUTO_START: UxSms : Desktop Window Manager Session Manager
STOPPED: AUTO_START: W32Time : Windows Time
STOPPED: AUTO_START: WebClient : WebClient
STOPPED: AUTO_START: WerSvc : Windows Error Reporting Service
STOPPED: AUTO_START: WPDBusEnum : Portable Device Enumerator Service
STOPPED: AUTO_START: wscsvc : Security Center
STOPPED: AUTO_START: wuauserv : Windows Update
STOPPED: AUTO_START: wudfsvc : Windows Driver Foundation - User-mode Driver Framework
STOPPED: DEMAND_START: Appinfo : Application Information
STOPPED: DEMAND_START: CertPropSvc : Certificate Propagation
STOPPED: DEMAND_START: dot3svc : Wired AutoConfig
STOPPED: DEMAND_START: fdPHost : Function Discovery Provider Host
STOPPED: DEMAND_START: hkmsvc : Health Key and Certificate Management
STOPPED: DEMAND_START: hpqcxs08 : hpqcxs08
STOPPED: DEMAND_START: IPBusEnum : PnP-X IP Bus Enumerator
STOPPED: DEMAND_START: lltdsvc : Link-Layer Topology Discovery Mapper
STOPPED: DEMAND_START: MSiSCSI : Microsoft iSCSI Initiator Service
STOPPED: DEMAND_START: napagent : Network Access Protection Agent
STOPPED: DEMAND_START: p2pimsvc : Peer Networking Identity Manager
STOPPED: DEMAND_START: p2psvc : Peer Networking Grouping
STOPPED: DEMAND_START: pla : Performance Logs & Alerts
STOPPED: DEMAND_START: PNRPAutoReg : PNRP Machine Name Publication Service
STOPPED: DEMAND_START: PNRPsvc : Peer Name Resolution Protocol
STOPPED: DEMAND_START: QWAVE : Quality Windows Audio Video Experience
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: RasMan : Remote Access Connection Manager
STOPPED: DEMAND_START: RemoteRegistry : Remote Registry
STOPPED: DEMAND_START: SCardSvr : Smart Card
STOPPED: DEMAND_START: SCPolicySvc : Smart Card Removal Policy
STOPPED: DEMAND_START: SDRSVC : Windows Backup
STOPPED: DEMAND_START: SessionEnv : Terminal Services Configuration
STOPPED: DEMAND_START: SLUINotify : SL UI Notification Service
STOPPED: DEMAND_START: SSDPSRV : SSDP Discovery
STOPPED: DEMAND_START: SstpSvc : Secure Socket Tunneling Protocol Service
STOPPED: DEMAND_START: swprv : Microsoft Software Shadow Copy Provider
STOPPED: DEMAND_START: TapiSrv : Telephony
STOPPED: DEMAND_START: THREADORDER : Thread Ordering Server
STOPPED: DEMAND_START: wcncsvc : Windows Connect Now - Config Registrar
STOPPED: DEMAND_START: WcsPlugInService : Windows Color System
STOPPED: DEMAND_START: WdiServiceHost : Diagnostic Service Host
STOPPED: DEMAND_START: WdiSystemHost : Diagnostic System Host
STOPPED: DEMAND_START: Wecsvc : Windows Event Collector
STOPPED: DEMAND_START: wercplsupport : Problem Reports and Solutions Control Panel Support
STOPPED: DEMAND_START: WinHttpAutoProxySvc : WinHTTP Web Proxy Auto-Discovery Service
STOPPED: DEMAND_START: WinRM : Windows Remote Management (WS-Management)
STOPPED: DEMAND_START: WPCSvc : Parental Controls
STOPPED: DISABLED: Mcx2Svc : Windows Media Center Extender Service
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access
STOPPED: DISABLED: SharedAccess : Internet Connection Sharing (ICS)

------ SVCHOST CURRENTLY RUNNING:

704- C:\Windows\system32\svchost.exe -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- PlugPlay : Plug and Play

760- C:\Windows\system32\svchost.exe -k rpcss
- RpcSs : Remote Procedure Call (RPC)

800- C:\Windows\System32\svchost.exe -k secsvcs
- WinDefend : Windows Defender

924- C:\Windows\system32\svchost.exe -k netsvcs
- EapHost : Extensible Authentication Protocol
- IKEEXT : IKE and AuthIP IPsec Keying Modules
- ProfSvc : User Profile Service
- Winmgmt : Windows Management Instrumentation

956- C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
- Netman : Network Connections
- Wlansvc : WLAN AutoConfig

976- C:\Windows\system32\svchost.exe -k NetworkService
- CryptSvc : Cryptographic Services
- Dnscache : DNS Client
- NlaSvc : Network Location Awareness

992- C:\Windows\system32\svchost.exe -k LocalService
- LanmanWorkstation : Workstation
- netprofm : Network List Service
- nsi : Network Store Interface Service

1160- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- BFE : Base Filtering Engine
- MpsSvc : Windows Firewall

1264- C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
- PolicyAgent : IPsec Policy Agent

------ SVCHOST SUB-DEPENDENTS

nsi = 12
RUNNING: LanmanWorkstation: Workstation
RUNNING: Netman: Network Connections
RUNNING: netprofm: Network List Service
RUNNING: NlaSvc: Network Location Awareness
STOPPED: Browser: Computer Browser
STOPPED: Dhcp: DHCP Client
STOPPED: iphlpsvc: IP Helper
STOPPED: Netlogon: Netlogon
STOPPED: SessionEnv: Terminal Services Configuration
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: SLUINotify: SL UI Notification Service
STOPPED: WinHttpAutoProxySvc: WinHTTP Web Proxy Auto-Discovery Service

SSDPSRV = 3
STOPPED: Mcx2Svc: Windows Media Center Extender Service
STOPPED: upnphost: UPnP Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

EventSystem = 5
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: DFSR: DFS Replication
STOPPED: SENS: System Event Notification Service
STOPPED: SLUINotify: SL UI Notification Service

lanmanworkstation = 3
STOPPED: Browser: Computer Browser
STOPPED: Netlogon: Netlogon
STOPPED: SessionEnv: Terminal Services Configuration

netprofm = 1
STOPPED: SLUINotify: SL UI Notification Service

fdphost = 2
STOPPED: IPBusEnum: PnP-X IP Bus Enumerator
STOPPED: Mcx2Svc: Windows Media Center Extender Service

SstpSvc = 4
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SharedAccess: Internet Connection Sharing (ICS)

Netman = 1
STOPPED: SharedAccess: Internet Connection Sharing (ICS)

AudioEndpointBuilder = 1
STOPPED: Audiosrv: Windows Audio

IPBusEnum = 1
STOPPED: Mcx2Svc: Windows Media Center Extender Service

BFE = 6
RUNNING: IKEEXT: IKE and AuthIP IPsec Keying Modules
RUNNING: MpsSvc: Windows Firewall
RUNNING: PolicyAgent: IPsec Policy Agent
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: Wecsvc: Windows Event Collector

mpssvc = 1
STOPPED: Wecsvc: Windows Event Collector

DHCP = 1
STOPPED: WinHttpAutoProxySvc: WinHTTP Web Proxy Auto-Discovery Service

TermService = 1
STOPPED: Mcx2Svc: Windows Media Center Extender Service

nlasvc = 2
RUNNING: netprofm: Network List Service
STOPPED: SLUINotify: SL UI Notification Service

Tapisrv = 4
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SharedAccess: Internet Connection Sharing (ICS)

TermService = 1
STOPPED: Mcx2Svc: Windows Media Center Extender Service

lanmanserver = 1
STOPPED: Browser: Computer Browser

Rasman = 3
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SharedAccess: Internet Connection Sharing (ICS)

SENS = 1
STOPPED: COMSysApp: COM+ System Application

Tapisrv = 4
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SharedAccess: Internet Connection Sharing (ICS)

TermService = 1
STOPPED: Mcx2Svc: Windows Media Center Extender Service

ShellHWDetection = 1
STOPPED: stisvc: Windows Image Acquisition (WIA)

MMCSS = 1
STOPPED: Audiosrv: Windows Audio

ProfSvc = 1
STOPPED: Appinfo: Application Information

EapHost = 2
RUNNING: Wlansvc: WLAN AutoConfig
STOPPED: dot3svc: Wired AutoConfig

winmgmt = 6
STOPPED: eRecoveryService: eRecovery Service
STOPPED: eSettingsService: eSettings Service
STOPPED: iphlpsvc: IP Helper
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: WMIService: ePower Service
STOPPED: wscsvc: Security Center

DHCP = 1
STOPPED: WinHttpAutoProxySvc: WinHTTP Web Proxy Auto-Discovery Service

eventlog = 3
STOPPED: Schedule: Task Scheduler
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: Wecsvc: Windows Event Collector

p2pimsvc = 3
STOPPED: p2psvc: Peer Networking Grouping
STOPPED: PNRPAutoReg: PNRP Machine Name Publication Service
STOPPED: PNRPsvc: Peer Name Resolution Protocol

PNRPSvc = 2
STOPPED: p2psvc: Peer Networking Grouping
STOPPED: PNRPAutoReg: PNRP Machine Name Publication Service

RpcSs = 92
RUNNING: BFE: Base Filtering Engine
RUNNING: CryptSvc: Cryptographic Services
RUNNING: EapHost: Extensible Authentication Protocol
RUNNING: IKEEXT: IKE and AuthIP IPsec Keying Modules
RUNNING: KeyIso: CNG Key Isolation
RUNNING: MpsSvc: Windows Firewall
RUNNING: Netman: Network Connections
RUNNING: netprofm: Network List Service
RUNNING: NlaSvc: Network Location Awareness
RUNNING: PolicyAgent: IPsec Policy Agent
RUNNING: ProfSvc: User Profile Service
RUNNING: WinDefend: Windows Defender
RUNNING: Winmgmt: Windows Management Instrumentation
RUNNING: Wlansvc: WLAN AutoConfig
STOPPED: Appinfo: Application Information
STOPPED: Audiosrv: Windows Audio
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: Browser: Computer Browser
STOPPED: CertPropSvc: Certificate Propagation
STOPPED: COMSysApp: COM+ System Application
STOPPED: DFSR: DFS Replication
STOPPED: dot3svc: Wired AutoConfig
STOPPED: ehRecvr: Windows Media Center Receiver Service
STOPPED: ehSched: Windows Media Center Scheduler Service
STOPPED: ehstart: Windows Media Center Service Launcher
STOPPED: EMDMgmt: ReadyBoost
STOPPED: eRecoveryService: eRecovery Service
STOPPED: eSettingsService: eSettings Service
STOPPED: EventSystem: COM+ Event System
STOPPED: fdPHost: Function Discovery Provider Host
STOPPED: FDResPub: Function Discovery Resource Publication
STOPPED: getPlus(R) Helper: getPlus(R) Helper
STOPPED: gpsvc: Group Policy Client
STOPPED: gusvc: Google Updater Service
STOPPED: hkmsvc: Health Key and Certificate Management
STOPPED: hpqcxs08: hpqcxs08
STOPPED: hpqddsvc: HP CUE DeviceDiscovery Service
STOPPED: IPBusEnum: PnP-X IP Bus Enumerator
STOPPED: iphlpsvc: IP Helper
STOPPED: KService: KService
STOPPED: KtmRm: KtmRm for Distributed Transaction Coordinator
STOPPED: LanmanServer: Server
STOPPED: lltdsvc: Link-Layer Topology Discovery Mapper
STOPPED: LVCOMSer: LVCOMSer
STOPPED: Mcx2Svc: Windows Media Center Extender Service
STOPPED: MDM: Machine Debug Manager
STOPPED: MSCSPTISRV: MSCSPTISRV
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: msiserver: Windows Installer
STOPPED: napagent: Network Access Protection Agent
STOPPED: PACSPTISVR: PACSPTISVR
STOPPED: PcaSvc: Program Compatibility Assistant Service
STOPPED: pla: Performance Logs & Alerts
STOPPED: ProtectedStorage: Protected Storage
STOPPED: QWAVE: Quality Windows Audio Video Experience
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RichVideo: Cyberlink RichVideo Service(CRVS)
STOPPED: SamSs: Security Accounts Manager
STOPPED: Schedule: Task Scheduler
STOPPED: SCPolicySvc: Smart Card Removal Policy
STOPPED: SDRSVC: Windows Backup
STOPPED: SENS: System Event Notification Service
STOPPED: SessionEnv: Terminal Services Configuration
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: ShellHWDetection: Shell Hardware Detection
STOPPED: slsvc: Software Licensing
STOPPED: SLUINotify: SL UI Notification Service
STOPPED: Spooler: Print Spooler
STOPPED: SPTISRV: Sony SPTI Service
STOPPED: stisvc: Windows Image Acquisition (WIA)
STOPPED: swprv: Microsoft Software Shadow Copy Provider
STOPPED: SysMain: Superfetch
STOPPED: TabletInputService: Tablet PC Input Service
STOPPED: TapiSrv: Telephony
STOPPED: TermService: Terminal Services
STOPPED: TrkWks: Distributed Link Tracking Client
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: vds: Virtual Disk
STOPPED: VSS: Volume Shadow Copy
STOPPED: wcncsvc: Windows Connect Now - Config Registrar
STOPPED: WcsPlugInService: Windows Color System
STOPPED: Wecsvc: Windows Event Collector
STOPPED: WinRM: Windows Remote Management (WS-Management)
STOPPED: WMIService: ePower Service
STOPPED: WPCSvc: Parental Controls
STOPPED: WPDBusEnum: Portable Device Enumerator Service
STOPPED: wscsvc: Security Center
STOPPED: WSearch: Windows Search
STOPPED: wuauserv: Windows Update

PlugPlay = 11
STOPPED: AudioEndpointBuilder: Windows Audio Endpoint Builder
STOPPED: Audiosrv: Windows Audio
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: SCardSvr: Smart Card
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: TabletInputService: Tablet PC Input Service
STOPPED: TapiSrv: Telephony
STOPPED: vds: Virtual Disk
STOPPED: wudfsvc: Windows Driver Foundation - User-mode Driver Framework

DcomLaunch = 93
RUNNING: BFE: Base Filtering Engine
RUNNING: CryptSvc: Cryptographic Services
RUNNING: EapHost: Extensible Authentication Protocol
RUNNING: IKEEXT: IKE and AuthIP IPsec Keying Modules
RUNNING: KeyIso: CNG Key Isolation
RUNNING: MpsSvc: Windows Firewall
RUNNING: Netman: Network Connections
RUNNING: netprofm: Network List Service
RUNNING: NlaSvc: Network Location Awareness
RUNNING: PolicyAgent: IPsec Policy Agent
RUNNING: ProfSvc: User Profile Service
RUNNING: RpcSs: Remote Procedure Call (RPC)
RUNNING: WinDefend: Windows Defender
RUNNING: Winmgmt: Windows Management Instrumentation
RUNNING: Wlansvc: WLAN AutoConfig
STOPPED: Appinfo: Application Information
STOPPED: Audiosrv: Windows Audio
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: Browser: Computer Browser
STOPPED: CertPropSvc: Certificate Propagation
STOPPED: COMSysApp: COM+ System Application
STOPPED: DFSR: DFS Replication
STOPPED: dot3svc: Wired AutoConfig
STOPPED: ehRecvr: Windows Media Center Receiver Service
STOPPED: ehSched: Windows Media Center Scheduler Service
STOPPED: ehstart: Windows Media Center Service Launcher
STOPPED: EMDMgmt: ReadyBoost
STOPPED: eRecoveryService: eRecovery Service
STOPPED: eSettingsService: eSettings Service
STOPPED: EventSystem: COM+ Event System
STOPPED: fdPHost: Function Discovery Provider Host
STOPPED: FDResPub: Function Discovery Resource Publication
STOPPED: getPlus(R) Helper: getPlus(R) Helper
STOPPED: gpsvc: Group Policy Client
STOPPED: gusvc: Google Updater Service
STOPPED: hkmsvc: Health Key and Certificate Management
STOPPED: hpqcxs08: hpqcxs08
STOPPED: hpqddsvc: HP CUE DeviceDiscovery Service
STOPPED: IPBusEnum: PnP-X IP Bus Enumerator
STOPPED: iphlpsvc: IP Helper
STOPPED: KService: KService
STOPPED: KtmRm: KtmRm for Distributed Transaction Coordinator
STOPPED: LanmanServer: Server
STOPPED: lltdsvc: Link-Layer Topology Discovery Mapper
STOPPED: LVCOMSer: LVCOMSer
STOPPED: Mcx2Svc: Windows Media Center Extender Service
STOPPED: MDM: Machine Debug Manager
STOPPED: MSCSPTISRV: MSCSPTISRV
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: msiserver: Windows Installer
STOPPED: napagent: Network Access Protection Agent
STOPPED: PACSPTISVR: PACSPTISVR
STOPPED: PcaSvc: Program Compatibility Assistant Service
STOPPED: pla: Performance Logs & Alerts
STOPPED: ProtectedStorage: Protected Storage
STOPPED: QWAVE: Quality Windows Audio Video Experience
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RasMan: Remote Access Connection Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RemoteRegistry: Remote Registry
STOPPED: RichVideo: Cyberlink RichVideo Service(CRVS)
STOPPED: SamSs: Security Accounts Manager
STOPPED: Schedule: Task Scheduler
STOPPED: SCPolicySvc: Smart Card Removal Policy
STOPPED: SDRSVC: Windows Backup
STOPPED: SENS: System Event Notification Service
STOPPED: SessionEnv: Terminal Services Configuration
STOPPED: SharedAccess: Internet Connection Sharing (ICS)
STOPPED: ShellHWDetection: Shell Hardware Detection
STOPPED: slsvc: Software Licensing
STOPPED: SLUINotify: SL UI Notification Service
STOPPED: Spooler: Print Spooler
STOPPED: SPTISRV: Sony SPTI Service
STOPPED: stisvc: Windows Image Acquisition (WIA)
STOPPED: swprv: Microsoft Software Shadow Copy Provider
STOPPED: SysMain: Superfetch
STOPPED: TabletInputService: Tablet PC Input Service
STOPPED: TapiSrv: Telephony
STOPPED: TermService: Terminal Services
STOPPED: TrkWks: Distributed Link Tracking Client
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: vds: Virtual Disk
STOPPED: VSS: Volume Shadow Copy
STOPPED: wcncsvc: Windows Connect Now - Config Registrar
STOPPED: WcsPlugInService: Windows Color System
STOPPED: Wecsvc: Windows Event Collector
STOPPED: WinRM: Windows Remote Management (WS-Management)
STOPPED: WMIService: ePower Service
STOPPED: WPCSvc: Parental Controls
STOPPED: WPDBusEnum: Portable Device Enumerator Service
STOPPED: wscsvc: Security Center
STOPPED: WSearch: Windows Search
STOPPED: wuauserv: Windows Update
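querySvc pairs the registry definition of each svchost group with what every running svchost.exe instance is actually hosting, and prints the LSA package lists alongside, because those are three places malware commonly inserts itself: registering a service into an existing group such as netsvcs, running a look-alike svchost.exe from a non-system path, or adding a DLL to Notification Packages or Authentication Packages so that lsass.exe loads it at boot. The Python script below is an added example for this page, not code from querySvc or from the forum: it parses output in the format posted above and cross-checks those three things. The sample is constructed from that format; the Temp-path svchost instance, the helpsvc entry hosted under LocalServiceNoNetwork, and the fakepkg LSA package are invented so that each rule fires. The expected LSA baseline (scecli and msv1_0) is an assumption matching the Vista defaults and the values in the output above.

```python
"""Cross-check querySvc-style output for svchost and LSA tampering (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the querySvc output format. The group lines and the first
# two svchost instances mirror the real output above; the Temp-path svchost, the
# helpsvc entry and the "fakepkg" LSA package are invented to trigger each rule.
SAMPLE = r"""
------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- netsvcs - AeLookupSvc, Themes, winmgmt, schedule, browser, EapHost, IKEEXT, ProfSvc
- rpcss - RpcSs
- DcomLaunch - PlugPlay, DcomLaunch
- LocalServiceNoNetwork - PLA, DPS, BFE, mpssvc, ehstart

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Notification Packages REG_MULTI_SZ scecli\0fakepkg\0\0
Authentication Packages REG_MULTI_SZ msv1_0\0\0

------ SVCHOST CURRENTLY RUNNING:

704- C:\Windows\system32\svchost.exe -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- PlugPlay : Plug and Play

924- C:\Windows\system32\svchost.exe -k netsvcs
- EapHost : Extensible Authentication Protocol
- IKEEXT : IKE and AuthIP IPsec Keying Modules
- Winmgmt : Windows Management Instrumentation

1160- C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
- BFE : Base Filtering Engine
- helpsvc : Help and Support

1304- C:\Users\dave\AppData\Local\Temp\svchost.exe -k wdisvc
- WdiServiceHost : Diagnostic Service Host
"""

# Assumed baseline: the Vista defaults, which also match the posted output.
EXPECTED_LSA = {"notification": {"scecli"}, "authentication": {"msv1_0"}}
LEGIT_SVCHOST = r"c:\windows\system32\svchost.exe"

GROUP_RE = re.compile(r"^- (?P<group>\S+) - (?P<members>.+)$")
LSA_RE = re.compile(r"^(?P<kind>Notification|Authentication) Packages REG_MULTI_SZ (?P<val>.*)$")
INSTANCE_RE = re.compile(r"^(?P<pid>\d+)- (?P<path>.+?) -k (?P<group>\S+)$")
HOSTED_RE = re.compile(r"^- (?P<name>.+?) : (?P<desc>.+)$")


def parse(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, List[str]], List[dict]]:
    """Split the output into group membership, LSA packages and running instances."""
    groups: Dict[str, Set[str]] = {}          # group (lowercase) -> member names (lowercase)
    lsa: Dict[str, List[str]] = {"notification": [], "authentication": []}
    instances: List[dict] = []                # pid, path, group, hosted services
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("------ "):        # "------ REGISTRY:" etc. start a section
            section = line[7:].rstrip(":").strip().upper()
            continue
        if section == "REGISTRY":
            m = GROUP_RE.match(line)
            if m:
                members = m.group("members").split(",")
                groups[m.group("group").lower()] = {s.strip().lower() for s in members}
                continue
            m = LSA_RE.match(line)
            if m:  # REG_MULTI_SZ is printed with literal \0 separators
                lsa[m.group("kind").lower()] = [p for p in m.group("val").split("\\0") if p]
        elif section == "SVCHOST CURRENTLY RUNNING":
            m = INSTANCE_RE.match(line)
            if m:
                instances.append({"pid": int(m.group("pid")), "path": m.group("path"),
                                  "group": m.group("group"), "services": []})
                continue
            m = HOSTED_RE.match(line)
            if m and instances:
                instances[-1]["services"].append(m.group("name"))
    return groups, lsa, instances


def check(text: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) pairs for each inconsistency found."""
    groups, lsa, instances = parse(text)
    findings: List[Tuple[str, str]] = []
    for inst in instances:
        tag = f"pid {inst['pid']} (-k {inst['group']})"
        if inst["path"].lower() != LEGIT_SVCHOST:     # svchost.exe outside System32
            findings.append(("svchost-outside-system32", f"{tag}: {inst['path']}"))
        members = groups.get(inst["group"].lower())
        if members is None:                           # -k names a group the registry lacks
            findings.append(("unknown-svchost-group", tag))
            continue
        for svc in inst["services"]:                  # hosted but not a registered member
            if svc.lower() not in members:
                findings.append(("service-not-in-group", f"{tag}: {svc}"))
    for kind, expected in EXPECTED_LSA.items():
        for pkg in lsa[kind]:
            if pkg.lower() not in expected:           # extra DLL loaded by lsass.exe
                findings.append(("unexpected-lsa-package", f"{kind}: {pkg}"))
    return findings


if __name__ == "__main__":
    for rule, evidence in check(SAMPLE):
        print(f"{rule:28} {evidence}")
```

On the real output above every running instance passes these checks, which is consistent with the helper moving on to the next tool rather than chasing svchost; a hit on any of the three rules would instead point straight at the service or DLL to pull.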
Old 03-20-2009, 06:39 AM   #15 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Ok, Dave. I ran across another Vista user who is having the same troubles, and I'm going to give you several things to try. Please carry them out in the order listed below.

This user seemed to make progress by running McAfee again from Safe Mode. So please try that first, and then run ComboFix.exe again.

If ComboFix still won't run, then uninstall McAfee and try to run ComboFix.exe.

If it still will not run, please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform Full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Save it to your desktop.
Note: Malwarebytes' Anti-Malware may require a reboot to complete removals. After a reboot, if required, post that saved log in your next reply.

Please run a new scan with dds.scr and post the dds.txt as well.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-22-2009, 08:18 PM   #16 (permalink)
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

Hey, I did as instructed. ComboFix still didn't work, so I uninstalled McAfee, and then on restart I managed to log in in normal mode. I ran ComboFix and here is the log from that below, thanks:


ComboFix 09-03-22.01 - Dave 2009-03-23 1:40:40.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.364 [GMT 0:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
.
The following files were disabled during the run:
c:\windows\System32\eNetHook.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\ActivationManager
c:\program files\ActivationManager\Uninstall.exe
c:\recycler\S-3-0-40-100000044-100002546-100018826-2420.com
c:\windows\server.exe
c:\windows\System32\Desktop_.ini
c:\windows\system32\drivers\gaopdxopcexddvfvtmqhtpdqukuuitqbajetxu.sys
c:\windows\system32\gaopdxcvoxeoiwnwatniiammnffeqingwvssef.dll
c:\windows\system32\x64

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-02-23 to 2009-03-23 )))))))))))))))))))))))))))))))
.

2009-03-23 01:39 . 2006-12-29 04:07 90,112 --a------ c:\windows\System32\eNetHook.dll
2009-03-23 01:07 . 2009-03-23 01:07 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-23 01:07 . 2009-03-23 01:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 01:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-23 01:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-20 00:53 . 2009-03-20 00:53 <DIR> d-------- c:\windows\Sun
2009-03-18 22:21 . 2009-03-18 22:21 <DIR> d-------- C:\rsit
2009-03-18 22:21 . 2009-03-18 22:25 <DIR> d-------- c:\program files\trend micro
2009-03-08 10:15 . 2009-03-18 23:03 104,123,558 --a------ c:\windows\MEMORY.DMP
2009-03-08 01:06 . 2009-03-08 01:06 <DIR> d-------- c:\users\All Users\Pure Networks
2009-03-07 15:40 . 2009-03-07 15:40 <DIR> d--h----- c:\users\All Users\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-10 17:29 --------- d-----w c:\program files\BitComet
2009-03-07 17:27 --------- d-----w c:\program files\WinTV
2009-03-07 15:20 --------- d-----w c:\program files\Bonjour
2009-03-07 14:16 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-03-07 14:16 --------- d-----w c:\program files\Java
2009-03-07 14:15 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 14:14 --------- d-----w c:\program files\IEPro
2009-03-06 19:15 --------- d-----w c:\program files\Safari
2009-03-05 07:58 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-12 17:57 --------- d-----w c:\program files\Windows Mail
2009-02-08 19:07 --------- d-----w c:\program files\Google
2009-01-26 12:26 --------- d-----w c:\program files\NOS
2009-01-23 16:47 --------- d-----w c:\program files\Microsoft
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\System32\GPhotos.scr
2008-11-21 00:37 32 ----a-w c:\users\All Users\ezsid.dat
2008-04-26 06:42 174 --sha-w c:\program files\desktop.ini
2007-10-05 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-05 00:02 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-05 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-11-03 17:00 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
2008-11-03 17:00 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
2008-11-03 17:00 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 464168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-31 185896]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"WinCast"="c:\hauppauge\WinTV CD 4.4\CDSetup\setup.exe" [2008-02-15 117352]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 c:\windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-08 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2008-05-20 110647]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-01-13 528384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-09-28 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CS Update]
copy [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9DD875FE-78F0-4301-A80C-729BFF3F3125}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{D889881C-2F8A-46CD-89FF-820D08F25743}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{C04357D4-B67B-4E61-8BD0-15DB84B71CFC}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{29FEDB76-9A50-43EE-8223-B6E7235DBB79}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{73140FF1-EC21-480B-A701-FAD58CCFCB1A}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{5E635FAE-609E-46FE-802D-2BB51ED39505}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{605D8940-5177-4A26-8323-10D8697D91E3}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= UDP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"UDP Query User{9A860F2C-E40E-4437-804B-3ABAFA0E7FC6}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= TCP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"{4BDAB04C-C7AD-4DC4-AEAB-4B903E2283F5}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{CD695F71-076A-41E6-81C0-206A38133508}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{A7E4F776-64C1-42AB-94EA-9CF20CC98870}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{0B3878C3-8ADD-41C3-B63A-6BDA2F7E3DA5}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= UDP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"UDP Query User{AA485D4E-7C80-4F01-B2B3-24EC25D385D5}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= TCP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"TCP Query User{43533714-59B3-407E-8312-B959B088025F}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{2EA58752-986C-4419-B3DB-4740A840DA2F}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{9F44C98E-C5A0-4CAC-85EF-8DB9096DC9F3}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{36A5C5D5-9164-4120-9CB7-DF8D9E566483}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{E87E5B9B-E785-4668-9DD6-E787DE1DAB18}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C818D57-EE51-410F-875C-8195A7E95C75}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{17D4C0B2-C8A0-4D13-998E-95B6E8E08638}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C02F07DF-55D3-4F63-9E2B-FA7B3BB3FE71}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5458D0B6-5847-4BDE-A3B6-40BA8CB35323}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FC38054A-59FC-4CD0-AAE5-FC486BF178AD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{26BD7A7D-9F26-46F1-91FD-1C874D1BE9CF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1BB15B3E-4C5C-4391-A0F1-BB74F74AFE52}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B1860340-E5F7-497A-9ED9-227C28BD4A39}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{533AE2F8-1D23-4D5B-922F-914BC86A547B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{240EA22E-8A6C-48DA-A027-FEE6ED6575C3}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{F7769A39-0FEF-4EAE-8A2B-4A7CABC041E3}c:\\program files\\real\\realplayer\\recordingmanager.exe"= UDP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"UDP Query User{42FC7EC8-0E98-48EB-AF2F-9B3651148493}c:\\program files\\real\\realplayer\\recordingmanager.exe"= TCP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"{83B3B19D-5174-421F-9BAD-23DC1E87ED16}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{126EB1C4-81BE-4820-B60A-C0EDA0D946E3}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2A411DB2-0FD3-4623-A3F8-2D56F9BAF666}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{FDEDC098-8D53-4324-B929-1666980C232E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D33D8D43-61CF-4C0A-8EEC-507E9E785ECE}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C089A0FC-2D5F-46CD-B7CE-6FF10522123B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-26 33752]
S3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\System32\drivers\hcw95bda.sys [2008-05-20 560640]
S3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\System32\drivers\hcw95rc.sys [2008-05-20 15616]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\System32\drivers\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\System32\drivers\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\System32\drivers\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\System32\drivers\s125obex.sys [2007-04-24 98696]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2007-12-16 80744]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c100af-ad40-11dc-a7b0-0016d4d33770}]
\shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-Acer Tour - (no file)
HKLM-Run-SetPanel - (no file)
HKLM-Run-eRecoveryService - (no file)
MSConfigStartUp-ZangoOE - c:\program files\Zango\bin\10.0.370.0\OEAddOn.exe
MSConfigStartUp-ZangoSA - c:\program files\Zango\bin\10.0.370.0\ZangoSA.exe


.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://en-gb.facebook.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: nusextra.co.uk\www
Trusted Zone: softpedia.com\www
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-23 01:53:37
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files:

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\eNetHook.dll
.
Completion time: 2009-03-23 1:56:30
ComboFix-quarantined-files.txt 2009-03-23 01:56:27

Pre-Run: 955,625,472 bytes free
Post-Run: 2,567,241,728 bytes free

237 --- E O F --- 2009-03-07 13:53:17
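The analyst reads a ComboFix log like the one above by eye; as an added example (not part of this thread and not ComboFix's own code), here is a small Python triage script that flags the kinds of entries visible in Dave's log: randomly named driver/DLL files, a populated AppInit_DLLs value, Security Center notifications switched off, the firewall disabled per profile, and a DLL loaded into winlogon.exe or lsass.exe. The rule set is my assumption of what a triage checklist looks like, and the log excerpt is constructed from lines in the post above.

```python
"""
Triage helper for a ComboFix-style log (added example, not ComboFix's logic).
The rules below are an assumed analyst checklist built from the indicators
visible in the log posted in this thread.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Processes in which an unexpected DLL deserves immediate attention; the
# posted log shows eNetHook.dll loaded into both of them.
SENSITIVE_PROCESSES = {"winlogon.exe", "lsass.exe"}

# A basename of 24+ plain letters is a common sign of a generated name
# (compare the gaopdx* driver/DLL pair ComboFix removed above).
RANDOM_NAME_RE = re.compile(r"\\([a-z]{24,})\.(sys|dll|exe)\b")
APPINIT_RE = re.compile(r'^"AppInit_DLLs"=(\S+)')
DISABLE_NOTIFY_RE = re.compile(r'^"(\w*DisableNotify)"=dword:0*1$')
FIREWALL_OFF_RE = re.compile(r'^"EnableFirewall"=\s*0\b')
SECTION_RE = re.compile(r"^\[(.+)\]$")
PROCESS_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")
FIREWALL_PROFILE_RE = re.compile(r"firewallpolicy\\(\w+Profile)$", re.IGNORECASE)

# Constructed excerpt: lines copied from the ComboFix log in Dave's post,
# plus one benign Run entry (Sidebar) as a control that must not fire.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\gaopdxopcexddvfvtmqhtpdqukuuitqbajetxu.sys
c:\windows\system32\gaopdxcvoxeoiwnwatniiammnffeqingwvssef.dll
-------\Service_gaopdxserv.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]

- - - - - - - > 'winlogon.exe'(764)
c:\windows\system32\eNetHook.dll

- - - - - - - > 'lsass.exe'(680)
c:\windows\system32\eNetHook.dll
"""


def triage(log_text: str) -> list[Finding]:
    """Walk the log once and return every line that trips a rule."""
    findings: list[Finding] = []
    section = ""    # most recent [registry key] header
    process = None  # process named by the most recent '- - > name(pid)' marker

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            process = None  # a blank line ends a per-process DLL list
            continue
        m = SECTION_RE.match(line)
        if m:
            section, process = m.group(1), None
            continue
        m = PROCESS_RE.match(line)
        if m:
            process = m.group(1).lower()
            continue
        if process in SENSITIVE_PROCESSES and line.lower().endswith(".dll"):
            findings.append(Finding("dll_in_sensitive_process", f"{process}: {line}"))
            continue
        if RANDOM_NAME_RE.search(line.lower()):
            findings.append(Finding("random_looking_name", line))
        m = APPINIT_RE.match(line)
        if m:
            findings.append(Finding("appinit_dlls_set", m.group(1)))
        m = DISABLE_NOTIFY_RE.match(line)
        if m:
            findings.append(Finding("security_center_notify_off", m.group(1)))
        if FIREWALL_OFF_RE.match(line):
            prof = FIREWALL_PROFILE_RE.search(section)
            findings.append(Finding("firewall_disabled", prof.group(1) if prof else section))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, which is usually what to look at first."""
    return dict(Counter(f.rule for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.rule:28} {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```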
Old 03-22-2009, 10:19 PM   #17 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Good work, Dave.

How is the system behaving now? It should be much better.

It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

**Vista users - right click the IE icon and run as administrator

Using Internet Explorer or Firefox, visit http://www.kaspersky.com/kos/eng/par...avwebscan.html

1. Click Accept, when prompted to download and install the program files and database of malware definitions.


2. To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

3. Click Run at the Security prompt. The program will then begin downloading and installing and will also update the database. Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------

Next, please download the attached dave.zip to your desktop. Double click on the zip folder, then double click on the .bat file within. Click Run. It should only take a moment or two to complete. Please post the contents of that log in your next reply.

Please include the following in your next reply:

Kaspersky results
Contents of dave.txt
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 09-19-2009 at 10:33 AM.
Old 03-23-2009, 07:44 PM   #18 (permalink)
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

Hey,
The computer is working a lot better now. It loads up every time into normal mode and there seems to be little wrong with it. It has shut down once, displaying the blue screen as before, and this was before I ran anything you directed me to do in your previous post.

I have run Kaspersky, the log is below, and I downloaded dave.zip and ran the .bat file, but the log that it brought up each time was completely blank, with no characters or anything within it.

Thanks again for all the help with this.
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, March 24, 2009
Operating System: Microsoft Windows Vista Home Premium Edition, 32-bit Service Pack 1 (build 6001)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Monday, March 23, 2009 18:16:57
Records in database: 1957186
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 146673
Threat name: 4
Infected objects: 5
Suspicious objects: 67
Duration of the scan: 03:38:19


File name / Threat name / Threats count
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\008957D0-0000024A.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\25A01F48-00000224.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\2EB0222C-0000027D.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\5ED21E0F-00000644.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\66FA1316-00000814.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Junk e-mail\3FB4227D-00000BEA.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\306C7387-00000001.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\5258282D-00000002.eml Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Users\Dave\Downloads\AVG_8.0!\avg_iswt_stf_all_8_169a1359.exe Infected: Worm.Win32.AutoRun.vmq 1
C:\Users\Dave\Downloads\AVG_8.0!\keygen.exe Infected: Worm.Win32.AutoRun.vmq 1
C:\Users\Dave\Music\Rihanna\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3 Infected: Trojan-Downloader.WMA.GetCodec.j 1
C:\Windows\System32\gaopdxcvoxeoiwnwatniiammnffeqingwvssef.dll Infected: Trojan-Spy.Win32.Small.cbd 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-08-14 123525\Backup files 7.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 8
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-08-24 060023\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-09-07 112058\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-09-16 125346\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 5
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-09-21 060020\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-09-28 060010\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-10-12 204040\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-10-12 204040\Backup files 1.zip Infected: Trojan-Downloader.WMA.GetCodec.j 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-10-20 153849\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 4
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-10-26 060024\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-11-09 060009\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-11-23 102758\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-11-30 102248\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-12-14 060300\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 5
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-12-21 060016\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2008-12-28 060028\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-01-11 060032\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-01-18 060024\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-01-26 001741\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-02-08 060016\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 5
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-02-15 060020\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 3
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-02-22 060026\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 2
D:\DAVE-PC\Backup Set 2008-08-14 123525\Backup Files 2009-03-01 060036\Backup files 1.zip Suspicious: Trojan-Spy.HTML.Fraud.gen 1

The selected area was scanned.
Old 03-23-2009, 09:12 PM   #19 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,900
OS: WinXP and Vista


Re: Ntoskrnl-hook

Hi Dave,

There's the source of all your trouble. Cracked software and P2P file sharing are what brought this monster rootkit to your system. Please take the time to educate yourself and anyone else using this PC about the Perils of P2P File Sharing and Cracked/Illegal Software.

====================================

The backups you created on 8/14/08:

D:\DAVE-PC\Backup Set 2008-08-14 123525\

contain infected files as well. When we're through here, I highly recommend deleting that entire backup and creating a new one.

===================================


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

----------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Quote:

File::
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\008957D0-0000024A.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\25A01F48-00000224.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\2EB0222C-0000027D.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\5ED21E0F-00000644.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\66FA1316-00000814.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Junk e-mail\3FB4227D-00000BEA.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\306C7387-00000001.eml
C:\Users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\5258282D-00000002.eml
C:\Users\Dave\Music\Rihanna\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3

Folder::
C:\Users\Dave\Downloads\AVG_8.0!
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe





Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt. Post the ComboFix.txt please.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-24-2009, 03:59 AM   #20 (permalink)
Registered User
 
Join Date: Mar 2009
Location: reading, uk
Posts: 21
OS: windows vista


Re: Ntoskrnl-hook

Hey
Thanks, I have taken on board everything in regard to P2P sharing etc.

Here is the log from the recent ComboFix.
Again, I really appreciate the help you've been giving me:



***********************************************************
ComboFix 09-03-23.01 - Dave 2009-03-24 9:36:16.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.1013.151 [GMT 0:00]
Running from: c:\users\Dave\Desktop\ComboFix.exe
Command switches used :: c:\users\Dave\Desktop\CFScript.txt

FILE ::
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\008957D0-0000024A.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\25A01F48-00000224.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\2EB0222C-0000027D.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\5ED21E0F-00000644.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\66FA1316-00000814.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Junk e-mail\3FB4227D-00000BEA.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\306C7387-00000001.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\5258282D-00000002.eml
c:\users\Dave\Music\Rihanna\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\008957D0-0000024A.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\25A01F48-00000224.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\2EB0222C-0000027D.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\5ED21E0F-00000644.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Inbox\66FA1316-00000814.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Junk e-mail\3FB4227D-00000BEA.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\306C7387-00000001.eml
c:\users\Dave\AppData\Local\Microsoft\Windows Live Mail\Hotmail (ab 3cf\Sent items\5258282D-00000002.eml
c:\users\Dave\Downloads\AVG_8.0!
c:\users\Dave\Downloads\AVG_8.0!\avg_iswt_stf_all_8_169a1359.exe
c:\users\Dave\Downloads\AVG_8.0!\keygen.exe
c:\users\Dave\Music\Rihanna\Rihanna - Good Girl Gone Bad (Reloaded) (2008)\05 - Shut Up & Drive.mp3
c:\windows\system32\gaopdxcounter
c:\windows\system32\gaopdxcvoxeoiwnwatniiammnffeqingwvssef.dll

.
((((((((((((((((((((((((( Files Created from 2009-02-24 to 2009-03-24 )))))))))))))))))))))))))))))))
.

2009-03-23 12:16 . 2009-03-23 12:16 118 --a------ c:\windows\System32\MRT.INI
2009-03-23 06:28 . 2008-12-16 03:29 8,147,456 --a------ c:\windows\System32\wmploc.DLL
2009-03-23 06:28 . 2009-02-09 03:10 2,033,152 --a------ c:\windows\System32\win32k.sys
2009-03-23 06:28 . 2008-11-27 04:43 268,288 --a------ c:\windows\System32\schannel.dll
2009-03-23 06:28 . 2008-12-16 05:31 7,680 --a------ c:\windows\System32\spwmp.dll
2009-03-23 06:28 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\msdxm.ocx
2009-03-23 06:28 . 2008-12-16 05:31 4,096 --a------ c:\windows\System32\dxmasf.dll
2009-03-23 02:36 . 2009-03-23 18:58 9,501 --a------ c:\windows\System32\Config.MPF
2009-03-23 02:34 . 2009-03-23 02:35 <DIR> d-------- c:\program files\SiteAdvisor
2009-03-23 02:33 . 2006-03-03 11:07 143,360 --a------ c:\windows\System32\dunzip32.dll
2009-03-23 02:32 . 2007-07-21 09:08 201,288 --a------ c:\windows\System32\drivers\mfehidk.sys
2009-03-23 02:32 . 2007-07-13 09:21 125,728 --a------ c:\windows\System32\drivers\Mpfp.sys
2009-03-23 02:32 . 2007-07-24 07:40 79,304 --a------ c:\windows\System32\drivers\mfeavfk.sys
2009-03-23 02:32 . 2007-07-21 09:08 40,488 --a------ c:\windows\System32\drivers\mfesmfk.sys
2009-03-23 02:32 . 2007-07-21 09:08 35,240 --a------ c:\windows\System32\drivers\mfebopk.sys
2009-03-23 02:32 . 2007-07-24 12:02 33,800 --a------ c:\windows\System32\drivers\mferkdk.sys
2009-03-23 02:31 . 2009-03-23 02:31 <DIR> d-------- c:\program files\McAfee.com
2009-03-23 02:31 . 2009-03-24 02:34 <DIR> d-------- c:\program files\McAfee
2009-03-23 02:31 . 2009-03-23 02:32 <DIR> d-------- c:\program files\Common Files\McAfee
2009-03-23 01:39 . 2006-12-29 04:07 90,112 --a------ c:\windows\System32\eNetHook.dll
2009-03-23 01:07 . 2009-03-23 01:07 <DIR> d-------- c:\users\All Users\Malwarebytes
2009-03-23 01:07 . 2009-03-23 01:14 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-23 01:07 . 2009-02-11 10:19 38,496 --a------ c:\windows\System32\drivers\mbamswissarmy.sys
2009-03-23 01:07 . 2009-02-11 10:19 15,504 --a------ c:\windows\System32\drivers\mbam.sys
2009-03-20 00:53 . 2009-03-20 00:53 <DIR> d-------- c:\windows\Sun
2009-03-18 22:21 . 2009-03-18 22:21 <DIR> d-------- C:\rsit
2009-03-18 22:21 . 2009-03-18 22:25 <DIR> d-------- c:\program files\trend micro
2009-03-08 10:15 . 2009-03-23 02:07 161,949,198 --a------ c:\windows\MEMORY.DMP
2009-03-08 01:06 . 2009-03-08 01:06 <DIR> d-------- c:\users\All Users\Pure Networks
2009-03-07 15:40 . 2009-03-07 15:40 <DIR> d--h----- c:\users\All Users\CanonBJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-23 12:25 --------- d-----w c:\program files\Windows Mail
2009-03-10 17:29 --------- d-----w c:\program files\BitComet
2009-03-07 17:27 --------- d-----w c:\program files\WinTV
2009-03-07 15:20 --------- d-----w c:\program files\Bonjour
2009-03-07 14:16 410,984 ----a-w c:\windows\System32\deploytk.dll
2009-03-07 14:16 --------- d-----w c:\program files\Java
2009-03-07 14:15 --------- d--h--w c:\program files\InstallShield Installation Information
2009-03-07 14:14 --------- d-----w c:\program files\IEPro
2009-03-06 19:15 --------- d-----w c:\program files\Safari
2009-03-05 07:58 --------- d-----w c:\program files\Microsoft Silverlight
2009-02-08 19:07 --------- d-----w c:\program files\Google
2009-01-26 12:26 --------- d-----w c:\program files\NOS
2009-01-15 06:11 827,392 ----a-w c:\windows\System32\wininet.dll
2009-01-05 22:33 3,751,995 ----a-w c:\windows\System32\GPhotos.scr
2008-11-21 00:37 32 ----a-w c:\users\All Users\ezsid.dat
2008-04-26 06:42 174 --sha-w c:\program files\desktop.ini
2007-10-05 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
2007-10-05 00:02 32,768 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
2007-10-05 00:02 16,384 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
2008-11-03 17:00 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Cookies\index.dat
2008-11-03 17:00 16,384 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\History\History.IE5\index.dat
2008-11-03 17:00 32,768 --sha-w c:\windows\ServiceProfiles\NetworkService\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat
.

((((((((((((((((((((((((((((( SnapShot@2009-03-23_ 1.54.59.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-03-24 09:35:04 6,295,552 ----a-w c:\windows\ERDNT\Hiv-backup\schema.dat
- 2009-02-12 17:58:43 1,165,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
+ 2009-03-23 12:09:09 1,165,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\accicons.exe
- 2009-02-12 17:58:44 20,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
+ 2009-03-23 12:09:10 20,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\cagicon.exe
- 2009-02-12 17:58:44 159,504 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
+ 2009-03-23 12:09:09 159,504 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\inficon.exe
- 2009-02-12 17:58:44 184,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
+ 2009-03-23 12:09:09 184,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\joticon.exe
- 2009-02-12 17:58:44 217,864 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
+ 2009-03-23 12:09:10 217,864 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\misc.exe
- 2009-02-12 17:58:45 18,704 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
+ 2009-03-23 12:09:10 18,704 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\mspicons.exe
- 2009-02-12 17:58:45 35,088 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
+ 2009-03-23 12:09:11 35,088 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\oisicon.exe
- 2009-02-12 17:58:44 845,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
+ 2009-03-23 12:09:09 845,584 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\outicon.exe
- 2009-02-12 17:58:44 922,384 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
+ 2009-03-23 12:09:10 922,384 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pptico.exe
- 2009-02-12 17:58:44 272,648 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
+ 2009-03-23 12:09:10 272,648 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\pubs.exe
- 2009-02-12 17:58:45 888,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
+ 2009-03-23 12:09:11 888,080 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\wordicon.exe
- 2009-02-12 17:58:43 1,172,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-23 12:09:09 1,172,240 ----a-r c:\windows\Installer\{91120000-002E-0000-0000-0000000FF1CE}\xlicons.exe
+ 2009-03-23 12:28:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2009-03-23 12:28:23 2,048 --sha-w c:\windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2009-03-23 01:52:45 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-23 12:29:36 262,144 --sha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat
+ 2009-03-23 12:29:36 262,144 ---ha-w c:\windows\ServiceProfiles\LocalService\ntuser.dat.LOG1
- 2008-12-11 21:00:17 2,641,057 -c--a-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
+ 2009-03-23 12:30:27 2,641,057 -c--a-w c:\windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\SoftwareLicensing\tokens.dat
- 2009-03-23 01:53:09 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-24 09:43:18 262,144 --sha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat
+ 2009-03-24 09:43:18 262,144 ---ha-w c:\windows\ServiceProfiles\NetworkService\ntuser.dat.LOG1
- 2009-03-23 01:35:21 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2009-03-24 06:50:58 16,384 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2009-03-23 01:35:21 65,536 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2009-03-24 06:50:58 65,536 --sha-w c:\windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2009-03-23 01:35:21 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2009-03-24 06:50:58 32,768 --sha-w c:\windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2009-03-23 01:30:40 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
+ 2009-03-24 09:35:44 262,144 ----a-w c:\windows\System32\config\systemprofile\ntuser.dat
- 2008-10-17 11:22:40 370,312 ----a-w c:\windows\System32\FNTCACHE.DAT
+ 2009-03-23 12:28:39 370,312 ----a-w c:\windows\System32\FNTCACHE.DAT
- 2009-02-03 23:21:12 21,244,864 ----a-w c:\windows\System32\mrt.exe
+ 2009-02-25 12:55:00 24,768,960 ----a-w c:\windows\System32\mrt.exe
- 2009-03-23 01:41:32 110,386 ----a-w c:\windows\System32\perfc009.dat
+ 2009-03-24 02:00:42 110,386 ----a-w c:\windows\System32\perfc009.dat
- 2009-03-23 01:41:32 611,610 ----a-w c:\windows\System32\perfh009.dat
+ 2009-03-24 02:00:42 611,610 ----a-w c:\windows\System32\perfh009.dat
- 2009-03-15 01:49:09 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
+ 2009-03-23 12:40:16 6,553,600 ----a-w c:\windows\System32\SMI\Store\Machine\schema.dat
- 2009-03-23 01:37:29 16,336 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2395106379-2484697996-3912247965-1000_UserData.bin
+ 2009-03-23 02:10:02 16,344 ----a-w c:\windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2395106379-2484697996-3912247965-1000_UserData.bin
- 2009-03-23 01:37:29 106,232 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2009-03-23 02:10:02 106,248 ----a-w c:\windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-01-19 07:37:03 10,620,928 ----a-w c:\windows\System32\wmp.dll
+ 2008-12-16 05:31:35 10,622,976 ----a-w c:\windows\System32\wmp.dll
- 2009-02-15 08:08:42 88,008,947 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2009-03-23 06:28:24 89,946,786 ----a-w c:\windows\winsxs\ManifestCache\6.0.6001.18000_001c50b5_blobs.bin
+ 2008-12-16 05:53:36 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\dxmasf.dll
+ 2008-12-16 05:53:35 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\spwmp.dll
+ 2008-12-16 05:53:36 10,619,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmp.dll
+ 2008-12-16 05:53:30 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmpconfig.exe
+ 2008-12-16 05:53:30 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmplayer.exe
+ 2008-12-16 04:00:17 8,147,968 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmploc.DLL
+ 2008-12-16 05:53:30 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\wmpshare.exe
+ 2008-12-16 05:37:10 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\dxmasf.dll
+ 2008-12-16 05:36:47 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\spwmp.dll
+ 2008-12-16 05:37:33 10,619,904 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmp.dll
+ 2008-12-16 03:49:51 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmpconfig.exe
+ 2008-12-16 03:49:38 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmplayer.exe
+ 2008-12-16 03:49:52 8,147,968 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmploc.DLL
+ 2008-12-16 03:49:20 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\wmpshare.exe
+ 2008-12-16 05:31:31 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\dxmasf.dll
+ 2008-12-16 05:31:30 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\spwmp.dll
+ 2008-12-16 05:31:35 10,622,976 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmp.dll
+ 2008-12-16 05:31:19 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmpconfig.exe
+ 2008-12-16 05:31:19 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmplayer.exe
+ 2008-12-16 03:29:44 8,147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmploc.DLL
+ 2008-12-16 05:31:19 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\wmpshare.exe
+ 2008-12-16 04:32:10 4,096 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\dxmasf.dll
+ 2008-12-16 04:31:29 7,680 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\spwmp.dll
+ 2008-12-16 04:32:38 10,624,512 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmp.dll
+ 2008-12-16 02:38:46 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmpconfig.exe
+ 2008-12-16 02:38:29 168,960 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmplayer.exe
+ 2008-12-16 02:39:20 8,147,456 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmploc.DLL
+ 2008-12-16 02:38:10 107,520 ----a-w c:\windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\wmpshare.exe
+ 2009-02-11 23:29:35 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.16819_none_f0a011f86e53bc84\OESpamFilter.dat
+ 2009-02-11 23:29:48 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6000.21009_none_f13456d18769739f\OESpamFilter.dat
+ 2009-02-12 00:40:03 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.18214_none_f2814f2c6b7ecec2\OESpamFilter.dat
+ 2009-02-12 00:28:19 2,409,784 ----a-w c:\windows\winsxs\x86_microsoft-windows-oespamfilter-dat_31bf3856ad364e35_6.0.6001.22375_none_f2cb0cb984cc2f89\OESpamFilter.dat
+ 2008-11-27 04:42:05 269,824 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.16782_none_1fdb8f82585b552d\schannel.dll
+ 2008-12-02 04:25:38 269,824 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6000.20967_none_207fcf7d716438ef\schannel.dll
+ 2008-11-27 04:43:25 268,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.18175_none_21cf9ef255771632\schannel.dll
+ 2008-12-02 04:36:39 268,288 ----a-w c:\windows\winsxs\x86_microsoft-windows-security-schannel_31bf3856ad364e35_6.0.6001.22320_none_228a4bcd6e70a8bb\schannel.dll
+ 2009-02-09 01:59:26 2,028,032 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.16816_none_b70870b09d62e718\win32k.sys
+ 2009-02-09 01:54:23 2,030,080 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6000.21006_none_b79cb589b6789e33\win32k.sys
+ 2009-02-09 03:10:34 2,033,152 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.18211_none_b8e9ade49a8df956\win32k.sys
+ 2009-02-09 02:54:45 2,033,664 ----a-w c:\windows\winsxs\x86_microsoft-windows-win32k_31bf3856ad364e35_6.0.6001.22372_none_b9336b71b3db5a1d\win32k.sys
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"????r"="" [?]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-10-23 815104]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2007-01-03 464168]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-12-08 614400]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-06 57344]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2006-12-10 49152]
"LogitechCommunicationsManager"="c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-10-25 563984]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2007-10-25 2178832]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-11 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-11 166424]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-02-11 133656]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-07-31 185896]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
"4oD"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-02-06 177472]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-07 148888]
"WinCast"="c:\hauppauge\WinTV CD 4.4\CDSetup\setup.exe" [2008-02-15 117352]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2007-08-03 582992]
"McENUI"="c:\progra~1\McAfee\MHN\McENUI.exe" [2007-11-30 1164576]
"RtHDVCpl"="RtHDVCpl.exe" [2006-12-01 c:\windows\RtHDVCpl.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-04-11 c:\windows\KHALMNPR.Exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 5724184]

c:\users\Dave\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Picture Motion Browser Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-09-08 344064]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
AutoStart IR.lnk - c:\program files\WinTV\Ir.exe [2008-05-20 110647]
Empowering Technology Launcher.lnk - c:\acer\Empowering Technology\eAPLauncher.exe [2007-01-13 528384]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-01-02 210520]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-09-28 692224]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=eNetHook.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
SetupExecute REG_MULTI_SZ \0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\?????????]
??????????????e [?]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CS Update]
copy [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiSpyware]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{9DD875FE-78F0-4301-A80C-729BFF3F3125}"= UDP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{D889881C-2F8A-46CD-89FF-820D08F25743}"= TCP:c:\program files\Acer Arcade Deluxe\Acer Arcade Deluxe\MCE Deluxe Suite.exe:CyberLink MCE Deluxe Suite
"{C04357D4-B67B-4E61-8BD0-15DB84B71CFC}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{29FEDB76-9A50-43EE-8223-B6E7235DBB79}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{73140FF1-EC21-480B-A701-FAD58CCFCB1A}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{5E635FAE-609E-46FE-802D-2BB51ED39505}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{605D8940-5177-4A26-8323-10D8697D91E3}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= UDP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"UDP Query User{9A860F2C-E40E-4437-804B-3ABAFA0E7FC6}c:\\program files\\logitech\\desktop messenger\\8876480\\program\\backweb-8876480.exe"= TCP:c:\program files\logitech\desktop messenger\8876480\program\backweb-8876480.exe:Logitech Desktop Messenger
"{4BDAB04C-C7AD-4DC4-AEAB-4B903E2283F5}"= UDP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{CD695F71-076A-41E6-81C0-206A38133508}"= TCP:c:\program files\Sony Ericsson\Sony Ericsson Media Manager 1.0\MediaManager.exe:Sony Ericsson Media Manager 1.0
"{A7E4F776-64C1-42AB-94EA-9CF20CC98870}"= c:\program files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{0B3878C3-8ADD-41C3-B63A-6BDA2F7E3DA5}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= UDP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"UDP Query User{AA485D4E-7C80-4F01-B2B3-24EC25D385D5}c:\\program files\\mcafee\\mbk\\mcafeedatabackup.exe"= TCP:c:\program files\mcafee\mbk\mcafeedatabackup.exe:McAfee Data Backup
"TCP Query User{43533714-59B3-407E-8312-B959B088025F}c:\\program files\\skype\\phone\\skype.exe"= UDP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"UDP Query User{2EA58752-986C-4419-B3DB-4740A840DA2F}c:\\program files\\skype\\phone\\skype.exe"= TCP:c:\program files\skype\phone\skype.exe:Skype. Take a deep breath
"TCP Query User{9F44C98E-C5A0-4CAC-85EF-8DB9096DC9F3}c:\\program files\\bitcomet\\bitcomet.exe"= UDP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"UDP Query User{36A5C5D5-9164-4120-9CB7-DF8D9E566483}c:\\program files\\bitcomet\\bitcomet.exe"= TCP:c:\program files\bitcomet\bitcomet.exe:BitComet - a BitTorrent Client
"TCP Query User{E87E5B9B-E785-4668-9DD6-E787DE1DAB18}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{4C818D57-EE51-410F-875C-8195A7E95C75}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{17D4C0B2-C8A0-4D13-998E-95B6E8E08638}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"{C02F07DF-55D3-4F63-9E2B-FA7B3BB3FE71}"= UDP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{5458D0B6-5847-4BDE-A3B6-40BA8CB35323}"= TCP:c:\program files\Microsoft Office\Office12\GROOVE.EXE:Microsoft Office Groove
"{FC38054A-59FC-4CD0-AAE5-FC486BF178AD}"= UDP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{26BD7A7D-9F26-46F1-91FD-1C874D1BE9CF}"= TCP:c:\program files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"TCP Query User{1BB15B3E-4C5C-4391-A0F1-BB74F74AFE52}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B1860340-E5F7-497A-9ED9-227C28BD4A39}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"{533AE2F8-1D23-4D5B-922F-914BC86A547B}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{240EA22E-8A6C-48DA-A027-FEE6ED6575C3}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{F7769A39-0FEF-4EAE-8A2B-4A7CABC041E3}c:\\program files\\real\\realplayer\\recordingmanager.exe"= UDP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"UDP Query User{42FC7EC8-0E98-48EB-AF2F-9B3651148493}c:\\program files\\real\\realplayer\\recordingmanager.exe"= TCP:c:\program files\real\realplayer\recordingmanager.exe:RealNetworks Download and Record Manager
"{83B3B19D-5174-421F-9BAD-23DC1E87ED16}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{126EB1C4-81BE-4820-B60A-C0EDA0D946E3}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{2A411DB2-0FD3-4623-A3F8-2D56F9BAF666}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{FDEDC098-8D53-4324-B929-1666980C232E}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{D33D8D43-61CF-4C0A-8EEC-507E9E785ECE}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{C089A0FC-2D5F-46CD-B7CE-6FF10522123B}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{E36A0DCC-6E3A-41F5-BD01-93F1AEE17173}"= Profile=Private|Profile=Public|c:\program files\Common Files\Mcafee\MNA\McNaSvc.exe:McAfee Network Agent

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Acer\\Empowering Technology\\eDataSecurity\\eDSfsu.exe"= c:\acer\Empowering Technology\eDataSecurity\eDSfsu.exe:*:Enabled:eDSfsu
"c:\\Acer\\Empowering Technology\\eDataSecurity\\encryption.exe"= c:\acer\Empowering Technology\eDataSecurity\encryption.exe:*:Enabled:encryption
"c:\\Acer\\Empowering Technology\\eDataSecurity\\decryption.exe"= c:\acer\Empowering Technology\eDataSecurity\decryption.exe:*:Enabled:decryption

R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [2009-03-24 203280]
R3 hcw95bda;Hauppauge MOD7700 Tuner Driver;c:\windows\System32\drivers\hcw95bda.sys [2008-05-20 560640]
R3 hcw95rc;Hauppauge MOD7700 IR Driver;c:\windows\System32\drivers\hcw95rc.sys [2008-05-20 15616]
S2 0108661237862127mcinstcleanup;McAfee Application Installer Cleanup (0108661237862127);c:\windows\TEMP\010866~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\010866~1.EXE c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 getPlus(R) Helper;getPlus(R) Helper;c:\program files\NOS\bin\getPlus_HelperSvc.exe [2009-01-26 33752]
S3 s125bus;Sony Ericsson Device 125 driver (WDM);c:\windows\System32\drivers\s125bus.sys [2007-04-24 83336]
S3 s125mdfl;Sony Ericsson Device 125 USB WMC Modem Filter;c:\windows\System32\drivers\s125mdfl.sys [2007-04-24 15112]
S3 s125mdm;Sony Ericsson Device 125 USB WMC Modem Driver;c:\windows\System32\drivers\s125mdm.sys [2007-04-24 108680]
S3 s125mgmt;Sony Ericsson Device 125 USB WMC Device Management Drivers (WDM);c:\windows\System32\drivers\s125mgmt.sys [2007-04-24 100488]
S3 s125obex;Sony Ericsson Device 125 USB WMC OBEX Interface;c:\windows\System32\drivers\s125obex.sys [2007-04-24 98696]
S3 WSVD;WSVD;c:\windows\System32\drivers\WSVD.sys [2007-12-16 80744]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MFEAVFK
*NewlyCreated* - MFEBOPK
*NewlyCreated* - MFEHIDK
*NewlyCreated* - MFESMFK

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{67c100af-ad40-11dc-a7b0-0016d4d33770}]
\shell\AutoRun\command - F:\InstallTomTomHOME.exe
.
Contents of the 'Scheduled Tasks' folder

2007-12-14 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2009-03-23 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]

2009-03-23 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2007-12-04 13:32]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://en-gb.facebook.com/
mStart Page = hxxp://en.uk.acer.yahoo.com
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://uk.rd.yahoo.com/customize/ycomp/defaults/su/*http://uk.yahoo.com
IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: nusextra.co.uk\www
Trusted Zone: softpedia.com\www
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-24 09:43:09
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-03-24 9:45:59
ComboFix-quarantined-files.txt 2009-03-24 09:45:55
ComboFix2.txt 2009-03-23 01:56:32

Pre-Run: 2,445,021,184 bytes free
Post-Run: 2,423,595,008 bytes free

379 --- E O F --- 2009-03-23 12:17:49
davep88 is offline  
Copyright 2001 - 2009, Tech Support Forum