Old 06-06-2009, 12:12 AM   #1 (permalink)
E__P, Registered User
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Error parsing raw registry hive S-1-5-18

Sophos finds these 4 problems:
Warning: Error parsing raw registry hive S-1-5-18. Registry scan may not be supported on this version of Windows.

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-2181395589-731268670-266398665-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream
Removable: No
Notes: (type 3, length 1045732) "\x14 \x05 \x01 \x01 \xc0\x03 \x14 IL \x06\xc0\x03\xc1\x03\x04 \x10 \x10 \xff\xff\xff\xff! \xff\xff\xff\xff\xff\xff\xff\xffBM6 6 ( \x10 \x10<" ... "\x80\x07 \xc0\x07 "

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\I386\AUTOFMT.EXE
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\MozyHome\Data\filter_raw.log.1
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

When I run Malwarebytes:
Malwarebytes' Anti-Malware 1.37
Database version: 2234
Windows 5.1.2600 Service Pack 3

6/5/2009 8:12:05 PM
mbam-log-2009-06-05 (20-12-05).txt

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 166724
Time elapsed: 1 hour(s), 58 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

And in the Malwarebytes Quarantine:
Date 5/10/2009
Vendor Rogue.RegistrySmart
Category file
Items C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job
Reference # 60895

This file is no longer in this location.


I am new to this forum and thankful to find it.

Here is the DDS:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 21:15:34.76 on Fri 06/05/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.86 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Snippy.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7754C418-F62E-44AA-B169-E719E718BCFD} - No File
TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IconixOEAddOn] "c:\program files\email id\oeaddon\OEdmn_3.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyhome status.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Snippy.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-17 201320]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-2-9 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-17 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-17 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-1-25 206608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\temp\0247961239933471mcinst.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\0247961239933471mcinst.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\15e.tmp --> c:\windows\system32\15E.tmp [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-17 33832]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-1-25 206608]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-05-31 22:10 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-28 10:03 <DIR> --d--r-- c:\program files\Skype
2009-05-27 18:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-27 18:01 <DIR> --d----- c:\documents and settings\owner\.storybook
2009-05-27 18:00 <DIR> --d----- c:\program files\StorYBook
2009-05-23 13:41 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-05-16 19:55 <DIR> --d----- c:\program files\Wise Registry Cleaner
2009-05-16 19:53 <DIR> --d----- c:\program files\Wise Disk Cleaner
2009-05-15 18:16 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-05-15 18:16 23,552 a------- c:\windows\system32\MSMPIDE.DLL
2009-05-15 18:16 <DIR> --d----- c:\program files\PDFCreator
2009-05-15 15:33 <DIR> --d----- c:\program files\Astonsoft

==================== Find3M ====================

2009-05-31 22:09 410,984 ac------ c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 457,248 ac------ c:\windows\system32\nvudisp.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 ac------ c:\windows\system32\NVUNINST.EXE
2009-04-25 17:30 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-03-27 10:03 1,346,080 ac------ c:\windows\system32\nvdspsch.exe
2009-03-27 10:03 45,056 ac------ c:\windows\system32\nvmccsrs.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 ac------ c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 ac------ c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 ac------ c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 ac------ c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 ac------ c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 ac------ c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 ac------ c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2007-08-25 16:19 812,544 ac------ c:\program files\DoubleKiller.exe
2007-02-28 21:31 524 -c------ c:\docume~1\owner\applic~1\wklnhst.dat
2008-05-06 20:50 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

============= FINISH: 21:17:26.89 ===============

Attached is attach.zip

I really appreciate your help.
Attached Files
File Type: zip Attach.zip (3.8 KB, 3 views)
Old 06-12-2009, 12:46 PM   #2 (permalink)
amateur, Moderator, Analyst, Security Team; Rangemaster, TSF Academy
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hello and welcome to TSF.

If you still need help, please post a fresh DDS.txt as it has been a while since you posted.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don’t hear from you in three days this thread will be closed.
__________________
My services are free. However, you can donate to TSF to help keep it running.

Member of ASAP since 2005
Member of UNITE since 2006
Old 06-12-2009, 06:06 PM   #3 (permalink)
E__P, Registered User
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

I am on my way now to create a new DDS.txt.
Back ASAP.
Thank you for your help.
Old 06-12-2009, 06:26 PM   #4 (permalink)
E__P, Registered User
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18


Here is the new DDS.txt:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 17:12:53.73 on Fri 06/12/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.42 [GMT -7:00]

AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\MozyHome\mozybackup.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
c:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Documents and Settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\MozyHome\mozystat.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Snippy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Any Password\AnyPass.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7754C418-F62E-44AA-B169-E719E718BCFD} - No File
TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IconixOEAddOn] "c:\program files\email id\oeaddon\OEdmn_3.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
dRun: [Power2GoExpress] NA
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoupdate monitor.lnk - c:\program files\sophos\autoupdate\ALMon.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mozyhome status.lnk - c:\program files\mozyhome\mozystat.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\Snippy.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ga4wdzn6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.GoodSearch.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-9-17 201320]
R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2009-2-9 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-5-26 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-5-26 72944]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2009-6-10 104704]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2009-6-10 35584]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-9-17 359248]
R2 McShield;McAfee Real-time Scanner;c:\program files\mcafee\virusscan\Mcshield.exe [2007-9-17 144704]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\trend micro\rubotted\TMRUBotted.exe [2009-1-25 582992]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2008-6-26 172032]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-9-17 695624]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\3f2.tmp --> c:\windows\system32\3F2.tmp [?]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-9-17 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-9-17 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-9-17 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-9-17 40488]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-5-26 7408]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [2009-1-25 206608]
S0 Lbd;Lbd;c:\windows\system32\drivers\lbd.sys --> c:\windows\system32\drivers\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\temp\0247961239933471mcinst.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service --> c:\windows\temp\0247961239933471mcinst.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service [?]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [2009-1-25 206608]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2009-6-10 14976]

============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-06-10 11:02 130,088 a---h--- c:\windows\system32\75181696.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\67fe723c.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\33ae2a77.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\19906a92.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\183d071b.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\0e0d2ae7.stf
2009-06-10 11:02 130,088 a---h--- c:\windows\system32\04bf3385.stf
2009-06-10 11:02 130,088 a------- c:\windows\system32\sdccoinstaller.dll
2009-06-10 11:00 <DIR> --d----- c:\program files\common files\Cisco Systems
2009-06-10 10:59 23,552 a------- c:\windows\system32\SophosBootTasks.exe
2009-06-10 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-06-10 10:56 35,584 a------- c:\windows\system32\drivers\savonaccessfilter.sys
2009-06-10 10:56 14,976 a------- c:\windows\system32\drivers\SophosBootDriver.sys
2009-06-10 10:56 104,704 a------- c:\windows\system32\drivers\savonaccesscontrol.sys
2009-06-10 10:55 <DIR> -cd----- C:\stdtsa
2009-06-09 15:32 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 15:32 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-05-31 22:10 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-28 10:03 <DIR> --d--r-- c:\program files\Skype
2009-05-27 18:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-27 18:01 <DIR> --d----- c:\documents and settings\owner\.storybook
2009-05-27 18:00 <DIR> --d----- c:\program files\StorYBook
2009-05-23 13:41 56 a---h--- c:\windows\system32\ezsidmv.dat
2009-05-16 19:55 <DIR> --d----- c:\program files\Wise Registry Cleaner
2009-05-16 19:53 <DIR> --d----- c:\program files\Wise Disk Cleaner
2009-05-15 18:16 116,224 a------- c:\windows\system32\pdfcmnnt.dll
2009-05-15 18:16 23,552 a------- c:\windows\system32\MSMPIDE.DLL
2009-05-15 18:16 <DIR> --d----- c:\program files\PDFCreator
2009-05-15 15:33 <DIR> --d----- c:\program files\Astonsoft

==================== Find3M ====================

2009-05-31 22:09 410,984 ac------ c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 457,248 ac------ c:\windows\system32\nvudisp.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 ac------ c:\windows\system32\NVUNINST.EXE
2009-04-25 17:30 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-27 10:03 1,346,080 ac------ c:\windows\system32\nvdspsch.exe
2009-03-27 10:03 45,056 ac------ c:\windows\system32\nvmccsrs.dll
2007-08-25 16:19 812,544 ac------ c:\program files\DoubleKiller.exe
2007-02-28 21:31 524 -c------ c:\docume~1\owner\applic~1\wklnhst.dat
2008-05-06 20:50 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

============= FINISH: 17:14:42.92 ===============
Attached Files
File Type: zip 20090612.zip (8.4 KB, 1 views)

Last edited by amateur; 06-12-2009 at 06:31 PM. Reason: to copy/paste the DDS.txt
Old 06-12-2009, 07:15 PM   #5 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

I can't see any malware in the log, but see an overkill of security. You have both McAfee Security Center and Sophos Anti-Virus installed and running at the same time. While this may seem like a greater protection, it can actually cause problems including slowdowns, system hangs and even crashes. Choose one to keep and uninstall the other.

Any antivirus program must be removed via add/remove program.
For any program that doesn't have an add/remove entry, you will have to do this:
re-install the program -> reboot -> uninstall

McAfee also has the McAfee Removal Tool, if you decide to remove McAfee.

Double click on MCPR.exe to launch it, then click Run. A window should appear and disappear; this is normal. A new window should pop up and begin the uninstall. When prompted to reboot your computer, type Y.

=============================

Download ATF Cleaner by Atribune and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

============================

Perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.
  • Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

========================

Please post a fresh DDS.txt and the Kaspersky report.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 06-12-2009, 08:49 PM   #6 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

(Yes. Overkill. I have been knocked out four times with four expensive recoveries and have learned the "safe not sorry" lesson very well.

McAfee is provided by my ISP; I have recently begun using Sophos on 30-day trial. I thought that since it was the Sophos Root-Kit tool that found the error to begin with, Sophos AV might be helpful.)

I hope you will excuse me for the weekend. I will be back on post Monday with a follow up on your instructions.

Thank you, amateur.
Old 06-12-2009, 09:00 PM   #7 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

Quote:
McAfee is provided by my ISP; I have recently begun using Sophos on 30-day trial. I thought that since it was the Sophos Root-Kit tool that found the error to begin with, Sophos AV might be helpful.)
You'll have to uninstall/remove one of them. The error Sophos Root-Kit tool reported is no more than informing you that it was not able to access a certain hive in the registry. Doesn't necessarily mean that the system is infected, and not all hidden files are malicious. Was that error message the only issue you were having?

I'll be waiting for the Kaspersky report.
Old 06-16-2009, 06:24 AM   #8 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

DDS.txt =

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 4:31:40.79 on Tue 06/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_14

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\windows\system32\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {7754C418-F62E-44AA-B169-E719E718BCFD} - No File
TB: {4E7BD74F-2B8D-469E-95BA-ED6DB186BE32} - No File
TB: {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\owner\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [ccleaner] "c:\program files\ccleaner\CCleaner.exe" /AUTO
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [IconixOEAddOn] "c:\program files\email id\oeaddon\OEdmn_3.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [TMRUBottedTray] "c:\program files\trend micro\rubotted\TMRUBottedTray.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
dRun: [Power2GoExpress] NA
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683}
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_14-windows-i586.cab
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\Skype4COM.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\ga4wdzn6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.GoodSearch.com/
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=101703&gct=&gc=1&q=
FF - plugin: c:\documents and settings\owner\local settings\application data\google\update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google updater\2.4.1591.6512\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----

============= SERVICES / DRIVERS ===============


============== File Associations ===============

regfile=regedit.exe "%1" %*

=============== Created Last 30 ================

2009-06-16 04:07 0 ac------ C:\rollback.ini
2009-06-15 21:32 <DIR> --d----- c:\docume~1\owner\applic~1\MailFrontier
2009-06-15 21:26 13,511,712 a--sh--- c:\windows\system32\drivers\fidbox.dat
2009-06-15 21:26 32 a--sh--- c:\windows\system32\drivers\fidbox.idx
2009-06-15 21:16 1,221,512 a------- c:\windows\system32\zpeng25.dll
2009-06-15 21:16 <DIR> --d----- c:\program files\Zone Labs
2009-06-15 20:42 103,816 a------- c:\windows\system32\~GLH0053.TMP
2009-06-15 20:42 69,000 a------- c:\windows\system32\~GLH0051.TMP
2009-06-15 19:42 4,212 a---h--- c:\windows\system32\zllictbl.dat
2009-06-15 19:42 72,584 a------- c:\windows\zllsputility.exe
2009-06-15 19:40 <DIR> --d----- c:\windows\system32\ZoneLabs
2009-06-15 19:40 415,149 a------- c:\windows\system32\vsconfig.xml
2009-06-15 19:36 <DIR> --d----- c:\windows\Internet Logs
2009-06-10 10:59 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Sophos
2009-06-10 10:55 <DIR> -cd----- C:\stdtsa
2009-06-09 15:32 246,272 -c------ c:\windows\system32\dllcache\ieproxy.dll
2009-06-09 15:32 12,800 -c------ c:\windows\system32\dllcache\xpshims.dll
2009-05-31 22:10 73,728 a------- c:\windows\system32\javacpl.cpl
2009-05-28 10:03 <DIR> --d--r-- c:\program files\Skype
2009-05-27 18:20 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-05-27 18:01 <DIR> --d----- c:\documents and settings\owner\.storybook
2009-05-27 18:00 <DIR> --d----- c:\program files\StorYBook
2009-05-23 13:41 56 a---h--- c:\windows\system32\ezsidmv.dat

==================== Find3M ====================

2009-05-31 22:09 410,984 ac------ c:\windows\system32\deploytk.dll
2009-05-26 13:20 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 13:19 19,096 ac------ c:\windows\system32\drivers\mbam.sys
2009-05-25 00:24 350,208 -------- c:\windows\system32\mssph.dll
2009-05-12 22:15 915,456 a------- c:\windows\system32\wininet.dll
2009-05-12 15:12 26,144 a------- c:\windows\system32\spupdsvc.exe
2009-05-07 08:32 345,600 a------- c:\windows\system32\localspl.dll
2009-05-01 00:31 1,657,376 a------- c:\windows\system32\nwiz.exe
2009-05-01 00:31 449,056 a------- c:\windows\system32\nvappbar.exe
2009-05-01 00:31 436,768 a------- c:\windows\system32\keystone.exe
2009-05-01 00:31 1,724,416 a------- c:\windows\system32\nvwdmcpl.dll
2009-05-01 00:31 1,507,328 a------- c:\windows\system32\nview.dll
2009-05-01 00:31 1,101,824 a------- c:\windows\system32\nvwimg.dll
2009-05-01 00:31 466,944 a------- c:\windows\system32\nvshell.dll
2009-04-30 22:02 457,248 ac------ c:\windows\system32\nvudisp.exe
2009-04-30 22:02 9,994,240 a------- c:\windows\system32\nvoglnt.dll
2009-04-30 22:02 8,055,584 a------- c:\windows\system32\drivers\nv4_mini.sys
2009-04-30 22:02 5,896,320 a------- c:\windows\system32\nv4_disp.dll
2009-04-30 22:02 1,720,320 a------- c:\windows\system32\nvcuda.dll
2009-04-30 22:02 1,579,630 a------- c:\windows\system32\nvdata.bin
2009-04-30 22:02 1,314,816 a------- c:\windows\system32\nvcuvenc.dll
2009-04-30 22:02 806,912 a------- c:\windows\system32\nvapi.dll
2009-04-30 22:02 663,552 a------- c:\windows\system32\nvcuvid.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcodins.dll
2009-04-30 22:02 143,360 a------- c:\windows\system32\nvcod.dll
2009-04-27 00:42 457,248 ac------ c:\windows\system32\NVUNINST.EXE
2009-04-25 17:30 25,992 a------- c:\windows\system32\pgdfgsvc.exe
2009-04-17 05:26 1,847,168 a------- c:\windows\system32\win32k.sys
2009-04-15 07:51 585,216 a------- c:\windows\system32\rpcrt4.dll
2009-03-27 10:03 1,346,080 ac------ c:\windows\system32\nvdspsch.exe
2009-03-27 10:03 45,056 ac------ c:\windows\system32\nvmccsrs.dll
2007-08-25 16:19 812,544 ac------ c:\program files\DoubleKiller.exe
2007-02-28 21:31 524 -c------ c:\docume~1\owner\applic~1\wklnhst.dat
2008-05-06 20:50 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008050620080507\index.dat

============= FINISH: 4:41:12.39 ===============
Kaspersky =
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, June 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 16, 2009 06:54:55
Records in database: 2349587
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 68572
Threat name: 2
Infected objects: 2
Suspicious objects: 0
Duration of the scan: 04:20:50


File name / Threat name / Threats count
C:\Documents and Settings\Owner\My Documents\Digital\Computing\Downloads\SysinternalsSuite.zip Infected: not-a-virus:RiskTool.Win32.PsKill.ba 1
C:\Documents and Settings\Owner\My Documents\Downloads\freeripmp3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1

The selected area was scanned.
-------------------------------------------------------------------------------
Thank you.
Old 06-16-2009, 07:48 AM   #9 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

Now, I am not seeing ANY antivirus installed and running. What happened? I asked you to leave one and uninstall the other.

Quote:
You'll have to uninstall/remove one of them
Otherwise, not much in the log, just some orphaned entries. Do you still get the error message?

We can take a deeper look with Combofix.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.
Old 06-16-2009, 02:40 PM   #10 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

I uninstalled both Sophos AV and McAfee Security Suite and installed Zone Alarm Security Suite instead. Apologies for not saying so.

ZA took many hours to do its first in-depth scan and found the same two "infections" that Kaspersky did. (Are these what are known as the "orphaned entries"?)

Back ASAP with the results of Sophos Anti-Root scan and ComboFix.txt.

Thank you.
Old 06-16-2009, 03:53 PM   #11 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

The original message from Sophos Root Kit scan is gone. Can I safely assume it was one of the AVs? It has been replaced by these three:

Area: Windows registry
Description: Hidden registry value
Location: \HKEY_USERS\S-1-5-21-2181395589-731268670-266398665-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\TrayNotify\PastIconsStream
Removable: No
Notes: (type 3, length 1045732) "\x14 \x05 \x01 \x01 \xc0\x03 \x14 IL \x06\xc0\x03\xc1\x03\x04 \x10 \x10 \xff\xff\xff\xff! \xff\xff\xff\xff\xff\xff\xff\xffBM6 6 ( \x10 \x10<" ... "\x80\x07 \xc0\x07 "

Area: Local hard drives
Description: Unknown hidden file
Location: C:\Program Files\MozyHome\Data\filter_raw.log.1
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Area: Local hard drives
Description: Unknown hidden file
Location: C:\WINDOWS\ie7\advpack.dll
Removable: Yes (but clean up not recommended for this file)
Notes: (no more detail available)

Tried getting to ComboFix using the link http://www.bleepingcomputer.com/comb...o-use-combofix as above and got the Error 404. Thought I might need to register so I did, but with the same result.

Will you please resend link?
Thank you.
Old 06-16-2009, 07:27 PM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

We can ignore the first item Kaspersky reports. It's reported for its potential. I would delete the second one if you're not using it. It's usually bundled with MyWebSearch, but in this case, it appears to be downloaded on its own.

C:\Documents and Settings\Owner\My Documents\Downloads\freeripmp3.exe

As I already mentioned, not everything Sophos RootKit scan reports is a rootkit. From what I can see and understand, they are not threats. However, I am not familiar with Sophos Rootkit scanner. You might like to discuss them at their support forum.

My link is working for me, but yours is giving the 404 error to me too.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

  • Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
-----------------------------------
Note: Please make sure that your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

How to disable your security applications
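The triage logic the analyst applies in posts #9 and #12 (a "No File" entry in the DDS pseudo-HJT section is an orphaned registry reference, a hidden or system attribute on a file is a reason to check who owns it rather than a verdict, and Kaspersky's "not-a-virus:" prefix marks a tool reported for its potential rather than an infection), written out as an added Python example. This is not code from the thread or from DDS, Kaspersky or ComboFix; the sample lines are copied from the DDS and Kaspersky output posted above, and the Finding type and the verdict strings are my own assumptions about how to label the results.

```python
"""Triage helpers for DDS and Kaspersky Online Scanner text output.

Added example; the parsing rules and verdict wording are assumptions that
follow the reasoning in the thread, not the tools' own logic.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# DDS file line: "<date> <time> <size or <DIR>> <8-char attribute field> <path>"
_DDS_FILE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>\S{8}) (?P<path>.+)$"
)
# Pseudo-HJT line whose target is gone, e.g. "TB: {GUID} - No File"
_DDS_ORPHAN = re.compile(r"^(?P<kind>[A-Za-z]+): (?P<ref>.+?) - No File$")
# Kaspersky report line: "<path> Infected: <threat name> <count>"
_KAV_HIT = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<count>\d+)$")

# Sample input copied from the logs posted earlier in this thread.
DDS_SAMPLE = [
    "TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File",
    r"uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe",
    r"2009-06-15 21:26 13,511,712 a--sh--- c:\windows\system32\drivers\fidbox.dat",
    r"2009-06-15 21:16 1,221,512 a------- c:\windows\system32\zpeng25.dll",
    r"2009-06-15 21:16 <DIR> --d----- c:\program files\Zone Labs",
    r"2009-05-23 13:41 56 a---h--- c:\windows\system32\ezsidmv.dat",
]
KAV_SAMPLE = [
    r"C:\Documents and Settings\Owner\My Documents\Digital\Computing\Downloads\SysinternalsSuite.zip Infected: not-a-virus:RiskTool.Win32.PsKill.ba 1",
    r"C:\Documents and Settings\Owner\My Documents\Downloads\freeripmp3.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.br 1",
]


@dataclass
class Finding:
    source: str   # "dds" or "kaspersky"
    item: str     # file path or registry reference
    verdict: str  # assumed label: informational / review / remove if unused / orphaned entry


def parse_dds_file(line: str) -> Optional[dict]:
    """Split one DDS 'Created Last 30' / 'Find3M' line into fields, or None."""
    m = _DDS_FILE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # DDS prints attributes as letters (a=archive, c=compressed, d=directory,
    # s=system, h=hidden, r=read-only); '-' means the flag is clear.
    d["hidden"] = "h" in d["attrs"]
    d["system"] = "s" in d["attrs"]
    d["directory"] = d["size"] == "<DIR>" or "d" in d["attrs"]
    d["size"] = None if d["directory"] else int(d["size"].replace(",", ""))
    return d


def triage_dds(lines: List[str]) -> List[Finding]:
    """Flag orphaned registry references and hidden+system files for review."""
    out: List[Finding] = []
    for line in lines:
        o = _DDS_ORPHAN.match(line.strip())
        if o:
            out.append(Finding("dds", o["ref"],
                               "orphaned entry: registry reference to a file that no "
                               "longer exists; harmless, candidate for cleanup"))
            continue
        f = parse_dds_file(line)
        if f and f["hidden"] and f["system"] and not f["directory"]:
            # hidden+system is a habit of rootkits but also of security vendors
            # (fidbox.dat here belongs to ZoneAlarm), so the label is "review".
            out.append(Finding("dds", f["path"],
                               "review: hidden+system file; confirm the owning product"))
    return out


def triage_kaspersky(lines: List[str]) -> List[Finding]:
    """Classify Kaspersky hits by the threat-name prefix."""
    out: List[Finding] = []
    for line in lines:
        m = _KAV_HIT.match(line.strip())
        if not m:
            continue
        name = m["name"]
        if name.startswith("not-a-virus:AdTool"):
            verdict = "remove if unused: adware component, usually bundled"
        elif name.startswith("not-a-virus:"):
            verdict = "informational: legitimate tool reported for its potential"
        else:
            verdict = "malware detection: act on it"
        out.append(Finding("kaspersky", m["path"], verdict))
    return out


if __name__ == "__main__":
    for finding in triage_dds(DDS_SAMPLE) + triage_kaspersky(KAV_SAMPLE):
        print(f"[{finding.source}] {finding.item}\n    {finding.verdict}")
```

Run as a script it prints one labelled line per finding; on the sample above that is the orphaned TB entry, fidbox.dat marked for review, the Sysinternals archive as informational and freeripmp3.exe as remove-if-unused, which matches the calls made in the thread. Files that are only hidden (ezsidmv.dat) and directories are deliberately left alone.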
Old 06-16-2009, 09:17 PM   #13 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

I deleted C:\Documents and Settings\Owner\My Documents\Downloads\freeripmp3.exe

Here is ComboFix.txt

ComboFix 09-06-16.01 - Owner 06/16/2009 19:50.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.182 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 04:32 . 2009-06-16 04:33 -------- d-----w- c:\documents and settings\Owner\Application Data\MailFrontier
2009-06-16 04:26 . 2009-06-17 02:55 40755552 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-16 04:16 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-16 04:16 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-16 04:16 . 2009-06-16 04:16 -------- d-----w- c:\program files\Zone Labs
2009-06-16 04:16 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-16 02:42 . 2009-06-16 04:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-16 02:42 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-16 02:40 . 2009-06-16 12:11 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-16 02:36 . 2009-06-17 02:45 -------- d-----w- c:\windows\Internet Logs
2009-06-10 18:50 . 2009-06-10 18:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sophos
2009-06-10 17:59 . 2009-06-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-06-10 17:55 . 2009-06-10 17:56 -------- dc----w- C:\stdtsa
2009-06-09 22:32 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:32 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----w- c:\program files\Common Files\Skype
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----r- c:\program files\Skype
2009-05-28 01:21 . 2009-05-28 01:21 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-05-28 01:21 . 2009-05-28 01:21 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-05-28 01:20 . 2009-05-28 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 01:01 . 2009-06-01 02:46 -------- d-----w- c:\documents and settings\Owner\.storybook
2009-05-28 01:00 . 2009-05-28 01:01 -------- d-----w- c:\program files\StorYBook
2009-05-26 23:45 . 2009-05-26 23:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 23:41 . 2009-05-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-23 20:41 . 2009-05-23 20:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-23 20:41 . 2009-06-16 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-23 20:34 . 2009-06-14 22:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-23 20:30 . 2009-05-28 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-17 02:34 . 2009-06-17 02:37 2094080 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-17 02:34 . 2009-06-16 04:26 524204 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-16 04:42 . 2009-05-17 02:55 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-06-16 04:39 . 2009-05-17 02:53 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-06-16 04:04 . 2009-03-17 03:24 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 02:51 . 2009-01-12 03:23 -------- d-----w- c:\program files\Sophos
2009-06-12 03:52 . 2009-02-13 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-06-10 06:17 . 2008-09-23 18:06 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-08 16:46 . 2006-02-01 12:32 47544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 02:37 . 2009-01-20 21:10 -------- d-----w- c:\program files\Lavasoft
2009-06-06 02:37 . 2008-10-19 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-06 02:34 . 2008-02-14 19:23 -------- d-----w- c:\program files\Google
2009-06-05 02:56 . 2009-05-15 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\DeepBurner
2009-06-01 05:09 . 2008-10-28 00:55 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-01 05:08 . 2006-02-01 09:26 -------- d-----w- c:\program files\Java
2009-05-29 03:25 . 2009-06-16 03:42 69000 ----a-w- c:\windows\system32\~GLH0051.TMP
2009-05-29 03:25 . 2009-06-16 03:42 103816 ----a-w- c:\windows\system32\~GLH0053.TMP
2009-05-28 06:44 . 2009-01-10 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 01:21 . 2008-10-10 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 09:06 . 2009-02-10 05:56 -------- d-----w- c:\program files\MozyHome
2009-05-26 20:20 . 2009-01-10 06:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2009-01-10 06:21 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 07:24 . 2008-05-27 05:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 14:17 . 2008-10-10 03:29 -------- d-----w- c:\program files\filehippo.com
2009-05-22 05:17 . 2009-05-15 22:33 -------- d-----w- c:\program files\Astonsoft
2009-05-20 03:00 . 2008-07-25 02:30 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-05-16 04:33 . 2009-05-16 01:16 -------- d-----w- c:\program files\PDFCreator
2009-05-13 05:15 . 2004-08-26 16:12 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 22:12 . 2006-02-01 09:45 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-08 05:01 . 2008-09-12 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-08 05:00 . 2008-12-28 22:10 -------- d-----w- c:\program files\Panda Security
2009-05-08 04:56 . 2008-10-06 04:50 -------- d-----w- c:\program files\Speeditup Free
2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:12 . 2009-05-06 18:42 -------- d-----w- c:\program files\Coupons
2009-05-02 20:27 . 2009-05-02 20:27 -------- d-----w- c:\program files\pdfsam
2009-05-01 07:31 . 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 07:31 . 2009-05-01 07:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 07:31 . 2009-05-01 07:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 07:31 . 2009-05-01 07:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 07:31 . 2009-05-01 07:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 07:31 . 2009-05-01 07:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 07:31 . 2009-05-01 07:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 05:02 . 2009-05-01 05:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 05:02 . 2009-05-01 05:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 05:02 . 2009-02-09 21:18 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 05:02 . 2007-12-05 09:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 05:02 . 2006-02-01 09:58 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 05:02 . 2006-02-01 09:58 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 05:02 . 2006-02-01 09:28 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-05-01 05:02 . 2004-08-26 10:56 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 05:02 . 2004-08-26 10:56 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 06:39 . 2008-06-21 02:08 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-30 06:38 . 2008-06-21 02:05 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-27 07:42 . 2006-02-01 09:19 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-04-26 00:30 . 2009-04-26 00:30 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-04-17 12:26 . 2006-02-01 09:42 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-26 16:12 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 06:05 . 2009-04-10 06:05 16838 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_62DEEFFD575387FCB7E1E9.exe
2009-04-10 06:05 . 2009-04-10 06:05 10270 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_6FEFF9B68218417F98F549.exe
2009-03-31 20:12 . 2008-06-10 01:21 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-03-27 17:03 . 2006-02-01 09:58 45056 -c--a-w- c:\windows\system32\nvmccsrs.dll
2009-03-27 17:03 . 2006-02-01 09:58 1346080 -c--a-w- c:\windows\system32\nvdspsch.exe
2009-03-27 04:04 . 2009-03-27 03:47 152576 -c--a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-08-25 23:19 . 2007-07-07 14:07 812544 -c--a-w- c:\program files\DoubleKiller.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_02.22.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-17 02:38 . 2009-06-17 02:38 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2009-06-17 02:38 . 2009-06-17 02:38 16384 c:\windows\Temp\Perflib_Perfdata_6f4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-22 133104]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-05-27 1573104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IconixOEAddOn"="c:\program files\eMail ID\OEAddOn\OEdmn_3.exe" [2008-05-28 281872]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-5-15 2871608]
Snippy.exe [2008-9-27 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^1-Click Answers.lnk]
backup=c:\windows\pss\1-Click Answers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2/9/2009 10:56 PM 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [1/25/2009 7:39 PM 582992]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\194.tmp --> c:\windows\system32\194.tmp [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-17 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-26 23:41]

2009-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2181395589-731268670-266398665-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-22 23:35]

2006-07-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 12:42]

2009-06-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-06-16 c:\windows\Tasks\User_Feed_Synchronization-{D8E26795-7180-4CC8-9685-7A6034A13BA0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2009-05-20 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-05-17 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 19:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\194.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3644)
c:\windows\system32\WININET.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-06-17 19:58
ComboFix-quarantined-files.txt 2009-06-17 02:58
ComboFix2.txt 2009-06-17 02:26

Pre-Run: 71,974,428,672 bytes free
Post-Run: 71,970,267,136 bytes free

256 --- E O F --- 2009-06-16 10:06


Thank you.
Old 06-16-2009, 09:49 PM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

Looks like Combofix was run twice. Please go to Start>Run and copy/paste the following text in bold into the Run box and click OK. It will open a text file for you. Please copy/paste the contents of that file in your next reply.

C:\qoobox\ComboFix2.txt
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Old 06-17-2009, 04:59 PM   #15 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

Yes.
The first time, my computer stalled on the reboot, just before it loaded the desktop. I turned it off at the power button. Thinking that this might interfere with the results, I ran ComboFix again.

Here is C:\qoobox\ComboFix2.txt:

ComboFix 09-06-16.01 - Owner 06/16/2009 19:14.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.92 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\ODCTOOLS
c:\documents and settings\Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\SUPERAntiSpyware Free Edition.lnk
D:\Autorun.inf
D:\Desktop.ini

.
((((((((((((((((((((((((( Files Created from 2009-05-17 to 2009-06-17 )))))))))))))))))))))))))))))))
.

2009-06-16 04:32 . 2009-06-16 04:33 -------- d-----w- c:\documents and settings\Owner\Application Data\MailFrontier
2009-06-16 04:26 . 2009-06-17 02:22 38200096 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-16 04:16 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-16 04:16 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-16 04:16 . 2009-06-16 04:16 -------- d-----w- c:\program files\Zone Labs
2009-06-16 04:16 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-16 02:42 . 2009-06-16 04:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-16 02:42 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-16 02:40 . 2009-06-16 12:11 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-16 02:36 . 2009-06-17 02:10 -------- d-----w- c:\windows\Internet Logs
2009-06-10 18:50 . 2009-06-10 18:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sophos
2009-06-10 17:59 . 2009-06-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-06-10 17:55 . 2009-06-10 17:56 -------- dc----w- C:\stdtsa
2009-06-09 22:32 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:32 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----w- c:\program files\Common Files\Skype
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----r- c:\program files\Skype
2009-05-28 01:21 . 2009-05-28 01:21 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-05-28 01:21 . 2009-05-28 01:21 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-05-28 01:20 . 2009-05-28 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 01:01 . 2009-06-01 02:46 -------- d-----w- c:\documents and settings\Owner\.storybook
2009-05-28 01:00 . 2009-05-28 01:01 -------- d-----w- c:\program files\StorYBook
2009-05-26 23:45 . 2009-05-26 23:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 23:41 . 2009-05-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-23 20:41 . 2009-05-23 20:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-23 20:41 . 2009-06-16 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-23 20:34 . 2009-06-14 22:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-23 20:30 . 2009-05-28 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-16 04:42 . 2009-05-17 02:55 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-06-16 04:39 . 2009-05-17 02:53 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-06-16 04:26 . 2009-06-16 04:26 32 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-16 04:04 . 2009-03-17 03:24 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 02:51 . 2009-01-12 03:23 -------- d-----w- c:\program files\Sophos
2009-06-12 03:52 . 2009-02-13 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-06-10 06:17 . 2008-09-23 18:06 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-08 16:46 . 2006-02-01 12:32 47544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 02:37 . 2009-01-20 21:10 -------- d-----w- c:\program files\Lavasoft
2009-06-06 02:37 . 2008-10-19 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-06 02:34 . 2008-02-14 19:23 -------- d-----w- c:\program files\Google
2009-06-05 02:56 . 2009-05-15 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\DeepBurner
2009-06-01 05:09 . 2008-10-28 00:55 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-01 05:08 . 2006-02-01 09:26 -------- d-----w- c:\program files\Java
2009-05-29 03:25 . 2009-06-16 03:42 69000 ----a-w- c:\windows\system32\~GLH0051.TMP
2009-05-29 03:25 . 2009-06-16 03:42 103816 ----a-w- c:\windows\system32\~GLH0053.TMP
2009-05-28 06:44 . 2009-01-10 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 01:21 . 2008-10-10 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 09:06 . 2009-02-10 05:56 -------- d-----w- c:\program files\MozyHome
2009-05-26 20:20 . 2009-01-10 06:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2009-01-10 06:21 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 07:24 . 2008-05-27 05:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 14:17 . 2008-10-10 03:29 -------- d-----w- c:\program files\filehippo.com
2009-05-22 05:17 . 2009-05-15 22:33 -------- d-----w- c:\program files\Astonsoft
2009-05-20 03:00 . 2008-07-25 02:30 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-05-16 04:33 . 2009-05-16 01:16 -------- d-----w- c:\program files\PDFCreator
2009-05-13 05:15 . 2004-08-26 16:12 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 22:12 . 2006-02-01 09:45 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-08 05:01 . 2008-09-12 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-08 05:00 . 2008-12-28 22:10 -------- d-----w- c:\program files\Panda Security
2009-05-08 04:56 . 2008-10-06 04:50 -------- d-----w- c:\program files\Speeditup Free
2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:12 . 2009-05-06 18:42 -------- d-----w- c:\program files\Coupons
2009-05-02 20:27 . 2009-05-02 20:27 -------- d-----w- c:\program files\pdfsam
2009-05-01 07:31 . 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 07:31 . 2009-05-01 07:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 07:31 . 2009-05-01 07:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 07:31 . 2009-05-01 07:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 07:31 . 2009-05-01 07:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 07:31 . 2009-05-01 07:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 07:31 . 2009-05-01 07:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 05:02 . 2009-05-01 05:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 05:02 . 2009-05-01 05:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 05:02 . 2009-02-09 21:18 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 05:02 . 2007-12-05 09:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 05:02 . 2006-02-01 09:58 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 05:02 . 2006-02-01 09:58 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 05:02 . 2006-02-01 09:28 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-05-01 05:02 . 2004-08-26 10:56 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 05:02 . 2004-08-26 10:56 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 06:39 . 2008-06-21 02:08 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-30 06:38 . 2008-06-21 02:05 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-27 07:42 . 2006-02-01 09:19 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-04-26 00:30 . 2009-04-26 00:30 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-04-17 12:26 . 2006-02-01 09:42 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-26 16:12 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 06:05 . 2009-04-10 06:05 16838 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_62DEEFFD575387FCB7E1E9.exe
2009-04-10 06:05 . 2009-04-10 06:05 10270 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_6FEFF9B68218417F98F549.exe
2009-03-31 20:12 . 2008-06-10 01:21 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-03-27 17:03 . 2006-02-01 09:58 45056 -c--a-w- c:\windows\system32\nvmccsrs.dll
2009-03-27 17:03 . 2006-02-01 09:58 1346080 -c--a-w- c:\windows\system32\nvdspsch.exe
2009-03-27 04:04 . 2009-03-27 03:47 152576 -c--a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-08-25 23:19 . 2007-07-07 14:07 812544 -c--a-w- c:\program files\DoubleKiller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-22 133104]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-05-27 1573104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IconixOEAddOn"="c:\program files\eMail ID\OEAddOn\OEdmn_3.exe" [2008-05-28 281872]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-5-15 2871608]
Snippy.exe [2008-9-27 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^1-Click Answers.lnk]
backup=c:\windows\pss\1-Click Answers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MBkLogOnHook

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2/9/2009 10:56 PM 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R2 RUBotted;Trend Micro RUBotted Service;c:\program files\Trend Micro\RUBotted\TMRUBotted.exe [1/25/2009 7:39 PM 582992]
R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [11/3/2006 7:19 PM 13592]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\194.tmp --> c:\windows\system32\194.tmp [?]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MEMSWEEP2

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-16 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-26 23:41]

2009-06-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2181395589-731268670-266398665-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-22 23:35]

2006-07-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 12:42]

2009-06-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-06-16 c:\windows\Tasks\User_Feed_Synchronization-{D8E26795-7180-4CC8-9685-7A6034A13BA0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2009-05-20 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-05-17 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-16 19:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\194.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1024)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2009-06-17 19:26
ComboFix-quarantined-files.txt 2009-06-17 02:26

Pre-Run: 71,742,492,672 bytes free
Post-Run: 71,816,257,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

255 --- E O F --- 2009-06-16 10:06

Thank you.
Old 06-17-2009, 06:02 PM   #16 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

Quote:
Wise Registry Cleaner
We don't recommend the use of such tools.

Here is a good link about the registry cleaners and boosters:

http://miekiemoes.blogspot.com/2008/...eaking_13.html

and also this one:

http://aumha.net/viewtopic.php?t=28099

=============================

  • Open notepad (Start>All programs>accessories>notepad ) (It must be notepad, not wordpad, or it won’t work)
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Click Format and ensure Wordwrap is unchecked.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Code:
DDS::
Trusted Zone: internet

Registry::
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"=-

RegLock::
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]

Driver::
MEMSWEEP2
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006

Last edited by amateur; 06-17-2009 at 06:04 PM.
amateur is offline  
Old 06-17-2009, 08:27 PM   #17 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

Yikes!
I will remove both Wise Registry Cleaner and Wise Disc Cleaner. Reading these reports, I now have an idea why Windows Updates do not install and why Word does not connect to the internet anymore!

CCleaner ran upon reboot, as it is scheduled to do; I did not think to turn it off for this report.

Here is the report:

ComboFix 09-06-17.02 - Owner 06/17/2009 18:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.382.170 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: ZoneAlarm Security Suite Antivirus *On-access scanning disabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MEMSWEEP2
-------\Service_MEMSWEEP2


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-18 01:40 . 2009-06-18 01:42 -------- dc----w- C:\32788R22FWJFW
2009-06-16 04:32 . 2009-06-16 04:33 -------- d-----w- c:\documents and settings\Owner\Application Data\MailFrontier
2009-06-16 04:26 . 2009-06-18 02:02 92332832 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-06-16 04:16 . 2009-05-29 03:25 69000 ----a-w- c:\windows\system32\zlcomm.dll
2009-06-16 04:16 . 2009-05-29 03:25 103816 ----a-w- c:\windows\system32\zlcommdb.dll
2009-06-16 04:16 . 2009-06-16 04:16 -------- d-----w- c:\program files\Zone Labs
2009-06-16 04:16 . 2009-05-29 03:25 1221512 ----a-w- c:\windows\system32\zpeng25.dll
2009-06-16 02:42 . 2009-06-16 04:22 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2009-06-16 02:42 . 2009-05-29 03:25 72584 ----a-w- c:\windows\zllsputility.exe
2009-06-16 02:40 . 2009-06-16 12:11 -------- d-----w- c:\windows\system32\ZoneLabs
2009-06-16 02:36 . 2009-06-18 01:54 -------- d-----w- c:\windows\Internet Logs
2009-06-10 18:50 . 2009-06-10 18:50 -------- d-----w- c:\documents and settings\Owner\Local Settings\Application Data\Sophos
2009-06-10 17:59 . 2009-06-10 17:59 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2009-06-10 17:55 . 2009-06-10 17:56 -------- dc----w- C:\stdtsa
2009-06-09 22:32 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-06-09 22:32 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----w- c:\program files\Common Files\Skype
2009-05-28 17:03 . 2009-05-28 17:03 -------- d-----r- c:\program files\Skype
2009-05-28 01:21 . 2009-05-28 01:21 65024 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
2009-05-28 01:21 . 2009-05-28 01:21 18944 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
2009-05-28 01:20 . 2009-05-28 01:20 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-05-28 01:01 . 2009-06-01 02:46 -------- d-----w- c:\documents and settings\Owner\.storybook
2009-05-28 01:00 . 2009-05-28 01:01 -------- d-----w- c:\program files\StorYBook
2009-05-26 23:45 . 2009-05-26 23:45 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-05-26 23:41 . 2009-05-26 23:50 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-05-23 20:41 . 2009-05-23 20:41 56 ---ha-w- c:\windows\system32\ezsidmv.dat
2009-05-23 20:41 . 2009-06-16 01:41 -------- d-----w- c:\documents and settings\Owner\Application Data\skypePM
2009-05-23 20:34 . 2009-06-14 22:07 -------- d-----w- c:\documents and settings\Owner\Application Data\Skype
2009-05-23 20:30 . 2009-05-28 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 01:50 . 2009-06-16 04:26 1234508 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-06-17 02:34 . 2009-06-17 02:37 2094080 ----a-w- c:\windows\Internet Logs\xDB1.tmp
2009-06-16 04:42 . 2009-05-17 02:55 -------- d-----w- c:\program files\Wise Registry Cleaner
2009-06-16 04:39 . 2009-05-17 02:53 -------- d-----w- c:\program files\Wise Disk Cleaner
2009-06-16 04:04 . 2009-03-17 03:24 117760 ----a-w- c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2009-06-16 02:51 . 2009-01-12 03:23 -------- d-----w- c:\program files\Sophos
2009-06-12 03:52 . 2009-02-13 21:02 -------- d-----w- c:\documents and settings\Owner\Application Data\Canon
2009-06-10 06:17 . 2008-09-23 18:06 -------- d-----w- c:\program files\Windows Desktop Search
2009-06-08 16:46 . 2006-02-01 12:32 47544 -c--a-w- c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-06-06 02:37 . 2009-01-20 21:10 -------- d-----w- c:\program files\Lavasoft
2009-06-06 02:37 . 2008-10-19 23:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2009-06-06 02:34 . 2008-02-14 19:23 -------- d-----w- c:\program files\Google
2009-06-05 02:56 . 2009-05-15 22:34 -------- d-----w- c:\documents and settings\Owner\Application Data\DeepBurner
2009-06-01 05:09 . 2008-10-28 00:55 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-06-01 05:08 . 2006-02-01 09:26 -------- d-----w- c:\program files\Java
2009-05-29 03:25 . 2009-06-16 03:42 69000 ----a-w- c:\windows\system32\~GLH0051.TMP
2009-05-29 03:25 . 2009-06-16 03:42 103816 ----a-w- c:\windows\system32\~GLH0053.TMP
2009-05-28 06:44 . 2009-01-10 06:21 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-05-28 01:21 . 2008-10-10 03:49 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-05-27 09:06 . 2009-02-10 05:56 -------- d-----w- c:\program files\MozyHome
2009-05-26 20:20 . 2009-01-10 06:21 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-26 20:19 . 2009-01-10 06:21 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-05-25 07:24 . 2008-05-27 05:18 350208 ------w- c:\windows\system32\mssph.dll
2009-05-24 14:17 . 2008-10-10 03:29 -------- d-----w- c:\program files\filehippo.com
2009-05-22 05:17 . 2009-05-15 22:33 -------- d-----w- c:\program files\Astonsoft
2009-05-20 03:00 . 2008-07-25 02:30 -------- d-----w- c:\program files\Wise Registry Cleaner 3
2009-05-16 04:33 . 2009-05-16 01:16 -------- d-----w- c:\program files\PDFCreator
2009-05-13 05:15 . 2004-08-26 16:12 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-12 22:12 . 2006-02-01 09:45 26144 ----a-w- c:\windows\system32\spupdsvc.exe
2009-05-08 05:01 . 2008-09-12 20:15 -------- d-----w- c:\documents and settings\All Users\Application Data\DriverScanner
2009-05-08 05:00 . 2008-12-28 22:10 -------- d-----w- c:\program files\Panda Security
2009-05-08 04:56 . 2008-10-06 04:50 -------- d-----w- c:\program files\Speeditup Free
2009-05-07 15:32 . 2004-08-26 16:11 345600 ----a-w- c:\windows\system32\localspl.dll
2009-05-07 04:12 . 2009-05-06 18:42 -------- d-----w- c:\program files\Coupons
2009-05-02 20:27 . 2009-05-02 20:27 -------- d-----w- c:\program files\pdfsam
2009-05-01 07:31 . 2009-05-01 07:31 1657376 ----a-w- c:\windows\system32\nwiz.exe
2009-05-01 07:31 . 2009-05-01 07:31 449056 ----a-w- c:\windows\system32\nvappbar.exe
2009-05-01 07:31 . 2009-05-01 07:31 436768 ----a-w- c:\windows\system32\keystone.exe
2009-05-01 07:31 . 2009-05-01 07:31 466944 ----a-w- c:\windows\system32\nvshell.dll
2009-05-01 07:31 . 2009-05-01 07:31 1724416 ----a-w- c:\windows\system32\nvwdmcpl.dll
2009-05-01 07:31 . 2009-05-01 07:31 1507328 ----a-w- c:\windows\system32\nview.dll
2009-05-01 07:31 . 2009-05-01 07:31 1101824 ----a-w- c:\windows\system32\nvwimg.dll
2009-05-01 05:02 . 2009-05-01 05:02 1579630 ----a-w- c:\windows\system32\nvdata.bin
2009-05-01 05:02 . 2009-05-01 05:02 1314816 ----a-w- c:\windows\system32\nvcuvenc.dll
2009-05-01 05:02 . 2009-02-09 21:18 663552 ----a-w- c:\windows\system32\nvcuvid.dll
2009-05-01 05:02 . 2007-12-05 09:41 1720320 ----a-w- c:\windows\system32\nvcuda.dll
2009-05-01 05:02 . 2006-02-01 09:58 9994240 ----a-w- c:\windows\system32\nvoglnt.dll
2009-05-01 05:02 . 2006-02-01 09:58 806912 ----a-w- c:\windows\system32\nvapi.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcodins.dll
2009-05-01 05:02 . 2006-02-01 09:58 143360 ----a-w- c:\windows\system32\nvcod.dll
2009-05-01 05:02 . 2006-02-01 09:28 457248 -c--a-w- c:\windows\system32\nvudisp.exe
2009-05-01 05:02 . 2004-08-26 10:56 8055584 ----a-w- c:\windows\system32\drivers\nv4_mini.sys
2009-05-01 05:02 . 2004-08-26 10:56 5896320 ----a-w- c:\windows\system32\nv4_disp.dll
2009-04-30 06:39 . 2008-06-21 02:08 -------- d-----w- c:\program files\SystemRequirementsLab
2009-04-30 06:38 . 2008-06-21 02:05 -------- d-----w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2009-04-30 06:37 . 2009-04-30 06:37 290816 ----a-w- c:\documents and settings\Owner\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2009-04-27 07:42 . 2006-02-01 09:19 457248 -c--a-w- c:\windows\system32\NVUNINST.EXE
2009-04-26 04:01 . 2009-04-26 04:01 -------- d-----w- c:\documents and settings\All Users\Application Data\FreeRIP
2009-04-26 00:30 . 2009-04-26 00:30 25992 ----a-w- c:\windows\system32\pgdfgsvc.exe
2009-04-17 12:26 . 2006-02-01 09:42 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-26 16:12 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-10 06:05 . 2009-04-10 06:05 16838 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_62DEEFFD575387FCB7E1E9.exe
2009-04-10 06:05 . 2009-04-10 06:05 10270 ----a-r- c:\documents and settings\Owner\Application Data\Microsoft\Installer\{78E804CC-A148-4C8F-AD46-0B476EFE34C2}\_6FEFF9B68218417F98F549.exe
2009-03-31 20:12 . 2008-06-10 01:21 1324 -c--a-w- c:\windows\system32\d3d9caps.dat
2009-03-27 17:03 . 2006-02-01 09:58 45056 -c--a-w- c:\windows\system32\nvmccsrs.dll
2009-03-27 17:03 . 2006-02-01 09:58 1346080 -c--a-w- c:\windows\system32\nvdspsch.exe
2009-03-27 04:04 . 2009-03-27 03:47 152576 -c--a-w- c:\documents and settings\Owner\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2007-08-25 23:19 . 2007-07-07 14:07 812544 -c--a-w- c:\program files\DoubleKiller.exe
.

((((((((((((((((((((((((((((( SnapShot@2009-06-17_02.22.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 01:52 . 2009-06-18 01:52 16384 c:\windows\Temp\usgthrsvc\Perflib_Perfdata_204.dat
+ 2009-06-17 02:38 . 2009-06-17 02:38 16384 c:\windows\Temp\Perflib_Perfdata_7ac.dat
+ 2009-06-18 01:52 . 2009-06-18 01:52 16384 c:\windows\Temp\Perflib_Perfdata_73c.dat
+ 2009-06-18 01:52 . 2009-06-18 01:52 16384 c:\windows\Temp\Perflib_Perfdata_688.dat
+ 2009-06-16 04:26 . 2009-06-18 02:01 433116 c:\windows\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy2]
@="{747E722C-CB46-4a9d-BDFE-192AAD5099B1}"
[HKEY_CLASSES_ROOT\CLSID\{747E722C-CB46-4a9d-BDFE-192AAD5099B1}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\mozy3]
@="{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}"
[HKEY_CLASSES_ROOT\CLSID\{EE6F5A00-7898-40f7-AB77-51FF9D6DEB20}]
2009-05-15 20:04 2833208 ----a-w- c:\program files\MozyHome\mozyshell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Google Update"="c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-12-22 133104]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-05-27 1573104]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"IconixOEAddOn"="c:\program files\eMail ID\OEAddOn\OEdmn_3.exe" [2008-05-28 281872]
"TMRUBottedTray"="c:\program files\Trend Micro\RUBotted\TMRUBottedTray.exe" [2008-11-06 288088]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-05-01 13750272]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-05-01 86016]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-05-29 1005960]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2009-05-01 1657376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
MozyHome Status.lnk - c:\program files\MozyHome\mozystat.exe [2009-5-15 2871608]
Snippy.exe [2008-9-27 102400]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-12-22 19:05 356352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0pgdfgsvc C 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^1-Click Answers.lnk]
backup=c:\windows\pss\1-Click Answers.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BigFix.lnk]
backup=c:\windows\pss\BigFix.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
backup=c:\windows\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
backup=c:\windows\pss\Windows Search.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2/9/2009 10:56 PM 53752]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [5/26/2009 10:05 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/26/2009 10:05 AM 72944]
R3 TMPassthruMP;TMPassthruMP;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [5/26/2009 10:05 AM 7408]
S3 TMPassthru;Trend Micro Passthru Ndis Service;c:\windows\system32\drivers\TMPassthru.sys [1/25/2009 7:39 PM 206608]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-18 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-05-26 23:41]

2009-06-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2181395589-731268670-266398665-1003.job
- c:\documents and settings\Owner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-12-22 23:35]

2006-07-09 c:\windows\Tasks\ISP signup reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-26 12:42]

2009-06-18 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]

2009-06-17 c:\windows\Tasks\User_Feed_Synchronization-{D8E26795-7180-4CC8-9685-7A6034A13BA0}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]

2009-05-20 c:\windows\Tasks\Wise Registry Cleaner 4.job
- c:\program files\Wise Registry Cleaner\WiseRegistryCleaner.exe [2009-05-17 23:51]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.goodsearch.com
uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=8953&affid=370-9
Trusted Zone: mcafee.com
Trusted Zone: microsoft.com\*.windowsupdate
Trusted Zone: windowsupdate.com
TCP: {1DE94D50-3BDF-4C2A-AE5F-6378448FF020} = 208.67.222.222,208.67.220.220
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-17 18:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2484)
c:\windows\system32\WININET.dll
c:\program files\MozyHome\mozyshell.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\IME\SPGRMR.DLL
c:\windows\system32\webcheck.dll
c:\program files\Common Files\Microsoft Shared\INK\SKCHUI.DLL
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\Windows Defender\MsMpEng.exe
c:\windows\system32\ZoneLabs\vsmon.exe
c:\windows\system32\ZoneLabs\avsys\ScanningProcess.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\MozyHome\mozybackup.exe
c:\windows\system32\HPZipm12.exe
c:\program files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
c:\program files\Trend Micro\RUBotted\TMRUBotted.exe
c:\windows\system32\searchindexer.exe
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\rundll32.exe
c:\documents and settings\All Users\Start Menu\Programs\Startup\Snippy.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\searchfilterhost.exe
.
**************************************************************************
.
Completion time: 2009-06-18 19:10 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 02:10
ComboFix2.txt 2009-06-17 02:58
ComboFix3.txt 2009-06-17 02:26

Pre-Run: 71,435,046,912 bytes free
Post-Run: 71,424,688,128 bytes free

282 --- E O F --- 2009-06-17 22:38

Thank you.
E__P is offline  
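As an added illustration (this is not code from the thread, from ComboFix or from its authors), here is a small Python triage script for logs of the shape posted above. It parses the Run-key values, the R/S service lines and the "ImagePath" value, and flags the entries a helper looks at first: images started from a Temp directory, images with a .tmp extension (like the 194.tmp ImagePath earlier in the thread), and services whose file is no longer on disk (the "[?]" marker). The sample lines are copied from this thread's logs; the flagging heuristics are my own assumptions, not ComboFix's rules.

```python
import re

# Constructed sample input: a handful of lines copied from the ComboFix logs
# posted in this thread (Run keys, service lines and the "ImagePath" value).
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"ccleaner"="c:\program files\CCleaner\CCleaner.exe" [2009-05-27 1573104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2007-04-16 577536]

R1 mozyFilter;mozyFilter;c:\windows\system32\drivers\mozy.sys [2/9/2009 10:56 PM 53752]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys --> c:\windows\system32\DRIVERS\Lbd.sys [?]
S2 0247961239933471mcinstcleanup;McAfee Application Installer Cleanup (0247961239933471);c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service --> c:\windows\TEMP\0247961239933471mcinst.exe c:\progra~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog -service [?]
"ImagePath"="\??\c:\windows\system32\194.tmp"
"""

# "[HKEY_...\Run]" section header
RUN_KEY_RE = re.compile(r"^\[(HKEY_[^\]]*\\Run)\]$", re.IGNORECASE)
# "name"="value" [date size]   or   "name"="value" - resolved\path.exe [date size]
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"(?: - (.+?))? \[')
# R1 name;display name;image path [date size]   (S = stopped, R = running)
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*)$")
IMAGEPATH_RE = re.compile(r'^"ImagePath"="([^"]*)"$', re.IGNORECASE)
EXT_RE = re.compile(r"\.(exe|sys|dll|tmp)\b", re.IGNORECASE)

# Assumed heuristics (mine, not ComboFix's): a launch path under a Temp dir
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\")


def _first_path(field):
    """Keep only the launch path: drop the '--> ...' echo, arguments and '[date size]'."""
    field = field.split(" --> ")[0]
    m = EXT_RE.search(field)
    return field[: m.end()] if m else field.split(" [")[0]


def parse_autoruns(log_text):
    """Return one dict per autorun entry: source, name, path, missing."""
    entries = []
    current_key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            current_key = None  # blank line ends a registry section
            continue
        m = RUN_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key:
            m = RUN_VALUE_RE.match(line)
            if m:
                name, value, resolved = m.groups()
                entries.append({"source": current_key, "name": name,
                                "path": resolved or value, "missing": False})
            continue
        m = SERVICE_RE.match(line)
        if m:
            kind, start, name, _display, rest = m.groups()
            entries.append({"source": "service %s%s" % (kind, start), "name": name,
                            "path": _first_path(rest), "missing": "[?]" in rest})
            continue
        m = IMAGEPATH_RE.match(line)
        if m:
            entries.append({"source": "ImagePath", "name": "ImagePath",
                            "path": m.group(1), "missing": False})
    return entries


def triage(entries):
    """Attach a list of reasons to every entry worth a closer look."""
    findings = []
    for e in entries:
        path = e["path"].lower()
        reasons = []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("runs from a temporary directory")
        if path.endswith(".tmp"):
            reasons.append("image has a .tmp extension")
        if e["missing"]:
            reasons.append("image file not found on disk")
        if reasons:
            findings.append(dict(e, reasons=reasons))
    return findings


def triage_log(log_text):
    return triage(parse_autoruns(log_text))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("%-12s %-32s %s" % (f["source"], f["name"], "; ".join(f["reasons"])))
        print("             %s" % f["path"])
```

A flag is a prompt to look, not a verdict: the helper's reading of the full log above was that it is clean, and the McAfee installer cleanup service this script flags is simply a stale entry pointing at a file that no longer exists.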
Old 06-17-2009, 08:31 PM   #18 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

(ComboFix did not detect XP and sent an error message. I clicked through anyway and it ran the report but I thought I'd report this just in case it makes a difference.)
E__P is offline  
Old 06-17-2009, 09:18 PM   #19 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
 
Join Date: Jun 2006
Location: USA
Posts: 7,463
OS: XP SP3


Re: Error parsing raw registry hive S-1-5-18

Hi,

Quote:
(ComboFix did not detect XP and sent an error message. I clicked through anyway and it ran the report but I thought I'd report this just in case it makes a difference.)
Thanks. Combofix did not detect XP? What was the exact error message, if you could remember? Was ZoneAlarm disabled before running Combofix?

Quote:
CCleaner ran upon reboot, as it is scheduled to do; I did not think to turn it off for this report.
That's fine. Also, the warning about the registry cleaners would also be valid for the Registry section of CCleaner.

Quote:
I will remove both Wise Registry Cleaner and Wise Disc Cleaner. Reading these reports, I now have an idea why Windows Updates do not install and why Word does not connect to the internet anymore!
Windows XP Support forum may be able to help you with the Windows update issues.

The log is clean. As far as malware is concerned, you should be good to go.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /




This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.

It’s vital that you keep all your software up-to-date as older versions may have some security vulnerabilities. Secunia Software Inspector Scan can help you find out which programs need to be updated.

Please respond to this thread one more time so we can mark this thread as resolved.

Surf Safely and Think Prevention!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Old 06-17-2009, 11:15 PM   #20 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: Windows XP Home SP 3


Re: Error parsing raw registry hive S-1-5-18

The only additional thing I can remember is that it was a "Win32 error" and I saw "Vista" as well. Tried to remember more.

Yes. Zone Alarm was disabled before running ComboFix.

Thank you for the link to the Windows XP Support forum; I appreciate how you anticipated this concern. This is my next task, just after I visit Secunia.

I have removed Wise Registry Cleaner and Wise Disc Cleaner and will not use the registry cleaner with CCleaner again! I have certainly learned this lesson.

I have uninstalled ComboFix following the instructions. (Yes, I fished it from the recycle bin.)

Thank you for helping me through this. I have learned many things. I also know not to use the tools without "adult" supervision.

I will also follow the "Prevention" link you provided. I need to learn to think differently. I appreciate all your careful help.

Forever blessings to you!
E__P is offline  
 


Copyright 2001 - 2009, Tech Support Forum