Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Inactive Malware Help Topics

User Tag List

Slow PC and 'System Restore cannot protect your computer' (Logs inside)

This is a discussion on Slow PC and 'System Restore cannot protect your computer' (Logs inside) within the Inactive Malware Help Topics forums, part of the Tech Support Forum category. Hi, I have recently noticed that my computer is going very slowly, especially when browsing the internet. I tried disk


 
 
Thread Tools Search this Thread
Old 05-09-2008, 12:14 PM   #1
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi,

I have recently noticed that my computer is going very slowly, especially when browsing the internet. I tried disk cleanup, defrag, anti virus and anti-spyware scans (AVG) and everything appears fine, no apparent viruses. I run Windows XP Home edition SP2 (Although I updated to SP3 today but its made no difference)

Also, System restore doesn't work. When I try to open it from the start menu/accessories/system tools/system restore, it doesn't open, instead a box appears saying "System restore cannot protect your computer. Please restart and run System Restore again". I click 'OK', restart the computer and it still doesnt work.

I then came here and carried out all the processes for 'slow computer' and the '5 steps to malware removal', but nothing has made a difference.

I have since carried out a HiJackThis, Combofix and Panda ActiveScan.


The logs of these are below.
If anyone has any ideas or advice to help me, then I would REALLY apprecaite it so much.


(Although I got SP3 today, my logs were carried out before this was installed. I still don't have System Restore after installing SP3, and the system is still running slow.)


Thanks guys, in advance.

James





HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:02:55, on 06/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - https://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - https://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://uhvpn.herts.ac.uk/dana-cache...erSetupSP1.cab
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ansys JobManager Service V11 (JobManagerService110) - Ansys, Inc - C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ansys ScriptHost Service V11 (ScriptHostService110) - Ansys, Inc. - C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11440 bytes






Panda Active Scan Log (Only 27% completed after 6 hours)


;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-06 23:48:22
PROTECTIONS: 1
MALWARE: 21
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
AVG 7.5.524 7.5.524 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
00168090 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00168093 Cookie/Serving-sys TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][2].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00187950 Cookie/bravenetA TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00286732 Cookie/Cgi-bin TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
01176994 Bck/VB.XB Virus/Trojan No 0 No No C:\Documents and Settings\James\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix[1]\nircmd.com
01262593 Application/NirCmd.A HackTools No 0 Yes No C:\ComboFix[1]\nircmd.cfexe
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\James\Cookies\[email protected][1].txt
;===================================================================================================================================================================================
SUSPECTS
Sent Location hB
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description hB
;===================================================================================================================================================================================
;===================================================================================================================================================================================









Combofix.exe Log



ComboFix 08-05-01.3 - James 2008-05-06 18:48:16.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.524 [GMT 1:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 10:04 . 2008-05-06 10:05 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 13:35 . 2008-05-05 13:35 <DIR> d-------- C:\Program Files\Juniper Networks
2008-05-05 13:35 . 2008-05-05 13:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-05-05 13:33 . 2008-05-05 13:35 <DIR> d-------- C:\Documents and Settings\James\Application Data\Juniper Networks
2008-04-19 16:14 . 2008-04-19 16:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-19 16:01 . 2008-04-19 18:47 <DIR> d-------- C:\My Music
2008-04-14 16:19 . 2008-04-14 16:19 <DIR> d-------- C:\Documents and Settings\James\Application Data\EndNote
2008-04-14 16:18 . 2008-04-14 16:18 <DIR> d-------- C:\Program Files\EndNote X
2008-04-14 16:18 . 2008-04-14 16:18 <DIR> d-------- C:\Program Files\Common Files\Risxtd
2008-04-14 16:17 . 2008-04-14 16:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 11:41 . 2008-04-12 11:34 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 11:41 . 2008-04-12 11:41 2,547 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 16:48 --------- d-----w C:\Documents and Settings\James\Application Data\AVG7
2008-05-01 13:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-27 23:33 --------- d-----w C:\Program Files\Plagiarism-Finder TRIAL
2008-04-25 09:24 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-19 15:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-19 15:12 --------- d-----w C:\Program Files\Real
2008-04-12 10:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-12 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 08:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-29 11:03 --------- d-----w C:\Program Files\Windows Live
2008-03-29 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 22:24 --------- d-----w C:\Program Files\M3DK
2008-03-27 19:19 --------- d-----w C:\Program Files\Common Files\McNeel Shared
2008-03-27 19:18 --------- d-----w C:\Program Files\Rhinoceros 4.0
2008-03-27 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McNeel
2008-03-24 20:39 --------- d-----w C:\Documents and Settings\James\Application Data\Canon
2008-03-22 12:07 --------- d-----w C:\Documents and Settings\James\Application Data\Ahead
2008-03-20 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-10 19:53 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-10 19:51 --------- d-----w C:\Program Files\Nero
2008-03-10 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-09 19:21 17,664 ----a-w C:\WINDOWS\system32\drivers\LfNtSp50.SYS
2008-03-09 19:21 --------- d-----w C:\Program Files\Life Racing
2008-03-09 14:23 --------- d-----w C:\Program Files\Creative
2008-03-09 14:21 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-09 14:21 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-09 14:21 --------- d-----w C:\Documents and Settings\James\Application Data\Creative
2008-03-09 14:06 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-21 22:15 22,328 ----a-w C:\Documents and Settings\James\Application Data\PnkBstrK.sys
2007-11-15 10:46 1,776 -c--a-w C:\Documents and Settings\James\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 06:42 401491]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:40 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-10 20:13 282624]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 13:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 15:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"MSVideo"= VfwECamC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-09-17 11:32 4608 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awTray.exe]
--a------ 2005-12-01 12:59 1305600 C:\Program Files\Intel\IDU\awtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 20:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a------ 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-07-02 11:03 57344 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
--a------ 2006-08-11 15:53 42496 C:\WINDOWS\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 06:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-04-01 17:41 270336 C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2005-12-02 18:50 1687552 C:\Program Files\Intel\IDU\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 13:06 62760 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-30 11:40 380928 C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-03-02 12:49 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-10 20:13 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 10:35 72736 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--a------ 2002-12-03 19:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tempreg]
regsvr32 /s C:\Program Files\Helper\1202129298.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Dassault Systemes\\B16\\intel_a\\code\\bin\\CNEXT.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ReaderHostCAT5U.exe"= C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\intel\\code\\bin\\ReaderHostCAT5U.exe
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\phoenics\\d_earth\\d_windf\\earexe.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 14:22]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-11-11 15:51]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 01:12]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:34]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []
R2 JobManagerService110;Ansys JobManager Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [2007-01-16 16:20]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
R2 ScriptHostService110;Ansys ScriptHost Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [2007-01-16 16:20]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-12-28 03:48]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-15 13:15]
S3 LfNtSp50;LfNtSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\LfNtSp50.sys [2008-03-09 20:21]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2006-11-20 13:47]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2006-11-20 13:48]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2006-11-20 13:48]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2006-11-20 13:49]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2006-11-20 13:47]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2006-11-20 13:50]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2006-11-20 13:47]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 17:00:00 C:\WINDOWS\Tasks\A76C90D790F70F07.job"
- c:\docume~1\james\applic~1\proxyk~1\memoantesecond.exe
"2008-05-06 12:40:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D3DECC57-6D38-40B5-8AB4-ECD36CD1EC18}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-05-06 18:51:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 22

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-06 18:56:34
ComboFix-quarantined-files.txt 2008-05-06 17:56:32
ComboFix2.txt 2008-05-06 17:36:31
ComboFix3.txt 2008-01-30 23:56:24

Pre-Run: 20,523,507,712 bytes free
Post-Run: 20,558,348,288 bytes free

220 --- E O F --- 2008-04-09 08:51:45









Deckards Main Log File (After SP3 installation)



Deckard's System Scanner v20071014.68
Run by James on 2008-05-09 19:16:20
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Failed to create restore point; System Restore is disabled (service is not running).


-- Last 5 Restore Point(s) --
109: 2008-03-01 12:11:31 UTC - RP442 - System Checkpoint
108: 2008-02-28 1954 UTC - RP441 - System Checkpoint
107: 2008-02-26 18:20:39 UTC - RP440 - System Checkpoint
106: 2008-02-25 17:39:00 UTC - RP439 - Installed MP Drivers
105: 2008-02-25 10:12:39 UTC - RP438 - Installed ATI Catalyst Control Center


-- First Restore Point --
1: 2008-01-30 23:44:05 UTC - RP334 - Restore Operation


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as James.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:24:07, on 09/05/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Intel\IDU\awServ.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\VZJSJ08J\dss[1].exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - https://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - https://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://uhvpn.herts.ac.uk/dana-cache...erSetupSP1.cab
O20 - AppInit_DLLs: WIKI.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AdminWorks Agent X6 (AWService) - OSA Technologies Inc., An Avocent Company - C:\Program Files\Intel\IDU\awServ.exe
O23 - Service: Backbone Service (BBDemon) - Dassault Systemes - C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Ansys JobManager Service V11 (JobManagerService110) - Ansys, Inc - C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Ansys ScriptHost Service V11 (ScriptHostService110) - Ansys, Inc. - C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 11109 bytes

-- File Associations -----------------------------------------------------------

.cpl - cplfile - shell\cplopen\command - rundll32.exe shell32.dll,Control_RunDLL "%1",%*
.cpl - cplfile - shell\runas\command - rundll32.exe shell32.dll,Control_RunDLLAsUser "%1",%*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 LUMDriver - c:\windows\system32\drivers\lumdriver.sys <Not Verified; IBM; LUM application>
R1 OsaFsLoc - c:\windows\system32\drivers\osafsloc.sys <Not Verified; OSA Technologies; >
R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R2 osaio - c:\windows\system32\drivers\osaio.sys <Not Verified; OSA Technologies, An Avocent Company; Windows (R) 2000 DDK driver>
R2 SIODRV - c:\windows\system32\drivers\siodrv.sys <Not Verified; Intel Corporation; Intel(R) Active Monitor>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 GTNDIS5 (GTNDIS5 NDIS Protocol Driver) - c:\program files\belkin\f5d9050\gtndis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
R3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SMBios (Intel (R) System Management BIOS Service) - c:\windows\system32\drivers\smbios.sys <Not Verified; Intel Corporation; Intel (R) System Management BIOS Driver>
R3 smbusp (Intel(R) SMBus 2.0 Driver) - c:\windows\system32\drivers\intelsmb.sys <Not Verified; Intel Corporation; Intel(R) SMBus Controller>
R3 StreamSurge (StreamSurge Driver (miniport)) - c:\windows\system32\drivers\ss.sys <Not Verified; WikiTek Inc.; >

S2 CSS DVP - c:\windows\system32\drivers\css-dvp.sys (file missing)
S3 ATICDSDr - c:\docume~1\admini~1\locals~1\temp\aticdsdr.sys (file missing)
S3 btwhid - c:\windows\system32\drivers\btwhid.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2401>
S3 btwmodem (Bluetooth Modem) - c:\windows\system32\drivers\btwmodem.sys <Not Verified; Broadcom Corporation.; Bluetooth Software 4.0.1.2401>
S3 LfNtSp50 (LfNtSp50 NDIS Protocol Driver) - c:\windows\system32\drivers\lfntsp50.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 pgfilter - c:\program files\peerguardian2\pgfilter.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 ANSYS FLEXlm license manager - c:\progra~1\ansysi~1\shared~1\licens~1\intel\lmgrd.exe <Not Verified; Macrovision Corporation; >
R2 Autodata Limited License Service - "c:\program files\common files\autodata limited shared\service\adcdlicsvc.exe" <Not Verified; Autodata Limited; Autodata Limited License Service>
R2 AWService (AdminWorks Agent X6) - "c:\program files\intel\idu\awserv.exe" <Not Verified; OSA Technologies Inc., An Avocent Company; AdminWorks>
R2 BBDemon (Backbone Service) - "c:\program files\dassault systemes\b16\intel_a\code\bin\catsysdemon.exe" -service <Not Verified; Dassault Systemes; Dassault Systemes Product>
R2 JobManagerService110 (Ansys JobManager Service V11) - "c:\program files\ansys inc\v110\rsm\bin\jobmanagerservice.exe" <Not Verified; Ansys, Inc; JobManagerService>
R2 ScriptHostService110 (Ansys ScriptHost Service V11) - "c:\program files\ansys inc\v110\rsm\bin\scripthostservice.exe" <Not Verified; Ansys, Inc.; ScriptHostService>
R2 StarWindServiceAE (StarWind AE Service) - c:\program files\alcohol soft\alcohol 120\starwind\starwindserviceae.exe <Not Verified; Rocket Division Software; StarWind Alcohol Edition>

S2 CLTNetCnService (Symantec Lic NetConnect service) - "c:\program files\common files\symantec shared\ccsvchst.exe" /h cccommon (file missing)
S3 MSControlService (Microsoft cache control) - c:\windows\system32\windows (file missing)
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
Description: Microsoft UAA Bus Driver for High Definition Audio
Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_E2038086&REV_03\3&11583659&0&D8
Manufacturer: Microsoft
Name: Microsoft UAA Bus Driver for High Definition Audio
PNP Device ID: PCI\VEN_8086&DEV_2668&SUBSYS_E2038086&REV_03\3&11583659&0&D8
Service: HDAudBus

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_30588086&REV_01\4&29230EF5&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection #2
PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_30588086&REV_01\4&29230EF5&0&40F0
Service: E100B

Class GUID: {95C7A0A0-3094-11D7-A202-00508B9D7D5A}
Description: Bluetooth Bus Enumerator
Device ID: ROOT\BTW\0000
Manufacturer: WIDCOMM
Name: Bluetooth Bus Enumerator
PNP Device ID: ROOT\BTW\0000
Service: btkrnl

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Packet Scheduler Miniport
Device ID: ROOT\MS_PSCHEDMP\0007
Manufacturer: Microsoft
Name: Belkin Wireless G Plus MIMO USB Network Adapter #4 - Packet Scheduler Miniport
PNP Device ID: ROOT\MS_PSCHEDMP\0007
Service: PSched


-- Scheduled Tasks -------------------------------------------------------------

2008-05-09 19:00:00 264 --ah----- C:\WINDOWS\Tasks\A76C90D790F70F07.job
2008-05-09 11:35:18 422 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{D3DECC57-6D38-40B5-8AB4-ECD36CD1EC18}.job


-- Files created between 2008-04-09 and 2008-05-09 -----------------------------

2008-05-09 17:34:20 0 d-------- C:\WINDOWS\Prefetch
2008-05-09 17:24:39 0 d-------- C:\WINDOWS\system32\scripting
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\system32\en
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\system32\bits
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\l2schemas
2008-05-09 14:25:59 0 d-------- C:\I386
2008-05-06 19:02:34 0 d-------- C:\Program Files\Trend Micro
2008-05-06 18:26:57 68096 --a------ C:\WINDOWS\zip.exe
2008-05-06 18:26:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-06 18:26:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 18:26:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 18:26:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 18:26:57 98816 --a------ C:\WINDOWS\sed.exe
2008-05-06 18:26:57 80412 --a------ C:\WINDOWS\grep.exe
2008-05-06 18:26:57 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 10:04:42 0 d-------- C:\Program Files\Panda Security
2008-05-05 13:35:23 0 d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-05-05 13:35:14 0 d-------- C:\Program Files\Juniper Networks
2008-05-05 13:33:12 0 d-------- C:\Documents and Settings\James\Application Data\Juniper Networks
2008-04-19 16:14:27 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-19 16:01:41 0 d-------- C:\My Music
2008-04-14 16:19:05 0 d-------- C:\Documents and Settings\James\Application Data\EndNote
2008-04-14 16:18:48 0 d-------- C:\Program Files\Common Files\Risxtd
2008-04-14 16:18:09 0 d-------- C:\Program Files\EndNote X
2008-04-14 16:17:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 11:41:33 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 11:41:33 2547 --a------ C:\WINDOWS\unins000.dat


-- Find3M Report ---------------------------------------------------------------

2008-05-09 18:53:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-09 17:24:53 0 d-------- C:\Program Files\Messenger
2008-05-09 17:24:37 0 d-------- C:\Program Files\Movie Maker
2008-05-09 17:21:59 0 d-------- C:\Program Files\Windows NT
2008-05-08 07:02:39 0 d-------- C:\Documents and Settings\James\Application Data\AVG7
2008-04-28 00:33:27 0 d-------- C:\Program Files\Plagiarism-Finder TRIAL
2008-04-25 10:24:51 0 d-------- C:\Program Files\PeerGuardian2
2008-04-20 21:46:41 0 d-------- C:\Documents and Settings\James\Application Data\Adobe
2008-04-19 16:14:27 0 d-------- C:\Program Files\Common Files
2008-04-19 16:14:06 0 d-------- C:\Program Files\Common Files\Real
2008-04-19 16:12:52 0 d-------- C:\Program Files\Real
2008-04-19 16:12:52 0 d-------- C:\Documents and Settings\James\Application Data\Real
2008-03-29 12:03:56 0 d-------- C:\Program Files\Windows Live
2008-03-27 23:24:42 0 d-------- C:\Program Files\M3DK
2008-03-27 20:19:06 0 d-------- C:\Program Files\Common Files\McNeel Shared
2008-03-27 20:18:52 0 d-------- C:\Program Files\Rhinoceros 4.0
2008-03-24 21:39:33 0 d-------- C:\Documents and Settings\James\Application Data\Canon
2008-03-22 13:07:50 0 d-------- C:\Documents and Settings\James\Application Data\Ahead
2008-03-20 18:41:30 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-10 20:53:04 0 d-------- C:\Program Files\Common Files\Ahead
2008-03-10 20:51:50 0 d-------- C:\Program Files\Nero
2008-03-09 20:21:50 0 d-------- C:\Program Files\Life Racing
2008-03-09 15:23:29 0 d-------- C:\Program Files\Creative
2008-03-09 15:21:59 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 15:21:59 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>
2008-03-09 15:21:33 0 d-------- C:\Documents and Settings\James\Application Data\Creative
2008-03-09 1538 0 d-------- C:\Program Files\Microsoft Silverlight
2008-03-04 23:59:06 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-02-24 23:26:48 0 --a----c- C:\WINDOWS\ativpsrm.bin


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 02:00]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [20/07/2006 06:55]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 10:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/09/2006 20:13]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 06:42]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=WIKI.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awTray.exe]
"C:\Program Files\Intel\IDU\awtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
CTXFIREG.exe /FAIL1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
"C:\Program Files\Intel\IDU\iptray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tempreg]
regsvr32 /s "C:\Program Files\Helper\1202129298.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - GTNDIS5
*Newly Created Service* - USNJSVC



-- Hosts -----------------------------------------------------------------------

127.0.0.1 007guard.com
127.0.0.1 www.007guard.com
127.0.0.1 008i.com
127.0.0.1 008k.com
127.0.0.1 www.008k.com
127.0.0.1 00hq.com
127.0.0.1 www.00hq.com
127.0.0.1 010402.com
127.0.0.1 032439.com
127.0.0.1 www.032439.com

8141 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-05-09 19:29:46 ------------




Thanks,
James
jwarren2k2 is offline  
Sponsored Links
Advertisement
 
Old 05-20-2008, 01:00 PM   #2
Guest
 
Join Date: May 2008
Posts: 13
OS:



My computer seems a bit quicker now, but I still don't have system restore which is a worry.

Any help will be very much appreciated!

Ive waited over 2 weeks for a reply, I know you're busy though!

Thanks,
James
jwarren2k2 is offline  
Old 05-20-2008, 11:24 PM   #3
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hello James.

Welcome, and thank you for your kind patience.

I'd like you to use a different online scanner to search for any remnants that may be lurking about. It can take some time, so please be patient and allow it to run it's full course:

Using Internet Explorer, visit https://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.



  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

---------------------------------------------------

I'd also like to see this report:

C:\Qoobox\ComboFix 2.txt
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Sponsored Links
Advertisement
 
Old 05-21-2008, 11:14 AM   #4
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi,

Thank you for the reply.

Fortunately I had a job interview today and had the day free to leave the scanner running!

Here are the reports (The Kapersky scanner found 14 viruses, mostly to do with 'Restore' and 44 infected objects!)


Kapersky

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, May 21, 2008 611 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/05/2008
Kaspersky Anti-Virus database records: 789759
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
M:\

Scan Statistics:
Total number of scanned objects: 399344
Number of viruses found: 14
Number of infected objects: 44
Number of suspicious objects: 0
Duration of the scan process: 07:37:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped
C:\Documents and Settings\James\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\James\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\James\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\James\Desktop\SmitfraudFix.exe RAR: infected - 1 skipped
C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\James\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\James\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\James\Local Settings\Temp\~DFD46.tmp Object is locked skipped
C:\Documents and Settings\James\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\James\ntuser.dat Object is locked skipped
C:\Documents and Settings\James\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Nero-8.2.8.0_eng_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Nero-8.2.8.0_eng_trial.exe 7-Zip: infected - 1 skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\sw_ae-20080521-080721.log Object is locked skipped
C:\Program Files\Ansys Inc\Shared Files\Licensing\license.log Object is locked skipped
C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP347\A0129641.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP403\A0156520.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP403\A0156521.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP403\A0156531.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP403\A0156532.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP405\A0156568.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP405\A0156572.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP409\A0157181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.quc skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP409\A0157182.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP409\A0157183.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP409\A0157184.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP409\A0157234.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP411\A0159216.exe Infected: not-a-virus:FraudTool.Win32.SysKontroller.a skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP411\A0159235.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159390.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159403.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159432.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159433.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159441.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159456.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edx skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159457.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159461.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP414\A0159578.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP423\A0162882.exe/data0000 Infected: not-a-virus:AdWare.Win32.E404.m skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP423\A0162882.exe/data0001/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP423\A0162882.exe/data0001 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP423\A0162882.exe EmbeddedEXE: infected - 3 skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP434\A0172641.exe/AdKey.exe Infected: Backdoor.Win32.Blhouse.c skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP434\A0172641.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP436\A0173066.exe/AdKey.exe Infected: Backdoor.Win32.Blhouse.c skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP436\A0173066.exe RAR: infected - 1 skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP440\A0177352.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP440\A0177353.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP440\A0177354.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP440\A0177355.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP440\A0177356.exe Infected: Worm.Win32.VB.an skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP441\A0178606.exe/wr-1-1395.exe Infected: Trojan-Downloader.Win32.Small.ihc skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP441\A0178606.exe/setup120u.exe Infected: Trojan.Win32.Agent.mwy skipped
C:\System Volume Information\_restore{3872BC8E-91CA-4D81-A5A5-A468E81E805E}\RP441\A0178606.exe nBinder5: infected - 2 skipped
C:\WINDOWS\$_hpcst$.hpc Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_3a8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
M:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.









Combofix 2


ComboFix 08-05-01.3 - James 2008-05-06 18:31:53.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.489 [GMT 1:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-06 to 2008-05-06 )))))))))))))))))))))))))))))))
.

2008-05-06 10:04 . 2008-05-06 10:05 <DIR> d-------- C:\Program Files\Panda Security
2008-05-05 13:35 . 2008-05-05 13:35 <DIR> d-------- C:\Program Files\Juniper Networks
2008-05-05 13:35 . 2008-05-05 13:35 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-05-05 13:33 . 2008-05-05 13:35 <DIR> d-------- C:\Documents and Settings\James\Application Data\Juniper Networks
2008-04-19 16:14 . 2008-04-19 16:14 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-04-19 16:01 . 2008-04-19 18:47 <DIR> d-------- C:\My Music
2008-04-14 16:19 . 2008-04-14 16:19 <DIR> d-------- C:\Documents and Settings\James\Application Data\EndNote
2008-04-14 16:18 . 2008-04-14 16:18 <DIR> d-------- C:\Program Files\EndNote X
2008-04-14 16:18 . 2008-04-14 16:18 <DIR> d-------- C:\Program Files\Common Files\Risxtd
2008-04-14 16:17 . 2008-04-14 16:17 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 11:41 . 2008-04-12 11:34 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 11:41 . 2008-04-12 11:41 2,547 --a------ C:\WINDOWS\unins000.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-06 16:48 --------- d-----w C:\Documents and Settings\James\Application Data\AVG7
2008-05-01 13:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-04-27 23:33 --------- d-----w C:\Program Files\Plagiarism-Finder TRIAL
2008-04-25 09:24 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-19 15:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-19 15:12 --------- d-----w C:\Program Files\Real
2008-04-12 10:44 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-12 10:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-09 08:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-29 11:03 --------- d-----w C:\Program Files\Windows Live
2008-03-29 11:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-27 22:24 --------- d-----w C:\Program Files\M3DK
2008-03-27 19:19 --------- d-----w C:\Program Files\Common Files\McNeel Shared
2008-03-27 19:18 --------- d-----w C:\Program Files\Rhinoceros 4.0
2008-03-27 19:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\McNeel
2008-03-24 20:39 --------- d-----w C:\Documents and Settings\James\Application Data\Canon
2008-03-22 12:07 --------- d-----w C:\Documents and Settings\James\Application Data\Ahead
2008-03-20 17:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-10 19:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-10 19:53 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-10 19:51 --------- d-----w C:\Program Files\Nero
2008-03-10 19:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-03-09 19:21 17,664 ----a-w C:\WINDOWS\system32\drivers\LfNtSp50.SYS
2008-03-09 19:21 --------- d-----w C:\Program Files\Life Racing
2008-03-09 14:23 --------- d-----w C:\Program Files\Creative
2008-03-09 14:21 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2008-03-09 14:21 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2008-03-09 14:21 --------- d-----w C:\Documents and Settings\James\Application Data\Creative
2008-03-09 14:06 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2007-12-21 22:15 22,328 ----a-w C:\Documents and Settings\James\Application Data\PnkBstrK.sys
2007-11-15 10:46 1,776 -c--a-w C:\Documents and Settings\James\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 06:42 401491]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:40 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-10 20:13 282624]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 13:00 158208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 15:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"MSVideo"= VfwECamC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-09-17 11:32 4608 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awTray.exe]
--a------ 2005-12-01 12:59 1305600 C:\Program Files\Intel\IDU\awtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 20:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a------ 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-07-02 11:03 57344 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
--a------ 2006-08-11 15:53 42496 C:\WINDOWS\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 06:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-04-01 17:41 270336 C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2005-12-02 18:50 1687552 C:\Program Files\Intel\IDU\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 13:06 62760 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-30 11:40 380928 C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-03-02 12:49 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-10 20:13 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 10:35 72736 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--a------ 2002-12-03 19:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tempreg]
regsvr32 /s C:\Program Files\Helper\1202129298.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Dassault Systemes\\B16\\intel_a\\code\\bin\\CNEXT.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ReaderHostCAT5U.exe"= C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\intel\\code\\bin\\ReaderHostCAT5U.exe
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\phoenics\\d_earth\\d_windf\\earexe.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 14:22]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-11-11 15:51]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 01:12]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:34]
R2 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []
R2 JobManagerService110;Ansys JobManager Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [2007-01-16 16:20]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
R2 ScriptHostService110;Ansys ScriptHost Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [2007-01-16 16:20]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-12-28 03:48]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-15 13:15]
S3 LfNtSp50;LfNtSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\LfNtSp50.sys [2008-03-09 20:21]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2006-11-20 13:47]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2006-11-20 13:48]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2006-11-20 13:48]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2006-11-20 13:49]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2006-11-20 13:47]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2006-11-20 13:50]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2006-11-20 13:47]

*Newly Created Service* - CATCHME
*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2008-05-06 17:00:00 C:\WINDOWS\Tasks\A76C90D790F70F07.job"
- c:\docume~1\james\applic~1\proxyk~1\memoantesecond.exe
"2008-05-06 12:40:07 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D3DECC57-6D38-40B5-8AB4-ECD36CD1EC18}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-05-06 18:34:48
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-06 18:36:30
ComboFix-quarantined-files.txt 2008-05-06 17:36:08
ComboFix2.txt 2008-01-30 23:56:24

Pre-Run: 20,062,597,120 bytes free
Post-Run: 20,455,825,408 bytes free

225 --- E O F --- 2008-04-09 08:51:45







Thanks very much,

James
jwarren2k2 is offline  
Old 05-21-2008, 08:20 PM   #5
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi James,

Kaspersky is only reporting backups items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm you unless you choose to perform a manual restore. Nevertheless, we shall be resetting/clearing the cache when we're through here.


Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.

***************************************************

Delete your existing Combofix.exe and download it again from any of the links below:

Link 1
Link 2


**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

Open notepad and copy/paste the text in the code box below into it:

Code:
File::
C:\WINDOWS\Tasks\A76C90D790F70F07.job

Folder::
c:\docume~1\james\applic~1\proxyk~1
Save this as "CFScript.txt", and as Type: All Files (*.*)
in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


--------------------------------------------------------------------

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt.
----------------------------------------------------------------------

Please run dss.exe again, but use these instructions:

Click Start>Select 'Run' - then copy/paste the following text into the run box & click OK

"%userprofile%\desktop\dss.exe" /config

In the dialog box that appears:

Under the Main Log heading--Uncheck everything
Under the Extra Log heading-- 'Check' Add Remove Programs
Click Scan!

The extra.txt will open up in Notepad. Copy/paste the contents of that report in your next reply.

----------------------------------------------------------------------------------------------------


Please include the following in your next reply:

C:\Combofix.txt
C:\findlop.txt
extra.txt
Update on system behavior
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-22-2008, 04:44 AM   #6
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi, thanks for that help!

My computer seems to be running 'more freely'. It doesn't feel restricted like it used to. System restore isn't working, but from what you've said so far, I can't imagine you're expecting it to be fixed!

I did everything you said all in one go with AVG anti-virus off and my internet explorer closed as advised. They were all run one after another with no operations in between.

Here are the reports you asked for:



Combofix


ComboFix 08-05-21.2 - James 2008-05-22 11:10:05.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.522 [GMT 1:00]
Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\Tasks\A76C90D790F70F07.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\james\applic~1\proxyk~1
c:\docume~1\james\applic~1\proxyk~1\A531B23C
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\Tasks\A76C90D790F70F07.job

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-21 08:14 . 2008-05-21 08:14 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-21 08:14 . 2008-05-21 08:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-11 16:03 . 2008-05-11 16:03 2,120 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-10 22:08 . 2008-05-10 22:08 <DIR> d-------- C:\Program Files\Kontiki
2008-05-10 22:08 . 2008-05-10 22:08 <DIR> d-------- C:\Program Files\Channel4
2008-05-10 22:08 . 2008-05-22 11:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-10 22:08 . 2008-05-10 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-05-09 19:35 . 2008-05-10 19:28 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-09 19:35 . 2008-05-10 19:30 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 19:16 . 2008-05-09 19:16 <DIR> d-------- C:\Deckard
2008-05-09 17:24 . 2008-05-09 17:24 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-09 17:24 . 2008-05-09 17:24 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-09 17:24 . 2008-05-09 17:24 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-09 17:24 . 2008-05-09 17:24 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-09 16:53 . 2008-04-14 01:12 291,328 --------- C:\WINDOWS\system32\qagentrt.dll
2008-05-09 16:53 . 2008-04-14 01:12 150,528 --------- C:\WINDOWS\system32\qagent.dll
2008-05-09 16:53 . 2008-04-14 01:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-05-09 16:53 . 2008-04-14 01:12 76,800 --------- C:\WINDOWS\system32\qutil.dll
2008-05-09 16:53 . 2008-04-14 01:12 69,120 --------- C:\WINDOWS\system32\wlanapi.dll
2008-05-09 16:53 . 2008-04-14 01:12 62,464 --------- C:\WINDOWS\system32\qcliprov.dll
2008-05-09 16:53 . 2008-04-14 01:12 61,952 --------- C:\WINDOWS\system32\rasqec.dll
2008-05-09 16:53 . 2008-04-14 01:12 50,688 --------- C:\WINDOWS\system32\tspkg.dll
2008-05-09 16:53 . 2008-04-14 01:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-05-09 16:53 . 2008-04-13 19:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-05-09 15:33 . 2001-08-17 22:36 23,040 --a--c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-09 15:32 . 2001-08-17 22:37 99,865 --a--c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-09 15:32 . 2001-08-17 22:37 27,648 --a--c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-09 15:32 . 2004-08-03 22:29 19,455 --a--c--- C:\WINDOWS\system32\dllcache\wvchntxx.sys
2008-05-09 15:32 . 2001-08-17 12:11 16,970 --a--c--- C:\WINDOWS\system32\dllcache\xem336n5.sys
2008-05-09 15:32 . 2004-08-03 22:29 12,063 --a--c--- C:\WINDOWS\system32\dllcache\wsiintxx.sys
2008-05-09 15:32 . 2001-08-17 22:37 4,608 --a--c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-09 15:31 . 2001-08-17 13:28 771,581 --a--c--- C:\WINDOWS\system32\dllcache\winacisa.sys
2008-05-09 15:31 . 2004-08-03 22:31 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-05-09 15:31 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\wiamsmud.dll
2008-05-09 15:31 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-05-09 15:29 . 2001-08-17 13:28 604,253 --a--c--- C:\WINDOWS\system32\dllcache\vmodem.sys
2008-05-09 15:29 . 2001-08-17 13:28 397,502 --a--c--- C:\WINDOWS\system32\dllcache\vpctcom.sys
2008-05-09 15:29 . 2001-08-17 12:14 249,402 --a--c--- C:\WINDOWS\system32\dllcache\vinwm.sys
2008-05-09 15:29 . 2001-08-17 13:28 64,605 --a--c--- C:\WINDOWS\system32\dllcache\vvoice.sys
2008-05-09 15:29 . 2001-08-17 12:13 19,528 --a--c--- C:\WINDOWS\system32\dllcache\w840nd.sys
2008-05-09 15:29 . 2001-08-17 12:13 19,016 --a--c--- C:\WINDOWS\system32\dllcache\w926nd.sys
2008-05-09 15:28 . 2001-08-17 13:28 765,884 --a--c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-09 15:28 . 2001-08-17 13:28 687,999 --a--c--- C:\WINDOWS\system32\dllcache\usrwdxjs.sys
2008-05-09 15:28 . 2001-08-17 13:28 113,762 --a--c--- C:\WINDOWS\system32\dllcache\usrpda.sys
2008-05-09 15:28 . 2001-08-17 13:49 24,576 --a--c--- C:\WINDOWS\system32\dllcache\viairda.sys
2008-05-09 15:28 . 2001-08-17 13:28 7,556 --a--c--- C:\WINDOWS\system32\dllcache\usroslba.sys
2008-05-09 15:27 . 2001-08-17 13:28 794,654 --a--c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-09 15:27 . 2001-08-17 13:28 794,399 --a--c--- C:\WINDOWS\system32\dllcache\usr1806v.sys
2008-05-09 15:27 . 2001-08-17 13:28 793,598 --a--c--- C:\WINDOWS\system32\dllcache\usr1806.sys
2008-05-09 15:27 . 2001-08-17 13:28 224,802 --a--c--- C:\WINDOWS\system32\dllcache\usr1807a.sys
2008-05-09 15:27 . 2001-08-17 22:36 94,720 --a--c--- C:\WINDOWS\system32\dllcache\umaxud32.dll
2008-05-09 15:27 . 2004-08-03 22:31 32,384 --a--c--- C:\WINDOWS\system32\dllcache\usb101et.sys
2008-05-09 15:26 . 2001-08-17 22:36 69,632 --a--c--- C:\WINDOWS\system32\dllcache\umaxu12.dll
2008-05-09 15:26 . 2001-08-17 22:36 50,688 --a--c--- C:\WINDOWS\system32\dllcache\umaxscan.dll
2008-05-09 15:26 . 2001-08-17 22:36 50,176 --a--c--- C:\WINDOWS\system32\dllcache\umaxp60.dll
2008-05-09 15:26 . 2001-08-17 22:36 28,160 --a--c--- C:\WINDOWS\system32\dllcache\umaxu40.dll
2008-05-09 15:26 . 2001-08-17 22:36 26,624 --a--c--- C:\WINDOWS\system32\dllcache\umaxu22.dll
2008-05-09 15:26 . 2001-08-17 13:58 22,912 --a--c--- C:\WINDOWS\system32\dllcache\umaxpcls.sys
2008-05-09 15:25 . 2001-08-17 22:36 216,064 --a--c--- C:\WINDOWS\system32\dllcache\um34scan.dll
2008-05-09 15:25 . 2001-08-17 22:36 211,968 --a--c--- C:\WINDOWS\system32\dllcache\um54scan.dll
2008-05-09 15:25 . 2001-08-17 12:51 166,784 --a--c--- C:\WINDOWS\system32\dllcache\tridxpm.sys
2008-05-09 15:25 . 2001-08-17 22:36 47,616 --a--c--- C:\WINDOWS\system32\dllcache\umaxcam.dll
2008-05-09 15:25 . 2001-08-17 13:52 36,736 --a--c--- C:\WINDOWS\system32\dllcache\ultra.sys
2008-05-09 15:25 . 2001-08-17 13:48 11,520 --a--c--- C:\WINDOWS\system32\dllcache\twotrack.sys
2008-05-09 15:24 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-09 15:24 . 2001-08-17 14:56 440,576 --a--c--- C:\WINDOWS\system32\dllcache\tridkb.dll
2008-05-09 15:24 . 2001-08-17 14:56 315,520 --a--c--- C:\WINDOWS\system32\dllcache\trid3d.dll
2008-05-09 15:24 . 2001-08-17 12:51 222,336 --a--c--- C:\WINDOWS\system32\dllcache\trid3dm.sys
2008-05-09 15:24 . 2001-08-17 12:51 159,232 --a--c--- C:\WINDOWS\system32\dllcache\tridkbm.sys
2008-05-09 15:24 . 2001-08-17 12:12 34,375 --a--c--- C:\WINDOWS\system32\dllcache\tpro4.sys
2008-05-09 15:23 . 2001-08-17 14:01 241,664 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-09 15:23 . 2001-08-17 14:02 230,912 --a--c--- C:\WINDOWS\system32\dllcache\tosdvd03.sys
2008-05-09 15:23 . 2001-08-17 22:35 42,496 --a--c--- C:\WINDOWS\system32\dllcache\tp4res.dll
2008-05-09 15:23 . 2001-08-17 22:36 31,744 --a--c--- C:\WINDOWS\system32\dllcache\tp4.dll
2008-05-09 15:23 . 2001-08-17 12:10 28,232 --a--c--- C:\WINDOWS\system32\dllcache\tos4mo.sys
2008-05-09 15:23 . 2001-08-17 13:51 4,992 --a--c--- C:\WINDOWS\system32\dllcache\toside.sys
2008-05-09 15:22 . 2001-08-17 12:51 138,528 --a--c--- C:\WINDOWS\system32\dllcache\tgiulnt5.sys
2008-05-09 15:22 . 2001-08-17 12:14 123,995 --a--c--- C:\WINDOWS\system32\dllcache\tjisdn.sys
2008-05-09 15:22 . 2001-08-17 14:56 81,408 --a--c--- C:\WINDOWS\system32\dllcache\tgiul50.dll
2008-05-09 15:22 . 2001-08-17 12:13 37,961 --a--c--- C:\WINDOWS\system32\dllcache\tdk100b.sys
2008-05-09 15:22 . 2001-08-17 12:13 17,129 --a--c--- C:\WINDOWS\system32\dllcache\tdkcd31.sys
2008-05-09 15:21 . 2001-08-17 14:56 172,768 --a--c--- C:\WINDOWS\system32\dllcache\t2r4disp.dll
2008-05-09 15:21 . 2001-08-17 12:50 36,640 --a--c--- C:\WINDOWS\system32\dllcache\t2r4mini.sys
2008-05-09 15:21 . 2001-08-17 14:07 32,640 --a--c--- C:\WINDOWS\system32\dllcache\symc8xx.sys
2008-05-09 15:21 . 2001-08-17 14:07 30,688 --a--c--- C:\WINDOWS\system32\dllcache\sym_u3.sys
2008-05-09 15:21 . 2001-08-17 13:49 30,464 --a--c--- C:\WINDOWS\system32\dllcache\tbatm155.sys
2008-05-09 15:21 . 2001-08-17 14:07 16,256 --a--c--- C:\WINDOWS\system32\dllcache\symc810.sys
2008-05-09 15:21 . 2001-08-17 13:52 7,040 --a--c--- C:\WINDOWS\system32\dllcache\tandqic.sys
2008-05-09 15:20 . 2001-08-17 13:50 103,936 --a--c--- C:\WINDOWS\system32\dllcache\sx.sys
2008-05-09 15:20 . 2001-08-17 22:36 94,293 --a--c--- C:\WINDOWS\system32\dllcache\sxports.dll
2008-05-09 15:20 . 2001-08-17 22:36 53,760 --a--c--- C:\WINDOWS\system32\dllcache\sw_wheel.dll
2008-05-09 15:20 . 2001-08-17 14:07 28,384 --a--c--- C:\WINDOWS\system32\dllcache\sym_hi.sys
2008-05-09 15:20 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpidflt.dll
2008-05-09 15:20 . 2001-08-17 22:36 10,240 --a--c--- C:\WINDOWS\system32\dllcache\swpdflt2.dll
2008-05-09 15:20 . 2001-08-17 14:02 3,968 --a--c--- C:\WINDOWS\system32\dllcache\swusbflt.sys
2008-05-09 15:19 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-09 15:19 . 2001-08-17 22:36 155,648 --a--c--- C:\WINDOWS\system32\dllcache\stlnprop.dll
2008-05-09 15:19 . 2001-08-17 22:36 53,248 --a--c--- C:\WINDOWS\system32\dllcache\stlncoin.dll
2008-05-09 15:19 . 2001-08-17 12:11 48,736 --a--c--- C:\WINDOWS\system32\dllcache\srwlnd5.sys
2008-05-09 15:19 . 2001-08-17 22:36 41,472 --a--c--- C:\WINDOWS\system32\dllcache\sw_effct.dll
2008-05-09 15:19 . 2001-08-17 13:51 16,896 --a--c--- C:\WINDOWS\system32\dllcache\stcusb.sys
2008-05-09 15:18 . 2001-08-17 22:36 106,584 --a--c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-05-09 15:18 . 2001-08-17 22:36 99,328 --a--c--- C:\WINDOWS\system32\dllcache\srusd.dll
2008-05-09 15:18 . 2001-08-17 13:51 61,824 --a--c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-05-09 15:18 . 2001-08-17 12:51 37,040 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-05-09 15:18 . 2001-08-17 22:36 24,660 --a--c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-05-09 15:18 . 2001-08-17 14:07 19,072 --a--c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-05-09 15:18 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-09 15:17 . 2001-08-17 22:36 114,688 --a--c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-05-09 15:17 . 2001-08-17 12:51 58,368 --a--c--- C:\WINDOWS\system32\dllcache\smiminib.sys
2008-05-09 15:17 . 2001-08-17 12:51 20,752 --a--c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-05-09 15:17 . 2001-08-17 13:53 9,600 --a--c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-05-09 15:17 . 2001-08-17 13:53 7,040 --a--c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-05-09 15:16 . 2001-08-17 14:56 147,200 --a--c--- C:\WINDOWS\system32\dllcache\smidispb.dll
2008-05-09 15:16 . 2001-08-17 22:36 45,568 --a--c--- C:\WINDOWS\system32\dllcache\smb3w.dll
2008-05-09 15:16 . 2001-08-17 12:10 35,913 --a--c--- C:\WINDOWS\system32\dllcache\smcirda.sys
2008-05-09 15:16 . 2001-08-17 12:12 25,034 --a--c--- C:\WINDOWS\system32\dllcache\smcpwr2n.sys
2008-05-09 15:16 . 2001-08-17 12:12 24,576 --a--c--- C:\WINDOWS\system32\dllcache\smc8000n.sys
2008-05-09 15:16 . 2001-08-17 13:57 6,784 --a--c--- C:\WINDOWS\system32\dllcache\smbhc.sys
2008-05-09 15:15 . 2001-08-17 14:56 157,696 --a--c--- C:\WINDOWS\system32\dllcache\sisv256.dll
2008-05-09 15:15 . 2001-08-17 12:12 94,698 --a--c--- C:\WINDOWS\system32\dllcache\sk98xwin.sys
2008-05-09 15:15 . 2001-08-17 12:12 91,294 --a--c--- C:\WINDOWS\system32\dllcache\skfpwin.sys
2008-05-09 15:15 . 2004-08-03 22:31 63,547 --a--c--- C:\WINDOWS\system32\dllcache\sla30nd5.sys
2008-05-09 15:15 . 2001-08-17 22:36 33,792 --a--c--- C:\WINDOWS\system32\dllcache\smb0w.dll
2008-05-09 15:15 . 2001-08-17 22:36 28,672 --a--c--- C:\WINDOWS\system32\dllcache\sma0w.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-14 06:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-12 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-05-09 20:03 --------- d-----w C:\Documents and Settings\James\Application Data\AVG7
2008-05-09 17:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 17:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-25 09:24 --------- d-----w C:\Program Files\PeerGuardian2
2008-04-19 15:14 --------- d-----w C:\Program Files\Common Files\xing shared
2008-04-19 15:14 --------- d-----w C:\Program Files\Common Files\Real
2008-04-19 15:12 --------- d-----w C:\Program Files\Real
2008-04-14 15:19 --------- d-----w C:\Documents and Settings\James\Application Data\EndNote
2008-04-14 15:18 --------- d-----w C:\Program Files\EndNote X
2008-04-14 15:18 --------- d-----w C:\Program Files\Common Files\Risxtd
2008-04-14 15:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-14 04:42 985,088 ----a-w C:\WINDOWS\system32\setupapi.dll
2008-04-14 04:42 11,264 ----a-w C:\WINDOWS\system32\spnpinst.exe
2008-04-14 04:41 423,936 ----a-w C:\WINDOWS\system32\licdll.dll
2008-04-14 00:25 1,804 ----a-w C:\WINDOWS\system32\dcache.bin
2008-04-14 00:16 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 00:13 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 00:13 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:11 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
2008-04-14 00:10 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 00:10 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 00:10 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-13 21:00 103,424 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 19:30 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:24 2,145,280 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ----a-w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:47 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 18:45 60,160 ----a-w C:\WINDOWS\system32\drivers\drmk.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ----a-w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ----a-w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 18:39 7,552 ----a-w C:\WINDOWS\system32\drivers\mskssrv.sys
2008-04-13 18:39 5,504 ----a-w C:\WINDOWS\system32\drivers\mstee.sys
2008-04-13 18:39 5,376 ----a-w C:\WINDOWS\system32\drivers\mspclock.sys
2008-04-13 18:39 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 18:39 4,992 ----a-w C:\WINDOWS\system32\drivers\mspqm.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 06:42 401491]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00 90112]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [2006-07-20 06:55 1617920]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 10:40 579584]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-10 20:13 282624]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-05 15:44 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=WIKI.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSACM.CEGSM"= mobilev.acm
"MSVideo"= VfwECamC.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-04-23 11:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 23:16 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
--a------ 2007-09-17 11:32 4608 C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awTray.exe]
--a------ 2005-12-01 12:59 1305600 C:\Program Files\Intel\IDU\awtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
--a------ 2007-11-16 20:20 91432 C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
--a------ 2003-06-18 02:00 45056 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2008-04-14 01:12 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2006-08-11 15:56 17920 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-07-02 11:03 57344 C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2006-08-11 15:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
--a------ 2006-08-11 15:53 42496 C:\WINDOWS\system32\CTXFIREG.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
--a------ 2004-02-03 06:42 401491 C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
--a------ 2003-04-01 17:41 270336 C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
--a------ 2005-12-02 18:50 1687552 C:\Program Files\Intel\IDU\iptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-06-14 16:24 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-04-23 11:23 1032640 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--------- 2007-10-11 13:06 62760 C:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2003-12-30 11:40 380928 C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
--a------ 2004-03-02 12:49 86016 C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-09-10 20:13 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2007-10-28 10:35 72736 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
--a------ 2002-12-03 19:06 45056 C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tempreg]
regsvr32 /s C:\Program Files\Helper\1202129298.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
--a------ 2006-10-18 21:05 204288 C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"ScriptHostService110"=2 (0x2)
"NMIndexingService"=3 (0x3)
"KService"=2 (0x2)
"JobManagerService110"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"BBDemon"=2 (0x2)
"AWService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Microsoft ActiveSync\\WCESCOMM.EXE"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Dassault Systemes\\B16\\intel_a\\code\\bin\\CNEXT.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JobManagerService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMAdmin.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\JMPassword.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\RSM\\bin\\ScriptHostService.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\Intel\\code\\bin\\ReaderHostCAT5U.exe"= C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\CATIAV5\\intel\\code\\bin\\ReaderHostCAT5U.exe
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CommonFiles\\intel\\AnsysWBU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\ANSYS\\bin\\intel\\ANSYS.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ActivePIMgrU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\AISOL\\CAD Integration\\intel\\ReaderHostU.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\tclsh.exe"=
"C:\\Program Files\\ANSYS Inc\\v110\\CommonFiles\\TCL\\bin\\intel\\wish.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\phoenics\\d_earth\\d_windf\\earexe.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 LUMDriver;LUMDriver;C:\WINDOWS\system32\drivers\LUMDriver.sys [2003-07-11 14:22]
R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-11-11 15:51]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2007-11-03 01:12]
R2 ANSYS FLEXlm license manager;ANSYS FLEXlm license manager;C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe [2006-03-24 22:34]
R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 17:58]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2007-12-28 03:48]
R3 StreamSurge;StreamSurge Driver (miniport);C:\WINDOWS\system32\DRIVERS\ss.sys [2005-06-18 02:48]
S3 ATICDSDr;ATICDSDr;C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ATICDSDr.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-01-15 13:15]
S3 LfNtSp50;LfNtSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\LfNtSp50.sys [2008-03-09 20:21]
S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []
S3 sea1bus;Sony Ericsson Device 0A1 driver (WDM);C:\WINDOWS\system32\DRIVERS\sea1bus.sys [2006-11-20 13:47]
S3 sea1mdfl;Sony Ericsson Device 0A1 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\sea1mdfl.sys [2006-11-20 13:48]
S3 sea1mdm;Sony Ericsson Device 0A1 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\sea1mdm.sys [2006-11-20 13:48]
S3 sea1mgmt;Sony Ericsson Device 0A1 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\sea1mgmt.sys [2006-11-20 13:49]
S3 sea1nd5;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (NDIS);C:\WINDOWS\system32\DRIVERS\sea1nd5.sys [2006-11-20 13:47]
S3 sea1obex;Sony Ericsson Device 0A1 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\sea1obex.sys [2006-11-20 13:50]
S3 sea1unic;Sony Ericsson Device 0A1 USB Ethernet Emulation SEMCA1 (WDM);C:\WINDOWS\system32\DRIVERS\sea1unic.sys [2006-11-20 13:47]
S4 BBDemon;Backbone Service;"C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\CATSysDemon.exe" -service []
S4 JobManagerService110;Ansys JobManager Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\JobManagerService.exe" [2007-01-16 16:20]
S4 ScriptHostService110;Ansys ScriptHost Service V11;"C:\Program Files\ANSYS Inc\v110\RSM\bin\ScriptHostService.exe" [2007-01-16 16:20]

.
Contents of the 'Scheduled Tasks' folder
"2008-05-22 1009 C:\WINDOWS\Tasks\User_Feed_Synchronization-{D3DECC57-6D38-40B5-8AB4-ECD36CD1EC18}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, https://www.gmer.net
Rootkit scan 2008-05-22 11:14:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
"ImagePath"="C:\WINDOWS\system32\windows"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-22 11:19:52
ComboFix-quarantined-files.txt 2008-05-22 10:19:49
ComboFix2.txt 2008-05-06 17:56:38
ComboFix3.txt 2008-05-06 17:36:31
ComboFix4.txt 2008-01-30 23:56:24

Pre-Run: 18,145,476,608 bytes free
Post-Run: 18,483,269,632 bytes free

425 --- E O F --- 2008-05-16 14:58:44













findlop



Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\Administrator\Application Data

05/03/2008 14:38 <DIR> Adobe
05/03/2008 14:47 <DIR> Grisoft
05/03/2008 14:42 <DIR> Macromedia
0 File(s) 0 bytes
3 Dir(s) 18,513,932,288 bytes free
Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\All Users\Application Data

23/01/2008 21:51 <DIR> Adobe
02/05/2006 21:49 <DIR> Adobe Systems
10/03/2008 20:54 <DIR> Ahead
09/03/2006 17:58 <DIR> Apple Computer
25/02/2008 11:16 <DIR> ATI
27/12/2006 18:50 <DIR> Autodata Limited
12/05/2008 21:23 <DIR> avg7
03/12/2007 11:44 <DIR> Avocent AdminWorks
10/05/2008 22:08 <DIR> Channel4
07/12/2007 13:21 <DIR> CyberLink
01/10/2007 18:37 <DIR> DassaultSystemes
07/11/2006 20:56 <DIR> Defy Store Gram Up
05/03/2008 15:44 <DIR> Grisoft
18/02/2008 11:13 <DIR> IsolatedStorage
21/05/2008 08:14 <DIR> Kaspersky Lab
26/09/2007 01:28 <DIR> Kodak
22/05/2008 11:22 <DIR> Kontiki
01/10/2007 18:53 <DIR> Macrovision
27/03/2008 20:18 <DIR> McNeel
14/05/2008 07:35 <DIR> Microsoft Help
10/03/2008 20:51 <DIR> Nero
13/03/2008 22:50 1,753 QTSBandwidthCache
12/04/2008 11:42 <DIR> Spybot - Search & Destroy
09/05/2008 18:53 <DIR> Symantec
10/05/2008 19:30 <DIR> TEMP
30/11/2007 13:08 <DIR> Virgin Broadband
08/03/2006 20:03 <DIR> Windows Genuine Advantage
27/12/2007 23:11 <DIR> WinZip
29/03/2008 12:03 <DIR> WLInstaller
1 File(s) 1,753 bytes
28 Dir(s) 18,513,928,192 bytes free
Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\James\Application Data

20/04/2008 21:46 <DIR> Adobe
08/08/2006 19:20 <DIR> AdobeUM
22/03/2008 13:07 <DIR> Ahead
18/02/2008 11:22 <DIR> Ansys
09/03/2006 18:59 <DIR> Apple Computer
18/09/2006 21:21 <DIR> ATI
09/05/2008 21:03 <DIR> AVG7
03/12/2007 11:44 <DIR> Avocent AdminWorks
30/09/2007 15:01 <DIR> Azureus
24/03/2008 21:39 <DIR> Canon
09/03/2008 15:21 <DIR> Creative
07/12/2007 13:21 <DIR> CyberLink
01/11/2007 12:11 <DIR> DassaultSystemes
30/09/2007 23:28 <DIR> DivX
05/09/2006 18:31 <DIR> dvdcss
25/11/2007 21:10 <DIR> Earthsim
14/04/2008 16:19 <DIR> EndNote
08/05/2006 10:43 <DIR> Google
29/01/2008 23:46 <DIR> Grisoft
08/03/2006 19:59 <DIR> Help
08/03/2006 18:05 <DIR> Identities
03/12/2007 11:44 <DIR> Intel
13/02/2008 21:02 <DIR> JAM Software
05/05/2008 13:35 <DIR> Juniper Networks
10/06/2006 19:33 <DIR> Macromedia
09/02/2008 22:46 <DIR> MathWorks
09/03/2006 00:36 <DIR> Microsoft Web Folders
10/03/2006 01:33 <DIR> Motive
11/02/2008 15:25 <DIR> Mozilla
04/02/2008 14:51 <DIR> Nero
02/05/2006 22:00 <DIR> Opera
01/03/2008 10:37 <DIR> Plagiarism-Finder
21/12/2007 23:15 22,328 PnkBstrK.sys
19/04/2008 16:12 <DIR> Real
11/02/2008 15:25 <DIR> SecondLife
12/12/2007 04:28 <DIR> sldIM
12/12/2007 04:27 <DIR> SolidWorks
14/10/2007 13:59 <DIR> Sun
01/05/2006 21:04 <DIR> Symantec
14/11/2007 15:37 <DIR> Template
17/10/2007 17:31 <DIR> TVU Networks
17/05/2006 23:03 <DIR> Unigraphics Solutions
30/11/2007 13:08 <DIR> Virgin Broadband
15/06/2006 10:41 <DIR> vlc
15/11/2007 11:46 1,776 wklnhst.dat
2 File(s) 24,104 bytes
43 Dir(s) 18,513,924,096 bytes free
Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\Default User\Application Data

08/03/2006 17:48 <DIR> .
08/03/2006 17:48 <DIR> ..
08/03/2006 17:48 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 18,513,924,096 bytes free
Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\LocalService\Application Data

Volume in drive C has no label.
Volume Serial Number is D03A-16ED

Directory of C:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'User_Feed_Synchronization-{D3DECC57-6D38-40B5-8AB4-ECD3
6CD1EC18}.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\system32\msfeedssync.exe'
Parameters: 'sync'
WorkingDirectory: 'C:\Program Files\Internet Explorer'
Comment: 'Updates out-of-date system feeds.'
Creator: 'James'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 05/22/2008 1100
NextRun: 05/22/2008 20:38:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

2 Triggers

Trigger 0:
Type: Once
StartDate: 05/22/2008
EndDate: 00/00/0000
StartTime: 20:38
MinutesDuration: 202
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: Daily
DaysInterval: 1
StartDate: 05/23/2008
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 5
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0













extra



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Creative\SBAudigy2ZS\Program\SETUP.EXE" /S /U /W
--> C:\PROGRA~1\ntl\BROADB~1\Uninstall.exe ntl
--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F5C40EC6-E027-4A6E-96FA-8CE130A584C4}
--> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{107254A0-0ADF-11D4-9397-00D0B7020B38}\setup.exe"
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{169F8893-C1C5-4847-972C-EA1E008112AC}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{236FADD8-58FD-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{435E969D-867E-4364-8E74-3DC8A69C5BDB}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5210ED6D-52A9-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7201B853-5833-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{77ACE67A-0D21-4CEF-8A97-ED20A61B978B}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF5F498-7FB5-11D6-9963-00A0C92C4EC3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8EF5F498-7FB5-11D6-9963-00A0C92C4EC3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9154ED7C-926E-49CC-B677-0CF3C5267457}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9A4D2983-4662-4387-BE3D-4CFC2FA9C100}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{A1185190-514F-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{AC157741-3285-4D6A-B934-9174587A3493}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B3549608-69D3-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D8BE2E7E-C3DA-49DE-8624-5C907D91ACEF}\Setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{DEBD7BF3-5856-11D6-A285-00A0CC51B2FE}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FB2292C6-1F0A-11D7-AB2D-0090271A23A2}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{FD851F7E-F887-405D-9E1C-488811113EF3}\setup.exe" -l0x9 /remove
--> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0015-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0016-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0018-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0019-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001A-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001B-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0409-0000-0000000FF1CE} /uninstall {3EC77D26-799B-4CD8-914F-C1565E796173}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-040C-0000-0000000FF1CE} /uninstall {430971B1-C31E-45DA-81E0-72C095BAB72C}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-001F-0C0A-0000-0000000FF1CE} /uninstall {F7A31780-33C4-4E39-951A-5EC9B91D7BF1}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {BEE75E01-DD3F-4D5F-B96C-609E6538D419}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0044-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-006E-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00A1-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-00BA-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0114-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0115-0409-0000-0000000FF1CE} /uninstall {FAD8A83E-9BAC-4179-9268-A35948034D85}
2007 Microsoft Office Suite Service Pack 1 (SP1) --> msiexec /package {90120000-0117-0409-0000-0000000FF1CE} /uninstall {4CA4ECC1-DBD4-4591-8F4C-AA12AD2D3E59}
360 USB2.0 [email protected] --> C:\WINDOWS\CleanTrb.exe C:\WINDOWS\DC3150.txt
4oD --> MsiExec.exe /I {8B7443F5-E141-42A0-AB61-ED2331AAD606}
Action Sats Learning Spelling --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Action Sats Learning\Spelling\Uninst.isu"
Adobe Common File Installer --> MsiExec.exe /I{8EDBA74D-0686-4C99-BFDD-F894678E5B39}
Adobe Digital Editions --> C:\Documents and Settings\James\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\digita...ditions2x0.exe -uninstall
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Help Center 1.0 --> MsiExec.exe /I{E9787678-1033-0000-8E67-000000000001}
Adobe Photoshop CS2 --> msiexec /I {236BB7C4-4419-42FD-0409-1E257A25E34D}
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe Shockwave Player --> MsiExec.exe /X{43BFB9E2-169C-46A9-BB81-141A37FD9750}
Adobe Stock Photos 1.0 --> MsiExec.exe /I{BC467935-A9A5-4D0F-BD89-94F36CDF0524}
ANSYS Products 11.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{127F1FD4-43BB-4428-8B2A-70539F4B6F1F}\setup.exe" -l0x9 -removeonly
ANSYS Remote Solve Manager (RSM) 11.0 --> MsiExec.exe /I{1B611B02-BCB6-4D2C-AD7C-F7370B272853}
Apollo DVD Copy 4.8.21 --> "C:\Program Files\Apollo DVD Copy\unins000.exe"
ATI - Software Uninstall Utility --> C:\Program Files\ATI Technologies\UninstallAll\AtiCimUn.exe
ATI Catalyst Control Center --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{055EE59D-217B-43A7-ABFF-507B966405D8}\setup.exe" -l0x0
ATI Control Panel --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}\setup.exe"
ATI Display Driver --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,[email protected] -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
ATI HydraVision --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}\setup.exe"
ATI Parental Control & Encoder --> MsiExec.exe /I{8D70145A-3BD3-4DBF-9CBF-223EF4A43257}
AVG 7.5 --> C:\Program Files\Grisoft\AVG7\setup.exe /UNINSTALL
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AWP 11.0 CATIAV5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{065121AF-D8ED-4D41-B40B-5AC8C4DCD35B}\setup.exe" -l0x9 -removeonly -ALLOW32ONX64
BearShare --> C:\PROGRA~1\BEARSH~1\UNWISE.EXE C:\PROGRA~1\BEARSH~1\INSTALL.LOG
Belkin Bluetooth Software --> MsiExec.exe /X{3F4EC965-28EF-45C3-B063-04B25D4E9679}
Belkin Wireless G Plus MIMO USB Network Adapter --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\Belkin\F5D9050\Setup.exe" -l0x9
BitLord 1.1 --> C:\Program Files\BitLord\uninst.exe
broadband medic --> C:\WINDOWS\Motive\ntl\MCCUninst.exe
Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall
CardRecovery --> C:\PROGRA~1\CARDRE~1\UNWISE.EXE C:\PROGRA~1\CARDRE~1\INSTALL.LOG
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
Creative Audio Console --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B9AE66C-2A8F-4FB2-85D7-416AFFAE8408}\setup.exe" -l0x9 /remove
Creative System Information --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{87499F38-FD69-4A2B-B41A-BAB8DE9B94FE}\setup.exe" -l0x9 /remove
Dassault Systemes Software B16 --> "C:\Program Files\Dassault Systemes\B16\intel_a\code\bin\Uninstall.exe" "C:\Program Files\Dassault Systemes\B16" "CODE" "GUI" "B16" "0"
DivX Codec --> C:\Program Files\DivX\DivXCodecUninstall.exe /CODEC
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Converter --> C:\Program Files\DivX\DivXConverterUninstall.exe /CONVERTER
DivX Player --> C:\Program Files\DivX\DivXPlayerUninstall.exe /PLAYER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
DockWare for SmartPhone --> "C:\Program Files\Microsoft ActiveSync\DockWare PHN\Remove.exe" DockWare PHN
Emerald M3DK --> C:\PROGRA~1\M3DK\UNWISE.EXE C:\PROGRA~1\M3DK\INSTALL.LOG
EndNote X Volume License Edition --> MsiExec.exe /I{FE4BD9BD-4A26-4F39-B12C-19336204B102}
Far Cry --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\9\INTEL3~1\IDriver.exe /M{D6DBDC2A-E72C-4284-B6AD-6B3B61B4DABC}
Graph Paper Printer 5.4.0.2 --> "C:\Program Files\GraphPap\unins000.exe"
Half-Life(R) 2 --> MsiExec.exe /I{D45EC259-4A19-4656-B588-C2C360DD18EA}
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Image Resizer Powertoy for Windows XP --> MsiExec.exe /I{1CB92574-96F2-467B-B793-5CEB35C40C29}
Intel(R) Desktop Utilities --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{DE1FD294-CF2A-4936-92F4-B1B778371627}
Intel(R) PRO Network Adapters and Drivers --> Prounstl.exe
Intel(R) PROSet for Wired Connections --> MsiExec.exe /I{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}
ISI ResearchSoft - Export Helper --> C:\PROGRA~1\COMMON~1\Risxtd\_UNINST.EXE
iTunes --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{54C0D94A-F467-4ABC-9D02-6E58748668D4} /l1033
Java 2 Runtime Environment Standard Edition v1.3.1_04 --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\JavaSoft\JRE\1.3.1_04\Uninst.isu"
Java(TM) 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Juniper Networks Network Connect 6.0.0 --> "C:\Program Files\Juniper Networks\Network Connect 6.0.0\uninstall.exe"
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
MATLAB R2007b --> C:\Program Files\MATLAB\R2007b\uninstall\uninstall.exe C:\Program Files\MATLAB\R2007b\
Microsoft ActiveSync 3.7 --> "C:\WINDOWS\ISUNINST.EXE" -f"C:\Program Files\Microsoft ActiveSync\DeIsL1.isu" -c"C:\Program Files\Microsoft ActiveSync\ceuninst.dll"
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Money Essentials --> "C:\Program Files\Microsoft Money Plus\MNYCoreFiles\Setup\uninst.exe" /s:120
Microsoft Money Shared Libraries --> MsiExec.exe /X{7F1B3341-A94E-4F5C-B587-CA0EB964221E}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Project 2007 Service Pack 1 (SP1) --> msiexec /package {90120000-00B4-0409-0000-0000000FF1CE} /uninstall {75EC8FFC-B913-4991-B3A1-22576D2FC45D}
Microsoft Office Project 2007 Service Pack 1 (SP1) --> msiexec /package {91120000-003B-0000-0000-0000000FF1CE} /uninstall {C1877F6E-C1C8-486D-A697-86431029690C}
Microsoft Office Project MUI (English) 2007 --> MsiExec.exe /X{90120000-00B4-0409-0000-0000000FF1CE}
Microsoft Office Project Professional 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall PRJPROR /dll OSETUP.DLL
Microsoft Office Project Professional 2007 --> MsiExec.exe /X{91120000-003B-0000-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Silverlight --> MsiExec.exe /I{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}
Microsoft SQL Server 2005 Compact Edition [ENU] --> MsiExec.exe /I{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft VC80 Support DLLs --> MsiExec.exe /I{342F5437-C87D-4BB5-89B9-B23E16C6A395}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA8}
Microsoft Works --> MsiExec.exe /I{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}
MSXML 6.0 Parser (KB933579) --> MsiExec.exe /I{0A869A65-8C94-4F7C-A5C7-972D3C8CED9E}
Need for Speed Underground 2 --> C:\Program Files\EA GAMES\Need for Speed Underground 2\EAUninstall.exe
Nero 7 Ultra Edition --> MsiExec.exe /X{A20A58C4-6784-4B4B-86CC-94E2E3671033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Panda ActiveScan 2.0 --> C:\Program Files\Panda Security\ActiveScan 2.0\as2uninst.exe
PC Inspector smart recovery --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9A87D86-FDFD-418B-BF96-EF09320973B3}\Setup.exe" -l0x9
PeerGuardian 2.0 --> "C:\Program Files\PeerGuardian2\unins000.exe"
PHOENICS 2006 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{62EF7B32-E668-11DA-B663-0050042EDB2F}\setup.exe"
PowerDVD Ultra --> "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -l0x000409 /z-uninstall
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{C21D5524-A970-42FA-AC8A-59B8C7CDCA31} /l1033
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Rhinoceros 4.0 --> MsiExec.exe /I{5C2CBFFD-FC3B-4AA9-993B-CE2B8DA25B87}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Microsoft Office Publisher 2007 (KB950114) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F9C3CDBA-1F00-4D4D-959D-75C9D3ACDD85}
Security Update for Microsoft Office system 2007 (KB951808) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {8F375E11-4FD6-4B89-9E2B-A76D48B51E00}
Security Update for Microsoft Office Word 2007 (KB950113) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {AD72BABE-C733-4FCF-9674-4314466191B9}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Security Update for Visio 2007 (KB947590) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {6BAD036C-261F-4BEF-96CF-C20678D07A41}
Shockwave --> C:\WINDOWS\system32\Macromed\SHOCKW~2\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~2\INSTALL.LOG
Solid Edge V17 --> MsiExec.exe /I{3036EFC0-226E-455E-A757-E12518E6443B}
Sound Blaster Audigy 2 ZS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{9E2514D9-DC24-4634-B348-61F3EF0F1628}\SETUP.EXE" -l0x9
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Spybot - Search & Destroy 1.5.2.20 --> "C:\WINDOWS\unins000.exe"
SpywareBlaster 4.0 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Steam(TM) --> MsiExec.exe /X{048298C9-A4D3-490B-9FF9-AB023A9238F3}
Symantec Technical Support Web Controls --> MsiExec.exe /X{C4868E88-F5B5-4E45-9592-C7062BD97441}
The Italian Job --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B58561BB-0425-458C-B9C4-44618814BA70}\setup.exe" -l0x9
Update for Office 2007 (KB946691) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Office 2007 (KB946691) --> msiexec /package {91120000-003B-0000-0000-0000000FF1CE} /uninstall {A420F522-7395-4872-9882-C591B4B92278}
Update for Outlook 2007 Junk Email Filter (kb950378) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {F6296086-AED5-4EC0-938B-08EA0254F20E}
Update Service --> C:\Program Files\Sony Ericsson\Update Service\uninst.exe
VCRedistSetup --> MsiExec.exe /I{3921A67A-5AB1-4E48-9444-C71814CF3027}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
Windows Media Connect --> "C:\WINDOWS\$NtUninstallWMCSetup$\spuninst\spuninst.exe"
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Rights Management Client Backwards Compatibility SP2 --> MsiExec.exe /X{EC905264-BCFE-423B-9C42-C3A106266790}
Windows Rights Management Client with Service Pack 2 --> MsiExec.exe /X{BDCF27CA-BFC4-4F49-8D24-A925C9505AB8}
Windows XP Service Pack 3 --> "C:\WINDOWS\$NtServicePackUninstall$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip --> "C:\Program Files\WinZip\WINZIP32.EXE" /uninstall
XML Paper Specification Shared Components Pack 1.0 -->
XMLinst --> MsiExec.exe /I{EA23971F-2CEE-48FC-B64D-7F74A6EF90F0}


-- End of Deckard's System Scanner: finished at 2008-05-22 11:28:08 ------------










Thanks,
James
jwarren2k2 is offline  
Old 05-22-2008, 01:34 PM   #7
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi James,

I have a few things for you to do. Please copy this page to Notepad and save to your desktop for reference as you should not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the sequence listed below.

***************************************************

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O3 - Toolbar: (no name) - {37B85A29-692B-4205-9CAD-2626E4993404} - (no file)
O20 - AppInit_DLLs: WIKI.DLL


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad.

Quote:
@echo off
sc stop MSControlService
sc delete MSControlService
exit
Save this as del.bat Choose to "Save type as - All Files"
It should look like this:

Double click del.bat. A window will open and close. This is normal.

-------------------------------------------------------------------------

Open notepad and copy/paste the entire text inside the quote box below: (don't forget to copy and paste REGEDIT4)


Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\system\ControlSet003\Services\MSControlService]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tempreg]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
[-HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

Save the file as "delete.reg". Make sure to save it with the quotes. Choose to "Save type as - All Files"
It should look like this:

Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following folder by right clicking and selecting 'Delete':

C:\Documents and Settings\All Users\Application Data\ Defy Store Gram Up


--------------------------------------------------------------------

Reboot your system.

--------------------------------------------------------------------

I still see quite a few entries for Symantec AV and Firewall.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Symantec Technical Support Web Controls

-------------------------------------------------------------------

Here is a guide for uninstalling Norton, including uninstallers. Be sure to use the uninstaller for the version of Norton/Symantec that is active on your system.

-------------------------------------------------------------------

If System Restore is still giving you that message, download querySvc.exe to your Desktop.

Double click the .exe to run the tool and please post the contents of that report.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-23-2008, 04:33 AM   #8
Guest
 
Join Date: May 2008
Posts: 13
OS:



Thanks for that help.

I have carried out all steps you advised, again, one straight after another with no other operations in between.

I am still receiving that message when trying to open system restore.

I ran the query.exe, and this is the report:




Query.exe Report


------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- eapsvcs - eaphost
- dot3svc - dot3svc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, napagent, hkmsvc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: BITS : Background Intelligent Transfer Service
STOPPED: DEMAND_START: dmserver : Logical Disk Manager
STOPPED: DEMAND_START: Dot3svc : Wired AutoConfig
STOPPED: DEMAND_START: EapHost : Extensible Authentication Protocol Service
STOPPED: DEMAND_START: hkmsvc : Health Key and Certificate Management Service
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: napagent : Network Access Protection Agent
STOPPED: DEMAND_START: NtmsSvc : Removable Storage
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access
STOPPED: DISABLED: WebClient : WebClient

------ SVCHOST CURRENTLY RUNNING:

1164- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1228- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1288- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- Browser : Computer Browser
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- FastUserSwitchingCompatibility : Fast User Switching Compatibility
- helpsvc : Help and Support
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- W32Time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates
- WZCSVC : Wireless Zero Configuration

1340- C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
- WudfSvc : Windows Driver Foundation - User-mode Driver Framework

1492- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

1572- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- SSDPSRV : SSDP Discovery Service

2492- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 2
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

LanmanServer = 1
RUNNING: Browser: Computer Browser

LanmanWorkstation = 5
RUNNING: Browser: Computer Browser
STOPPED: Alerter: Alerter
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 2
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: RasAuto: Remote Access Auto Connection Manager

winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 57
RUNNING: AudioSrv: Windows Audio
RUNNING: Avg7Alrt: AVG7 Alert Manager Server
RUNNING: Avg7UpdSvc: AVG7 Update Service
RUNNING: AVGEMS: AVG E-mail Scanner
RUNNING: CryptSvc: Cryptographic Services
RUNNING: dsNcService: Juniper Network Connect Service
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RUNNING: helpsvc: Help and Support
RUNNING: KService: KService
RUNNING: MDM: Machine Debug Manager
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RichVideo: Cyberlink RichVideo Service(CRVS)
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: wscsvc: Security Center
RUNNING: WZCSVC: Wireless Zero Configuration
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: Dot3svc: Wired AutoConfig
STOPPED: EapHost: Extensible Authentication Protocol Service
STOPPED: HidServ: Human Interface Device Access
STOPPED: hkmsvc: Health Key and Certificate Management Service
STOPPED: iPodService: iPodService
STOPPED: Messenger: Messenger
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: napagent: Network Access Protection Agent
STOPPED: NBService: NBService
STOPPED: NetSvc: Intel NCS NetService
STOPPED: NMIndexingService: NMIndexingService
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RSVP: QoS RSVP
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: usnjsvc: Messenger Sharing Folders USN Journal Reader service
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: xmlprov: Network Provisioning Service

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

eaphost = 1
STOPPED: Dot3svc: Wired AutoConfig









Thanks,
James
jwarren2k2 is offline  
Old 05-23-2008, 08:44 AM   #9
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



James, let's try reinstalling System Restore.

Click Start>Run and copy/paste the following into the Run box and click OK:

rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf

If the 'Files Needed' dialog box appears, click Browse and point to the i386 folder on the Windows XP CD or to the i386 folder on the hard drive, if it exists.

For systems updated with the Service Pack 2 or 3 CD, or downloaded from Microsoft, browse to the C:\Windows\ServicePackFiles\i386 folder.

The retail version of Windows XP (SP2) also contains the latest version of the files needed.


Reboot and try System Restore.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 05-24-2008, 08:21 AM   #10
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi,

I tried the above, but System Restore still doesn't work!

I do really appreciate your help on this, so thank you very much!

James
jwarren2k2 is offline  
Old 05-24-2008, 10:35 AM   #11
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



You're welcome.

Please run the querySvc.exe again and post the results here.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-03-2008, 04:21 PM   #12
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi, sorry for the late reply, I've been away for a while!

Here is the log for the Query.exe you asked for:










------ REGISTRY:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
- HTTPFilter - HTTPFilter
- LocalService - Alerter, WebClient, LmHosts, RemoteRegistry, upnphost, SSDPSRV
- NetworkService - DnsCache
- DcomLaunch - DcomLaunch, TermService
- rpcss - RpcSs
- imgsvc - StiSvc
- termsvcs - TermService
- WudfServiceGroup - WUDFSvc
- eapsvcs - eaphost
- dot3svc - dot3svc
- netsvcs - 6to4, AppMgmt, AudioSrv, Browser, CryptSvc, DMServer, DHCP, ERSvc, EventSystem, FastUserSwitchingCompatibility, HidServ, Ias, Iprip, Irmon, LanmanServer, LanmanWorkstation, Messenger, Netman, Nla, Ntmssvc, NWCWorkstation, Nwsapagent, Rasauto, Rasman, Remoteaccess, Schedule, Seclogon, SENS, Sharedaccess, SRService, Tapisrv, Themes, TrkWks, W32Time, WZCSVC, Wmi, WmdmPmSp, winmgmt, wscsvc, xmlprov, BITS, wuauserv, ShellHWDetection, helpsvc, WmdmPmSN, napagent, hkmsvc

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

------ SVCHOST SERVICES NOT RUNNING

STOPPED: DEMAND_START: AppMgmt : Application Management
STOPPED: DEMAND_START: BITS : Background Intelligent Transfer Service
STOPPED: DEMAND_START: dmserver : Logical Disk Manager
STOPPED: DEMAND_START: Dot3svc : Wired AutoConfig
STOPPED: DEMAND_START: EapHost : Extensible Authentication Protocol Service
STOPPED: DEMAND_START: hkmsvc : Health Key and Certificate Management Service
STOPPED: DEMAND_START: HTTPFilter : HTTP SSL
STOPPED: DEMAND_START: napagent : Network Access Protection Agent
STOPPED: DEMAND_START: NtmsSvc : Removable Storage
STOPPED: DEMAND_START: RasAuto : Remote Access Auto Connection Manager
STOPPED: DEMAND_START: upnphost : Universal Plug and Play Device Host
STOPPED: DEMAND_START: WmdmPmSN : Portable Media Serial Number Service
STOPPED: DEMAND_START: xmlprov : Network Provisioning Service
STOPPED: DISABLED: Alerter : Alerter
STOPPED: DISABLED: HidServ : Human Interface Device Access
STOPPED: DISABLED: Messenger : Messenger
STOPPED: DISABLED: RemoteAccess : Routing and Remote Access
STOPPED: DISABLED: WebClient : WebClient

------ SVCHOST CURRENTLY RUNNING:

1160- C:\WINDOWS\system32\svchost -k DcomLaunch
- DcomLaunch : DCOM Server Process Launcher
- TermService : Terminal Services

1220- C:\WINDOWS\system32\svchost -k rpcss
- RpcSs : Remote Procedure Call (RPC)

1260- C:\WINDOWS\System32\svchost.exe -k netsvcs
- AudioSrv : Windows Audio
- Browser : Computer Browser
- CryptSvc : Cryptographic Services
- Dhcp : DHCP Client
- ERSvc : Error Reporting Service
- EventSystem : COM+ Event System
- FastUserSwitchingCompatibility : Fast User Switching Compatibility
- helpsvc : Help and Support
- lanmanserver : Server
- lanmanworkstation : Workstation
- Netman : Network Connections
- Nla : Network Location Awareness (NLA)
- RasMan : Remote Access Connection Manager
- Schedule : Task Scheduler
- seclogon : Secondary Logon
- SENS : System Event Notification
- SharedAccess : Windows Firewall/Internet Connection Sharing (ICS)
- ShellHWDetection : Shell Hardware Detection
- TapiSrv : Telephony
- Themes : Themes
- TrkWks : Distributed Link Tracking Client
- W32Time : Windows Time
- winmgmt : Windows Management Instrumentation
- wscsvc : Security Center
- wuauserv : Automatic Updates
- WZCSVC : Wireless Zero Configuration

1292- C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
- WudfSvc : Windows Driver Foundation - User-mode Driver Framework

1460- C:\WINDOWS\system32\svchost.exe -k NetworkService
- Dnscache : DNS Client

1568- C:\WINDOWS\system32\svchost.exe -k LocalService
- LmHosts : TCP/IP NetBIOS Helper
- SSDPSRV : SSDP Discovery Service

2152- C:\WINDOWS\system32\svchost.exe -k imgsvc
- stisvc : Windows Image Acquisition (WIA)

------ SVCHOST SUB-DEPENDENTS

HTTPFilter = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

upnphost = 1
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

SSDPSRV = 2
STOPPED: upnphost: Universal Plug and Play Device Host
STOPPED: WMPNetworkSvc: Windows Media Player Network Sharing Service

DMServer = 1
STOPPED: dmadmin: Logical Disk Manager Administrative Service

EventSystem = 1
RUNNING: SENS: System Event Notification

LanmanServer = 1
RUNNING: Browser: Computer Browser

LanmanWorkstation = 5
RUNNING: Browser: Computer Browser
STOPPED: Alerter: Alerter
STOPPED: Messenger: Messenger
STOPPED: Netlogon: Net Logon
STOPPED: RpcLocator: Remote Procedure Call (RPC) Locator

Netman = 1
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)

Rasman = 1
STOPPED: RasAuto: Remote Access Auto Connection Manager

Tapisrv = 2
RUNNING: RasMan: Remote Access Connection Manager
STOPPED: RasAuto: Remote Access Auto Connection Manager

winmgmt = 2
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: wscsvc: Security Center

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

RpcSs = 57
RUNNING: AudioSrv: Windows Audio
RUNNING: Avg7Alrt: AVG7 Alert Manager Server
RUNNING: Avg7UpdSvc: AVG7 Update Service
RUNNING: AVGEMS: AVG E-mail Scanner
RUNNING: CryptSvc: Cryptographic Services
RUNNING: dsNcService: Juniper Network Connect Service
RUNNING: ERSvc: Error Reporting Service
RUNNING: EventSystem: COM+ Event System
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility
RUNNING: helpsvc: Help and Support
RUNNING: KService: KService
RUNNING: MDM: Machine Debug Manager
RUNNING: Netman: Network Connections
RUNNING: PolicyAgent: IPSEC Services
RUNNING: ProtectedStorage: Protected Storage
RUNNING: RasMan: Remote Access Connection Manager
RUNNING: RichVideo: Cyberlink RichVideo Service(CRVS)
RUNNING: SamSs: Security Accounts Manager
RUNNING: Schedule: Task Scheduler
RUNNING: SENS: System Event Notification
RUNNING: SharedAccess: Windows Firewall/Internet Connection Sharing (ICS)
RUNNING: ShellHWDetection: Shell Hardware Detection
RUNNING: Spooler: Print Spooler
RUNNING: stisvc: Windows Image Acquisition (WIA)
RUNNING: TapiSrv: Telephony
RUNNING: TermService: Terminal Services
RUNNING: TrkWks: Distributed Link Tracking Client
RUNNING: usnjsvc: Messenger Sharing Folders USN Journal Reader service
RUNNING: winmgmt: Windows Management Instrumentation
RUNNING: wscsvc: Security Center
RUNNING: WZCSVC: Wireless Zero Configuration
STOPPED: BITS: Background Intelligent Transfer Service
STOPPED: CiSvc: Indexing Service
STOPPED: COMSysApp: COM+ System Application
STOPPED: dmadmin: Logical Disk Manager Administrative Service
STOPPED: dmserver: Logical Disk Manager
STOPPED: Dot3svc: Wired AutoConfig
STOPPED: EapHost: Extensible Authentication Protocol Service
STOPPED: HidServ: Human Interface Device Access
STOPPED: hkmsvc: Health Key and Certificate Management Service
STOPPED: iPodService: iPodService
STOPPED: Messenger: Messenger
STOPPED: MSDTC: Distributed Transaction Coordinator
STOPPED: MSIServer: Windows Installer
STOPPED: napagent: Network Access Protection Agent
STOPPED: NBService: NBService
STOPPED: NetSvc: Intel NCS NetService
STOPPED: NMIndexingService: NMIndexingService
STOPPED: NtmsSvc: Removable Storage
STOPPED: RasAuto: Remote Access Auto Connection Manager
STOPPED: RDSessMgr: Remote Desktop Help Session Manager
STOPPED: RemoteAccess: Routing and Remote Access
STOPPED: RSVP: QoS RSVP
STOPPED: SwPrv: MS Software Shadow Copy Provider
STOPPED: VSS: Volume Shadow Copy
STOPPED: WmiApSrv: WMI Performance Adapter
STOPPED: xmlprov: Network Provisioning Service

TermService = 1
RUNNING: FastUserSwitchingCompatibility: Fast User Switching Compatibility

eaphost = 1
STOPPED: Dot3svc: Wired AutoConfig













Thanks,
James
jwarren2k2 is offline  
Old 06-03-2008, 06:15 PM   #13
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Welcome back, James.

Going back a bit to this:
Quote:
Originally Posted by Ried
let's try reinstalling System Restore.

Click Start>Run and copy/paste the following into the Run box and click OK:

rundll32.exe advpack.dll,LaunchINFSection C:\Windows\Inf\sr.inf

If the 'Files Needed' dialog box appears, click Browse and point to the i386 folder on the Windows XP CD or to the i386 folder on the hard drive, if it exists.

For systems updated with the Service Pack 2 or 3 CD, or downloaded from Microsoft, browse to the C:\Windows\ServicePackFiles\i386 folder.

The retail version of Windows XP (SP2) also contains the latest version of the files needed.


Reboot and try System Restore.
Quote:
tried the above, but System Restore still doesn't work!
Do you recall what happened when you did try that? Did you receive any error messages?

---------------------------------------------------------

2 reports I'd like to see:

Go to Start > Run - type in eventvwr <Press Enter>



This is a picture of what the event viewer looks like.
You will see Application, Security & System listed in the left pane.
  1. In the left pane click on Application.
  2. Click the gray title Type at the top of the source name column in the right pane to sort by type name
    Look for Error & double-click on the most recent 10, and evaluate the event description for any indication of the cause of the problem.
  3. Make note of the Description, EventID and Source of these Event Properties.
  4. From the right pane, doubleclick on the line where it says error & you should get a window like the example below





  5. In the upper right corner of this picture, you should see 2 arrows. One is pointing up & the other, pointing down.
    There is another button below the 2 arrows. Click once on it. (this will copy some information to clipboard)
  6. Open notepad & paste the info in there. This will copy the event information to the clipboard. Paste the information for each event here

Repeat steps 1-6 for System

------------------------------------------------

Run a new scan with dss.exe and post the main.txt it produces.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-04-2008, 04:17 AM   #14
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi,

The error I get is shown in the screen shot below.






I did the things you said, but none of the top 10 where SYSTEM, so I haven't done the dss.exe log, if you still want me to, then I will.

Here is a screen shot of the top 10 errors;










Thanks,
James
jwarren2k2 is offline  
Old 06-04-2008, 06:00 AM   #15
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi James,

1. The screenshot of the Event Viewer does not provide me with the information I need. Please look at the steps I listed for you in my previous post.


Quote:
tried the above, but System Restore still doesn't work!

Do you recall what happened when you did try that? Did you receive any error messages?
2. What I meant was - when you tried to reinstall System Restore, did you receive any error messages during that procedure?

3. Yes, I still would like to see a new main.txt from dss.exe
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-05-2008, 02:42 AM   #16
Guest
 
Join Date: May 2008
Posts: 13
OS:



Hi,

Sorry, I didn't read you post properly yesterday!
Right, i think I've done it properly now!


When I tried to re-install system restore, there were no errors, in fact, there was nothing at all. It came up with the box in the top left corner when installing, then once it was complete, it just disappeared, no confirmation or anything. This may be normal though.


Just to let you know, my second hard disk (doesnt have windows installed) wasnt too healthy yesterday, so I ran a check disk on it and it seems fine now, but I think alot of the "errors" for the "System" are to do with this. I hope it doesn't detract from what you need?





The top ten errors for Application and System are below;



APPLICATION



Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 04/06/2008
Time: 20:05:51
User: N/A
Computer: JAMESPUKKAPC
Description:
Fault bucket 734037209.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 37 33 34 30 33 37 32 30 73403720
0010: 39 0d 0a 9..



Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 04/06/2008
Time: 20:05:44
User: N/A
Computer: JAMESPUKKAPC
Description:
Hanging application explorer.exe, version 6.0.2900.5512, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 65 78 70 6c 6f 72 explor
0018: 65 72 2e 65 78 65 20 36 er.exe 6
0020: 2e 30 2e 32 39 30 30 2e .0.2900.
0028: 35 35 31 32 20 69 6e 20 5512 in
0030: 68 75 6e 67 61 70 70 20 hungapp
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 30 30 30 30 30 30 t 000000
0050: 30 30 00



Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 03/06/2008
Time: 23:53:15
User: N/A
Computer: JAMESPUKKAPC
Description:
Fault bucket 337816799.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 33 33 37 38 31 36 37 39 33781679
0010: 39 0d 0a 9..



Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 03/06/2008
Time: 23:52:50
User: N/A
Computer: JAMESPUKKAPC
Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 77 6d 70 6c 61 79 wmplay
0018: 65 72 2e 65 78 65 20 31 er.exe 1
0020: 31 2e 30 2e 35 37 32 31 1.0.5721
0028: 2e 35 31 34 35 20 69 6e .5145 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000



Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 03/06/2008
Time: 23:46:45
User: N/A
Computer: JAMESPUKKAPC
Description:
Fault bucket 337816799.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 33 33 37 38 31 36 37 39 33781679
0010: 39 0d 0a 9..



Event Type: Error
Event Source: Application Hang
Event Category: None
Event ID: 1001
Date: 03/06/2008
Time: 23:46:10
User: N/A
Computer: JAMESPUKKAPC
Description:
Fault bucket 337816799.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 42 75 63 6b 65 74 3a 20 Bucket:
0008: 33 33 37 38 31 36 37 39 33781679
0010: 39 0d 0a 9..




Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 03/06/2008
Time: 23:46:06
User: N/A
Computer: JAMESPUKKAPC
Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 77 6d 70 6c 61 79 wmplay
0018: 65 72 2e 65 78 65 20 31 er.exe 1
0020: 31 2e 30 2e 35 37 32 31 1.0.5721
0028: 2e 35 31 34 35 20 69 6e .5145 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000


Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 03/06/2008
Time: 23:46:04
User: N/A
Computer: JAMESPUKKAPC
Description:
Hanging application wmplayer.exe, version 11.0.5721.5145, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 77 6d 70 6c 61 79 wmplay
0018: 65 72 2e 65 78 65 20 31 er.exe 1
0020: 31 2e 30 2e 35 37 32 31 1.0.5721
0028: 2e 35 31 34 35 20 69 6e .5145 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000




Event Type: Error
Event Source: Application Hang
Event Category: (101)
Event ID: 1002
Date: 20/05/2008
Time: 20:27:50
User: N/A
Computer: JAMESPUKKAPC
Description:
Hanging application iexplore.exe, version 7.0.6000.16640, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 48 61 6e 67 ion Hang
0010: 20 20 69 65 78 70 6c 6f iexplo
0018: 72 65 2e 65 78 65 20 37 re.exe 7
0020: 2e 30 2e 36 30 30 30 2e .0.6000.
0028: 31 36 36 34 30 20 69 6e 16640 in
0030: 20 68 75 6e 67 61 70 70 hungapp
0038: 20 30 2e 30 2e 30 2e 30 0.0.0.0
0040: 20 61 74 20 6f 66 66 73 at offs
0048: 65 74 20 30 30 30 30 30 et 00000
0050: 30 30 30 000





Event Type: Error
Event Source: MsiInstaller
Event Category: None
Event ID: 11904
Date: 16/05/2008
Time: 17:03:15
User: JAMESPUKKAPC\James
Computer: JAMESPUKKAPC
Description:
Product: 4oD -- Error 1904.Module C:\WINDOWS\system32\Macromed\Flash\Flash9d.ocx failed to register. HRESULT -2147220473. Contact your support personnel.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 7b 38 42 37 34 34 33 46 {8B7443F
0008: 35 2d 45 31 34 31 2d 34 5-E141-4
0010: 32 41 30 2d 41 42 36 31 2A0-AB61
0018: 2d 45 44 32 33 33 31 41 -ED2331A
0020: 41 44 36 30 36 7d AD606}














SYSTEM


Event Type: Error
Event Source: ipnathlp
Event Category: None
Event ID: 32003
Date: 05/06/2008
Time: 09:15:40
User: N/A
Computer: JAMESPUKKAPC
Description:
The Network Address Translator (NAT) was unable to request an operation of the kernel-mode translation module. This may indicate misconfiguration, insufficient resources, or an internal error. The data is the error code.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 1f 00 00 00 ....






Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date: 05/06/2008
Time: 09:15:35
User: N/A
Computer: JAMESPUKKAPC
Description:
The CSS DVP service failed to start due to the following error:
The system cannot find the file specified.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.






Event Type: Error
Event Source: ati2mtag
Event Category: CRT
Event ID: 45062
Date: 05/06/2008
Time: 09:14:03
User: N/A
Computer: JAMESPUKKAPC
Description:
CRT invalid display type
Data:
0000: 00 00 00 00 01 00 5a 00 ......Z.
0008: 2c 00 00 00 06 b0 00 c0 ,.....
0010: 00 00 00 00 00 00 00 00 ........
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 00 00 00 00 00 00 00 ........






Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:34
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 4e 05 bf 00 00 00 00 .N.....
0028: 6a 56 05 00 00 00 00 00 jV......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 38 7f 14 00 f8 b3 68 87 8..h
0058: 00 00 00 00 28 cb b2 85 ....(˲
0060: 02 00 00 00 a7 82 5f 00 ...._.
0068: 28 00 00 5f 82 a7 00 00 (.._..
0070: 08 00 00 00 00 00 00 00 ........
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........











Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:29
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 de 04 bf 00 00 00 00 ......
0028: 62 55 05 00 00 00 00 00 bU......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 08 80 46 03 f8 b3 68 87 .F.h
0058: 00 00 00 00 28 cb b2 85 ....(˲
0060: 02 00 00 00 6f 82 5f 00 ....o_.
0068: 28 00 00 5f 82 6f 00 00 (.._o..
0070: 80 00 00 00 00 00 00 00 .......
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........




Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:21
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 5e 80 be 00 00 00 00 .^....
0028: 5f 53 05 00 00 00 00 00 _S......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 08 80 46 03 f8 b3 68 87 .F.h
0058: 00 00 00 00 28 cb b2 85 ....(˲
0060: 02 00 00 00 2f 40 5f 00 ..../@_.
0068: 28 00 00 5f 40 2f 00 00 ([email protected]/..
0070: 80 00 00 00 00 00 00 00 .......
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........




Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:17
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 ae fd bd 00 00 00 00 .....
0028: 52 52 05 00 00 00 00 00 RR......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 38 7f 14 00 f8 b3 68 87 8..h
0058: 00 00 00 00 28 cb b2 85 ....(˲
0060: 02 00 00 00 d7 fe 5e 00 ....^.
0068: 28 00 00 5e fe d7 00 00 (..^..
0070: 08 00 00 00 00 00 00 00 ........
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........








Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:13
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 4e fd bd 00 00 00 00 .N....
0028: 4c 51 05 00 00 00 00 00 LQ......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 08 80 46 03 78 ca 6f 87 .F.xo
0058: 00 00 00 00 f8 88 6e 87 ....n
0060: 02 00 00 00 a7 fe 5e 00 ....^.
0068: 28 00 00 5e fe a7 00 00 (..^..
0070: 80 00 00 00 00 00 00 00 .......
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........










Event Type: Error
Event Source: Disk
Event Category: None
Event ID: 7
Date: 04/06/2008
Time: 21:27:09
User: N/A
Computer: JAMESPUKKAPC
Description:
The device, \Device\Harddisk1\D, has a bad block.

For more information, see Help and Support Center at https://go.microsoft.com/fwlink/events.asp.
Data:
0000: 03 00 68 00 01 00 b6 00 ..h....
0008: 00 00 00 00 07 00 04 c0 .......
0010: 00 01 00 00 9c 00 00 c0 ......
0018: 00 00 00 00 00 00 00 00 ........
0020: 00 4e 87 bd 00 00 00 00 .N....
0028: 42 50 05 00 00 00 00 00 BP......
0030: ff ff ff ff 00 00 00 00 ....
0038: 40 00 00 84 02 00 01 00 @......
0040: 00 20 0a 12 40 03 20 00 . [email protected] .
0048: 00 00 00 00 0a 00 00 00 ........
0050: 38 7f 14 00 f8 b3 68 87 8..h
0058: 00 00 00 00 28 cb b2 85 ....(˲
0060: 02 00 00 00 a7 c3 5e 00 ....^.
0068: 28 00 00 5e c3 a7 00 00 (..^ç..
0070: 08 00 00 00 00 00 00 00 ........
0078: f0 00 03 00 00 00 00 0b .......
0080: 00 00 00 00 00 00 00 00 ........
0088: 00 00 00 00 00 00 00 00 ........











Here is the Main.txt from the dss.exe scan;


MAIN.TXT





Deckard's System Scanner v20071014.68
Run by James on 2008-06-05 09:32:44
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as James.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:32:52, on 05/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\ansyslmd.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Documents and Settings\James\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\James.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Internet Explorer\IEXPLORE.EXE https://www.symantec.com/techsupp/ser...00046.000000b5
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Belkin\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - https://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - https://by105fd.bay105.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - https://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - https://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - https://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://uhvpn.herts.ac.uk/dana-cache...erSetupSP1.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ANSYS FLEXlm license manager - Macrovision Corporation - C:\PROGRA~1\ANSYSI~1\SHARED~1\LICENS~1\Intel\lmgrd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\Belkin\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 9413 bytes

-- Files created between 2008-05-05 and 2008-06-05 -----------------------------

2008-06-04 20:01:44 81920 --a------ C:\WINDOWS\ALCFDRTM.EXE <Not Verified; Realtek Semiconductor Corp.; Realtek ALCFDRTM>
2008-06-04 20:01:08 0 d-------- C:\WINDOWS\system32\Lang
2008-06-04 18:23:35 0 d-------- C:\WINDOWS\system32\RTCOM
2008-06-04 10:12:56 0 d-------- C:\WINDOWS\I386
2008-05-11 16:03:32 2120 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-10 22:08:41 0 d-------- C:\Program Files\Kontiki
2008-05-10 22:08:40 0 d-------- C:\Program Files\Channel4
2008-05-10 22:08:40 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2008-05-10 22:08:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Channel4
2008-05-09 19:35:32 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-09 17:34:20 0 d-------- C:\WINDOWS\Prefetch
2008-05-09 17:24:39 0 d-------- C:\WINDOWS\system32\scripting
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\system32\en
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\system32\bits
2008-05-09 17:24:38 0 d-------- C:\WINDOWS\l2schemas
2008-05-09 14:25:59 0 d-------- C:\I386
2008-05-06 19:02:34 0 d-------- C:\Program Files\Trend Micro
2008-05-06 18:26:57 68096 --a------ C:\WINDOWS\zip.exe
2008-05-06 18:26:57 49152 --a------ C:\WINDOWS\VFind.exe
2008-05-06 18:26:57 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-05-06 18:26:57 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-05-06 18:26:57 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-05-06 18:26:57 98816 --a------ C:\WINDOWS\sed.exe
2008-05-06 18:26:57 80412 --a------ C:\WINDOWS\grep.exe
2008-05-06 18:26:57 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-05-06 10:04:42 0 d-------- C:\Program Files\Panda Security
2008-05-05 13:35:23 0 d-------- C:\Documents and Settings\LocalService\Application Data\Juniper Networks
2008-05-05 13:35:14 0 d-------- C:\Program Files\Juniper Networks
2008-05-05 13:33:12 0 d-------- C:\Documents and Settings\James\Application Data\Juniper Networks


-- Find3M Report ---------------------------------------------------------------

2008-06-04 20:05:39 0 d-------- C:\Program Files\PeerGuardian2
2008-06-04 20:04:50 0 d-------- C:\Program Files\Common Files
2008-06-01 21:21:19 0 d-------- C:\Documents and Settings\James\Application Data\Canon
2008-05-23 11:23:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-05-09 21:03:21 0 d-------- C:\Documents and Settings\James\Application Data\AVG7
2008-05-09 17:24:53 0 d-------- C:\Program Files\Messenger
2008-05-09 17:24:37 0 d-------- C:\Program Files\Movie Maker
2008-05-09 17:21:59 0 d-------- C:\Program Files\Windows NT
2008-04-20 21:46:41 0 d-------- C:\Documents and Settings\James\Application Data\Adobe
2008-04-19 16:14:27 0 d-------- C:\Program Files\Common Files\xing shared
2008-04-19 16:14:06 0 d-------- C:\Program Files\Common Files\Real
2008-04-19 16:12:52 0 d-------- C:\Program Files\Real
2008-04-19 16:12:52 0 d-------- C:\Documents and Settings\James\Application Data\Real
2008-04-14 16:19:06 0 d-------- C:\Documents and Settings\James\Application Data\EndNote
2008-04-14 16:18:57 0 d-------- C:\Program Files\EndNote X
2008-04-14 16:17:20 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-12 11:41:33 2547 --a------ C:\WINDOWS\unins000.dat
2008-04-12 11:34:48 691545 --a------ C:\WINDOWS\unins000.exe
2008-03-09 15:21:59 409600 --a------ C:\WINDOWS\system32\wrap_oal.dll <Not Verified; Creative Labs; Creative Labs OpenAL32>
2008-03-09 15:21:59 86016 --a------ C:\WINDOWS\system32\OpenAL32.dll <Not Verified; Portions (C) Creative Labs Inc. and NVIDIA Corp.; Standard OpenAL(TM) Library>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [11/05/2000 02:00]
"F5D9050"="C:\Program Files\Belkin\F5D9050\Belkinwcui.exe" [20/07/2006 06:55]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [15/04/2008 10:40]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/09/2006 20:13]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"SoundMan"="SOUNDMAN.EXE" [21/09/2005 10:24 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [21/09/2005 15:32 C:\WINDOWS\ALCWZRD.EXE]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 18:43 C:\WINDOWS\ALCMTR.EXE]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [03/02/2004 06:42]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [23/04/2007 11:23]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
@=C:\Program Files\Internet Explorer\IEXPLORE.EXE https://www.symantec.com/techsupp/ser...00046.000000b5

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Norton SystemWorks"="C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcoholAutomount]
"C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\awTray.exe]
"C:\Program Files\Intel\IDU\awtray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDRegion]
C:\Program Files\Cyberlink\Shared Files\brs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CtxfiReg]
CTXFIREG.exe /FAIL1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
C:\Program Files\ATI Technologies\ATI HydraVision\HydraDM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipTray.exe]
"C:\Program Files\Intel\IDU\iptray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBKeyScan]
"C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRONoMgrWired]
C:\Program Files\Intel\PROSetWired\NCS\PROSet\PRONoMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tweak UI]
RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"CiSvc"=3 (0x3)
"WLSetupSvc"=3 (0x3)
"ScriptHostService110"=2 (0x2)
"NMIndexingService"=3 (0x3)
"KService"=2 (0x2)
"JobManagerService110"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"CLTNetCnService"=2 (0x2)
"BBDemon"=2 (0x2)
"AWService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - GTNDIS5



-- End of Deckard's System Scanner: finished at 2008-06-05 09:35:50 ------------










Thanks,
James
jwarren2k2 is offline  
Old 06-05-2008, 08:58 AM   #17
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Download GMER Rootkit Scanner from here or here.

Unzip it to your Desktop.

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Click the Scan button and let the program do its work. It will produce a log.
  • Copy the log using the Copy button
  • Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it, and post the log in this thread.
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-06-2008, 04:59 PM   #18
Guest
 
Join Date: May 2008
Posts: 13
OS:



The GMER log;



GMER 1.0.14.14536 - https://www.gmer.net
Rootkit scan 2008-06-06 23:58:32
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT sptd.sys ZwCreateKey [0xF744D0D0]
SSDT sptd.sys ZwEnumerateKey [0xF7452FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF7453340]
SSDT sptd.sys ZwOpenKey [0xF744D0B0]
SSDT sptd.sys ZwQueryKey [0xF7453418]
SSDT sptd.sys ZwQueryValueKey [0xF7453298]
SSDT sptd.sys ZwSetValueKey [0xF74534AA]

---- Kernel code sections - GMER 1.0.14 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6DAD8AC 5 Bytes JMP 875BE518
? System32\Drivers\ahn3atta.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A1712 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1693 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A16D7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A161F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A1659 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A174D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3396] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F746406C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7464018] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F74869AE] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F746406C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F744DAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F744DC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F744DB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F744E748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F744E61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F746329A] sptd.sys

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 877CC1E8

AttachedDevice \FileSystem\Ntfs \Ntfs OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \FileSystem\Fastfat \FatCdrom 85F6C790
Device \Driver\Tcpip \Device\Ip avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 8755F1E8
Device \Driver\usbuhci \Device\USBPDO-1 8755F1E8
Device \Driver\usbuhci \Device\USBPDO-2 8755F1E8
Device \Driver\usbuhci \Device\USBPDO-3 8755F1E8
Device \Driver\usbehci \Device\USBPDO-4 875731E8
Device \Driver\Tcpip \Device\Tcp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\Ftdisk \Device\HarddiskVolume1 877621E8
Device \Driver\PCI_NTPNP5620 \Device\00000064 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 877621E8
Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \Driver\Cdrom \Device\CdRom0 8743E5D0
Device \Driver\Ftdisk \Device\HarddiskVolume3 877621E8
Device \Driver\Cdrom \Device\CdRom1 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \Driver\Cdrom \Device\CdRom1 8743E5D0
Device \Driver\Cdrom \Device\CdRom2 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \Driver\Cdrom \Device\CdRom2 8743E5D0
Device \Driver\NetBT \Device\NetBt_Wins_Export 863B9790
Device \Driver\NetBT \Device\NetbiosSmb 863B9790
Device \Driver\Tcpip \Device\Udp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{BD782189-7E3E-4C59-9FDB-A828569EE313} 863B9790
Device \Driver\Tcpip \Device\RawIp avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8755F1E8
Device \Driver\usbuhci \Device\USBFDO-1 8755F1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9CA25959-EB3E-4A59-9AC7-8C79FBA7463C} 863B9790
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85F621E8
Device \Driver\Tcpip \Device\IPMULTICAST avgtdi.sys (AVG Network connection watcher/GRISOFT, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-2 8755F1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 85F621E8
Device \Driver\usbuhci \Device\USBFDO-3 8755F1E8
Device \Driver\Ftdisk \Device\FtControl 877621E8
Device \Driver\usbehci \Device\USBFDO-4 875731E8
Device \Driver\ahn3atta \Device\Scsi\ahn3atta1Port4Path0Target0Lun0 874181E8
Device \Driver\ahn3atta \Device\Scsi\ahn3atta1 874181E8
Device \FileSystem\Fastfat \Fat 85F6C790

AttachedDevice \FileSystem\Fastfat \Fat OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)

Device \FileSystem\Cdfs \Cdfs 873AE2F8

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] 0xA7 0x50 0x52 0x12 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0xBF 0xAC 0x43 0x68 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\[email protected] 0x30 0xD6 0x55 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] 0x83 0x38 0x19 0x67 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0xBF 0xAC 0x43 0x68 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\[email protected] 0x44 0x7E 0xC9 0x5B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1227612868
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1066906043
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\[email protected] 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] 0x83 0x38 0x19 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0xBF 0xAC 0x43 0x68 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\[email protected] 0x44 0x7E 0xC9 0x5B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] 0x83 0x38 0x19 0x67 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\[email protected] C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\[email protected] 0xBF 0xAC 0x43 0x68 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\[email protected] 0x44 0x7E 0xC9 0x5B ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]@\aŠ\nm\5\x2018|\1\ImageUploader4.ocx 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\[email protected]\xa0Œ\x2030\am\5\x2018|\1\ImageUploader4.ocx 1

---- EOF - GMER 1.0.14 ----










James
jwarren2k2 is offline  
Old 06-07-2008, 12:13 PM   #19
TSF Security Manager
Emeritus
 
Ried's Avatar

Microsoft Most Valuable Professional
 
Join Date: Jan 2005
Location: Ohio
Posts: 42,837
OS: WinXP Home, Vista, Windows 7 64bit



Hi James,

I'm not finding any malware here. As such, you would be better served discussing this issue in the Windows XP Support section of this forum.

It would be a good idea to link them to this thread so they can see all the steps taken.

Also let them know that we've tried reinstalling System Restore in Post #9
__________________
Member of UNITE since 2006

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Ried is offline  
Old 06-08-2008, 03:24 AM   #20
Guest
 
Join Date: May 2008
Posts: 13
OS:



OK, well, I would like to thank you for all of your help anyway, I really appreciate the time and effort you have put into helping me out.


Thanks again,
James
jwarren2k2 is offline  
 

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 10:54 AM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts