Tech Support Forum banner

PC and network slowdown, high CPU usage too

2279 Views 4 Replies 2 Participants Last post by  chemist
Hiya guys,

after doing what i coudl to try and get rid of this i have come to teh end of my wits. I have found that somehow even with ym reg blocker etc that i have managed to become infected with (at least) WIN32.gael.3666 and that i am experiencing massive slow downs on my PC and network.
From what i can see i now have too many svchosts in my processes but getting rid of them from Vista ultimate isnt as easy as it used to be on XP (well not for me anyway)
Also with this being my day to day laptop i am sceptical to just reinstall as i have a lot of data that i will need to carry over to a new build so would prefer to stop the threat in the first place.
Nothing wierd happening with PC, no silly pop ups or anything but what i have seen is that Outlook sometimes says it is sending 2 mails when i have only a single mail to one person, this is what prompted me to look into things and while Symantec has been finding some DWHxxxx.tmp files it sticks them into quarantine and thats it but the fact i see replicating files it worries me even more.
You will find the DDS.txt below and the other two zipped up like specified (as long as i have done it right)


DDS (Ver_09-05-14.01) - NTFSx86
Run by Andy at 15:44:48.69 on 18/05/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.2046.788 [GMT 1:00]

AV: Symantec AntiVirus *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: The Shield Deluxe 2009 Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Symantec AntiVirus *enabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\QuesCom\Management Console\QWAlerter\QWAlerter.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Webroot\WebrootSecurity\SpySweeper.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k HPService
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\FlashGet\flashget.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Windows\stsystra.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
C:\Program Files\SpeedFan\speedfan.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\svchost.exe -k WindowsMobile
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Program Files\CCleaner\CCleaner.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Andy\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: FGCatchUrl: {2f364306-aa45-47b5-9f9d-39a8b94e7ef7} - c:\program files\flashget\jccatch.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FlashGet GetFlash Class: {f156768e-81ef-470c-9057-481ba8380dba} - c:\program files\flashget\getflash.dll
uRun: [DAEMON Tools] "c:\program files\daemon tools\daemon.exe" -lang 1033
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [AWMON] "c:\program files\norman\norman ad-aware se plus\Ad-Watch.exe"
uRun: [Fraps] "c:\fraps\FRAPS.EXE"
mRun: [Windows Defender] "%ProgramFiles%\Windows Defender\MSASCui.exe" -hide
mRun: [SynTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] "c:\progra~1\symant~1\VPTray.exe"
mRun: [Flashget] "c:\program files\flashget\FlashGet.exe" /min
mRun: [NWEReboot]
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Auto Run Software for Photo Frame]
mRun: [SigmatelSysTrayApp] "stsystra.exe"
mRun: [NvSvc] "RUNDLL32.EXE" c:\windows\system32\nvsvc.dll,nvsvcStart
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] "RUNDLL32.EXE" c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [NVHotkey] "rundll32.exe" c:\windows\system32\nvHotkey.dll,Start
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\users\andy\appdata\roaming\micros~1\windows\startm~1\programs\startup\buffal~1.lnk - c:\program files\buffalo\nasnavi\NasNavi.exe
StartupFolder: c:\users\andy\appdata\roaming\micros~1\windows\startm~1\programs\startup\speedf~1.lnk - c:\program files\speedfan\speedfan.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: &Download All with FlashGet - c:\program files\flashget\jc_all.htm
IE: &Download with FlashGet - c:\program files\flashget\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - c:\program files\flashget\FlashGet.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_03\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www1.snapfish.co.uk/SnapfishUKActivia.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-24-0.cab
DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader3.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} - hxxps://secure.logmein.com/activex/ractrl.cab?lmi=100
TCP: {A0EF7E3F-789A-4DB1-A286-FA16733DCD4F} = 208.67.220.220,156.154.70.1
TCP: {E8162D65-8F59-417D-8AFC-4AC8ADB38C54} = 208.67.220.220,62.6.40.162
STS: Windows DreamScene: {e31004d1-a431-41b8-826f-e902f9d95c81} - %SystemRoot%\System32\DreamScene.dll

============= SERVICES / DRIVERS ===============

R0 ssfs0bbc;ssfs0bbc;c:\windows\system32\drivers\ssfs0bbc.sys [2009-4-2 29808]
R1 fanio;FanIO driver;c:\windows\system32\drivers\fanio.sys [2007-10-10 14464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
R2 QWAlerter;QWAlerter;c:\program files\quescom\management console\qwalerter\QWAlerter.exe [2007-8-15 86016]
R3 DUSBTAWAN;Psion Dacom ISDN NDISWAN;c:\windows\system32\drivers\dusbwan.sys [2007-8-17 23479]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-3-6 101936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2006-11-2 167936]
S3 Camdrv30;Philips ToUcam XS;c:\windows\system32\drivers\camdrv30.sys [2001-8-17 171264]
S3 DTA128;Psion Dacom Gold Port ISDN;c:\windows\system32\drivers\dusbta2k.sys [2007-8-17 127949]
S3 Kwari.xLoader;Kwari.xLoader;c:\users\andy\appdata\local\micro forte\kwari\kwari.xloader.32 --> c:\users\andy\appdata\local\micro forte\kwari\Kwari.xLoader.32 [?]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-11-28 122008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\system32\drivers\WSDPrint.sys [2008-9-11 16896]

============== File Associations ===============

vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*

=============== Created Last 30 ================

2009-05-18 15:35 <DIR> --d----- c:\users\andy\appdata\roaming\Webroot
2009-05-18 15:09 81,984 a------- c:\windows\system32\bdod.bin
2009-05-18 14:27 <DIR> --d----- c:\program files\Trend Micro
2009-05-18 12:50 946 a------- c:\windows\system32\BDUpdateV1.xml
2009-05-18 12:40 850 a------- c:\windows\system32\ProductTweaks.xml
2009-05-18 12:40 385 a------- c:\windows\system32\user_gensett.xml
2009-05-18 12:27 <DIR> --d----- c:\program files\MSSOAP
2009-05-18 12:27 <DIR> --d----- c:\program files\common files\MSSoap
2009-05-18 12:27 <DIR> --d----- c:\programdata\Webroot
2009-05-18 12:27 <DIR> --d----- c:\program files\Webroot
2009-05-18 12:27 <DIR> --d----- c:\progra~2\Webroot
2009-05-18 12:19 164 a------- c:\windows\install.dat
2009-05-18 12:13 <DIR> --d----- c:\users\andy\appdata\roaming\BitDefender
2009-05-18 12:12 <DIR> --d----- c:\programdata\BitDefender
2009-05-18 12:12 <DIR> --d----- c:\program files\PCSecurityShield
2009-05-18 12:12 <DIR> --d----- c:\progra~2\BitDefender
2009-05-18 12:10 <DIR> --d----- c:\program files\common files\BitDefender
2009-05-14 10:43 107,368 a------- c:\windows\system32\GEARAspi.dll
2009-05-14 10:43 23,400 a------- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-14 10:43 <DIR> --d----- c:\program files\iPod
2009-05-14 10:42 <DIR> --d----- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 10:42 <DIR> --d----- c:\program files\iTunes
2009-05-14 10:42 <DIR> --d----- c:\progra~2\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 10:35 <DIR> --d----- c:\program files\Bonjour
2009-04-24 12:25 <DIR> --d----- c:\program files\File And MP3 Tag Renamer
2009-04-21 16:30 <DIR> --d----- c:\programdata\FLEXnet
2009-04-21 15:16 <DIR> --d----- c:\program files\common files\Macrovision Shared

==================== Find3M ====================

2009-05-15 12:07 213,128 a------- c:\users\andy\appdata\roaming\nvModes.dat
2009-05-14 10:40 51,200 a------- c:\windows\inf\infpub.dat
2009-05-14 10:40 143,360 a------- c:\windows\inf\infstrng.dat
2009-05-14 10:40 86,016 a------- c:\windows\inf\infstor.dat
2009-04-02 14:30 176,752 a------- c:\windows\system32\drivers\ssidrv.sys
2009-04-02 14:30 23,152 a------- c:\windows\system32\drivers\sshrmd.sys
2009-04-02 14:30 29,808 a------- c:\windows\system32\drivers\ssfs0bbc.sys
2009-03-26 15:23 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2009-03-26 15:23 36,864 a------- c:\windows\system32\drivers\usbaapl.sys
2009-01-22 00:40 44 ----h--- c:\program files\206246e1.tmp
2008-12-19 13:37 174 a--sh--- c:\program files\desktop.ini
2008-12-19 13:17 665,600 a------- c:\windows\inf\drvindex.dat
2008-03-15 19:17 22,328 a------- c:\users\andy\appdata\roaming\PnkBstrK.sys
2008-01-28 12:03 557,056 a------- c:\users\andy\GoToAssist_phone__319_en.exe
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfi.dat
2006-11-02 13:40 287,440 a------- c:\windows\inf\perflib\0409\perfh.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfd.dat
2006-11-02 13:40 30,674 a------- c:\windows\inf\perflib\0409\perfc.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 10:20 287,440 a------- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 10:20 30,674 a------- c:\windows\inf\perflib\0000\perfc.dat
2008-07-27 16:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-07-27 16:28 32,768 a--sh--- c:\windows\serviceprofiles\localservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-07-27 16:28 16,384 a--sh--- c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\windows\cookies\index.dat
2008-12-19 01:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\history\history.ie5\index.dat
2008-12-19 01:47 32,768 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\windows\temporary internet files\content.ie5\index.dat
2008-12-19 01:47 16,384 a--sh--- c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\windows\cookies\index.dat
2007-02-21 20:50 8,192 a--sh--- c:\windows\users\default\NTUSER.DAT

============= FINISH: 15:45:31.87 ===============

Attachments

See less See more
Status
Not open for further replies.
1 - 5 of 5 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Your hard drive is almost full.

C: is FIXED (NTFS) - 100 GiB total, 6.487 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 0.529 GiB free.
Having too little free space on your hard drive can compromise system performance. I suggest you move pictures, music, etc. to an external drive or USB stick if you have one and uninstall any programs that are never or hardly ever used.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
See less See more
Hiya,

i have removed a lot of the old games i had on my system and now much better. You will find the results from Combofix.exe below: What i will say is that even before removing the old games my CPU usage has gone back to normal. I have done nothing that i know of..apart from try and get rid of SPy sweeper(which i cant as some reg entries are undeletable) But looking through the results i can see a lot of registry entries for software that i no longer have, i regularly run Crap cleaner and am told these are fixed but lookign again i can see that there is loads.
Anyway:

ComboFix 09-05-20.A1 - Andy 21/05/2009 16:33.1 - NTFSx86
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.44.1033.18.2046.1008 [GMT 1:00]
Running from: c:\users\Andy\Desktop\ComboFix.exe
AV: Symantec AntiVirus *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
AV: The Shield Deluxe 2009 Antivirus *On-access scanning disabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
SP: Symantec AntiVirus *disabled* (Updated) {6C85A515-B91D-4D2B-AF18-40984A4A8493}
SP: The Shield Deluxe 2009 Antispyware *disabled* (Updated) {8B2012EC-32D4-494F-BC03-832DB3BDF911}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\X64
c:\windows\system32\X64\License.rtf
c:\windows\system32\X64\Readme.txt
c:\windows\system32\X64\setup.exe
c:\windows\system32\X86
c:\windows\system32\X86\License.rtf
c:\windows\system32\X86\Readme.txt
c:\windows\system32\X86\setup.exe

.
((((((((((((((((((((((((( Files Created from 2009-04-21 to 2009-05-21 )))))))))))))))))))))))))))))))
.

2009-05-21 15:39 . 2009-05-21 15:39 -------- d-----w c:\users\Andy\AppData\Local\temp
2009-05-21 15:39 . 2009-05-21 15:39 -------- d-----w c:\users\Games\AppData\Local\temp
2009-05-18 14:09 . 2009-05-18 14:09 81984 ----a-w c:\windows\system32\bdod.bin
2009-05-18 13:27 . 2009-05-18 13:27 -------- d-----w c:\program files\Trend Micro
2009-05-18 11:27 . 2009-05-18 11:27 -------- d-----w c:\program files\MSSOAP
2009-05-18 11:27 . 2009-05-18 14:35 -------- d-----w c:\programdata\Webroot
2009-05-18 11:27 . 2009-05-18 14:35 -------- d-----w c:\users\All Users\Webroot
2009-05-18 11:27 . 2009-05-18 11:27 -------- d-----w c:\program files\Webroot
2009-05-18 11:19 . 2009-05-18 11:19 164 ----a-w c:\windows\install.dat
2009-05-18 11:13 . 2009-05-18 11:13 -------- d-----w c:\users\Andy\AppData\Roaming\BitDefender
2009-05-18 11:12 . 2009-05-18 11:39 -------- d-----w c:\programdata\BitDefender
2009-05-18 11:12 . 2009-05-18 11:39 -------- d-----w c:\users\All Users\BitDefender
2009-05-18 11:12 . 2009-05-18 11:12 -------- d-----w c:\program files\PCSecurityShield
2009-05-18 11:10 . 2009-05-18 14:12 -------- d-----w c:\program files\Common Files\BitDefender
2009-05-18 11:03 . 2009-05-18 11:04 -------- d-----w c:\windows\BDOSCAN8
2009-05-14 09:43 . 2008-04-17 11:12 107368 ----a-w c:\windows\system32\GEARAspi.dll
2009-05-14 09:43 . 2009-03-19 15:32 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-14 09:43 . 2009-05-14 09:43 -------- d-----w c:\program files\iPod
2009-05-14 09:42 . 2009-05-14 09:43 -------- d-----w c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 09:42 . 2009-05-14 09:43 -------- d-----w c:\users\All Users\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-14 09:42 . 2009-05-14 09:43 -------- d-----w c:\program files\iTunes
2009-05-14 09:35 . 2009-05-14 09:35 -------- d-----w c:\program files\Bonjour
2009-04-24 11:25 . 2009-04-24 11:28 -------- d-----w c:\program files\File And MP3 Tag Renamer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 14:03 . 2007-08-16 06:59 213128 ----a-w c:\users\Andy\AppData\Roaming\nvModes.dat
2009-05-20 12:34 . 2007-08-15 16:12 7160 ----a-w c:\users\Andy\AppData\Local\d3d9caps.dat
2009-05-14 09:43 . 2008-06-29 09:58 -------- d-----w c:\program files\Common Files\Apple
2009-05-14 09:40 . 2006-11-02 10:25 51200 ----a-w c:\windows\inf\infpub.dat
2009-05-14 09:40 . 2006-11-02 10:25 86016 ----a-w c:\windows\inf\infstor.dat
2009-05-14 09:40 . 2006-11-02 10:25 143360 ----a-w c:\windows\inf\infstrng.dat
2009-04-30 16:12 . 2009-03-27 19:07 -------- d-----w c:\program files\PokerStars
2009-04-21 14:31 . 2007-08-15 16:13 105840 ----a-w c:\users\Andy\AppData\Local\GDIPFONTCACHEV1.DAT
2009-04-21 14:29 . 2007-08-16 14:40 -------- d-----w c:\program files\Common Files\Adobe
2009-04-21 14:28 . 2009-04-21 14:28 -------- d-----w c:\program files\Adobe Media Player
2009-04-21 14:23 . 2009-04-21 14:23 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-04-21 14:16 . 2009-04-21 14:16 -------- d-----w c:\program files\Common Files\Macrovision Shared
2009-04-16 10:58 . 2009-04-16 10:58 -------- d-----w c:\program files\GIMP-2.0
2009-04-02 13:30 . 2009-04-02 13:30 176752 ----a-w c:\windows\system32\drivers\ssidrv.sys
2009-04-02 13:30 . 2009-04-02 13:30 23152 ----a-w c:\windows\system32\drivers\sshrmd.sys
2009-04-02 13:30 . 2009-04-02 13:30 29808 ----a-w c:\windows\system32\drivers\ssfs0bbc.sys
2009-04-02 09:59 . 2009-04-02 09:58 -------- d-----w c:\program files\Ferrari Virtual Race
2009-03-26 14:23 . 2009-03-26 14:23 36864 ----a-w c:\windows\system32\drivers\usbaapl.sys
2009-03-26 14:23 . 2009-03-26 14:23 1900544 ----a-w c:\windows\system32\usbaaplrc.dll
2009-01-21 23:40 . 2009-01-23 11:40 44 ---h--w c:\program files\206246e1.tmp
2008-12-19 12:37 . 2006-11-02 12:49 174 --sha-w c:\program files\desktop.ini
2007-02-21 19:50 . 2007-02-21 19:50 8192 --sha-w c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="c:\program files\DAEMON Tools\daemon.exe" [2007-04-03 165784]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
"AWMON"="c:\program files\Norman\Norman Ad-Aware SE Plus\Ad-Watch.exe" [2005-06-27 516608]
"Fraps"="c:\fraps\FRAPS.EXE" [2007-07-12 913064]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-11-15 815104]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2006-11-22 107112]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2006-11-28 134808]
"Flashget"="c:\program files\FlashGet\FlashGet.exe" [2007-06-29 1990704]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-10-04 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-04 8497696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-10-04 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-10-04 86016]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-03-24 282624]

c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
BUFFALO NAS Navigator.lnk - c:\program files\BUFFALO\NASNAVI\NasNavi.exe [2007-5-11 1070648]
SpeedFan (2).lnk - c:\program files\SpeedFan\speedfan.exe [2007-2-28 2796544]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-1-2 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnk.Startup
backupExtension=.Startup

[HKLM\~\startupfolder\C:^Users^Andy^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^MemSet.exe.lnk]
path=c:\users\Andy\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MemSet.exe.lnk
backup=c:\windows\pss\MemSet.exe.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2365035102-2755956191-3292100487-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{538841C1-D515-4E8D-9A59-48C6881DD9C9}"= UDP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{31B2E4C5-A7B3-4951-A6DF-C7C7B517D6AF}"= TCP:c:\program files\Symantec AntiVirus\Rtvscan.exe:Symantec Antivirus
"{882A83BB-6222-4539-A331-D2E354CC574A}"= UDP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"{65F8BEB8-1F42-4E5F-A30D-1DDCCF4DBCC9}"= TCP:c:\program files\Common Files\Symantec Shared\ccApp.exe:Symantec Email
"TCP Query User{8056D63A-0246-4AFC-A7BE-8F23BD608C54}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{4B5D65FA-B95C-440B-A168-D93AC5F17C87}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{8498C5F0-0ECD-42F9-8328-BFE8ED802541}c:\\windows\\system32\\mmc.exe"= UDP:c:\windows\system32\mmc.exe:Microsoft Management Console
"UDP Query User{5329325C-512D-423D-8A12-E67BA8E59588}c:\\windows\\system32\\mmc.exe"= TCP:c:\windows\system32\mmc.exe:Microsoft Management Console
"TCP Query User{0EE1E568-103C-40F3-93C7-994E2F41A5B9}c:\\program files\\flashget\\flashget.exe"= UDP:c:\program files\flashget\flashget.exe:FlashGet
"UDP Query User{480BCA3F-7D7F-4174-8344-81D2E1CFCE28}c:\\program files\\flashget\\flashget.exe"= TCP:c:\program files\flashget\flashget.exe:FlashGet
"TCP Query User{4D18CAC6-F513-4445-817B-CB35CB78A2F1}c:\\windows\\system32\\mmc.exe"= UDP:c:\windows\system32\mmc.exe:Microsoft Management Console
"UDP Query User{FEA728C3-F45F-408D-831B-1B8F55F6D710}c:\\windows\\system32\\mmc.exe"= TCP:c:\windows\system32\mmc.exe:Microsoft Management Console
"{066E3788-3CEF-49AB-B5EF-CB52169F0BA3}"= TCP:6004|c:\program files\Microsoft Office\Office12\outlook.exe:Microsoft Office Outlook
"TCP Query User{5C1B62CB-D20E-4C4D-8E31-293D7E1844BE}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{B7419867-C65E-4326-B418-9E11D99E62AC}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{3702EF26-E37F-4E16-9844-9EBB0A0FA0EC}c:\\users\\public\\[pc] test drive unlimited [proper] [rip] [dopeman]\\tdu\\tdu\\testdriveunlimited.exe"= UDP:c:\users\public\[pc] test drive unlimited [proper] [rip] [dopeman]\tdu\tdu\testdriveunlimited.exe:Test Drive Unlimited
"UDP Query User{01AC1678-36BF-4EC5-80E7-F9EF87ED6978}c:\\users\\public\\[pc] test drive unlimited [proper] [rip] [dopeman]\\tdu\\tdu\\testdriveunlimited.exe"= TCP:c:\users\public\[pc] test drive unlimited [proper] [rip] [dopeman]\tdu\tdu\testdriveunlimited.exe:Test Drive Unlimited
"TCP Query User{AEA6A451-33DC-422C-B5CA-DB95C7B24C65}c:\\program files\\codemasters\\dirt\\dirt.exe"= UDP:c:\program files\codemasters\dirt\dirt.exe:DiRT Executable
"UDP Query User{F522198F-F546-490C-A5D6-82D42799CD29}c:\\program files\\codemasters\\dirt\\dirt.exe"= TCP:c:\program files\codemasters\dirt\dirt.exe:DiRT Executable
"TCP Query User{EFF502B6-BEC2-4799-8900-5097F0059691}c:\\program files\\golden fairway\\goldenfairway.exe"= UDP:c:\program files\golden fairway\goldenfairway.exe:Golden Fairway Application
"UDP Query User{AE358A1C-5A9C-4AE8-B193-B4A2064A6187}c:\\program files\\golden fairway\\goldenfairway.exe"= TCP:c:\program files\golden fairway\goldenfairway.exe:Golden Fairway Application
"{0440B88C-B4DD-4985-B4E1-7354477B0782}"= UDP:c:\program files\Ubisoft\Ghost Recon Advanced Warfighter 2\graw2.exe:Ghost Recon Advanced Warfighter® 2
"{1A58EC9B-2710-4C0F-9123-B2F0ED596806}"= TCP:c:\program files\Ubisoft\Ghost Recon Advanced Warfighter 2\graw2.exe:Ghost Recon Advanced Warfighter® 2
"{D07BAACB-E9AC-4438-8B07-90792CB57122}"= UDP:c:\program files\Ubisoft\Ghost Recon Advanced Warfighter 2\graw2_dedicated.exe:Ghost Recon Advanced Warfighter® 2 Dedicated Server
"{264515BF-DEDF-4F4D-B875-CFB52144C44D}"= TCP:c:\program files\Ubisoft\Ghost Recon Advanced Warfighter 2\graw2_dedicated.exe:Ghost Recon Advanced Warfighter® 2 Dedicated Server
"TCP Query User{4CAFF10C-3896-4DB2-91F6-8A72901C9CCD}c:\\program files\\internet explorer\\iexplore.exe"= UDP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{263F3C4F-B959-449A-A70C-B38D66DCA108}c:\\program files\\internet explorer\\iexplore.exe"= TCP:c:\program files\internet explorer\iexplore.exe:Internet Explorer
"TCP Query User{48B7FC1E-C74C-4048-AEF5-8E4EADFF8E4A}c:\\program files\\codemasters\\dirt\\dirt.exe"= UDP:c:\program files\codemasters\dirt\dirt.exe:DiRT Executable
"UDP Query User{5DA221B2-08DA-4A56-8174-7CCA59ED969B}c:\\program files\\codemasters\\dirt\\dirt.exe"= TCP:c:\program files\codemasters\dirt\dirt.exe:DiRT Executable
"TCP Query User{815867B0-51C0-4E90-BC0C-7B1FF49A6AFE}c:\\program files\\java\\jre1.6.0_02\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_02\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{431C9323-7B25-41D1-92DD-89BD552E27F7}c:\\program files\\java\\jre1.6.0_02\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_02\bin\javaw.exe:Java(TM) Platform SE binary
"{3B5E09C7-9425-47CB-820B-C07D1F145E38}"= UDP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"{9FF06716-F892-47AE-924D-603F8A120E00}"= TCP:c:\programdata\NexonUS\NGM\NGM.exe:Nexon Game Manager
"TCP Query User{34E83B86-2F08-4892-AF79-E291C2E97362}c:\\program files\\thq\\motogp 2007\\motogp.exe"= UDP:c:\program files\thq\motogp 2007\motogp.exe:motogp
"UDP Query User{C16A999A-A43D-487C-A440-9AF84D17D794}c:\\program files\\thq\\motogp 2007\\motogp.exe"= TCP:c:\program files\thq\motogp 2007\motogp.exe:motogp
"TCP Query User{2781A180-AAE7-4501-BE47-65A1C784110E}c:\\program files\\thq\\motogp 2007\\motogp.exe"= UDP:c:\program files\thq\motogp 2007\motogp.exe:motogp
"UDP Query User{E7147865-B691-4B5C-A15C-94C6224AA8F9}c:\\program files\\thq\\motogp 2007\\motogp.exe"= TCP:c:\program files\thq\motogp 2007\motogp.exe:motogp
"{87CFA4DA-8A6C-46A9-9E7F-26B7F8D1284B}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"{657734D2-A268-4D7B-BAB0-30E8E49138A7}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis SP Demo\Bin32\Crysis.exe:Crysis_32_sp_demo
"{0243C7CC-F56C-4BF1-BF2A-5A4DB5139098}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{0B8A8ED6-7C18-45E3-9373-80790B7FD6CF}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{E7EE6818-7C49-41E1-BB0C-09B3D30D7547}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{8734CCCB-16CA-41E6-830B-FA3224F69E3E}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{67FB004F-D66C-4DC7-AB21-9FCC75B42882}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{4D2ED11A-8CF4-40FB-8557-C23DD9F8CC59}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{078BD156-654D-404E-9C09-907532B5E93B}c:\\program files\\kontiki\\khost.exe"= UDP:c:\program files\kontiki\khost.exe:Delivery Manager
"UDP Query User{2E244CE5-996B-42D9-A74A-41527C10AFA6}c:\\program files\\kontiki\\khost.exe"= TCP:c:\program files\kontiki\khost.exe:Delivery Manager
"{E9A43507-1C75-471A-97A2-508A0198D653}"= UDP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"{B97695D2-DC0A-4DED-98DF-198DEBCA6F66}"= TCP:c:\program files\Kontiki\KService.exe:Delivery Manager Service
"TCP Query User{321584A6-F868-4219-A553-9416FC94C391}c:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= UDP:c:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"UDP Query User{AFE3539E-E363-47BA-B73E-D942C1C7F65D}c:\\program files\\java\\jre1.6.0_03\\bin\\javaw.exe"= TCP:c:\program files\java\jre1.6.0_03\bin\javaw.exe:Java(TM) Platform SE binary
"{30D212D2-8A04-4B80-8B78-9E1C436D7A78}"= UDP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{C6391F6F-D3EB-447D-A99C-AA0CE6E923DC}"= TCP:c:\windows\System32\PnkBstrA.exe:pnkBstrA
"{4A102778-509C-4C14-B702-7B8C9065FFC1}"= UDP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{DE690B99-7696-4AFB-9E82-F5DD423F1C54}"= TCP:c:\windows\System32\PnkBstrB.exe:pnkBstrB
"{9CA2033B-2EB1-4031-9D3F-71E907276260}"= UDP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"{F08346DD-268F-4059-8CEB-FC27B6922419}"= TCP:c:\program files\Activision\Call of Duty 4 - Modern Warfare\iw3mp.exe:Call of Duty(R) 4 - Modern Warfare(TM)
"TCP Query User{8C6F3104-58B5-44CE-B846-76CA4AFCABD8}c:\\program files\\smart dialer\\smart dialer.exe"= UDP:c:\program files\smart dialer\smart dialer.exe:Smart Dialer Application
"UDP Query User{AB4BF376-A931-48A5-872A-F6F7E4891858}c:\\program files\\smart dialer\\smart dialer.exe"= TCP:c:\program files\smart dialer\smart dialer.exe:Smart Dialer Application
"TCP Query User{12889E35-9C18-44E2-97D9-4AF58B55D855}c:\\program files\\activision\\call of duty 4 - modern warfare\\iw3mp.exe"= UDP:c:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"UDP Query User{25E30F84-B0E8-43C5-BCF5-B349E8E398C4}c:\\program files\\activision\\call of duty 4 - modern warfare\\iw3mp.exe"= TCP:c:\program files\activision\call of duty 4 - modern warfare\iw3mp.exe:iw3mp
"TCP Query User{3F481D7E-57E8-4388-8EC4-17922F28C3DB}c:\\program files\\konami\\pro evolution soccer 2008\\pes2008.exe"= UDP:c:\program files\konami\pro evolution soccer 2008\pes2008.exe:pro Evolution Soccer 2008
"UDP Query User{FE36EB4B-3208-4D9F-B7F8-C2AEF2790FB8}c:\\program files\\konami\\pro evolution soccer 2008\\pes2008.exe"= TCP:c:\program files\konami\pro evolution soccer 2008\pes2008.exe:pro Evolution Soccer 2008
"TCP Query User{F6121C70-4648-414E-BEC9-C1E80AD8EDB9}c:\\program files\\secway\\simplite-msn 2.2\\simplite-msn.exe"= UDP:c:\program files\secway\simplite-msn 2.2\simplite-msn.exe:SimpLite-MSN
"UDP Query User{8D091261-4053-4598-AEF1-530EB2A6B6BD}c:\\program files\\secway\\simplite-msn 2.2\\simplite-msn.exe"= TCP:c:\program files\secway\simplite-msn 2.2\simplite-msn.exe:SimpLite-MSN
"TCP Query User{2C938378-2AC1-4C95-9DE9-C5018E333869}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{B9957AF1-334E-4B1C-A7E6-DD2B18C11221}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"TCP Query User{980CBC56-568E-4C6B-80BD-716CCF3A22DF}c:\\users\\andy\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= UDP:c:\users\andy\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"UDP Query User{526A4E3B-9882-4A03-B789-2E60871A2E55}c:\\users\\andy\\appdata\\local\\micro forte\\kwari\\kwari_launcher.exe.part.1"= TCP:c:\users\andy\appdata\local\micro forte\kwari\kwari_launcher.exe.part.1:kwari_launcher.exe.part.1
"{10035928-5E65-46B6-9E04-B83D1F510858}"= UDP:c:\program files\CommTraffic\CommTraffic.exe:CommTraffic Console
"{6E69B588-592E-48F6-9767-E7512B1535A8}"= TCP:c:\program files\CommTraffic\CommTraffic.exe:CommTraffic Console
"{4F5E48BC-1CCF-487F-B745-94E8DCF9F000}"= UDP:c:\program files\CommTraffic\CTserv.exe:CommTraffic Service
"{3D2DC6BC-55ED-4323-895A-250F93364F70}"= TCP:c:\program files\CommTraffic\CTserv.exe:CommTraffic Service
"{04DBD6AA-6C48-427C-A78A-D782AE3D08A1}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{96401029-E55F-4BB6-B193-E2CE4E375482}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\Crysis.exe:Crysis_32
"{0E73E634-07C0-4A65-B950-C8225D43449F}"= UDP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"{A5C3ADA1-8A5A-4833-ABE1-A2432D0B3A19}"= TCP:c:\program files\Electronic Arts\Crytek\Crysis\Bin32\CrysisDedicatedServer.exe:CrysisDedicatedServer_32
"TCP Query User{62B6268C-04F6-4B28-8E38-62422EAA55F5}c:\\program files\\sjlabs\\sjphone\\sjphone.exe"= UDP:c:\program files\sjlabs\sjphone\sjphone.exe:SJphone
"UDP Query User{DBFF157B-CA3E-48B2-94F9-A863C83D707B}c:\\program files\\sjlabs\\sjphone\\sjphone.exe"= TCP:c:\program files\sjlabs\sjphone\sjphone.exe:SJphone
"TCP Query User{BF5BAB2E-8216-40D0-9858-0BD488608525}c:\\program files\\coreftp\\coreftp.exe"= UDP:c:\program files\coreftp\coreftp.exe:Core FTP App
"UDP Query User{81D8D2A9-14E8-4F2D-B787-19F4497217A4}c:\\program files\\coreftp\\coreftp.exe"= TCP:c:\program files\coreftp\coreftp.exe:Core FTP App
"TCP Query User{CCF38B1B-7950-4378-BCF0-EF935437689A}c:\\team17\\worms2 demo\\worms2.exe"= UDP:c:\team17\worms2 demo\worms2.exe:Worms 2 Frontend Demo
"UDP Query User{253F95A2-3498-4823-8304-42ECF295A986}c:\\team17\\worms2 demo\\worms2.exe"= TCP:c:\team17\worms2 demo\worms2.exe:Worms 2 Frontend Demo
"TCP Query User{063F1A24-5BD2-4C28-8721-77EFE21CB5A7}c:\\program files\\pocket tanks\\pockettanks.exe"= UDP:c:\program files\pocket tanks\pockettanks.exe:pocket Tanks
"UDP Query User{B1331D2D-46FF-416B-AC77-39FB4419F51B}c:\\program files\\pocket tanks\\pockettanks.exe"= TCP:c:\program files\pocket tanks\pockettanks.exe:pocket Tanks
"TCP Query User{6DA25BA0-CF7E-48E5-962B-30CB3F8B44D1}c:\\program files\\hamachi\\hamachi.exe"= UDP:c:\program files\hamachi\hamachi.exe:Hamachi Client
"UDP Query User{BB2E3082-BD68-4BD9-B067-57074F7E50E7}c:\\program files\\hamachi\\hamachi.exe"= TCP:c:\program files\hamachi\hamachi.exe:Hamachi Client
"TCP Query User{3EC7502C-2813-47A8-9D7F-76BA6A244F3E}c:\\program files\\git\\git.exe"= UDP:c:\program files\git\git.exe:Gamer's Internet Tunnel
"UDP Query User{A37C3F32-DD78-490F-8C2D-7DCBE33551CA}c:\\program files\\git\\git.exe"= TCP:c:\program files\git\git.exe:Gamer's Internet Tunnel
"TCP Query User{CD4D2716-E1B9-44FF-BC40-506C377B17C9}c:\\program files\\git\\git.exe"= UDP:c:\program files\git\git.exe:Gamer's Internet Tunnel
"UDP Query User{089740A3-5417-440C-A61F-CE2E5FDD23E9}c:\\program files\\git\\git.exe"= TCP:c:\program files\git\git.exe:Gamer's Internet Tunnel
"TCP Query User{40DB1B76-C0AF-4186-B0E8-86EB3EA9E802}c:\\program files\\real\\realplayer\\realplay.exe"= UDP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"UDP Query User{4AB3CA66-C0E3-4B57-A892-7F45003ECFAE}c:\\program files\\real\\realplayer\\realplay.exe"= TCP:c:\program files\real\realplayer\realplay.exe:RealPlayer
"{0E78E0EE-7DE4-4478-8600-01483E1D1F7D}"= UDP:c:\program files\Brother\Brmfl07a\FAXRX.exe:FAXRX.EXE
"{B0E953E6-7A68-4BF3-8F9E-62F89466D538}"= TCP:c:\program files\Brother\Brmfl07a\FAXRX.exe:FAXRX.EXE
"{E8DB996A-671D-4E47-847C-53D3D404DB35}"= TCP:54925:Brother Network Scanner
"TCP Query User{C336EDE0-FA77-4010-9EC7-0A34AB519B8A}c:\\team17\\worms2 demo\\worms2.exe"= UDP:c:\team17\worms2 demo\worms2.exe:Worms 2 Frontend Demo
"UDP Query User{07BCCEED-928B-4E85-8E10-E5257BFDC176}c:\\team17\\worms2 demo\\worms2.exe"= TCP:c:\team17\worms2 demo\worms2.exe:Worms 2 Frontend Demo
"TCP Query User{30BA208F-F17C-42A8-B125-424DBC67546B}c:\\program files\\tightvnc\\vncviewer.exe"= UDP:c:\program files\tightvnc\vncviewer.exe:vncviewer
"UDP Query User{2FA4C4E3-5160-4E52-8BC3-D40482D0ED4A}c:\\program files\\tightvnc\\vncviewer.exe"= TCP:c:\program files\tightvnc\vncviewer.exe:vncviewer
"{04471579-C6ED-4C43-8AEC-FEFB99F0E84D}"= UDP:c:\program files\Codemasters\GRID\GRID.exe:GRID
"{3987A418-D889-469A-8EC6-FA75A6AEFD77}"= TCP:c:\program files\Codemasters\GRID\GRID.exe:GRID
"TCP Query User{C789918D-19A3-4359-9AF1-F17FD9597CA3}c:\\program files\\codemasters\\grid\\grid.exe"= UDP:c:\program files\codemasters\grid\grid.exe:GRID Executable
"UDP Query User{77EFCC83-0EEF-4677-8532-3BC4C04D262E}c:\\program files\\codemasters\\grid\\grid.exe"= TCP:c:\program files\codemasters\grid\grid.exe:GRID Executable
"{B3B326D3-6DF0-4B13-BB35-5070812DB15C}"= UDP:990:LocalSubnet:LocalSubnet|IF={DEC653FF-8899-4DD2-B4D9-DAFA75AE6160}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{F2AC60A6-6032-460F-A443-A2B2187BBD75}"= Disabled:UDP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{D94B18E3-0BEE-462B-80F6-79F31C34299D}"= Disabled:TCP:e:\setup\HPZNUI01.EXE:hpznui01.exe
"{5AC979CC-329D-4ABA-B205-2B33B69B1896}"= Disabled:UDP:e:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{22C7CA2B-30EF-4089-91C3-43AB7273B46E}"= Disabled:TCP:e:\setup\HPONICIFS01.EXE:hponicifs01.exe
"{E8012A72-7719-4A31-8C68-27DEF58FA0CD}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{4404C4FE-2A3D-4DB1-9CD4-0E597960371A}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqtra08.exe:hpqtra08.exe
"{6518A5F9-B3D6-4668-BA97-4C5347E9A28B}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{E8430A2B-D7B7-4D3C-AF67-8913AD215EF2}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqste08.exe:hpqste08.exe
"{43AA69DB-942B-4798-A46A-60BA3D6ECB2C}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{C49E68CA-D609-4317-ACAB-54D165706D4E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpofxm08.exe:hpofxm08.exe
"{78647ECC-F94D-4725-A359-C7E9A66A5EA4}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{274105E7-2BE8-4282-826A-38281E12F087}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposfx08.exe:hposfx08.exe
"{B7FA1CBF-61AF-4842-8DF5-245304D9A751}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{26792F6F-32FA-4252-A9F5-DC5824ABA57D}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hposid01.exe:hposid01.exe
"{888FA365-9ED6-487E-8C8C-E0D743899026}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{078230EA-F199-486D-A85A-10EC8FD7A05E}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqscnvw.exe:hpqscnvw.exe
"{79D8D4EB-FF6A-448F-928E-3A270475804E}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{440E1057-9C89-4B76-9118-641E5637C236}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpqkygrp.exe:hpqkygrp.exe
"{974270A2-6350-4DF2-BBE6-72752AFF5AE2}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{F6259581-F4F8-432E-B2E2-38C0E208EA07}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpzwiz01.exe:hpzwiz01.exe
"{8900CB5A-6062-4242-A2D0-DAB7B5FDC616}"= Disabled:UDP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"{AAF350B3-E08E-4137-AC40-98FA72D52A0F}"= Disabled:TCP:c:\program files\HP\Digital Imaging\bin\hpoews01.exe:hpoews01.exe
"TCP Query User{C8B28B31-8CFC-4093-BB33-32D978370CC5}c:\\program files\\3com\\3cdaemon\\3cdaemon.exe"= UDP:c:\program files\3com\3cdaemon\3cdaemon.exe:3CDaemon Application
"UDP Query User{E3AE67A2-4091-4305-B7CE-9476A4C62484}c:\\program files\\3com\\3cdaemon\\3cdaemon.exe"= TCP:c:\program files\3com\3cdaemon\3cdaemon.exe:3CDaemon Application
"TCP Query User{D1A71C1E-A1B5-4BAC-9700-067CD0FFFE25}c:\\kav\\kav7\\setup.exe"= UDP:c:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"UDP Query User{7CF30481-0652-4099-B42A-B9A5A2D7E618}c:\\kav\\kav7\\setup.exe"= TCP:c:\kav\kav7\setup.exe:Kaspersky Anti-Virus 7.0 Setup
"{449BAA7D-EB9C-4F6C-AAB4-8114A6265BCF}"= UDP:990:LocalSubnet:LocalSubnet|IF={03B84764-7DF9-4970-9A62-DF36261D4624}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"TCP Query User{FA47156E-D64F-4B0C-831D-A1D9E34E1EDB}c:\\program files\\gp bikes\\core.exe"= UDP:c:\program files\gp bikes\core.exe:core
"UDP Query User{5F2C87F2-2C08-4896-94D9-7D946B291529}c:\\program files\\gp bikes\\core.exe"= TCP:c:\program files\gp bikes\core.exe:core
"TCP Query User{BEA01E80-EC72-4ED9-A55B-66B017406E4C}c:\\program files\\sjlabs\\sjphone\\sjphone.exe"= UDP:c:\program files\sjlabs\sjphone\sjphone.exe:SJphone
"UDP Query User{DE06856F-9C7E-4FBD-A952-DC23B2DD3861}c:\\program files\\sjlabs\\sjphone\\sjphone.exe"= TCP:c:\program files\sjlabs\sjphone\sjphone.exe:SJphone
"{04B41337-6058-43AD-83AD-C352C95EF949}"= UDP:990:LocalSubnet:LocalSubnet|IF={DEC653FF-8899-4DD2-B4D9-DAFA75AE6160}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{82B4E513-C9AE-4C16-A25B-569B1BF94CC7}"= UDP:990:LocalSubnet:LocalSubnet|IF={03B84764-7DF9-4970-9A62-DF36261D4624}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{4889A91A-B08C-4E65-9324-B72D0693A40B}"= UDP:990:LocalSubnet:LocalSubnet|IF={DEC653FF-8899-4DD2-B4D9-DAFA75AE6160}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"{BC17F7EE-8F40-4F77-9E7A-E9FCF6019432}"= UDP:990:LocalSubnet:LocalSubnet|IF={03B84764-7DF9-4970-9A62-DF36261D4624}|%SystemRoot%\system32\svchost.exe|Svc=rapimgr:mad:%systemroot%\WindowsMobile\wmdSync.exe,-4001
"TCP Query User{6551AF73-C7C0-47AA-8AF3-E11BECF3BF12}c:\\program files\\pagebreeze\\pagebreeze.exe"= UDP:c:\program files\pagebreeze\pagebreeze.exe:pagebreeze
"UDP Query User{1F9E3D9F-B41D-4CD9-84B1-EDC1E6984A81}c:\\program files\\pagebreeze\\pagebreeze.exe"= TCP:c:\program files\pagebreeze\pagebreeze.exe:pagebreeze
"TCP Query User{8DA7950F-F973-46F3-A201-BD713DAC266C}c:\\windows\\system32\\java.exe"= UDP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"UDP Query User{486A77E0-0497-48A8-9DC0-F722CB5CA599}c:\\windows\\system32\\java.exe"= TCP:c:\windows\system32\java.exe:Java(TM) Platform SE binary
"TCP Query User{A80C5640-26A5-476C-AE7D-22CC0042AA38}c:\\program files\\vidophone\\vidophone.exe"= UDP:c:\program files\vidophone\vidophone.exe:Softphone Application
"UDP Query User{6094F19F-CB05-411A-AF2B-31340A6BAD70}c:\\program files\\vidophone\\vidophone.exe"= TCP:c:\program files\vidophone\vidophone.exe:Softphone Application
"TCP Query User{7CE2F325-A7C2-4F19-82F3-9BDBA2BD5D11}c:\\program files\\microsoft office\\office12\\msaccess.exe"= UDP:c:\program files\microsoft office\office12\msaccess.exe:Microsoft Office Access
"UDP Query User{9EBA1D71-B267-4DE6-805B-B955E96C8B7D}c:\\program files\\microsoft office\\office12\\msaccess.exe"= TCP:c:\program files\microsoft office\office12\msaccess.exe:Microsoft Office Access
"TCP Query User{F1E939D6-F53B-4C2F-ABD2-3377E840E677}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= UDP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"UDP Query User{247A9438-FCC2-4DF1-802F-9DF1FB78D7B9}c:\\program files\\nero\\nero 7\\nero home\\nerohome.exe"= TCP:c:\program files\nero\nero 7\nero home\nerohome.exe:Nero Home
"{9B925FD4-6EBB-44AC-A20B-A40F321C9D8B}"= UDP:5353:Adobe CSI CS4
"{29B63552-5756-4DD0-8F63-70977B38291C}"= UDP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{B9026D05-ACB4-4111-A174-EC14FBF980D2}"= TCP:c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe:Adobe CSI CS4
"{62E0353F-E86C-4668-B9BA-1BAA335F98CC}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{9464E704-3942-4AC3-BD44-642C19CC1F81}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{61A52147-EDF6-460E-8D23-801A77360090}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{636EAE92-A547-4FF0-BBC6-E51B9BB92F6F}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

R0 ssfs0bbc;ssfs0bbc;c:\windows\System32\drivers\ssfs0bbc.sys [02/04/2009 14:30 29808]
R1 fanio;FanIO driver;c:\windows\System32\drivers\fanio.sys [10/10/2007 16:25 14464]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [02/08/2005 22:10 32512]
R2 QWAlerter;QWAlerter;c:\program files\QuesCom\Management Console\QWAlerter\QWAlerter.exe [15/08/2007 23:11 86016]
R3 DUSBTAWAN;Psion Dacom ISDN NDISWAN;c:\windows\System32\drivers\dusbwan.sys [17/08/2007 13:17 23479]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [06/03/2009 21:01 101936]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\System32\drivers\b57nd60x.sys [02/11/2006 11:25 167936]
S3 Camdrv30;Philips ToUcam XS;c:\windows\System32\drivers\camdrv30.sys [17/08/2001 22:04 171264]
S3 DTA128;Psion Dacom Gold Port ISDN;c:\windows\System32\drivers\dusbta2k.sys [17/08/2007 13:17 127949]
S3 Kwari.xLoader;Kwari.xLoader;c:\users\Andy\AppData\Local\Micro Forte\Kwari\Kwari.xLoader.32 --> c:\users\Andy\AppData\Local\Micro Forte\Kwari\Kwari.xLoader.32 [?]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [28/11/2006 06:34 122008]
S3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [11/09/2008 20:11 16896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
HPService REG_MULTI_SZ HPSLPSVC
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7070D8E0-650A-46b3-B03C-9497582E6A74}]
%SystemRoot%\system32\soundschemes.exe /AddRegistration

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B3688A53-AB2A-4b1d-8CEF-8F93D8C51C24}]
%SystemRoot%\system32\soundschemes2.exe /AddRegistration
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)
HKLM-Run-Auto Run Software for Photo Frame - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en
uInternet Settings,ProxyOverride = *.local
IE: &Download All with FlashGet - c:\program files\FlashGet\jc_all.htm
IE: &Download with FlashGet - c:\program files\FlashGet\jc_link.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {A0EF7E3F-789A-4DB1-A286-FA16733DCD4F} = 208.67.220.220,156.154.70.1
TCP: {E8162D65-8F59-417D-8AFC-4AC8ADB38C54} = 208.67.220.220,62.6.40.162
.
.
------- File Associations -------
.
vbefile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
vbsfile\shell\open2\command="%SystemRoot%\System32\CScript.exe" "%1" %*
jsefile\shell\open2\command=%SystemRoot%\System32\CScript.exe "%1" %*
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-21 16:39
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Kwari.xLoader]
"ImagePath"="c:\users\Andy\AppData\Local\Micro Forte\Kwari\Kwari.xLoader.32"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2365035102-2755956191-3292100487-1000\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:7b,99,a6,a9,69,dd,17,44,88,d9,df,21,07,ba,fd,a9,5a,2b,25,49,e8,7c,b0,
e9,39,21,ac,46,ed,06,8a,fb,7d,92,94,1e,a2,cd,7e,e3,e0,75,ba,4b,04,61,f6,18,\
"??"=hex:91,c5,4e,72,3a,f7,74,0c,86,02,c0,23,95,1c,e0,b9

[HKEY_USERS\S-1-5-21-2365035102-2755956191-3292100487-1000\Software\SecuROM\License information*]
@Allowed: (Read) (RestrictedCode)
"datasecu"=hex:1b,51,fe,9f,3b,34,6d,99,a0,b6,39,15,82,26,19,46,bd,f6,b3,c0,e0,
6b,49,da,fa,1c,eb,66,f8,73,68,bb,d1,a4,6a,9c,c5,db,05,bc,89,56,4f,88,a1,2d,\
"rkeysecu"=hex:e5,5a,1d,a1,1b,4f,be,7c,92,14,32,1b,05,08,a6,05

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(704)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Completion time: 2009-05-21 16:42
ComboFix-quarantined-files.txt 2009-05-21 15:41

Pre-Run: 6,538,043,392 bytes free
Post-Run: 7,097,798,656 bytes free

372 --- E O F --- 2009-01-01 01:21
See less See more
2
Hello again, Almightydutch. Please tell us how your system is behaving.

Please save this page to Notepad in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

Follow these steps to remove SpySweeper remnants:

Please download SSECleanup.zip and Save it to your Desktop.
  • Close all programs.
  • Double-click SSECleanup.exe inside the SSECleanup.zip folder to run the tool.
  • Follow the on-screen instructions.
  • Restart the computer if asked.
  • Then delete SSECleanup.zip from your desktop.
------------------------------------------------------

Close any open browsers.

Disable your antivirus and antispyware applications, usually via a right-click on the System Tray icon. They may otherwise interfere with ComboFix.

Open Notepad and copy/paste all the text in the quotebox below into Notepad:

SecCenter::
{6C4BB89C-B0ED-4F41-A29C-4373888923BB}
{8B2012EC-32D4-494F-BC03-832DB3BDF911}

RegLock::
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]

Driver::
Kwari.xLoader
Save this Notepad file as CFScript.txt to your Desktop and then close the file.





Referring to the picture above, drag CFScript onto ComboFix

Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.

When finished, it shall produce a log for you. Please post that log, ComboFix.txt in your next reply.

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.


------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and Save it to your Desktop.
  • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 13 The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement
  • Click Continue The page will refresh.
  • Click on the link to download Windows Offline Installation and Save the file to your Desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start(or My Computer) > Control Panel and double-click on Programs and Features and remove all older versions of Java.
  • Click (highlight) any item with Java Runtime Environment (JRE, J2SE, Java(TM) SE or Java(TM) 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go back to your Control Panel(using Classic View) and click the Java icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button.
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window.
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE
    • Click OK to leave the Temporary Files Window.
    • Click OK to leave the Java Control Panel.
    • Delete jre-6u13-windows-i586-p.exe from your desktop.
------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Right-click ATF-Cleaner.exe and choose Run as Administrator to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Ensure your external and/or USB drives are inserted during the scan.

In Microsoft Windows Vista, you must open the Web browser via a right-click using the Run as Administrator command.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

ComboFix.txt
Kaspersky report
report on system behavior
See less See more
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

IMPORTANT - Read This Before Posting For Malware Removal Help

------------------------------------------------------
1 - 5 of 5 Posts
Status
Not open for further replies.
Top