can not access internet due to virus or malware


This topic is locked
144 replies to this topic

#61 forest5678

Authentic Member
71 posts

Posted 03 June 2011 - 12:50 AM

I was not asked about the recovery, but I did receive an error stating that the boot partition cannot be enumerated correctly. I clicked OK, and then it continued to scan with ComboFix.

ComboFix 11-04-25.01 - DJ Dash 04/25/2011 13:12:49.2.4 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2403 [GMT -5:00]
Running from: I:\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\DJ Dash\Application Data\.#
c:\documents and settings\DJ Dash\Application Data\.#\MBX@1750@3837C8.###
c:\documents and settings\DJ Dash\Application Data\.#\MBX@1750@3837D8.###
c:\documents and settings\DJ Dash\Application Data\.#\MBX@1750@3837E8.###
c:\documents and settings\DJ Dash\Application Data\EurekaLog
c:\documents and settings\DJ Dash\Application Data\EurekaLog\EurekaLog.ini
c:\documents and settings\DJ Dash\System
c:\documents and settings\DJ Dash\System\win_qs8.jqx
c:\documents and settings\DJ Dash\WINDOWS
c:\program files\Downloaded Installers
c:\program files\Downloaded Installers\{674636D6-F844-4ACB-AA56-3F4E55F172D6}\setup.msi
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_BLOCK_READER
-------\Legacy_RKHIT
-------\Service_block_reader
-------\Service_RkHit
.
.
((((((((((((((((((((((((( Files Created from 2011-03-25 to 2011-04-25 )))))))))))))))))))))))))))))))
.
.
2011-04-18 04:08 . 2011-04-18 04:08 -------- d-----w- c:\windows\Internet Logs
2011-04-15 00:24 . 2011-04-15 00:24 388096 ----a-r- c:\documents and settings\DJ Dash\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-15 00:24 . 2011-04-15 00:24 -------- d-----w- c:\program files\Trend Micro
2011-04-13 03:49 . 2010-04-14 17:50 82952 ----a-w- c:\windows\system32\drivers\mfetdi2k.sys
2011-04-13 03:49 . 2010-04-14 17:50 55456 ----a-w- c:\windows\system32\drivers\cfwids.sys
2011-04-13 03:49 . 2011-04-13 03:50 -------- d-----w- c:\program files\Common Files\Mcafee
2011-04-13 03:46 . 2010-04-14 17:50 385536 ----a-r- c:\windows\system32\drivers\mfehidk.sys
2011-04-12 08:06 . 2011-04-12 08:06 -------- d-----w- c:\documents and settings\DJ Dash\Application Data\Lavasoft
2011-04-08 16:28 . 2011-04-09 18:30 -------- d-----w- c:\documents and settings\DJ Dash\Application Data\vlc
2011-04-08 15:08 . 2011-04-08 15:08 -------- d-----w- c:\documents and settings\DJ Dash\Application Data\DDMSettings
2011-04-04 01:45 . 2011-04-14 16:39 -------- d-----w- c:\program files\Multi Password Recovery
2011-04-03 19:47 . 2011-04-03 19:47 -------- d-----w- c:\program files\Instant Messengers Password Recovery Master
2011-04-03 19:46 . 2011-04-03 19:46 -------- d-----w- c:\program files\Facebook Password Recovery Master
2011-04-02 11:06 . 2011-04-02 11:06 -------- d-----w- c:\program files\Awesome Duplicate Photo Finder
2011-03-27 21:15 . 2011-03-27 21:32 -------- d-----w- c:\documents and settings\All Users\Application Data\InstallMate
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-25 23:48 . 2011-03-25 23:48 4284416 ----a-w- c:\windows\system32\GPhotos.scr
2011-03-23 22:37 . 2009-09-08 10:57 164880 ---ha-w- c:\documents and settings\DJ Dash\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2011-02-15 06:40 . 2010-09-17 09:49 11232 ----a-w- c:\windows\system32\drivers\SWDUMon.sys
2011-02-07 17:16 . 2010-08-12 00:05 16400 ----a-w- c:\windows\system32\drivers\LNonPnP.sys
2009-11-03 09:05 . 2009-05-08 23:04 4987136 ----a-w- c:\program files\Common Files\lpuninstall.exe
2009-06-09 09:06 . 2009-06-09 09:06 1589760 -c--a-w- c:\program files\Abander_TagControl.exe
2010-11-30 00:40 . 2010-11-24 02:14 113976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-11-30 00:40 . 2010-11-24 02:14 444216 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-11-24 02:14 . 2010-11-24 02:14 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-11-24 02:14 . 2010-11-24 02:14 99208 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
.
.
------- Sigcheck -------
.
[-] 2009-08-22 . DD258FA1EC736895565E5ADCA8A822F4 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\drivers\TCPIP.SYS
[-] 2009-08-22 . DD258FA1EC736895565E5ADCA8A822F4 . 360320 . . [5.1.2600.3394] . . c:\windows\system32\dllcache\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\DJ Dash\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\DJ Dash\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2009-12-09 01:19 94208 ----a-w- c:\documents and settings\DJ Dash\Application Data\Dropbox\bin\DropboxExt.13.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2008-06-06 114688]
"$Volumouse$"="c:\program files\Volumouse\volumouse.exe" [2006-05-27 26112]
"TaskSwitchXP.exe"="c:\program files\TaskSwitchXP\TaskSwitchXP.exe" [2007-05-09 106904]
"StartMenu7"="c:\program files\Start Menu 7\StartMenu7.exe" [2010-04-19 2919288]
"DisplayFusion"="c:\program files\DisplayFusion\DisplayFusion.exe" [2010-03-17 800944]
"NetBalancer"="c:\program files\NetBalancer\SeriousBit.NetBalancer.Tray.exe" [2010-06-01 59904]
"YahooImapConnector"="c:\program files\Bravura\Yahoo IMAP Connector\YahooImap.exe" [2010-11-13 988928]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IJNetworkScanUtility"="c:\program files\Canon\Canon IJ Network Scan Utility\CNMNSUT.EXE" [2007-05-21 124512]
"Everything"="c:\program files\Everything\Everything.exe" [2009-03-13 602624]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-06-26 1311312]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-10-08 110696]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-10-08 13851752]
"nwiz"="c:\program files\NVIDIA Corporation\nView\nwiz.exe" [2010-08-26 1753192]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
c:\documents and settings\DJ Dash\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Launchy.lnk - c:\program files\Launchy\Launchy.exe [2010-4-11 286720]
MultiMon Taskbar.lnk - c:\program files\MMTaskbar\MultiMon.exe [2010-5-27 294912]
UltraMon.lnk - c:\windows\Installer\{B49673F8-7AB6-4A14-8213-C8A7BE370010}\IcoUltraMon.ico [2010-10-8 29310]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsNetHood"= 1 (0x1)
"NoSecurityTab"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{F552DDE6-2090-4bf4-B924-6141E87789A5}"= "c:\progra~1\Greatis\REGRUN~1\RRShell.dll" [2009-04-06 335943]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2008-05-27 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\acaptuser32.dll
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0Partizan
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RkHit.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GPLog.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GPLog.lnk
backup=c:\windows\pss\GPLog.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^GreenPrint TrayIcon.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\GreenPrint TrayIcon.lnk
backup=c:\windows\pss\GreenPrint TrayIcon.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
backup=c:\windows\pss\Windows Search.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DJ Dash^Start Menu^Programs^Startup^Logitech Touch Mouse Server.lnk]
path=c:\documents and settings\DJ Dash\Start Menu\Programs\Startup\Logitech Touch Mouse Server.lnk
backup=c:\windows\pss\Logitech Touch Mouse Server.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DJ Dash^Start Menu^Programs^Startup^Shortcut to ted.lnk]
path=c:\documents and settings\DJ Dash\Start Menu\Programs\Startup\Shortcut to ted.lnk
backup=c:\windows\pss\Shortcut to ted.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^DJ Dash^Start Menu^Programs^Startup^WePrint Server.lnk]
backup=c:\windows\pss\WePrint Server.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-11-10 18:49 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2010-04-06 23:03 64032 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus Photo RX595 Series]
2007-03-30 11:00 182272 ----a-w- c:\windows\system32\spool\drivers\w32x86\3\E_FATICLA.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-02-27 03:02 135664 ----atw- c:\documents and settings\DJ Dash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hazard Shield]
2010-10-26 09:24 42496 ----a-w- c:\program files\Hazard Shield\hzrTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 23:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2010-04-06 23:04 19523104 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmartDefrag]
2010-07-09 23:08 2712920 ----a-w- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TVersityMediaServer"=2 (0x2)
"TuneUp.Defrag"=3 (0x3)
"ose"=3 (0x3)
"odserv"=3 (0x3)
"JavaQuickStarterService"=2 (0x2)
"idsvc"=3 (0x3)
"IDriverT"=3 (0x3)
"gusvc"=2 (0x2)
"getPlus® Helper"=3 (0x3)
"gearsec"=2 (0x2)
"MSSQL$SQLEXPRESS"=2 (0x2)
"MSSQL$NR2007"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"rsyncd"=2 (0x2)
"Rsync"=2 (0x2)
"OracleServiceFTK2"=2 (0x2)
"OracleJobSchedulerFTK2"=2 (0x2)
"Oracleftk2TNSListener"=2 (0x2)
".1240528317SsTR"=2 (0x2)
"WRConsumerService"=2 (0x2)
"WebrootSpySweeperService"=2 (0x2)
"Nero BackItUp Scheduler 4.0"=3 (0x3)
"Microsoft Office Groove Audit Service"=3 (0x3)
"gupdate1c9e48af8e87b18"=2 (0x2)
"XobniService"=2 (0x2)
"WinAutomation Service"=2 (0x2)
"Media Center 15 Service"=3 (0x3)
"US30Service"=2 (0x2)
"HazardShield"=2 (0x2)
"WMPNetworkSvc"=2 (0x2)
"sshd"=2 (0x2)
"iPod Service"=3 (0x3)
"FLEXnet Licensing Service"=3 (0x3)
"BootlogService"=2 (0x2)
"VMUSBArbService"=2 (0x2)
"ufad-ws60"=3 (0x3)
"STSService"=3 (0x3)
"SQLWriter"=2 (0x2)
"SQLBrowser"=2 (0x2)
"rpcapd"=3 (0x3)
"MacDriveService"=2 (0x2)
"GPClientService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" resetprofile
"ctfmon.exe"=c:\windows\system32\ctfmon.exe
"swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
"PeerBlock"=c:\program files\PeerBlock\peerblock.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SmartDefrag"="c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe" /StartUp
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Documents and Settings\\DJ Dash\\My Documents\\sniffer\\iptools.exe"=
"c:\\Program Files\\NX Client for Windows\\nxclient.exe"=
"c:\\Program Files\\Nero\\Nero 9\\Nero ShowTime\\ShowTime.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\WePrint\\WePrint Server.exe"=
"c:\\Documents and Settings\\DJ Dash\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Opera\\opera.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Soluto\\Soluto.exe"=
"c:\\Program Files\\Soluto\\SolutoService.exe"=
"c:\\Program Files\\Soluto\\SolutoConsole.exe"=
"c:\\Program Files\\Soluto\\SolutoUpdateService.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\WINDOWS\\system32\\MediaServerDump\\LiveUpdate\\OLUpdate.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\XBMC\\XBMC.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\AirVideoServer\\AirVideoServer.exe"=
"c:\\silvermark\\smejunit\\bin\\smejunit.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\Logitech Touch Mouse Server\\iTouch-Server-Win.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\windows\\system32\\sessmgr.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\support\\bin\\win\\RosettaStoneLtdServices.exe"=
"c:\\Program Files\\Rosetta Stone\\Rosetta Stone Version 3\\RosettaStoneVersion3.exe"=
"c:\\Program Files\\Synkron\\Synkron.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Ubisoft\\DEMO\\The Settlers 7 - Paths to a Kingdom DEMO\\Data\\Base\\_Dbg\\Bin\\Release\\Settlers7R.exe"=
"c:\\Program Files\\Ubisoft\\Ubisoft Game Launcher\\UbisoftGameLauncher.exe"=
"c:\\Program Files\\Bravura\\Yahoo IMAP Connector\\YahooImap.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800
"61782:TCP"= 61782:TCP:rdp
"22:TCP"= 22:TCP:ssh
"901:TCP"= 901:TCP:*:Disabled:swat
"1194:UDP"= 1194:UDP:openvpn
"9524:TCP"= 9524:TCP:*:Disabled:Lansweeper Port
"9524:UDP"= 9524:UDP:*:Disabled:Lansweeper Port
"9:UDP"= 9:UDP:Wake-On-LAN
"24800:TCP"= 24800:TCP:synergy
"137:TCP"= 137:TCP:SMB
"67:UDP"= 67:UDP:0.0.0.0/255.255.255.255:Enabled:DHCP Discovery Service
"5643:TCP"= 5643:TCP:share
"53168:TCP"= 53168:TCP:*:Disabled:Mezzmo Media Server Service
"1900:TCP"= 1900:TCP:upnp
"2869:UDP"= 2869:UDP:upnp2
"30888:TCP"= 30888:TCP:*:Disabled:tvmobili
"47:TCP"= 47:TCP:VPN
"1723:TCP"= 1723:TCP:VPN2
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundTimestampRequest"= 1 (0x1)
"AllowInboundMaskRequest"= 1 (0x1)
"AllowInboundRouterRequest"= 1 (0x1)
"AllowOutboundDestinationUnreachable"= 1 (0x1)
"AllowOutboundSourceQuench"= 1 (0x1)
"AllowOutboundParameterProblem"= 1 (0x1)
"AllowOutboundTimeExceeded"= 1 (0x1)
"AllowRedirect"= 1 (0x1)
"AllowOutboundPacketTooBig"= 1 (0x1)
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 hotcore3;hc3ServiceName;c:\windows\system32\drivers\hotcore3.sys [7/2/2009 6:12 AM 40464]
R0 MDFSYSNT;MacDrive file system driver;c:\windows\system32\drivers\MDFSYSNT.SYS [3/9/2009 4:56 PM 284416]
R0 MDPMGRNT;MacDrive partition driver;c:\windows\system32\drivers\MDPMGRNT.SYS [2/4/2009 12:22 PM 19456]
R1 ElRawDisk;ElRawDisk;c:\windows\system32\drivers\dddsk.sys [2/8/2011 4:49 AM 22312]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [4/12/2011 10:49 PM 82952]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [12/11/2010 2:54 AM 143248]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [12/11/2010 2:53 AM 41936]
R2 cpuz133;cpuz133;c:\windows\system32\drivers\cpuz133_x32.sys [6/24/2010 11:02 AM 20072]
R2 hzrDriver;Hazard Shield driver;c:\program files\Hazard Shield\hzrDriver.sys [10/26/2010 4:23 AM 10496]
R2 kqemu;kqemu driver;c:\windows\system32\drivers\kqemu.sys [8/23/2010 7:07 AM 123939]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\Mcafee\SystemCore\mfevtps.exe [4/12/2011 10:49 PM 141792]
R2 NetBalancer Windows Service;NetBalancer Windows Service;c:\program files\NetBalancer\SeriousBit.NetBalancer.Service.exe [6/23/2010 12:50 AM 10752]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 12:07 PM 35088]
R2 UltraMonUtility;UltraMon Utility Driver;c:\program files\Common Files\Realtime Soft\UltraMonMirrorDrv\x32\UltraMonUtility.sys [11/14/2008 2:11 AM 17184]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 5:00 AM 70704]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [11/25/2005 5:43 PM 31896]
R3 Nbdrv;NetBalancer Service;c:\windows\system32\drivers\nbdrv.sys [6/23/2010 12:50 AM 28776]
R3 pflt;Shrew Soft Miniport Filter;c:\windows\system32\drivers\vfilter.sys [9/2/2010 2:18 AM 24192]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesDriver32.sys [10/7/2010 2:34 PM 10064]
R3 VBoxNetAdp;VirtualBox Host-Only Ethernet Adapter;c:\windows\system32\drivers\VBoxNetAdp.sys [12/1/2010 2:44 PM 100560]
R3 VBoxNetFlt;VBoxNetFlt Service;c:\windows\system32\drivers\VBoxNetFlt.sys [12/1/2010 2:44 PM 111504]
S0 ntcdrdrv;ntcdrdrv; [x]
S0 PCGenFAM;PCGenFAM;c:\windows\system32\drivers\PCGenFAM.sys [6/12/2010 10:32 PM 179144]
S2 DeltaCopyService;DeltaCopy Server; [x]
S2 ISWKL;ZoneAlarm ForceField ISWKL;\??\c:\program files\CheckPoint\ZAForceField\ISWKL.sys --> c:\program files\CheckPoint\ZAForceField\ISWKL.sys [?]
S2 IswSvc;ZoneAlarm ForceField IswSvc;"c:\program files\CheckPoint\ZAForceField\IswSvc.exe" --> c:\program files\CheckPoint\ZAForceField\IswSvc.exe [?]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\Drivers\LBeepKE.sys --> c:\windows\system32\Drivers\LBeepKE.sys [?]
S2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\Mcafee\SystemCore\mfefire.exe [4/12/2011 10:49 PM 188136]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2011\TuneUpUtilitiesService32.exe [12/14/2010 8:41 AM 1517376]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [4/20/2010 8:42 AM 1691480]
S3 CEDRIVER55;CEDRIVER55;\??\c:\program files\Cheat Engine\dbk32.sys --> c:\program files\Cheat Engine\dbk32.sys [?]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [4/12/2011 10:49 PM 55456]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver; [x]
S3 FRIdrv;FRIdrv;c:\windows\system32\drivers\FRIdrv.sys [7/30/2009 12:07 PM 3968]
S3 icsak;icsak;\??\c:\program files\CheckPoint\ZAForceField\AK\icsak.sys --> c:\program files\CheckPoint\ZAForceField\AK\icsak.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\1E5.tmp --> c:\windows\system32\1E5.tmp [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\DRIVERS\mfendisk.sys --> c:\windows\system32\DRIVERS\mfendisk.sys [?]
S3 mfendiskmp;mfendiskmp;c:\windows\system32\DRIVERS\mfendisk.sys --> c:\windows\system32\DRIVERS\mfendisk.sys [?]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2/25/2010 1:33 PM 18432]
S3 Partizan;Partizan;c:\windows\system32\drivers\Partizan.sys [9/7/2010 8:55 AM 35816]
S3 PsSdk31;PsSdk31;c:\windows\system32\drivers\pssdk31.drv [12/6/2010 3:20 AM 30272]
S3 PsSdk41;PsSdk41;c:\windows\system32\drivers\pssdk41.sys [8/28/2009 2:18 AM 36928]
S3 PulseUsb;Livescribe Smartpen USB Driver;c:\windows\system32\drivers\PulseUsb.sys [10/17/2010 7:04 PM 20480]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [9/7/2010 9:29 AM 24416]
S3 sbuschk;sbuschk;\??\c:\windows\system32\sbuschk.sys --> c:\windows\system32\sbuschk.sys [?]
S3 SndTAudio;SndTAudio;c:\windows\system32\drivers\SndTAudio.sys [9/8/2009 10:52 PM 23096]
S3 tap0801;TAP-Win32 Adapter V8;c:\windows\system32\drivers\tap0801.sys [11/13/2006 2:19 AM 23552]
S3 WinRing0_1_2_0;WinRing0_1_2_0;\??\c:\documents and settings\DJ Dash\Desktop\SysinternalsSuite\RealTemp_3.00\WinRing0.sys --> c:\documents and settings\DJ Dash\Desktop\SysinternalsSuite\RealTemp_3.00\WinRing0.sys [?]
S4 BootlogService;BootlogService;c:\program files\Greatis\RegRunSuite\BootLogService.exe [9/7/2010 9:13 AM 65304]
S4 gearsec;gearsec;c:\windows\system32\gearsec.exe [12/2/2003 8:49 AM 53248]
S4 GPClientService;GreenPrint Client Report Service;c:\program files\GreenPrint Technologies\GreenPrint World\GPClientService.exe [4/27/2009 7:50 PM 126976]
S4 gupdate1c9e48af8e87b18;Google Update Service (gupdate1c9e48af8e87b18);c:\program files\Google\Update\GoogleUpdate.exe [6/3/2009 3:36 PM 133104]
S4 MacDriveService;MacDrive service;c:\program files\Mediafour\MacDrive 7\MacDriveService.exe [11/26/2008 10:23 AM 150528]
S4 Media Center 15 Service;Media Center 15 Service; [x]
S4 MSSQL$NR2007;SQL Server (NR2007); [x]
S4 nosGetPlusHelper;getPlus® Helper 3004;c:\windows\System32\svchost.exe -k nosGetPlusHelper [8/4/2004 7:00 AM 14336]
S4 Oracleftk2TNSListener;Oracleftk2TNSListener;c:\oracle\ftk2\BIN\TNSLSNR --> c:\oracle\ftk2\BIN\TNSLSNR [?]
S4 OracleJobSchedulerFTK2;OracleJobSchedulerFTK2;c:\oracle\ftk2\Bin\extjob.exe FTK2 --> c:\oracle\ftk2\Bin\extjob.exe FTK2 [?]
S4 OracleServiceFTK2;OracleServiceFTK2;c:\oracle\ftk2\bin\ORACLE.EXE FTK2 --> c:\oracle\ftk2\bin\ORACLE.EXE FTK2 [?]
S4 PenCommService;Livescribe Smartpen Service;c:\program files\Common Files\Livescribe\PenComm\PenCommService.exe [7/28/2010 1:32 PM 444928]
S4 Rsync;Rsync;c:\cygwin\bin\cygrunsrv.exe [6/11/2009 4:06 AM 68096]
S4 rsyncd;rsyncd;c:\cygwin\bin\cygrunsrv.exe [6/11/2009 4:06 AM 68096]
S4 SolutoService;Soluto PCGenome Core Service;c:\program files\Soluto\SolutoService.exe [6/2/2010 1:51 PM 338464]
S4 sshd;CYGWIN sshd;c:\cygwin\bin\cygrunsrv.exe [6/11/2009 4:06 AM 68096]
S4 STSService;STSService; [x]
S4 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
S4 WinAutomation Service;WinAutomation Service;c:\program files\WinAutomation\WinAutomation.ServiceAgent.exe [7/9/2010 4:49 AM 147128]
S4 XobniService;XobniService;c:\program files\Xobni\XobniService.exe [12/7/2009 7:29 PM 55016]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
nosGetPlusHelper REG_MULTI_SZ nosGetPlusHelper
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{B2C3BB6B-E005-4246-B8E5-DF0A4D073CDC}]
2008-06-18 20:04 8192 ----a-w- c:\program files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 16:50]
.
2011-04-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-24 11:58]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 20:36]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-06-03 20:36]
.
2011-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1645522239-725345543-1003Core.job
- c:\documents and settings\DJ Dash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-28 03:02]
.
2011-04-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-484763869-1645522239-725345543-1003UA.job
- c:\documents and settings\DJ Dash\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-02-28 03:02]
.
2010-11-18 c:\windows\Tasks\SmartDefrag.job
- c:\program files\IObit\IObit SmartDefrag\IObit SmartDefrag.exe [2010-08-10 23:08]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Connection Wizard,ShellNext = hxxp://www.xfxsupportb.co.uk/nvidia_system_tools.zip
uInternet Settings,ProxyOverride = *.local;<local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {445F47D7-E043-4BD6-82EB-7A1BD0EBA773} - hxxp://www.psapoll.com/CopyGuardIE.cab
DPF: {88650482-3892-11D5-8997-00104BD12D94} - hxxp://support.gateway.com/support/profiler/PCPitStop.CAB
FF - ProfilePath - c:\documents and settings\DJ Dash\Application Data\Mozilla\Firefox\Profiles\gbp2jw9f.DJ Dash\
FF - prefs.js: browser.startup.homepage - www.yahoo.com
FF - prefs.js: keyword.URL -
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: CheckPlaces: checkplaces@andyhalford.com - %profile%\extensions\checkplaces@andyhalford.com
FF - Ext: Morning Coffee: morningCoffee@shaneliesegang - %profile%\extensions\morningCoffee@shaneliesegang
FF - Ext: Organize Search Engines: organize-search-engines@maltekraus.de - %profile%\extensions\organize-search-engines@maltekraus.de
FF - Ext: Add-on Collector: sharing@addons.mozilla.org - %profile%\extensions\sharing@addons.mozilla.org
FF - Ext: Smart Bookmarks Bar: smartbookmarksbar@remy.juteau - %profile%\extensions\smartbookmarksbar@remy.juteau
FF - Ext: Session Manager: {1280606b-2510-4fe0-97ef-9b5a22eafe30} - %profile%\extensions\{1280606b-2510-4fe0-97ef-9b5a22eafe30}
FF - Ext: Organize Status Bar: {35106bca-6c78-48c7-ac28-56df30b51d2c} - %profile%\extensions\{35106bca-6c78-48c7-ac28-56df30b51d2c}
FF - Ext: Qute: {36C13C8F-54F1-412e-8177-2E411719162D} - %profile%\extensions\{36C13C8F-54F1-412e-8177-2E411719162D}
FF - Ext: ScrapBook: {53A03D43-5363-4669-8190-99061B2DEBA5} - %profile%\extensions\{53A03D43-5363-4669-8190-99061B2DEBA5}
FF - Ext: MR Tech Toolkit: {9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC} - %profile%\extensions\{9669CC8F-B388-42FE-86F4-CB5E7F5A8BDC}
FF - Ext: MozXP: {ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1} - %profile%\extensions\{ADA51547-FEF6-4b2c-8E96-EE45BDF53DE1}
FF - Ext: CoolPreviews : {CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B} - %profile%\extensions\{CE6E6E3B-84DD-4cac-9F63-8D2AE4F30A4B}
FF - Ext: Adblock Plus: {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d} - %profile%\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
FF - Ext: Download Statusbar: {D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389} - %profile%\extensions\{D4DD63FA-01E4-46a7-B6B1-EDAB7D6AD389}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Slickerfox: {359faf50-e061-11dd-ad8b-0800200c9a66} - %profile%\extensions\{359faf50-e061-11dd-ad8b-0800200c9a66}
FF - Ext: AvantGarde Nightlife: {3fb63340-652a-11dd-ad8b-0800200c9a66} - %profile%\extensions\{3fb63340-652a-11dd-ad8b-0800200c9a66}
FF - Ext: AvantGarde Skylight: {d62e0de0-401b-11dd-ae16-0800200c9a66} - %profile%\extensions\{d62e0de0-401b-11dd-ae16-0800200c9a66}
FF - Ext: Adobe DLM (powered by getPlus®): {E2883E8F-472F-4fb0-9522-AC9BF37916A7} - %profile%\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: TinEye Reverse Image Search: tineye@ideeinc.com - %profile%\extensions\tineye@ideeinc.com
FF - Ext: Wired-Marker: {e36db930-f18d-4449-b45f-e286cfb9e03a} - %profile%\extensions\{e36db930-f18d-4449-b45f-e286cfb9e03a}
FF - Ext: Vacuum Places Improved: VacuumPlacesImproved@lultimouomo-gmail.com - %profile%\extensions\VacuumPlacesImproved@lultimouomo-gmail.com
FF - Ext: TooManyTabs: TooManyTabs@visibotech.com - %profile%\extensions\TooManyTabs@visibotech.com
FF - Ext: gTranslate: {aff87fa2-a58e-4edd-b852-0a20203c1e17} - %profile%\extensions\{aff87fa2-a58e-4edd-b852-0a20203c1e17}
FF - Ext: FoxLingo: {ef62e1ce-d2a4-4cdd-b7ec-92b120366b66} - %profile%\extensions\{ef62e1ce-d2a4-4cdd-b7ec-92b120366b66}
FF - Ext: Extension List Dumper: extensionlistdumper@sogame.cat - %profile%\extensions\extensionlistdumper@sogame.cat
FF - Ext: Cooliris: piclens@cooliris.com - %profile%\extensions\piclens@cooliris.com
FF - Ext: Evernote Web Clipper: {E0B8C461-F8FB-49b4-8373-FE32E9252800} - %profile%\extensions\{E0B8C461-F8FB-49b4-8373-FE32E9252800}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
FF - Ext: Greasefire: greasefire@skrul.com - %profile%\extensions\greasefire@skrul.com
FF - Ext: Image Zoom: {1A2D0EC4-75F5-4c91-89C4-3656F6E44B68} - %profile%\extensions\{1A2D0EC4-75F5-4c91-89C4-3656F6E44B68}
FF - Ext: Gmail Space: {B9C8BE50-7105-4ec6-8FB4-4935C0671648} - %profile%\extensions\{B9C8BE50-7105-4ec6-8FB4-4935C0671648}
FF - Ext: Menu Editor: {EDA7B1D7-F793-4e03-B074-E6F303317FB0} - %profile%\extensions\{EDA7B1D7-F793-4e03-B074-E6F303317FB0}
FF - Ext: PDF Download: {37E4D8EA-8BDA-4831-8EA1-89053939A250} - %profile%\extensions\{37E4D8EA-8BDA-4831-8EA1-89053939A250}
FF - Ext: Read It Later: isreaditlater@ideashower.com - %profile%\extensions\isreaditlater@ideashower.com
FF - Ext: StatusbarEx: doudehou@gmail.com - %profile%\extensions\doudehou@gmail.com
FF - Ext: VacuumPlaces Extension: VacuumPlaces@revertron.com - %profile%\extensions\VacuumPlaces@revertron.com
FF - Ext: Fasterfox Lite: FasterFox_Lite@BigRedBrent - %profile%\extensions\FasterFox_Lite@BigRedBrent
FF - Ext: Prism for Firefox: refractor@developer.mozilla.org - %profile%\extensions\refractor@developer.mozilla.org
FF - Ext: AutoPager: autopager@mozilla.org - %profile%\extensions\autopager@mozilla.org
FF - Ext: AutocompletePro - Your handy search suggestions tool: support@predictad.com - %profile%\extensions\support@predictad.com
FF - Ext: Automatic Save Folder: asf@mangaheart.org - %profile%\extensions\asf@mangaheart.org
FF - Ext: LastPass: support@lastpass.com - %profile%\extensions\support@lastpass.com
FF - Ext: EmailOracle: {18aec871-6264-4b10-91cb-ee1fb68eda7c} - %profile%\extensions\{18aec871-6264-4b10-91cb-ee1fb68eda7c}
FF - Ext: Download Youtube Videos +: video.downloader.plugin@ffpimp.com - %profile%\extensions\video.downloader.plugin@ffpimp.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: ui.submenuDelay - 65000
FF - user.js: dom.disable_window_open_feature.scrollbars - true
FF - user.js: dom.disable_window_open_feature.minimizable - true
FF - user.js: dom.disable_window_open_feature.resizable - true
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.pipelining.ssl - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.protocol-handler.warn-external.dnupdate - false
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-{0C8413C1-FAD1-446C-8584-BE50576F863E} - (no file)
Toolbar-Locked - (no file)
HKLM-Run-TkBellExe - c:\program files\Common Files\Real\Update_OB\realsched.exe
MSConfigStartUp-SCHelper - c:\program files\Spyware Cease\SCHelper.exe
MSConfigStartUp-SpywareCease - c:\program files\Spyware Cease\SpywareCease.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-25 13:30
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\1E5.tmp"
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\Oracleftk2TNSListener]
"ImagePath"="c:\oracle\ftk2\BIN\TNSLSNR "
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\PsSdk31]
"ImagePath"="\??\c:\windows\system32\Drivers\pssdk31.drv"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10i_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Cryptography\RNG*]
"Seed"=hex:49,31,f4,88,04,28,01,14,c5,ca,fa,5f,f5,cf,66,6e,1f,6c,42,48,3b,1d,
bb,84,6e,c3,98,a3,07,68,b8,a1,8e,3f,71,ca,a8,53,6d,af,a8,e5,29,51,a3,e5,99,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1428)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
.
- - - - - - - > 'explorer.exe'(3904)
c:\windows\system32\WININET.dll
c:\program files\NVIDIA Corporation\nView\nview.dll
c:\program files\DisplayFusion\DisplayFusionHookx86.dll
c:\documents and settings\DJ Dash\Application Data\Dropbox\bin\DropboxExt.13.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\Windows Desktop Search\deskbar.dll
c:\program files\Windows Desktop Search\en-us\dbres.dll.mui
c:\program files\Windows Desktop Search\dbres.dll
c:\program files\Windows Desktop Search\wordwheel.dll
c:\program files\Windows Desktop Search\en-us\msnlExtRes.dll.mui
c:\program files\Windows Desktop Search\msnlExtRes.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\program files\WinSCP\DragExt.dll
c:\program files\Wondershare\SafeLock\selockdir.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe
c:\program files\Common Files\LogiShrd\Bluetooth\lbtserv.exe
c:\windows\system32\netdde.exe
c:\program files\Common Files\Acronis\Schedule2\schedul2.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\documents and settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
c:\windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\windows\system32\HPZipm12.exe
c:\windows\System32\snmp.exe
c:\program files\NVIDIA Corporation\System Update\UpdateCenterService.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
c:\program files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\msiexec.exe
.
**************************************************************************
.
Completion time: 2011-04-25 13:39:40 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-25 18:39
.
Pre-Run: 336,068,165,632 bytes free
Post-Run: 336,719,278,080 bytes free
.
- - End Of File - - F5C45CA6597CA49796264D67589A0124



Thanks!!! And I tried attaching the mbr information again.

Attached Files

  • MBR.zip (499 bytes)



#62 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 03 June 2011 - 06:33 AM

Hi forest5678,

I was not asked about the recovery, but I did receive an error stating that the boot partition cannot be enumerated correctly

This was when you dragged and dropped the file onto combofix.exe?

At which point did you lose the ability to connect to the internet?

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#63 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 03 June 2011 - 06:56 AM

Yes, it was when I dragged the program onto the ComboFix. I lost internet connection about 2 months ago. Thanks!!!!

#64 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 03 June 2011 - 07:03 AM

Hi forest5678, Thanks for the additional information. Did you lose the internet before or after you started cleaning this machine?


#65 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 03 June 2011 - 07:05 AM

Before. I am pretty sure I downloaded a virus somehow, and then that's when it all started, a little over a month ago. I could not access the internet or open any virus protection programs.

#66 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 03 June 2011 - 08:28 PM

Hi forest5678,

Open windows explorer (right click the Start button and click Explore)

At the top of Windows Explorer, click Tools, Folder Options, then click the View tab
  • check Display the contents of system folders
  • check Show hidden files and folders
  • uncheck "Hide extensions for known file types" box
  • uncheck "Hide protected operating system files" box
Click Apply, click OK

  • In the right hand panel locate a file named boot.ini
  • right click it and click Open or Open with
  • if prompted with Open with choose Notepad
Please post the contents of the file.

Thanks

Navigate to the C:\ folder and click on it.


#67 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 04 June 2011 - 02:33 AM

This was boot.ini:

    ;
    ;Warning: Boot.ini is used on Windows XP and earlier operating systems.
    ;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
    ;
    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

This was boot.ini.backup:

    [boot loader]
    timeout=30
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT

thanks!!!!!!!
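A parser for the boot.ini format posted above, added here as an example (it is not code from this thread or from any tool the thread mentions): it pulls out the timeout, the default entry and the [operating systems] entries, then answers what a helper checks on such a file, whether the default points at a listed entry, whether a boot menu would appear at startup, and whether the file carries the BCDEDIT/Windows Vista comment lines. The sample input is a constructed copy of the boot.ini contents in the post above.

```python
import re

# Constructed sample input: a copy of the boot.ini contents posted in this thread.
BOOT_INI = r""";
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /NOEXECUTE=OPTIN /FASTDETECT
"""

# One [operating systems] line: ARC path = "display name" followed by /switches.
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Parse boot.ini text into timeout, default ARC path, OS entries and comment lines."""
    cfg = {"timeout": None, "default": None, "entries": [], "comments": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";"):              # comment lines are kept for inspection
            cfg["comments"].append(line[1:].strip())
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key == "timeout":
                cfg["timeout"] = int(value.strip())
            elif key == "default":
                cfg["default"] = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError("unparseable [operating systems] line: %r" % line)
            cfg["entries"].append({"arc": m.group("arc").strip(),
                                   "name": m.group("name"),
                                   "switches": m.group("switches").split()})
    return cfg


def check_boot_ini(cfg):
    """Does the default resolve to a listed entry, would a menu appear, are Vista-era comments present?"""
    arcs = [e["arc"] for e in cfg["entries"]]
    return {
        "default_resolves": cfg["default"] in arcs,
        # a menu is only offered with more than one entry and a non-zero timeout
        "menu_shown": len(cfg["entries"]) > 1 and (cfg["timeout"] or 0) > 0,
        "mentions_bcdedit": any("bcdedit" in c.lower() for c in cfg["comments"]),
    }
```

A default that matches no listed entry, or entries the owner does not recognise, is the kind of discrepancy worth raising with a helper before changing anything.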

#68 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 04 June 2011 - 03:00 AM

Hi forest5678, Did you at one time or currently also have Vista installed?


#69 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 04 June 2011 - 05:06 AM

I am not sure, to be honest. Thanks!!!

#70 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 04 June 2011 - 09:55 PM

Hi forest5678,

Please right click boot.ini and click Properties. What are the created and modified dates for that file?

Please do the same for boot.ini.backup.

When you boot the computer, are you given a choice of Operating Systems to boot to?

Thanks




#71 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 04 June 2011 - 10:03 PM

No, I am not given a choice, it boots into Windows XP.

Boot.ini:
  • created: Monday, September 28, 2009, 2:47:40 AM
  • modified: Tuesday, September 22, 2009, 3:47:28 PM
  • location: c:\reimageUndo

boot.ini.backup:
  • created: Thursday, May 21, 2009, 5:16:00 PM
  • modified: Tuesday, November 03, 2009, 5:09:34 PM
  • location: c:\WINDOWS\pss

Thanks!!!!

#72 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 04 June 2011 - 10:25 PM

Hi forest5678,

Is there a copy of boot.ini located in just C:\? The files you posted appear to be in a subfolder of C:\.


#73 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 04 June 2011 - 10:34 PM

There is a folder c:\Boot that contains folders and stuff, but no boot.ini. Thanks!!

#74 oldman960

oldman960

    Forum God

  • Retired Classroom Teacher
  • 14,770 posts

Posted 06 June 2011 - 06:58 AM

Hi forest5678,

Haven't forgotten about you, just trying to figure out what's going on with your computer.

Please download SystemLook from one of the links below and transfer it to your infected computer's Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield
  • Do not copy the word CODE , please note the script starts with the :
    :filefind
    boot.ini
    BCDEDIT.exe
    :dir
    C:\Boot
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

If the log looks overly large please attach it.

Thanks


#75 forest5678

forest5678

    Authentic Member

  • Authentic Member
  • 71 posts

Posted 07 June 2011 - 12:11 AM

SystemLook 04.09.10 by jpshortstuff
Log created at 00:52 on 07/06/2011 by DJ Dash
Administrator - Elevation successful

========== filefind ==========

Searching for "boot.ini"
C:\ReimageUndo\Boot.ini	--ahsc- 355 bytes	[07:47 28/09/2009]	[20:47 22/09/2009] 882021418375303061B16C0AF33AB53F

Searching for "BCDEDIT.exe"
No files found.

========== dir ==========

C:\Boot	- Parameters: "(none)"

---Files---
BCD	--a--c- 28672 bytes	[12:38 05/05/2009]	[09:47 02/07/2009]
BCD.LOG	--ahs-- 1024 bytes	[12:38 05/05/2009]	[09:12 02/07/2009]
BCD.LOG1	--ahs-- 0 bytes	[12:38 05/05/2009]	[12:38 05/05/2009]
BCD.LOG2	--ahs-- 0 bytes	[12:38 05/05/2009]	[12:38 05/05/2009]
BOOTSTAT.DAT	--ahs-- 65536 bytes	[12:38 05/05/2009]	[12:38 05/05/2009]
memtest.exe	--a---- 484944 bytes	[12:38 05/05/2009]	[05:24 22/04/2009]

---Folders---
cs-CZ	d------ [12:38 05/05/2009]
da-DK	d------ [12:38 05/05/2009]
de-DE	d------ [12:38 05/05/2009]
el-GR	d------ [12:38 05/05/2009]
en-US	d------ [12:38 05/05/2009]
es-ES	d------ [12:38 05/05/2009]
fi-FI	d------ [12:38 05/05/2009]
Fonts	d------ [12:38 05/05/2009]
fr-FR	d------ [12:38 05/05/2009]
hu-HU	d------ [12:38 05/05/2009]
it-IT	d------ [12:38 05/05/2009]
ja-JP	d------ [12:38 05/05/2009]
ko-KR	d------ [12:38 05/05/2009]
nb-NO	d------ [12:38 05/05/2009]
nl-NL	d------ [12:38 05/05/2009]
pl-PL	d------ [12:38 05/05/2009]
pt-BR	d------ [12:38 05/05/2009]
pt-PT	d------ [12:38 05/05/2009]
ru-RU	d------ [12:38 05/05/2009]
sv-SE	d------ [12:38 05/05/2009]
tr-TR	d------ [12:38 05/05/2009]
zh-CN	d------ [12:38 05/05/2009]
zh-HK	d------ [12:38 05/05/2009]
zh-TW	d------ [12:38 05/05/2009]

-= EOF =-

Thanks!!!!!!
