Win32.TDSS.reg Hijack

Status
Not open for further replies.
You must be getting tired of me by now.

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-15 13:43:46
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT spky.sys ZwEnumerateKey [0xBA6C5CA4]
SSDT spky.sys ZwEnumerateValueKey [0xBA6C6032]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84B101F8

AttachedDevice \Driver\Tcpip \Device\Ip NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp NVTcp.sys (NVIDIA Networking Protocol Driver./NVIDIA Corporation)

---- EOF - GMER 1.0.15 ----
 
You must be getting tired of me by now.:) Not really , this is a learning experience for both you and me. It may give you a heads up to be a bit more careful while surfing the internet.

GMER is one of the better tools and shows no rootkit:bigthumb:

How are things running now??
 
Everything is running fine and my optical drives work again. Spybot still finds one instance of Win32.TDSS.reg and Rooter still finds that other thing. Does it matter if its there if it doesn't seem to be doing anything? Also it still says it can't find boot.ini but it boots just fine.
 
Open up Spybot Search and Destroy and go to help> About and make sure its version 1.6.2, if not uninstall it and download and install the latest version .
http://www.safer-networking.org/en/donate-alternative/index.html

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys]

Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this
reg.jpg


Make sure you reboot your system and then run Spybots latest version again.

Reboot your system and rerun Rooter, post the log, I need to see it , not just a verbal reference that its gone.
 
Last edited:
It hates me.

Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.11 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:116 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [CD_Rom]
G:\ [CD_Rom]
H:\ [CD_Rom]
.
Scan : 18:18.42
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (612)
______ \??\C:\windows\system32\csrss.exe (668)
______ \??\C:\windows\system32\winlogon.exe (692)
______ C:\windows\system32\services.exe (736)
______ C:\windows\system32\lsass.exe (748)
______ C:\windows\system32\svchost.exe (944)
______ C:\windows\system32\svchost.exe (992)
______ C:\windows\System32\svchost.exe (1092)
______ C:\windows\system32\svchost.exe (1132)
______ C:\windows\system32\svchost.exe (1240)
______ C:\windows\system32\svchost.exe (1300)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1372)
______ C:\WINDOWS\system32\brsvc01a.exe (1580)
______ C:\WINDOWS\system32\brss01a.exe (1604)
______ C:\windows\system32\spoolsv.exe (1612)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1660)
______ C:\windows\system32\svchost.exe (1736)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1828)
______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (1844)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1880)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (1904)
______ C:\windows\system32\nvsvc32.exe (1948)
______ C:\WINDOWS\system32\PSIService.exe (1988)
______ C:\windows\system32\svchost.exe (260)
______ C:\windows\system32\Wacom_Tablet.exe (312)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (492)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (544)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (1216)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (1272)
______ C:\windows\System32\alg.exe (1876)
______ C:\windows\system32\WTablet\Wacom_TabletUser.exe (2772)
______ C:\windows\system32\Wacom_Tablet.exe (2868)
______ C:\windows\Explorer.EXE (2896)
______ C:\windows\system32\RUNDLL32.EXE (3092)
______ C:\windows\system32\rundll32.exe (3108)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (3120)
______ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (2552)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (3044)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (3724)
______ C:\Program Files\iTunes\iTunesHelper.exe (3504)
______ C:\windows\system32\ctfmon.exe (3520)
______ C:\Program Files\AIM6\aim6.exe (3540)
______ C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (3548)
______ C:\Program Files\Logitech\SetPoint\SetPoint.exe (3600)
______ C:\Program Files\iPod\bin\iPodService.exe (3664)
______ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE (3776)
______ C:\Program Files\AIM6\aolsoftware.exe (3988)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3088)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (1676)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500096991744)
.
----------------------\\ Scheduled Tasks
.
C:\windows\Tasks\Ad-Aware Update (Weekly).job
C:\windows\Tasks\desktop.ini
C:\windows\Tasks\SA.DAT
.
----------------------\\ Registry
.
Rootkit! ... [HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 18:19.48
.
C:\Rooter$\Rooter_4.txt - (15/07/2009 | 18:19.48)
 
Something is preventing its removal. I am going to have someone else take a peak at this and offer some advice.

In the meantime run this quick scan please

Download reglooks and save it to your desktop.
  • Doubleclick reglooks.exe and wait until a logfile appears.
  • The log will be called result.txt.
  • Copy and paste the contents of this log in your next reply.
 
Last edited:
REGLOOKS logfile - version 0.982
Scan started: Wed 07/15/2009 21:11:19.79

--- INFORMATION ---

Operating System: Microsoft Windows XP Home Edition - version 5.1.2600 - Service Pack 3
Bootmode: Normal boot
User: Owner (Administrator account)
Total RAM: 3326 MB (free 2610 MB - 78%)
Internet Explorer Version: 8.0.6001.18702
Antivirus Program: AntiVir Desktop 9.0.1.30 [Enabled - Updated]



--- SIGCHECK ---

C:\windows\explorer.exe -- sigcheck OK

C:\windows\system32\ctfmon.exe -- sigcheck OK

C:\windows\system32\lsass.exe -- sigcheck OK

C:\windows\system32\ntkrnlpa.exe -- sigcheck OK

C:\windows\system32\ntoskrnl.exe -- sigcheck OK

C:\windows\system32\services.exe -- sigcheck OK

C:\windows\system32\sfcfiles.dll -- sigcheck OK

C:\windows\system32\spoolsv.exe -- sigcheck OK

C:\windows\system32\svchost.exe -- sigcheck OK

C:\windows\system32\termsrv.dll -- sigcheck OK

C:\windows\system32\user32.dll -- sigcheck OK

C:\windows\system32\userinit.exe -- sigcheck OK

C:\windows\system32\wininet.dll -- sigcheck OK

C:\windows\system32\winlogon.exe -- sigcheck OK

C:\windows\system32\ws2_32.dll -- sigcheck OK

C:\windows\system32\wuauclt.exe -- sigcheck OK

C:\windows\system32\drivers\ip6fw.sys -- sigcheck OK

C:\windows\system32\drivers\ndis.sys -- sigcheck OK

C:\windows\system32\drivers\tcpip.sys -- sigcheck OK



--- SSODL regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}" -- File: %SystemRoot%\system32\SHELL32.dll -- [?]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}" -- File: C:\windows\system32\webcheck.dll -- [236544] -- [03/08/2009 04:34 AM]
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}" -- File: %systemroot%\system32\stobject.dll -- [?]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}" -- File: C:\WINDOWS\system32\WPDShServiceObj.dll -- [133632] -- [10/19/2006 12:47 AM]


--- STS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader" -- File: %SystemRoot%\system32\browseui.dll -- [?]
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon" -- File: %SystemRoot%\system32\browseui.dll -- [?]


--- USERINIT regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\windows\\system32\\userinit.exe,"
File: C:\windows\system32\userinit.exe -- [26112] -- [04/13/2008 07:12 PM]


--- SHELL regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
File: C:\windows\Explorer.exe -- [1033728] -- [04/13/2008 07:12 PM]


--- SYSTEM regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


--- APPINIT_DLLS regkey ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no AppInit_DLLs regkey found


--- NOTIFY regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
-- File: C:\windows\system32\crypt32.dll -- [599040] -- [04/13/2008 07:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
-- File: C:\windows\system32\cryptnet.dll -- [64512] -- [04/13/2008 07:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
-- File: C:\windows\system32\cscdll.dll -- [101888] -- [04/13/2008 07:11 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dimsntfy]
-- File: %SystemRoot%\System32\dimsntfy.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
-- File: c:\program files\common files\logitech\bluetooth\LBTWlgn.dll -- [72208] -- [05/02/2008 03:42 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\LBTWlgn]
-- File: c:\program files\common files\logitech\bluetooth\LBTWlgn.dll -- [72208] -- [05/02/2008 03:42 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
-- File: C:\windows\system32\wlnotify.dll -- [92672] -- [04/13/2008 07:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
-- File: C:\windows\system32\wlnotify.dll -- [92672] -- [04/13/2008 07:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
-- File: C:\windows\system32\sclgntfy.dll -- [20480] -- [04/13/2008 07:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
-- File: C:\windows\system32\WlNotify.dll -- [92672] -- [04/13/2008 07:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
-- File: C:\windows\system32\wlnotify.dll -- [92672] -- [04/13/2008 07:12 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
-- File: C:\windows\system32\wlnotify.dll -- [92672] -- [04/13/2008 07:12 PM]


--- RUN / LOAD regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows]
no run / load keys found


--- SHELLEXECUTEHOOKS regkey ---

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="" -- File: shell32.dll -- [?]


--- HKLM AUTORUN regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKCU AUTORUN regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Command Processor]
no AutoRun regkey found


--- HKLM\RUN regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer" -- File: KHALMNPR.EXE -- [?]
"nwiz" -- File: nwiz.exe /install -- [?]
"Adobe_ID0ENQBO" -- File C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE -- [378224] -- [08/15/2008 06:46 AM]
"NvMediaCenter" -- File: RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit -- [?]
"Kernel and Hardware Abstraction Layer" -- File: KHALMNPR.EXE -- [?]
"SoundMAXPnP" -- File C:\Program Files\Analog Devices\Core\smax4pnp.exe -- [868352] -- [12/18/2006 10:34 PM]
"NvCplDaemon" -- File: RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup -- [?]
"MaxMenuMgr" -- File "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" -- [181544] -- [10/28/2008 05:42 PM]
"TkBellExe" -- File: "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot -- [?]
"avgnt" -- File: "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min -- [?]
"Adobe Reader Speed Launcher" -- File "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" -- [35696] -- [02/27/2009 05:10 PM]
"iTunesHelper" -- File "C:\Program Files\iTunes\iTunesHelper.exe" -- [292136] -- [06/05/2009 01:39 PM]


--- HKLM\RUNONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKLM\RUNONCEEX regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
no runonceex values found


--- HKLM\RUNSERVICES regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
no runservices values found


--- HKLM\RUNSERVICESONCE regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKCU\RUN regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe" -- File C:\windows\system32\ctfmon.exe -- [15360] -- [04/13/2008 07:12 PM]
"Aim6" -- File: "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp -- [?]
"DAEMON Tools Pro Agent" -- File: "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun -- [?]
"AlcoholAutomount" -- File: "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount -- [?]


--- HKCU\RUNONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
no runonce values found


--- HKCU\RUNONCEEX regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
key not found


--- HKCU\RUNSERVICES regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
no runservices values found


--- HKCU\RUNSERVICESONCE regkey ---

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
no runservicesonce values found


--- HKU\.DEFAULT\Run regkeys - Default user ---

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-18\Run regkeys - user SYSTEM ---

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
no run values found


--- HKU\S-1-5-19\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKU\S-1-5-20\Run regkeys - User Lokale service ---

[HKEY_USERS\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
key not found


--- HKLM\Explorer\Run regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- HKCU\Explorer\Run regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
no run values found


--- Image File Execution regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
no debuggers found


--- BROWSER HELPER OBJECTS regkeys ---

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
-- File: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll -- [75128] -- [02/27/2009 12:07 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}]
-- File: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll -- [349576] -- [02/27/2009 12:12 PM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
-- File: C:\Program Files\Java\jre6\bin\jp2ssv.dll -- [35840] -- [03/09/2009 05:18 AM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
-- File: C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll -- [73728] -- [03/09/2009 05:18 AM]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4971EE7-DAA0-4053-9964-665D8EE6A077}]
-- File: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll -- [349576] -- [02/27/2009 12:12 PM]


--- TOOLBAR regkeys ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
no toolbars found


--- HKLM\URLSEARCHHOOKS regkeys ---

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\URLSearchHooks]
no urlsearchhooks found


--- HKCU\URLSEARCHHOOKS regkeys ---

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
{CFBFAE00-17A6-11D0-99CB-00C04FD64497} -- File: C:\windows\system32\ieframe.dll -- [11064832] -- [04/30/2009 04:22 PM]


--- SRCEENSAVER regkey ---

[HKEY_CURRENT_USER\Control Panel\Desktop]
scrnsave.exe value not found


--- ALTERNATESHELL regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
File: C:\windows\system32\cmd.exe -- [389120] -- [04/13/2008 07:12 PM]


--- SECURITYPROVIDERS regkey ---

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
File: C:\windows\system32\msapsspc.dll -- [86016] -- [04/13/2008 07:11 PM]
File: C:\windows\system32\schannel.dll -- [144896] -- [12/05/2008 01:54 AM]
File: C:\windows\system32\digest.dll -- [68608] -- [04/13/2008 07:11 PM]
File: C:\windows\system32\msnsspc.dll -- [290816] -- [04/13/2008 07:12 PM]


--- Active Setup\Installed Components regkey ---

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\<{12d0ed0d-0ee0-4f90-8827-78cefb8f4988}]
-- File: C:\windows\system32\ieudinit.exe -- [36864] -- [03/08/2009 04:32 AM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
-- File: C:\windows\system32\ie4uinit.exe -UserIconConfig -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
-- File: "C:\windows\system32\rundll32.exe" "C:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
-- File: RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
-- File: %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0291E591-EA41-4c82-8106-3DC6CE7F7664}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
-- File: "C:\Program Files\Common Files\LightScribe\LSRunOnce.exe" -- [451872] -- [11/19/2007 05:47 PM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{224128A4-681C-6BA7-B58A-432616F8A8BF}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{233C1507-6A77-46A4-9443-F871F945D258}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2A202491-F00D-11cf-87CC-0020AFEECF20}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
-- File: %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{30528230-99F7-4BB4-88D8-FA1D4F56A2AB}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{347B0667-C7ED-429B-BDE3-CC8D3BACAA31}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
-- File: "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{45C60FB9-FEFA-0B12-BA91-085FCC926126}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73fa19d0-2d75-11d2-995d-00c04f98bbc9}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{75E5ADBE-D095-3A4A-83C2-EC9A0802135B}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
-- File: regsvr32.exe /s /n /i:U shell32.dll -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\windows\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
-- File: C:\windows\system32\ie4uinit.exe -BaseSettings -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
-- File: C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
-- File: rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.UnInstall.PerUser -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
-- File: rundll32.exe C:\WINDOWS\system32\Setup\FxsOcm.dll,XP_UninstallProvider -- [?]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{98E0783C-EC9A-072A-590E-0FCE7267B348}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A17E30C4-A9BA-11D4-8673-60DB54C10000}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{AA218328-0EA8-4D70-8972-E987A9190FF4}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{F0E588B9-8F58-C027-B639-E5CD2620D406}]
-- filepath not found


--- Services regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\abp480n5]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adfs]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ADIDTSFiltService]
-- File: system32\drivers\adidts.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Adobe Version Cue CS4]
-- File: "C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exe" -win32service -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AdobeDriveCS4_NP]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\adpu160m]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AEAudio]
-- File: system32\drivers\AEAudio.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aec]
-- File: system32\drivers\aec.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78u2]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78xx]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\amsint]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3350p]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asc3550]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state]
-- File: %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atapi]
-- File: system32\DRIVERS\atapi.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\audstub]
-- File: system32\DRIVERS\audstub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgio]
-- File: \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avgntflt]
-- File: system32\DRIVERS\avgntflt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\avipbb]
-- File: system32\DRIVERS\avipbb.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Bridge]
-- File: system32\DRIVERS\bridge.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BridgeMP]
-- File: system32\DRIVERS\bridge.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BrSerIf]
-- File: System32\Drivers\BrSerIf.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CCALib8]
-- File: C:\Program Files\Canon\CAL\CALMAIN.exe -- [96370] -- [01/31/2007 03:55 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DigiFilter]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DigiNet]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DrmCDriverV32]
-- File: system32\drivers\DrmCDriverV32.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dvd43llh]
-- File: System32\DRIVERS\dvd43llh.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EPSON_PM_RPCV4_01]
-- File: C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE -- [102400] -- [04/18/2006 04:00 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExpresFC]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FreeAgentGoNext Service]
-- File: "C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe" -- [156968] -- [10/28/2008 05:42 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fsdk-wrap]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omgmt]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i2omp]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042prt]
-- File: system32\DRIVERS\i8042prt.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ICSharing]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\idsvc]
-- File: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe" -- [881664] -- [07/29/2008 08:24 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inetaccs]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ini910u]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\intelppm]
-- File: system32\DRIVERS\intelppm.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iPod Service]
-- File: "C:\Program Files\iPod\bin\iPodService.exe" -- [541992] -- [06/05/2009 01:39 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\isapnp]
-- File: system32\DRIVERS\isapnp.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\JavaQuickStarterService]
-- File: "C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\L8042Kbd]
-- File: system32\DRIVERS\L8042Kbd.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\L8042mou]
-- File: system32\DRIVERS\L8042mou.Sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lavasoft Ad-Aware Service]
-- File: "C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe" -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Lbd]
-- File: system32\DRIVERS\Lbd.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LBTServ]
-- File: C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe -- [121360] -- [05/02/2008 03:42 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LHidFilt]
-- File: system32\DRIVERS\LHidFilt.Sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LHidKe]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LMouFilt]
-- File: system32\DRIVERS\LMouFilt.Sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lpxnds]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Maplom]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MaplomL]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mcdbus]
-- File: system32\DRIVERS\mcdbus.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50]
-- File: \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMP50a64]
-- File: \??\C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MREMPR5]
-- File: \??\C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50]
-- File: \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MRESP50a64]
-- File: \??\C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetTcpPortSharing]
-- File: "C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\SMSvcHost.exe" -- [132096] -- [07/29/2008 08:16 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntcdrdrv]
-- File: system32\DRIVERS\ntcdrdrv.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\odserv]
-- File: "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE" -- [443776] -- [08/24/2007 04:19 AM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ohci1394]
-- File: system32\DRIVERS\ohci1394.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ose]
-- File: "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" -- [145184] -- [10/26/2006 02:03 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SndTDriverV32]
-- File: system32\drivers\SndTDriverV32.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swwd]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TabletServiceWacom]
-- File: C:\windows\system32\Wacom_Tablet.exe -- [2749224] -- [10/30/2008 12:13 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TPkd]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ultra]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upnphost]
-- File: %SystemRoot%\system32\svchost.exe -k LocalService -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbaudio]
-- File: system32\drivers\usbaudio.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbccgp]
-- File: system32\DRIVERS\usbccgp.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbehci]
-- File: system32\DRIVERS\usbehci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbhub]
-- File: system32\DRIVERS\usbhub.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbohci]
-- File: system32\DRIVERS\usbohci.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbprint]
-- File: system32\DRIVERS\usbprint.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usprserv]
-- File: %SystemRoot%\System32\svchost.exe -k netsvcs -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wacomvhid]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmBEnum]
-- File: system32\drivers\WmBEnum.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmFilter]
-- File: system32\drivers\WmFilter.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmHidLo]
-- File: system32\drivers\WmHidLo.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmVirHid]
-- File: system32\drivers\WmVirHid.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmXlCore]
-- File: system32\drivers\WmXlCore.sys -- [?]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\YahooAUService]
-- File: "C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe" -- [602392] -- [11/09/2008 03:48 PM]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{2E26EF4F-53D0-42B2-B439-9DA91E122750}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{8B3E0A00-16B3-4265-A270-2116DC16B2F8}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{C209CDAA-EE6B-48FB-B8B9-66902BEB3D74}]
-- filepath not found
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{D4C4B337-3333-465E-BADF-701E1DFB51AD}]
-- filepath not found


--- SAFEBOOT MINIMAL SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
Lavasoft Ad-Aware Service
OneCareMP
Service Host Driver
WdfLoadGroup
{533C5B84-EC70-11D2-9505-00C04F79DEAF}


--- SAFEBOOT Network SERVICES ---

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network
DnsCache
Lavasoft Ad-Aware Service
OneCareMP
Service Host Driver
WdfLoadGroup
{1a3e09be-1e45-494b-9174-d7385b45bbf5}


--- BOOTEXECUTE regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"= autocheck autochk *\0lsdelete\0\0


--- PENDINGFILERENAMEOPERATIONS regkey ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
PendingFileRenameOperations key not found


--- WOW-CMDLINE regkeys ---

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
"cmdline" = %SystemRoot%\system32\ntvdm.exe
"cmdline" = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386


--- NETSVCS regkey ---

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost] -- NETSVCS
0WmdmPmSN


--- DNS SERVER regkeys ---

no "NameServer" values found


--- File associations ---

.BAT files: ("%1" %*)
.COM files: ("%1" %*)
.EXE files: ("%1" %*)
.HLP files: (%SystemRoot%\System32\winhlp32.exe %1)
.INF files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.INI files: (%SystemRoot%\System32\NOTEPAD.EXE %1)
.JS files: (%SystemRoot%\System32\WScript.exe "%1" %*)
.PIF files: ("%1" %*)
.REG files: (regedit.exe "%1")
.SCR files: ("%1" /S)
.TXT files: (%SystemRoot%\system32\NOTEPAD.EXE %1)
.VBS files: (%SystemRoot%\System32\WScript.exe "%1" %*)


--- STARTUP FOLDERS ---

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\desktop.ini -- [84] -- [08/10/2007 06:37 PM]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\ERUNT AutoBackup.lnk -- [777] -- [07/13/2009 11:09 AM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini -- [84] -- [08/10/2007 06:37 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk -- [1501] -- [08/10/2007 09:10 PM]


--- TASK SCHEDULER JOBS ---

C:\windows\tasks\Ad-Aware Update (Weekly).job -- [472] -- [07/13/2009 07:36 PM]


Scan completed: Wed 07/15/2009 21:11:40.28
FINISHED
 
Lets give the Avenger another shot, disregard the download instructions if you still have this tool

1. Please download The Avenger by Swandog46 and SAVE it to your Desktop.
  • After download has completed,
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the lines of text in the code box below (including blank lines and comments) to your Clipboard by highlighting them with your mouse, then

Right clicking and choosing Copy:

Code:
[HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage your system!



3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
3. The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to

    C:\avenger\backup.zip
    .
  • Please delete C:\avenger <=this folder; Do NOT delete C:\avenger.txt <=this file

Please post the contents of C:\Avenger.txt; and a new HJT log please
 
FYI- I believe there is a new version of Avenger which changes these instructions slightly. Also, I assume you wanted the same "Drivers to delete:" command in front?

I swear to God that I can see this driver plain as day in Regedit, why can't any program?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\msqpdxserv.sys" not found!
Deletion of driver "msqpdxserv.sys" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.



//////////////////////////////////////////
Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 3)
Thu Jul 16 10:43:32 2009

10:43:32: Error: Invalid script. A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error: registry key "\Registry\Machine\System\CurrentControlSet\Services\[HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]" not found!
Deletion of driver "[HKLM\SYSTEM\ControlSet001\Services\msqpdxserv.sys]" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.
 
My bad on the script, I am a bit rusty with Avenger, run it again and this will be the new script.

Registry keys to delete:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys
 
I think you got it that time!! Spybot is finally clean as well. This boot.ini error remains, but I suppose thats for a different forum. Thanks so much for your three days of help.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msqpdxserv.sys" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:35:56 AM, on 7/16/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\windows\Explorer.EXE
C:\windows\system32\RUNDLL32.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\windows\system32\rundll32.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\DAEMON Tools Pro\DTProAgent.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\windows\system32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\windows\system32\svchost.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\windows\system32\Wacom_Tablet.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://netflix.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SmartSelect Class - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Adobe_ID0ENQBO] C:\PROGRA~1\COMMON~1\Adobe\ADOBEV~2\Server\bin\VERSIO~2.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\windows\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe" -autorun
O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Logitech SetPoint.lnk = ?
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\windows\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: PackageCab - http://ak.imgag.com/imgag/cp/install/AxCtp2.cab
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\system32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Unknown owner - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe (file missing)
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: TabletServiceWacom - Wacom Technology, Corp. - C:\windows\system32\Wacom_Tablet.exe

--
End of file - 9642 bytes


Rooter.exe (v1.0.2) by Eric_71
.
SeDebugPrivilege granted successfully ...
.
Windows XP Home Edition (5.1.2600) Service Pack 3
[32_bits] - x86 Family 6 Model 15 Stepping 11, GenuineIntel
.
[wscsvc] (Security Center) RUNNING (state:4)
[SharedAccess] RUNNING (state:4)
Windows Firewall -> Enabled
.
Internet Explorer 8.0.6001.18702
Mozilla Firefox 3.0.11 (en-US)
.
C:\ [Fixed-NTFS] .. ( Total:465 Go - Free:116 Go )
D:\ [CD_Rom]
E:\ [CD_Rom]
F:\ [CD_Rom]
G:\ [CD_Rom]
H:\ [CD_Rom]
.
Scan : 11:37.19
Path : C:\Documents and Settings\Owner\Desktop\Rooter.exe
User : Owner ( Administrator -> YES )
.
----------------------\\ Processes
.
Locked [System Process] (0)
______ System (4)
______ \SystemRoot\System32\smss.exe (616)
______ \??\C:\windows\system32\csrss.exe (672)
______ \??\C:\windows\system32\winlogon.exe (696)
______ C:\windows\system32\services.exe (740)
______ C:\windows\system32\lsass.exe (752)
______ C:\windows\system32\svchost.exe (948)
______ C:\windows\system32\svchost.exe (996)
______ C:\windows\System32\svchost.exe (1096)
______ C:\windows\system32\svchost.exe (1128)
______ C:\windows\system32\svchost.exe (1240)
______ C:\windows\system32\svchost.exe (1308)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe (1468)
______ C:\WINDOWS\system32\brsvc01a.exe (1584)
______ C:\WINDOWS\system32\brss01a.exe (1608)
______ C:\windows\system32\spoolsv.exe (1616)
______ C:\Program Files\Avira\AntiVir Desktop\sched.exe (1668)
______ C:\windows\system32\svchost.exe (1744)
______ C:\windows\Explorer.EXE (1988)
______ C:\windows\system32\RUNDLL32.EXE (260)
______ C:\Program Files\Analog Devices\Core\smax4pnp.exe (284)
______ C:\windows\system32\rundll32.exe (320)
______ C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe (336)
______ C:\Program Files\Common Files\Real\Update_OB\realsched.exe (344)
______ C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (348)
______ C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe (360)
______ C:\Program Files\iTunes\iTunesHelper.exe (376)
______ C:\windows\system32\ctfmon.exe (384)
______ C:\Program Files\AIM6\aim6.exe (392)
______ C:\Program Files\DAEMON Tools Pro\DTProAgent.exe (400)
______ C:\Program Files\Logitech\SetPoint\SetPoint.exe (668)
______ C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE (716)
______ C:\Program Files\AIM6\aolsoftware.exe (1208)
______ C:\Program Files\Avira\AntiVir Desktop\avguard.exe (1872)
______ C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S30RP1.EXE (1892)
______ C:\Program Files\Java\jre6\bin\jqs.exe (1944)
______ C:\Program Files\Common Files\LightScribe\LSSrvc.exe (2004)
______ C:\windows\system32\nvsvc32.exe (2104)
______ C:\WINDOWS\system32\PSIService.exe (2164)
______ C:\windows\system32\svchost.exe (2300)
______ C:\windows\system32\Wacom_Tablet.exe (2380)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe (2820)
______ C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe (3020)
______ C:\windows\system32\Wacom_Tablet.exe (3804)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (3912)
______ C:\WINDOWS\system32\wbem\unsecapp.exe (256)
______ C:\Program Files\iPod\bin\iPodService.exe (272)
______ C:\windows\System32\alg.exe (2244)
______ C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe (2844)
______ C:\Program Files\Mozilla Firefox\firefox.exe (3056)
______ C:\windows\system32\wuauclt.exe (3136)
______ C:\WINDOWS\system32\wbem\wmiprvse.exe (3840)
______ C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe (2888)
______ C:\Documents and Settings\Owner\Desktop\Rooter.exe (2932)
.
----------------------\\ Device\Harddisk0\
.
\Device\Harddisk0 [Sectors : 63 x 512 Bytes]
.
\Device\Harddisk0\Partition1 --[ MBR ]-- (Start_Offset:32256 | Length:500096991744)
.
----------------------\\ Scheduled Tasks
.
C:\windows\Tasks\Ad-Aware Update (Weekly).job
C:\windows\Tasks\desktop.ini
C:\windows\Tasks\SA.DAT
.
----------------------\\ Registry
.
.
----------------------\\ Files & Folders
.
----------------------\\ Scan completed at 11:39.08
.
C:\Rooter$\Rooter_5.txt - (16/07/2009 | 11:39.08)
 
Great :bigthumb: Let me tell ya, a few years ago , you removed a few bad entries with HJT, deleted a a few bad files and that was it, the dirtbags that write this garbage have become more sophisticated and making it harder to remove this stuff.

You log looks fine,:bigthumb:

Run this free online virus scanner to make sure we got it all.

Please run this free online virus scanner from ESET
  • Note: You will need to use Internet explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic
 
Had to run it twice. I think its good.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
ESETSmartInstaller@High as downloader log:
all ok
# version=6
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=c6fffda05fe02c429b7f87e2422c994c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-16 07:09:18
# local_time=2009-07-16 02:09:18 (-0600, Central Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 21 100 100 687862031250
# scanned=343481
# found=2
# cleaned=2
# scan_time=5071
C:\RECYCLER\S-1-5-21-1708537768-842925246-839522115-1003\Dc31.exe Win32/Adware.Agent.NMA application (deleted - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{6E015A96-78EE-4A26-A070-A34864C5E4CC}\RP394\A0111864.exe Win32/Adware.Agent.NMA application (deleted - quarantined) 00000000000000000000000000000000 C
# version=6
# firefox.exe=1.9.0.11
# OnlineScanner.ocx=1.0.0.5886
# api_version=3.0.2
# EOSSerial=c6fffda05fe02c429b7f87e2422c994c
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-07-16 08:56:39
# local_time=2009-07-16 03:56:39 (-0600, Central Daylight Time)
# country="United States"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=1797 37 100 100 752279843750
# scanned=343962
# found=0
# cleaned=0
# scan_time=4736
 
It found a bad file in your recycle bin but its gone.

Everything else looks fine, how are things running now??
 
Thats Great :bigthumb:

Lets update your Java to make your system more secure

Go to your Control Panel and click on the Java Icon ( looks like a little coffee cup ) click on About and you should have Version 6 Update 14, if not proceed with the instructions.

Download the latest version Here save it, do not install it yet.

Java SE Runtime Environment (JRE)JRE 6 Update 14 <--The wording is confusing but this is what you need

  • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
  • Reboot your computer
  • Install the latest version
You can verify the installation Here



GMER <--Drag it to the trash

Avenger <--Drag it the trash

Rooter <---Drag it to the trash

TFC <--Yours to keep, run it about once aweek to clean out the clutter.

Malwarebytes <-- Yours to keep also, check for updates and run a scan now and then.

Combofix <---Is not a general cleaning tool, just run it with supervision or you can bork your system

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

    • CF_Cleanup.png

  • When shown the disclaimer, Select "2"

The above procedure will:
  • Delete the following:
    • ComboFix and its associated files and folders.
    • VundoFix backups, if present
    • The C:\Deckard folder, if present
    • The C:_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.





Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot , you can still install Spybot Search and Destroy but do not enable the TeaTimer .


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
  • Spybot Search and Destroy 1.6
    Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
  • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3 It has more features and is a lot more secure than IE. It is a very easy and painless download and install, it will no way interfere with IE, you can use them both.


Safe Surfn
Ken
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
 
Status
Not open for further replies.
Back
Top