Solved Twin Issues in Windows Explorer That Occur 'Only' In Safe Mode

I will surprise you, I do not agree. MS has MSE (Security Essentials), and a firewall that a user is free to choose. If it were part of the system, it would operate the same and have the same benefit and flaws. I prefer to choose my own AV, just like I prefer to have a choice of which browser and which email client.
If an individual feels that Security Essentials is the way to go, they are free to make that choice. Very rarely does the choice of the correct (IMO) Security Essentials create problems. If you choose wrong, you pay the price.
We have and are entitled to our choice; choose wisely, you win; choose poorly, you lose. I think this is how it should be. Imagine a scenario where MS gives you a security suite that is not effective or efficient; do you want to have that forced on you? I certainly don't.

Sir, I actually did not refer to Microsoft Security Essentials in my earlier post #20 but referred to the importance of having 'a comprehensive, containing all security components, and 'effective' Internet Security Suite' in the next version of the Windows OS that Microsoft is developing.

Probably your opinion is based on the hitherto poor, long-standing, generally felt reputation of Microsoft on 'security aspects' among most people (which I also lamented in my above cited post through 'Third Party security software developers have primarily come up and thrived because Microsoft has traditionally been lax in security aspects is what I feel.'), but this is where Microsoft needs to really improve a lot, isn't it?

Prashant

Microsoft aren't quite as lax as many of us feel. If a security flaw is found in ANY bit of their code, they have a fix out within half an hour, rain or shine, night or day, public holiday or not. They have introduced many security features into Windows Vista. IE8, and in particular IE9 is incredibly secure what with all of its Smart Screen etc. etc. Now they release an amazing anti-virus package. The Windows Firewall is perfectly adequate. I am very happy with Microsoft Security.

I agree that in Windows 98SE, if you have been denied access to an entire drive, you could do Microsoft Word > File > Open and now have access to the entire drive, but those days are gone!

Often, other companies, such as Mozilla, are so slow to release a patch, that you are less secure using Firefox, than the targeted IE!

Richard, I completely agree with you that Microsoft has improved tremendously of late; 'hitherto' this may not have been completely true, but actually my intention in my post #20 was to really get a response from you and others as to the 'specific content' therein rather than it being solely about MSSE or IE or about the security aspects of Windows code. My post was to highlight the 'tight integration' of an 'efficient' and 'comprehensive Internet Security Suite' right within the OS itself as a 'Security Layer' by Microsoft in the next version of Windows, currently still at the drawing board stage. Could you possibly go back to my post #20 and provide me with your inputs and response to that in that specific context? Thanks

Don't all of you realize and also want that it is high time Microsoft, in its 'next Windows version' which is in the development phase, 'tightly integrates' 'a complete Internet Security Suite' right within the OS itself as a 'Complete Security Layer' that contains per se an 'excellent Firewall', a really 'effective Anti-virus Engine' built to tackle the numerous spawning threats that a user today faces while surfing the Internet, an Anti-Malware and Anti-Spyware engine, anti-phishing, and also 'a diagnostic tools suite' to investigate and 'sandbox' the 'threats that still slip through'?

As richc46 has said, I don't necessarily think we can push it onto people quite at the moment, in the current mindset. Microsoft have currently pushed MSE as an update, and this is the start. I think that there will come a time, perhaps Windows 9, where Microsoft ship it with all of this, and leave it as optional to un-install and replace. This will create problems. Microsoft need to make sure that they don't get a reputation for installing junk on the system, and slowly, they will be able to integrate all this into their system. The crucial thing is speed. What would happen if Microsoft released Windows 7 SP1, and with this enabled Windows Firewall and MSE, and removed Norton or McAfee or whatever you have paid for!? I think that installing it as standard is to come, and ultimately will get Microsoft a better reputation if they can dramatically reduce virus attack numbers. I also think that maybe Microsoft should consider automatic security update installs, but again, it would have to be in a way that would not ruin their reputation overnight. However, if they can do it well, and over time, it would be for the best. I think it will take a little while to get into this mindset, but it would benefit everyone if they can.

I feel that by hiring the best security experts as their staff, Microsoft can surely do this and render yeoman's service to all users who surf the Internet. The other thing is that then Microsoft can jack up the price of their OS accordingly. Further, the Security Suite definitions and program updates would then get automatically updated via Windows Update! And users wouldn't have to seek anywhere else for anything on security. I think that if Microsoft really goes 'hammer and tongs' on this aspect, it will stop the 'competition' on such products in its tracks. Third Party security software developers have primarily come up and thrived because Microsoft has traditionally been lax in security aspects, is what I feel.

I don't think Microsoft could up-price any more! I think a mutiny would follow! But yes, they could hire the best (and in fact already do). In fact, the security flaws are found by enthusiasts and reformed hackers who have switched sides to Microsoft. They are the mini tanks!

The immense benefit to 'layman' Users would be that they do not get at all a 'choice' of not installing 'a Security Suite' and endangering their own system as well as that of their contacts. Users do not have to spend money to install a third party security suite and to go through the process of evaluating one versus the others.

I think that the users who make a choice are not most at risk! It is those that do not know to make a choice!

A 'Complete and Comprehensive Security Layer that encompasses all of the above components' had better be a 'mandatory' part of an OS rather than be a 'choice' for 'Users', to be bought or not even bought by ignorant layman users who do not realize the import of their actions or inactions.

Agree, but it would have to be done gently gently.
And the Internet surfing world then would be a much better place to live in.

Please do not only respond but also exhort Microsoft as one voice of the whole community to do this.

I already know this is not a specific part of this thread, but see, one thing just led to the logical next, and so I cannot stop now because of its wide-ranging and tremendous implications.

I agree with everything you have said, Prashant. It is going to take time though. Maybe they should also buy up MBAM. Integrating MBAM and its current team into MSE, I think, would get them a lot of brownie points, as long as it is no worse than the original MBAM, and the public know that MBAM is protecting them, 24/7. If they could also incorporate some stronger modification restrictions on the System folders, to prevent infection, as in 64bit, have this new MSE/MBAM scanning everything that enters the system, and perhaps some carefully coded kernel override, so that rogues cannot disable MSE/MBAM. There is now also scope for craftiness: kernel override for MSE/MBAM, but not for third parties. Would it make us go to MSE, or hate Microsoft? They would have to play it carefully.
Thanks for your inputs in your post #25, Richard, and I really appreciate all that you have stated. And yes, we are waiting for Jacee!

No problems. I did call her as you can see here: http://www.vistax64.com/member.php?u=160742

Maybe she is very busy. Let her come online one more time before asking her again. She is very nice! Just don't nag her; we had an annoying user a few weeks ago. Literally, every 10 minutes he would post on either my profile, or hers, even the Admin's once! Then we would ask for a log file, and he would come back onto our profile. "Well, have you provided the log so we can help you? Nope." Then: "We are looking at your log! Please just give us a few minutes!" At that point we both just blocked him! It was like "Please! I need help!" "Please help me!" every few minutes! It annoyed us both! We will give Jacee one more time online!
Why are we waiting on me? :confused:

Did you rescan with Malwarebytes? Is it clean or still showing IXP000.TMP?

Common sense did dictate at that time that I do an MBAM rescan on rebooting to check whether the bot.exe was still to be found in the IXP.TMP folder, and although that was in my mind, I don't know why I didn't do it then.

I hope, Jacee, you can forgive me for that. However, I have now made amends and I have completed a full rescan with MBAM. The related MBAM log contents below show, unfortunately, that the bot.exe is still lurking in the IXP000.TMP folder.

MBAM Full Rescan Log:

Malwarebytes' Anti-Malware 1.46
Malwarebytes

Database version: 5009

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18975

11/1/2010 13:58:09
mbam-log-2010-11-01 (13-58-09).txt

Scan type: Full scan (C:\|)
Objects scanned: 442669
Time elapsed: 6 hour(s), 41 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.TMP\bot.exe (Worm.P2P) -> Delete on reboot.

Please advise.

Prashant

FAO: niemiro

Richard, I know you are busy, but could you possibly recheck whether Jacee is actually aware (and in receipt of, in her inbox) of my last post #29 of '5 days back' in reply to Jacee's post #28? Sir, I am requesting through you because I only just saw that Jacee was online 'a day back' and replied to some other posts on this forum. Could it possibly be that she just simply did not receive info about my above post in her inbox and therefore could not reply to it?

I don't mean to, and I cannot afford to, offend either of you two because, as you have already stated in your post #27, Jacee is nice and also she is a very busy person. Thanks in advance, and I am extremely sorry and will regret it if this post is taken otherwise.

I will now wait patiently for her advice without posting again unless I have some good news regarding the security issues facing me.

Prashant

Hi,

If you sent her a Visitor message she may have missed it, as they don't generate e-mail alerts (and we've missed each other that way a couple of times). Send her a Private Message instead - it's more likely to get her attention. If it was a PM (or just a regular post; both do generate alerts, though posts only generate an alert for the first new post and others are omitted until the person signs on to the forum), then you simply need to be patient and wait. She sometimes doesn't have time when here to deal with all the items on her plate and may have to log off before replying to everyone.

We have no way to check the inboxes of others or to know whether or not they've seen messages (perhaps moderators can, but we can't). She may have noticed, intended to reply, got distracted, and then forgot. The post she saw may not have been the one you wanted her to see if an earlier one occurred. In any event, she'll also see your above post as a reminder (and possibly also this one). If I have occasion to speak with her, I will remind her about this thread and that you are still awaiting a reply from her.

Take care and don't worry - you've offended nobody and have been extraordinarily polite and patient. Unlike chat rooms, forums can sometimes take a bit longer (especially if you want a specific person who is very busy).
No problems! As Lorien has said, you have offended no one, and have been far more patient than most people. I shall keep an eye on this. It looks like she has forgotten with her 30+ forums, so I have sent her another VM. Hopefully she will come now!
FAO: Jacee, niemiro, and Lorien: if you possibly can, please throw some light on the following, or attempt to explain or comment on it.

Some intriguing points that I have of late noticed in reference to the MBAM full scan on my system:

1. When I do it in normal boot mode, the bot.exe in the IXP000.TMP folder (location already referred to in my earlier posts) is always detected at the fag end of the MBAM scan, while MBAM is 'scanning additional items on your system' as mentioned in the MBAM window, but no malware at all is detected while MBAM is scanning (as displayed during the scan) all the various folder paths of the system.

2. The funny thing is that there is no IXP000.TMP folder in the detected location on my system, or for that matter in any other location on my system. The only similar folder in that detected path is IXP499.TMP, but that is completely empty.

3. When I do the full MBAM scan in 'safe mode' using 'exactly the same settings in MBAM' as used for the normal boot mode scan, surprisingly, the full scan completes without MBAM detecting any malware whatsoever anywhere on my system, including that bot.exe in the same folder path in which the bot.exe was detected in the IXP000.TMP folder during the normal boot mode scan.

4. When I could not find any IXP000.TMP folder anywhere on my system, I used the find option in regedit.exe (opened in elevated mode) to check for 'IXP000.TMP'. There I could find references to IXP000.TMP in the MBAM-detected folder path in the right pane in at least two different subkeys, but of course no reference there to bot.exe.

5. I have not experimented with it yet, but I am sure that if I change the default scanner settings of MBAM in normal boot mode to not include the scanning of additional items against heuristics, by unticking that option, the MBAM full scan will complete without detecting any malware in the clearly identifiable folder locations of my system.

So, what do you all think of the above observations, and what significance and explanation do they have as to removal diagnostics?

Further, is there any specific, freely downloadable 'fix/removal tool' for removing the specific bot.exe backdoor trojan horse from the detected location on my system? I searched in Google but could not make any clear headway.

But I am sure that when Jacee is able to devote time to the above security issue, she will use all her vast experience and hopefully help me clean my system and also guide me as to preventive security measures.

Prashant
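
A defender's triage of observations 1, 2 and 4 above, as an added example that is not part of this thread and not code from MBAM or any other tool named in it: a PowerShell script (assumed to run as administrator on the affected machine) that checks whether the path from the MBAM log exists once hidden and system attributes are included, lists the sibling IXP*.TMP folders and whether they are empty, looks at the Session Manager's PendingFileRenameOperations value (the standard place a 'Delete on reboot' is queued; that MBAM uses it is an assumption), and scripts the regedit 'Find' from point 4 over a set of registry roots that are my assumption of where such references live.

```powershell
# Added example (not from the thread): triage a scanner detection whose file
# cannot be found by hand. Assumes an elevated PowerShell on the affected PC.
# The reported path is taken from the MBAM log posted earlier in the thread.
$Reported = 'C:\Users\Prashant Mujumdar\AppData\Local\Temp\IXP000.TMP\bot.exe'
$Folder   = Split-Path -Parent $Reported
$Parent   = Split-Path -Parent $Folder

# 1. Is the file on disk at all once hidden/system attributes are included?
#    Explorer and a plain Get-ChildItem skip such files; -Force does not.
$OnDisk = Get-Item -LiteralPath $Reported -Force -ErrorAction SilentlyContinue
if ($OnDisk) {
    '{0}  attrs={1}  size={2}  created={3}' -f $OnDisk.FullName,
        $OnDisk.Attributes, $OnDisk.Length, $OnDisk.CreationTime
} else {
    "Not on disk (even with -Force): $Reported"
}

# 2. Which IXP*.TMP folders does the Temp directory really contain, and how
#    many entries (hidden ones included) does each hold?
Get-ChildItem -LiteralPath $Parent -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and $_.Name -like 'IXP*.TMP' } |
    ForEach-Object {
        $n = @(Get-ChildItem -LiteralPath $_.FullName -Force -ErrorAction SilentlyContinue).Count
        '{0}  entries={1}' -f $_.FullName, $n
    }

# 3. Windows queues delete-on-reboot requests in PendingFileRenameOperations.
#    Assumption: the scanner's "Delete on reboot" verdict lands here; a path
#    still queued after a reboot is one explanation for a repeat detection.
$SM = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Pending = (Get-ItemProperty -Path $SM -ErrorAction SilentlyContinue).PendingFileRenameOperations
if ($Pending) {
    $Pending | Where-Object { $_ -like '*IXP000.TMP*' } |
        ForEach-Object { "Queued for reboot: $_" }
}

# 4. The regedit 'Find' from point 4, scripted: every value under the given
#    roots whose data mentions the pattern. Written for PowerShell 2.0-era
#    syntax (New-Object PSObject) so it also runs on a Vista machine.
function Find-RegistryReferences {
    param([string]$Pattern, [string[]]$Roots)
    foreach ($root in $Roots) {
        $keys = @(Get-Item -Path $root -ErrorAction SilentlyContinue) +
                @(Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($data -like "*$Pattern*") {
                    New-Object PSObject -Property @{
                        Key = $key.Name; Value = $name; Data = $data
                    }
                }
            }
        }
    }
}

# Roots are an assumption of where autostart and cleanup references tend to
# live; extend the list if regedit's Find reported hits elsewhere.
$Roots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
)
Find-RegistryReferences -Pattern 'IXP000.TMP' -Roots $Roots | Format-List
```

A hit in step 4 that names the folder without the file (as in point 4 of the post) is worth posting alongside the scan log, since it tells the helper which key the detection is being derived from.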

Unfortunately, I do not know enough about the MBAM program to explain the findings you have posted (or why you can't find the folder); however, I'm sure Jacee will find the information useful and it may even help her resolve the problem. That's a lot of good work on your part checking out all those alternatives.

As far as removal tools go, I'm not aware of any specific ones (and would prefer to let Jacee address that as using the wrong tool or process may not do the job completely and may make the correct one - if there is one - not work as it should or not work at all). We do not want to make the situation worse by guessing which is what I would be doing if I tried to answer this question. If you do find something, I suggest you post it here to be reviewed for applicability and resist the temptation to just go ahead and try it.

I haven't seen Jacee here in a while, and I don't know her schedule (or how to otherwise contact her). While she will probably notice a VM once she logs into the site, a VM doesn't send an e-mail alert like a PM and so she may not become aware of this until she visits the site. Once again, I must ask you to be patient. We will do what we can to direct her here as soon as possible. For all I know, she may be on a month's vacation in the Bahamas. We simply need to wait.

Sorry I can't help further, but it is beyond my level of expertise and training and I will not risk giving you incorrect advice.

Take care!
FAO: niemiro and Lorien

I just saw that Jacee was online on this forum 'ten hours ago' and has replied on one thread.

But to be completely fair to Jacee, what I believe is that she may not be replying to this specific thread, probably because of the 'tick mark' (that denotes solved) in front of its title, and therefore thinks that the issue is already resolved, so it does not warrant a reply. Plus, I am sure she does not have the time to go through VMs, what with her responsibilities of 30+ forums; otherwise she would have surely replied. Of course vacations may be far from her mind, Lorien. Therefore maybe a PM to her might be just the only option available, but specifically I feel it should be first decided by you whether I need to do that without annoying her, or whether it will be better that Richard or Lorien, you do that on my behalf? Even with a PM it may well fail to bring it to her notice, with time being at a premium for Jacee. :)

Prashant

Have sent her a PM :)
Hi pm2397, you have a bot on your computer. This is a 'backdoor trojan' that is capable of stealing passwords and critical info such as credit card and banking information.

I would strongly urge you to use a known 'clean' computer and change all your passwords. DO NOT use the infected one.

Having said that, let's see what Combofix can do for us.

First:
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator.)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Next:
Download Combofix from any of the links below, and save it to your desktop. <-- Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
 

My Computer

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
Hi pm2397, you have a bot on your computer. This is a 'backdoor trojan', tha is capable of stealing passwords and critical info such as , credit card and banking information.

I would strongly urge you to use a known 'clean' computer and change all your passwords. DO NOT use the infected one.

Having said that, let's see what Combofix can do for us.

First:
Please download RKill by Grinler from one of the 4 links below and save it to your desktop.
Link 1
Link 2
Link 3
Link 4

  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

Next:
Download Combofix from any of the links below, and save it to your desktop.<--Important
Link 1
Link 2
Link 3

Click on this link Here to see a list of programs that should be disabled.
The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
Next: Disconnect from the internet. If you are on Cable or DSL, unplug your computer from the modem.
Next: Please disable all onboard security programs (all running with background protection) as they may hinder the scanner from working.
This includes Antivirus, Firewall, and any Spyware scanners that run in the background.
  • Double click combofix.exe and follow the prompts.
  • When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Please be patient while the scan runs, at times it may appear to stall.
When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
After rebooting ensure your Security applications have been re-enabled.

In your next reply post:
ComboFix.txt

***A guide and tutorial on "How to use Combofix" can be found here:
A guide and tutorial on using ComboFix
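Jacee asks for the ComboFix log to be posted back for review. The script below is an added example for readers of this thread; it is not part of the thread, of ComboFix, or of any forum helper's toolkit. It parses the "Reg Loading Points" part of a ComboFix log (the quoted Run values and the R*/S* service lines, in the layout that appears further down this page) and lists the autostarts a helper would look at first: entries ComboFix marks `[x]` (image file not found), entries launched from user-writable folders, and Run values under the policies key. The sample log embedded in it is constructed; the `updchk`, `Loader` and `hlpdrv` entries are invented to exercise the rules and do not come from the log on this page. The rules are review heuristics, not verdicts; a flagged line still has to be checked by hand.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of ComboFix's "Reg Loading Points" section.
# "updchk", "Loader" and "hlpdrv" are invented for this example only; they are
# not entries from the thread's log and carry no claim about real software.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"updchk"="c:\users\alice\AppData\Roaming\updchk.exe" [2010-11-14 41984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-14 1094224]
"Loader"="c:\users\alice\Downloads\loader.exe" [2010-11-12 66048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"<NO NAME>"="1 (0x1)" [X]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
R3 Normandy;Normandy SR2; [x]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/22 09:15];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-02-28 14:10 87536]
S1 hlpdrv;hlpdrv;c:\windows\system32\drivers\hlpdrv.sys [x]
"""

# A registry key header such as [HKEY_LOCAL_MACHINE\...\Run]
KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
# A Run value: "name"="path" [date size]   (ComboFix writes [x]/[X] when the file is missing)
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]$')
# A service/driver line: R2 name;display name;image path [date size]
SERVICE_RE = re.compile(r'^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$')
# Directories an unprivileged user can write to; an autostart there deserves a look.
USER_WRITABLE_RE = re.compile(r'\\(appdata|downloads|temp|tmp)\\', re.IGNORECASE)


@dataclass
class Entry:
    kind: str        # "run" (registry Run value) or "service" (R*/S* line)
    location: str    # registry key for run values, start-type code for services
    name: str
    path: str
    meta: str        # text inside the trailing [...] block, e.g. "2010-10-29 136176" or "x"
    reasons: list = field(default_factory=list)


def parse_entries(text):
    """Return Run values and service lines from a ComboFix log as Entry objects."""
    entries, current_key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and current_key and current_key.lower().endswith('\\run'):
            entries.append(Entry('run', current_key, m['name'], m['path'], m['meta']))
            continue
        m = SERVICE_RE.match(line)
        if m:
            # The image path and the trailing [...] block are split on the last '['.
            image, sep, meta = m['rest'].rpartition('[')
            if not sep:
                image, meta = m['rest'], ''
            entries.append(Entry('service', m['start'], m['name'].strip(),
                                 image.strip(), meta.rstrip(']').strip()))
    return entries


def triage(entries):
    """Attach review reasons to entries; returns only those that got at least one."""
    for e in entries:
        if e.meta.lower() == 'x':
            e.reasons.append('image file not found or path unresolved ([x])')
        if USER_WRITABLE_RE.search(e.path):
            e.reasons.append('starts from a user-writable directory')
        if e.kind == 'run' and '\\policies\\' in e.location.lower():
            e.reasons.append('Run value under the policies key (Group Policy logon-run location; uncommon on a home PC)')
    return [e for e in entries if e.reasons]


def triage_log(text):
    """Convenience wrapper: parse a whole ComboFix log and return the flagged entries."""
    return triage(parse_entries(text))


if __name__ == '__main__':
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind:7} {e.name!r:40} {e.path or '(none)'}")
        for r in e.reasons:
            print(f"         - {r}")
```

To use it on a real log, read ComboFix.txt into a string and pass it to `triage_log`; the parser ignores the file-listing and rootkit-scan sections because their lines match none of the three patterns. The `[x]` marker is only evidence that ComboFix could not resolve the image path at scan time, which is also what a leftover service from an uninstalled product looks like, so the output is a reading list, not a removal list.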

1. Jacee, first of all I am very thankful to you for devoting time to my security issues, considering your considerable responsibilities across 30+ forums and the consequent tight schedule.

2. Regarding the bot stealing my credit card details and banking details and related passwords:

Jacee, I don't have or use a credit card, so the remote potential advantage-taker has no financial profit from me. The other good thing that I do is to use the mouse to click in my 'unusually strong password' through a 'key-location-changing' on-screen keyboard (provided on the specific secure web page by my bank) for my bank account access over the Internet, so no keylogger can take advantage of that. The third thing is that I don't use any local POP3 e-mail program at all to send and receive my e-mail, plus I don't have any address book contacts stored on my machine in MS Outlook etc. So that makes it 'very difficult' for a bot to use my system to infect other systems of my contacts via e-mail. I strictly use only web-mail.

3. Downloaded Rkill exactly as per your instructions.

Next I disabled/turned off the security software on my system as per the instructions in the guide referenced in your post. As the procedure for disabling Emsisoft Anti-Malware (latest free version 5.0.0.84, fully updated, being used by me) was not mentioned in the guide referred to in your post, I tried to turn off the settings in a2start.exe (Emsisoft Anti-Malware Security Center) but found that the relevant tick-marked settings were all grayed out. Therefore I searched in Google and found that a2start.exe depends on a2service.exe (Emsisoft Anti-Malware Service) for its entire functioning. So I then opened up Services.msc via 'Run as Administrator', right-clicked the Emsisoft Anti-Malware Service therein and clicked its Properties. Next, in the Properties window, I stopped the service and thereafter changed its status from Automatic to Disabled. Hope this was what was to be done to disable Emsisoft Anti-Malware.

Anyway, there were absolutely no issues in the running of Rkill after I had turned off Windows Firewall, turned off the real-time protection of Microsoft Security Essentials, unticked the relevant settings in UnHackMe (Greatis Boot-Watch Anti-Rootkit Partizan software) on my system, and exited SUPERAntiSpyware.

It produced a log within about thirty seconds and terminated two processes (both DllHost.exe in the C:\Windows\System32 folder), besides the rkill.scr itself during its run.

4. Next downloaded and ran Combofix after ensuring all prerequisites exactly per your instructions.

After Combofix ran the system rebooted and Combofix then produced the Log Report.

ComboFix.txt: Contents copied and pasted below.

ComboFix 10-11-12.01 - Prashant Mujumdar 11/15/2010 4:20.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.91.1033.18.2046.963 [GMT 5.5:30]
Running from: c:\users\Prashant Mujumdar\Desktop\Combo-Fix.exe
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.
The following files were disabled during the run:
c:\windows\system32\APSHook.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Prashant Mujumdar\AppData\Roaming\EurekaLog
c:\users\Prashant Mujumdar\AppData\Roaming\EurekaLog\EurekaLog.ini
c:\users\Prashant Mujumdar\AppData\Roaming\inst.exe
c:\users\Prashant Mujumdar\rkill.scr
c:\users\Prashant Mujumdar\SecurityCheck.exe
c:\windows\system32\tmp.reg

.
((((((((((((((((((((((((( Files Created from 2010-10-14 to 2010-11-14 )))))))))))))))))))))))))))))))
.

2010-11-14 23:17 . 2010-11-14 23:17 -------- d-----w- c:\users\Nalin Mujumdar\AppData\Local\temp
2010-11-14 23:17 . 2010-11-14 23:17 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-11-14 20:16 . 2010-11-14 20:16 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2010-11-14 19:36 . 2010-11-14 19:37 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\Regrun
2010-11-14 19:18 . 2010-11-14 19:18 -------- d-----w- c:\program files\Greatis
2010-11-14 18:38 . 2010-10-07 10:51 6146896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{494AC346-15FE-4E70-B462-EBFF13BDA50A}\mpengine.dll
2010-11-12 22:01 . 2010-11-12 22:01 -------- d-----w- c:\documents and settings\epmikani\Application Data\skypePM
2010-11-12 22:01 . 2010-11-12 22:01 -------- d-----w- c:\users\epmikani
2010-11-12 10:24 . 2010-11-12 10:44 -------- d-----w- c:\program files\Spiceworks
2010-11-10 14:08 . 2010-10-07 11:37 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2010-11-10 08:48 . 2010-11-10 10:37 -------- d-----w- c:\programdata\SafeReturner
2010-11-09 04:30 . 2010-11-09 04:30 -------- d-----w- c:\programdata\NoVirusThanks
2010-11-09 04:05 . 2010-11-09 04:05 -------- d-----w- c:\program files\Bonjour
2010-11-09 03:17 . 2010-11-12 06:17 -------- d-----w- c:\program files\NoVirusThanks Anti-Rootkit
2010-11-09 00:07 . 2010-11-09 00:07 -------- d-----w- c:\program files\SystemRequirementsLab
2010-11-09 00:07 . 2010-11-09 01:09 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\SystemRequirementsLab
2010-11-08 16:06 . 2010-11-08 16:06 -------- d-----w- c:\users\Nalin Mujumdar\AppData\Local\Mozilla
2010-11-08 14:18 . 2010-11-08 14:18 -------- d-----w- c:\program files\VirusTotalUploader2
2010-11-08 12:16 . 2010-11-08 12:16 -------- d-----w- c:\windows\RestoreSafeDeleted
2010-11-08 04:31 . 2010-11-09 04:23 -------- d-----w- c:\program files\iPod
2010-11-08 04:31 . 2010-11-09 04:24 -------- d-----w- c:\program files\iTunes
2010-11-08 04:31 . 2010-11-08 04:34 -------- d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-08 04:09 . 2010-11-09 03:46 -------- d-----w- c:\program files\Safari
2010-11-06 21:49 . 2010-11-06 21:49 -------- d-----w- C:\Backreg
2010-11-06 21:23 . 2010-11-14 20:09 2 --shatr- c:\windows\winstart.bat
2010-11-06 21:20 . 2010-11-14 20:07 -------- d-----w- c:\program files\UnHackMe
2010-11-05 05:18 . 2006-11-02 09:45 8704 ----a-w- c:\windows\system32\ctfmon.exe.backup
2010-11-05 05:12 . 2010-11-05 05:12 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\SuperAdBlocker.com
2010-11-05 05:09 . 2010-11-05 05:09 -------- d-----w- c:\windows\system32\URTTemp
2010-11-05 05:09 . 2010-11-11 01:12 -------- d-----w- c:\program files\SuperAdBlocker.com
2010-11-05 00:12 . 2010-11-05 00:12 -------- d-----w- c:\program files\CCleaner
2010-11-02 21:08 . 2010-11-12 12:09 -------- d-----w- C:\PrevxCSI
2010-11-02 14:07 . 2010-11-12 13:38 -------- d-----w- c:\program files\NoVirusThanks
2010-11-02 07:02 . 2010-11-02 07:02 35904 ----a-w- c:\windows\system32\drivers\pah4wydq.sys
2010-11-02 05:55 . 2010-11-02 11:19 34560 ----a-w- c:\windows\system32\drivers\Normandy.sys
2010-11-01 18:48 . 2010-11-01 18:51 -------- d-----w- c:\windows\system32\Adobe
2010-11-01 14:50 . 2010-11-01 14:50 -------- d-----w- c:\program files\Common Files\xing shared
2010-11-01 11:56 . 2010-11-01 11:56 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Local\Mozilla
2010-10-30 15:14 . 2010-10-30 15:14 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\SUPERAntiSpyware.com
2010-10-30 15:13 . 2010-10-30 15:14 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-29 14:40 . 2010-10-29 14:41 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Local\Deployment
2010-10-27 02:45 . 2010-08-26 16:34 1696256 ----a-w- c:\windows\system32\gameux.dll
2010-10-27 02:44 . 2010-08-26 16:33 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2010-10-27 02:44 . 2010-08-26 14:23 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2010-10-26 05:00 . 2010-10-26 05:00 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Local\Sophos
2010-10-26 01:19 . 2010-10-07 10:51 6146896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-25 17:10 . 2010-10-29 04:19 -------- d-----w- c:\programdata\Sophos
2010-10-25 06:33 . 2010-10-25 06:34 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-10-25 06:01 . 2010-10-25 06:06 -------- d-----w- c:\programdata\MFAData
2010-10-25 03:14 . 2010-10-25 03:14 -------- d-----w- c:\program files\Sun
2010-10-23 13:28 . 2010-04-29 10:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 13:28 . 2010-04-29 10:09 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-23 13:28 . 2010-10-23 16:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-23 05:53 . 2010-10-23 05:53 -------- d-----w- c:\programdata\InstallMate
2010-10-23 04:29 . 2010-10-23 04:29 -------- d-----w- c:\programdata\SUPERAntiSpyware.com
2010-10-23 01:05 . 2010-10-23 01:06 -------- d-----w- c:\programdata\{8D274659-3D84-4410-A197-C170D180BC76}
2010-10-23 00:02 . 2006-11-02 00:39 1419232 ----a-w- c:\windows\system32\drivers\wdfcoinstaller01005.dll
2010-10-23 00:02 . 2007-06-18 10:42 16768 ----a-w- c:\windows\system32\drivers\HpqKbFiltr.sys
2010-10-22 23:11 . 2007-07-26 10:45 53248 ----a-w- c:\windows\system32\CSVer.dll
2010-10-22 19:18 . 2010-10-07 23:21 6146896 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{15492E9F-6117-4E59-9116-1C37E2A66D87}\mpengine.dll
2010-10-22 00:45 . 2010-10-22 00:45 -------- d-----w- c:\windows\en
2010-10-22 00:41 . 2010-09-22 18:51 39272 ----a-w- c:\windows\system32\drivers\fssfltr.sys
2010-10-22 00:33 . 2010-10-22 00:33 -------- d-----w- c:\program files\Microsoft SQL Server Compact Edition
2010-10-22 00:01 . 2010-10-22 00:01 -------- d-----w- c:\program files\MSN Toolbar
2010-10-22 00:00 . 2010-10-22 00:02 -------- d-----w- c:\program files\Bing Bar Installer
2010-10-22 00:00 . 2009-09-04 12:14 69464 ----a-w- c:\windows\system32\XAPOFX1_3.dll
2010-10-22 00:00 . 2009-09-04 12:14 515416 ----a-w- c:\windows\system32\XAudio2_5.dll
2010-10-22 00:00 . 2009-09-04 11:59 453456 ----a-w- c:\windows\system32\d3dx10_42.dll
2010-10-21 23:58 . 2010-10-21 23:58 469256 ----a-w- c:\program files\Common Files\Windows Live\.cache\d56595ad1cb717b06\InstallManager_WLE_WLE.exe
2010-10-21 23:57 . 2010-10-21 23:57 15712 ----a-w- c:\program files\Common Files\Windows Live\.cache\c8f70f1d1cb717b05\MeshBetaRemover.exe
2010-10-21 23:57 . 2010-10-21 23:57 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\c55f1b4d1cb717b04\DSETUP.dll
2010-10-21 23:57 . 2010-10-21 23:57 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\c55f1b4d1cb717b04\DXSETUP.exe
2010-10-21 23:57 . 2010-10-21 23:57 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\c55f1b4d1cb717b04\dsetup32.dll
2010-10-21 23:57 . 2010-10-21 23:57 94040 ----a-w- c:\program files\Common Files\Windows Live\.cache\c0748fcd1cb717b03\DSETUP.dll
2010-10-21 23:57 . 2010-10-21 23:57 525656 ----a-w- c:\program files\Common Files\Windows Live\.cache\c0748fcd1cb717b03\DXSETUP.exe
2010-10-21 23:57 . 2010-10-21 23:57 1691480 ----a-w- c:\program files\Common Files\Windows Live\.cache\c0748fcd1cb717b03\dsetup32.dll
2010-10-21 23:57 . 2010-11-01 08:08 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Local\Windows Live
2010-10-21 23:53 . 2009-08-04 08:02 754688 ----a-w- c:\windows\system32\webservices.dll
2010-10-21 11:34 . 2010-10-21 11:34 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\Softplicity
2010-10-21 11:13 . 2010-10-21 11:13 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\NCH Software
2010-10-21 11:09 . 2010-10-21 11:09 -------- d-----w- c:\programdata\NCH Swift Sound
2010-10-21 11:08 . 2010-10-21 11:08 -------- d-----w- c:\program files\NCH Swift Sound
2010-10-21 11:08 . 2010-10-21 11:08 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Roaming\NCH Swift Sound
2010-10-21 02:28 . 2010-10-21 02:28 -------- d-----w- c:\program files\ESET
2010-10-18 01:31 . 2010-10-18 01:31 -------- d-----w- c:\users\Prashant Mujumdar\AppData\Local\WindowsUpdate
2010-10-17 03:52 . 2010-10-17 03:52 -------- d-----w- c:\windows\RegBak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-06 00:46 . 2007-05-19 01:21 319456 ----a-w- c:\windows\DIFxAPI.dll
2010-11-01 14:46 . 2003-03-19 03:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-10-19 20:51 . 2009-10-02 20:46 222080 ----a-w- c:\windows\system32\MpSigStub.exe
2010-10-15 07:07 . 2010-06-03 04:52 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-09-22 19:17 . 2010-09-22 19:17 49016 ----a-w- c:\windows\system32\sirenacm.dll
2010-09-22 19:02 . 2010-09-22 19:02 301936 ----a-w- c:\windows\WLXPGSS.SCR
2010-09-20 11:11 . 2010-09-20 10:56 200704 ----a-w- c:\windows\bcmC215.tmp
2010-09-20 11:11 . 2010-09-20 10:56 135168 ----a-w- c:\windows\bcmC1E5.tmp
2010-09-13 13:56 . 2010-10-14 07:39 8147456 ----a-w- c:\windows\system32\wmploc.DLL
2010-09-08 06:01 . 2010-10-14 07:49 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-08 05:57 . 2010-10-14 07:49 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-08 05:57 . 2010-10-14 07:49 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-09-08 05:56 . 2010-10-14 07:48 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-09-08 05:56 . 2010-10-14 07:48 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-09-08 05:47 . 2010-09-08 05:47 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 05:47 . 2010-09-08 05:47 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-08 05:04 . 2010-10-14 07:49 385024 ----a-w- c:\windows\system32\html.iec
2010-09-08 04:26 . 2010-10-14 07:48 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-09-08 04:25 . 2010-10-14 07:48 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2010-09-06 16:20 . 2010-10-14 07:45 125952 ----a-w- c:\windows\system32\srvsvc.dll
2010-09-06 16:19 . 2010-10-14 07:44 17920 ----a-w- c:\windows\system32\netevent.dll
2010-09-06 13:45 . 2010-10-14 07:45 304128 ----a-w- c:\windows\system32\drivers\srv.sys
2010-09-06 13:45 . 2010-10-14 07:44 145408 ----a-w- c:\windows\system32\drivers\srv2.sys
2010-09-06 13:45 . 2010-10-14 07:45 102400 ----a-w- c:\windows\system32\drivers\srvnet.sys
2010-08-31 15:46 . 2010-10-14 07:47 954752 ----a-w- c:\windows\system32\mfc40.dll
2010-08-31 15:46 . 2010-10-14 07:47 954288 ----a-w- c:\windows\system32\mfc40u.dll
2010-08-31 15:44 . 2010-10-14 07:31 531968 ----a-w- c:\windows\system32\comctl32.dll
2010-08-31 13:27 . 2010-10-14 07:30 2038272 ----a-w- c:\windows\system32\win32k.sys
2010-08-26 16:37 . 2010-10-14 07:30 157184 ----a-w- c:\windows\system32\t2embed.dll
2010-08-26 16:33 . 2010-10-27 02:44 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2010-08-26 16:33 . 2010-10-27 02:44 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2010-08-26 16:33 . 2010-10-27 02:44 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2010-08-26 16:33 . 2010-10-27 02:44 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2010-08-23 11:37 . 2010-09-09 12:32 27192 ----a-w- c:\windows\system32\drivers\rspSanity32.sys
2010-08-20 16:05 . 2010-10-14 07:41 867328 ----a-w- c:\windows\system32\wmpmde.dll
2010-08-17 14:11 . 2010-09-15 03:39 128000 ----a-w- c:\windows\system32\spoolsv.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"VistaBatterySaver"="c:\program files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe" [2008-08-22 481280]
"VeohPlugin"="c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" [2010-07-06 2634048]
"SUMo"="c:\program files\KC Softwares\SUMo\SUMo.exe" [2010-11-05 1414656]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"Skype"="c:\program files\Skype\\Phone\Skype.exe" [2010-05-13 26192168]
"PC Suite Tray"="c:\program files\Nokia\Nokia PC Suite 7\PCSuite.exe" [2010-05-14 1479680]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-10-25 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-12-06 202032]
"CognizanceTS"="c:\progra~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll" [2003-12-22 17920]
"ThreatFire"="c:\program files\ThreatFire\TFTray.exe" [2010-01-14 378128]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-10-03 480560]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-12-19 468264]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2009-06-09 7539232]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-08-20 150016]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-05-27 1721640]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2010-10-01 329096]
"NoAutorun"="c:\users\Prashant Mujumdar\Downloads\NoAutorun-win32-bin-1.1.1.21\NoAutorun.exe" [2010-07-23 66048]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2009-11-19 75048]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-01 1164584]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2010-06-09 49208]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe" [2009-02-11 186904]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-02-07 54832]
"PDVD9LanguageShortcut"="c:\program files\CyberLink\PowerDVD9\Language\Language.exe" [2009-04-27 50472]
"PikyAgent"="c:\program files\Conceptworld\PikySuite\PikyAgent.exe" [2009-07-11 103152]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-02-07 71216]
"RemoteControl9"="c:\program files\CyberLink\PowerDVD9\PDVD9Serv.exe" [2009-07-06 87336]
"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2009-05-05 1466368]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2010-04-29 1090952]
"OnScreenDisplay"="c:\program files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-11-01 554288]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2005-08-11 249856]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSSE"="c:\program files\Microsoft Security Essentials\msseces.exe" [2010-09-14 1094224]
"TkBellExe"="c:\program files\real\realplayer\update\realsched.exe" [2010-11-01 274608]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-09-23 421160]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-10-03 13826664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\Currentversion\policies\explorer\Run]
"<NO NAME>"="1 (0x1)" [X]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Aerofoil.lnk - c:\program files\Aerofoil\Aerofoil.exe [2010-5-26 2837504]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer9"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk *\0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2443598800-2901640390-900271084-1000]
"EnableNotificationsRef"=dword:00000006

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 136176]
R3 a2acc;a2acc;c:\program files\EMSISOFT ANTI-MALWARE\a2accx86.sys [2010-09-29 72808]
R3 ATSwpWDF;AuthenTec TruePrint USB WDF Driver;c:\windows\system32\Drivers\ATSwpWDF.sys [2008-09-09 498432]
R3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe [2009-08-24 406016]
R3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-03-25 42368]
R3 Normandy;Normandy SR2; [x]
R3 PSI;PSI;c:\windows\system32\DRIVERS\psi_mf.sys [2010-07-07 14904]
R3 rspSanity;rspSanity;c:\windows\system32\DRIVERS\rspSanity32.sys [2010-08-23 27192]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
R3 zteusbser;ZTE USB Device for Legacy Serial Communication;c:\windows\system32\DRIVERS\zteusbser.sys [2007-08-20 98432]
R4 a2AntiMalware;Emsisoft Anti-Malware 5.0 - Service;c:\program files\Emsisoft Anti-Malware\a2service.exe [2010-10-19 2806000]
R4 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [x]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S0 pah4wydq;Vba32 Armour Driver;c:\windows\System32\Drivers\pah4wydq.sys [2010-11-02 35904]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-01-14 51984]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-01-14 59664]
S1 a2injectiondriver;a2injectiondriver;c:\program files\Emsisoft Anti-Malware\a2dix86.sys [2010-09-29 41928]
S1 a2util;a-squared Malware-IDS utility driver;c:\program files\Emsisoft Anti-Malware\a2util32.sys [2010-05-05 11776]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-02-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2010-05-10 67656]
S2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/11/22 09:15];c:\program files\CyberLink\PowerDVD9\000.fcl [2009-02-28 14:10 87536]
S2 ASBroker;Logon Session Broker;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ASChannel;Local Communication Channel;c:\windows\System32\svchost.exe [2008-01-19 21504]
S2 ThreatFire;ThreatFire;c:\program files\ThreatFire\TFService.exe service [x]
S3 NETw5v32;Intel(R) Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 32 Bit;c:\windows\system32\DRIVERS\NETw5v32.sys [2008-11-17 3668480]
S3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-01-14 33552]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
Cognizance REG_MULTI_SZ ASBroker ASChannel
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 14:41]

2010-11-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-10-29 14:41]

2010-11-04 c:\windows\Tasks\HPCeeScheduleForPrashant Mujumdar.job
- c:\program files\Hewlett-Packard\HP Ceement\HPCEE.exe [2009-10-06 22:52]

2010-11-10 c:\windows\Tasks\RunAsStdUser Task for VeohWebPlayer.job
- c:\program files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe [2010-07-06 14:01]

2010-11-14 c:\windows\Tasks\User_Feed_Synchronization-{49327567-96F5-44EE-800F-09E2470CFF96}.job
- c:\windows\system32\msfeedssync.exe [2010-10-14 04:25]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.in/
mStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Page_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mDefault_Search_URL = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
mSearch Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: Send image to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send page to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: live.com\onecare
Trusted Zone: microsoft.com\sftus.one
Trusted Zone: symantec.com\security
TCP: {7A0756D7-96FB-4353-970F-57DCA7FF8C33} = 218.248.255.194
DPF: Microsoft XML Parser for Java - file:///C:/Windows/Java/classes/xmldso.cab
FF - ProfilePath -

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Yahoo Messenger - (no file)
HKLM-Run-<NO NAME> - (no file)
HKU-Default-RunOnce-<NO NAME> - (no file)
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-{FC17E0A7-EAA9-4902-92F8-C83B9FD02246} - c:\program files\InstallShield Installation Information\{FC17E0A7-EAA9-4902-92F8-C83B9FD02246}\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2010-11-15 05:21
Windows 6.0.6002 Service Pack 2 NTFS

detected NTDLL code modification:
ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{95808DC4-FA4A-4c74-92FE-5B863F82066B}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD\000.fcl"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}]
"ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,69,c5,15,24,69,b0,43,9f,04,d8,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,92,69,c5,15,24,69,b0,43,9f,04,d8,\

[HKEY_USERS\S-1-5-21-2443598800-2901640390-900271084-1000_Classes\VirtualStore\MACHINE\SOFTWARE\zbshareware]
@DACL=(02 0000)
"lastcheck"="18"
"times"="6"
"Name"="ledworld"
"Code"="BHJDH17937"

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
"MSCurrentCountry"=dword:00000053

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0002\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000001

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0003\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0005\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet003\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0006\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1060)
c:\program files\ThreatFire\TFWAH.dll

- - - - - - - > 'lsass.exe'(804)
c:\program files\ThreatFire\TFWAH.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvvsvc.exe
c:\program files\Microsoft Security Essentials\MsMpEng.exe
c:\windows\system32\nvvsvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\program files\ThreatFire\TFService.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\program files\HP\QuickPlay\Kernel\TV\QPSched.exe
c:\program files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
c:\program files\UnHackMe\hackmon.exe
c:\program files\Panda USB Vaccine\USBVaccine.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2010-11-15 05:36:34 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-15 00:06

Pre-Run: 46,969,303,040 bytes free
Post-Run: 46,561,689,600 bytes free

- - End Of File - - D5852FA53BD3E5E800504137CABE82C2

------------------------------------------------------------------------------------

5. After all settings of the security software on my system were re-enabled and the system was rebooted, I finally ran HijackThis.

Pasted below are the contents of the hijackthis.log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:38, on 11/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18975)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\winlogon.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Windows\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Bioscrypt\VeriSoft\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\Program Files\Panda USB Vaccine\USBVaccine.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Program Files\HP\Digital Imaging\bin\HpqSRmon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\BillP Studios\WinPatrol\WinPatrol.exe
C:\Program Files\CyberLink\Shared files\brs.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\HP\HP Software Update\hpwuschd2.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Program Files\Real\RealPlayer\Update\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe
C:\Program Files\KC Softwares\SUMo\SUMo.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Aerofoil\Aerofoil.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Users\Prashant Mujumdar\Desktop\Defogger.exe
C:\Program Files\Emsisoft Anti-Malware\a2service.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Emsisoft Anti-Malware\a2start.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\taskmgr.exe
C:\Windows\system32\prevhost.exe
C:\Windows\System32\NOTEPAD.EXE
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HiJackThis\HijackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = Google
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Home Page Reset - Symantec Corp.
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Home Page Reset - Symantec Corp.
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Windows Live Messenger Companion Helper - {9FDDE16B-836F-4806-AB1F-1455CBEFF289} - C:\Program Files\Windows Live\Companion\companioncore.dll
O2 - BHO: (no name) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - (no file)
O2 - BHO: Bing Bar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\6.3.2322.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: VeriSoft Access Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\Bioscrypt\VeriSoft\Bin\ItIEAddIn.dll
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [CognizanceTS] "rundll32.exe" C:\PROGRA~1\BIOSCR~1\VeriSoft\Bin\ASTSVCC.dll,RegisterModule
O4 - HKLM\..\Run: [ThreatFire] "C:\Program Files\ThreatFire\TFTray.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] "C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [RtHDVCpl] "C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe"
O4 - HKLM\..\Run: [hpqSRMon] "C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
O4 - HKLM\..\Run: [SynTPEnh] "%ProgramFiles%\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [NoAutorun] "C:\Users\Prashant Mujumdar\Downloads\NoAutorun-win32-bin-1.1.1.21\NoAutorun.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [BDRegion] C:\Program Files\Cyberlink\Shared files\brs.exe
O4 - HKLM\..\Run: [DivXUpdate] C:\Program Files\DivX\DivX Update\DivXUpdate.exe /CHECKNOW
O4 - HKLM\..\Run: [GrooveMonitor] C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
O4 - HKLM\..\Run: [LanguageShortcut] C:\Program Files\CyberLink\PowerDVD\Language\Language.exe
O4 - HKLM\..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe
O4 - HKLM\..\Run: [PikyAgent] C:\Program Files\Conceptworld\PikySuite\PikyAgent.exe /Startup
O4 - HKLM\..\Run: [QuickTime Task] C:\Program Files\QuickTime\QTTask.exe -atboottime
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [RemoteControl9] C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSSE] "c:\Program Files\Microsoft Security Essentials\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [TkBellExe] "C:\program files\real\realplayer\update\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [VistaBatterySaver] "C:\Program Files\SharpSoft\Vista Battery Saver\VistaBatterySaver.exe"
O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"
O4 - HKCU\..\Run: [SUMo] "C:\Program Files\KC Softwares\SUMo\SUMo.exe" /minimized
O4 - HKCU\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -startup
O4 - HKCU\..\Run: [Skype] C:\Program Files\Skype\\Phone\Skype.exe /nosplash /minimized
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [UnHackMe Monitor] C:\Program Files\UnHackMe\hackmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Aerofoil.lnk = C:\Program Files\Aerofoil\Aerofoil.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
O8 - Extra context menu item: Send image to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: @C:\Program Files\Windows Live\Companion\companionlang.dll,-600 - {0000036B-C524-4050-81A0-243669A86B9F} - C:\Program Files\Windows Live\Companion\companioncore.dll
O9 - Extra button: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1004 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: @C:\Program Files\Windows Live\Writer\WindowsLiveWriterShortcuts.dll,-1003 - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O15 - Trusted Zone: Windows Live OneCare
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {44990B00-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlcm.cab
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} - Help and Support
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A0756D7-96FB-4353-970F-57DCA7FF8C33}: NameServer = 218.248.255.194
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
O23 - Service: Emsisoft Anti-Malware 5.0 - Service (a2AntiMalware) - Emsi Software GmbH - C:\Program Files\Emsisoft Anti-Malware\a2service.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Defragmentation-Service (DfSdkS) - mst software GmbH, Germany - C:\Program Files\Ashampoo\Ashampoo WinOptimizer 6\Dfsdks.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 15611 bytes

What next?

Prashant

Let me look this over and I'll get right back to you.

System One

  • Manufacturer/Model
    Bruce ... somewhere in his 40's
    CPU
    Intel(R) Core(TM)2 Quad CPU
    Motherboard
    INTEL/D975XBX2
    Memory
    4 GB
    Graphics Card(s)
    ATI Radeon HD 2600 Pro
    Monitor(s) Displays
    Samsung SyncMaster 914v
    Screen Resolution
    1280 x 1024
    Hard Drives
    2/500GB each ... ST3500630AS ATA Device.
    One is not connected
    PSU
    Rocketfish 700 W
    Case
    G.Skill Gigabyte Chassis
    Keyboard
    Standard PS/2 Keyboard
    Mouse
    Microsoft PS/2 Mouse
    Internet Speed
    DSL
    Other Info
    ATI HDMI Audio
Right now, I see you have three topics open on this ... one here and at BC's
Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot.
and Malwarebytes!
Worm.P2P (Bot.exe) gets redetected again in the IXP000.TMP Folder during every Full Scan By MBAM even after system reboot. - Malwarebytes Forum

We're all volunteers on anti-malware forums. When you choose multiple forums to ask for the same help, you are using time that could be spent helping another victim. :(

Which forum would you like to have help you?