.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2008-02-20 32768]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2006-10-30 392832]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2007-08-13 8466432]
"NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2007-08-13 81920]
"NVMixerTray"="c:\program files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 131072]
"Bluetooth Connection Assistant"="c:\program files\Logitech\SetPoint\LBTWiz.exe" [2007-11-15 59920]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Monitor"="c:\program files\LeapFrog\LeapFrog Connect\Monitor.exe" [2008-11-25 356352]
"SMSTray"="c:\program files\Samsung\Samsung Media Studio 5\SMSTray.exe" [2007-12-14 132624]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-04-29 1947928]
"x3watch"="c:\program files\X3watch\x3watch.exe" [2008-06-01 299008]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2007-09-21 55824]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
D-link AirPlus G DWL-G120 Wireless USB.lnk - c:\program files\D-link AirPlus G DWL-G120 Wireless USB\120UTIL.exe [2008-5-8 241664]
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2008-2-20 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2008-2-20 784912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2007-11-15 15:10 72208 ----a-w c:\program files\common files\logitech\bluetooth\LBTWLgn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-04-29 23:03 11952 ----a-w c:\windows\system32\avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c00db89b]
[BU]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Documents and Settings\\Roger Wilson\\Application Data\\Juniper Networks\\Juniper Terminal Services Client\\dsTermServ.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\muzapp.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R2 .norton2009Reset;Norton 2009 Reset;c:\documents and settings\All Users\Application Data\Norton\Norton2009Reset.exe [2009-03-27 280833]
R3 FlyUsb;FLY Fusion;c:\windows\system32\DRIVERS\FlyUsb.sys [2008-11-25 18560]
R4 Roxio UPnP Renderer 11;Roxio UPnP Renderer 11; [x]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2009-04-29 12552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2009-04-29 325896]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2009-04-29 108552]
S1 BIOS;BIOS;c:\windows\System32\drivers\BIOS.sys [2005-03-16 13696]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2009-04-29 298776]
S2 LeapFrog Connect Device Service;LeapFrog Connect Device Service;c:\program files\LeapFrog\LeapFrog Connect\CommandService.exe [2008-11-25 991232]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1c93cf60-f54d-11dd-99fd-044b80808003}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{54fc8c10-da0d-11dd-99eb-044b80808003}]
\Shell\AutoRun\command - rcaeasyrip_setup.exe
\Shell\install\command - rcaeasyrip_setup.exe
\Shell\usermanualEnglish\command - "rcaeasyrip_setup.exe" /pdf_English
\Shell\usermanualFrench\command - "rcaeasyrip_setup.exe" /pdf_French
\Shell\usermanualSpanish\command - "rcaeasyrip_setup.exe" /pdf_Spanish
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d7be9735-d930-11dd-99e8-044b80808003}]
\Shell\AutoRun\command - I:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
2009-05-02 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
.
------- Supplementary Scan -------
.
uStart Page =
hxxp://www.igoogle.com/uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java -
file://c:\windows\Java\classes\xmldso.cabDPF: {549f957e-2f89-11d6-8cfe-00c04f52b225}
FF - ProfilePath - c:\documents and settings\Roger Wilson\Application Data\Mozilla\Firefox\Profiles\ehf4q7qx.default\
FF - prefs.js: browser.startup.homepage -
hxxp://www.igoogle.com/FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPJPI150_14.dll
FF - plugin: c:\program files\Java\jre1.5.0_14\bin\NPOJI610.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.netRootkit scan 2009-05-05 21:02
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(704)
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
c:\program files\common files\logitech\bluetooth\LBTServ.dll
- - - - - - - > 'explorer.exe'(1388)
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Logitech\Bluetooth\LBTServ.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\rundll32.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2009-05-06 21:07 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-06 02:07
ComboFix2.txt 2009-05-01 23:33
Pre-Run: 48,632,090,624 bytes free
Post-Run: 48,656,621,568 bytes free