I think I still have malware

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tadpole, Aug 23, 2009.

  1. tadpole

    tadpole Private First Class

    Hallo

    Early this month my laptop was given a clean bill. I still had a few problems. I posted in the software forum about boot troubles. A reply I got suspected that I may still have some malware.

    Attached are my logs. I had to run ComboFix, RootRepeal and MGtools in safe mode. Please would someone be kind enough to check my logs.

    Thank you.
     

    Attached Files:

  2. tadpole

    tadpole Private First Class

    Hallo

    Here is my last log file.
     

    Attached Files:

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Sorry but your logs are still clean. You are not having malware problems. Perhaps you need to look into a reinstall since you seem to be having so many problems with your Windows Vista OS.

    You do, however, still seem to be downloading and saving files in locations that you should not be saving them to. The below should all be deleted or moved elsewhere:
    Code:
    2009-08-21 16:18 5799440 ----a-w- c:\users\tadpole\PowerPack142.exe
    2009-08-17 16:59 4208440 ----a-w- c:\users\tadpole\sp36128.exe
    2009-08-17 16:57 473096 ----a-w- c:\users\tadpole\sp38202.exe
    2009-08-17 16:54 325864 ----a-w- c:\users\tadpole\sp35930.exe
    2009-08-17 16:49 329160 ----a-w- c:\users\tadpole\sp39547.exe
    2009-08-17 16:37 27343560 ----a-w- c:\users\tadpole\compatibilitypacksp1-kb940289-fullfile-en-us.exe
    2009-08-17 16:20 22078920 ----a-w- c:\users\tadpole\sp36056.exe
    2009-08-17 16:07 1899440 ----a-w- c:\users\tadpole\sp36881.exe
    2009-08-17 15:44 26331264 ----a-w- c:\users\tadpole\sp40270.exe
    2009-08-17 15:02 204496 ----a-w- c:\users\tadpole\StartUpLite.exe
    2009-08-17 14:32 3130680 ----a-w- c:\users\tadpole\sp37614.exe
    2009-08-17 14:23 4124680 ----a-w- c:\users\tadpole\sp41959.exe
    2009-08-17 12:40 78025688 ----a-w- c:\users\tadpole\qc1050enu.exe
    2009-08-15 15:13 3278552 ----a-w- c:\users\tadpole\ccsetup222.exe
    2009-08-14 14:02 5177816 ----a-w- c:\users\tadpole\DriverSweeper_2.0.5.exe
    2009-08-03 10:28 2169915 ----a-w- c:\users\tadpole\SetupImgBurn_2.5.0.0.exe
    2009-08-02 17:40 261295 ----a-w- c:\users\tadpole\unlocker1.8.7.exe
    2009-08-01 13:58 167034 ----a-w- c:\program files\fa-setup.exe
    2009-07-17 13:59 1343301 ----a-w- c:\program files\MGtools.exe
    2009-07-12 09:29 2908976 ----a-w- c:\program files\Norton_Removal_Tool.exe
    2009-06-28 16:33 1007824 ----a-w- c:\program files\ccsetup221_slim.exe
    2009-06-28 08:32 6568480 ----a-w- c:\program files\SUPERAntiSpyware.exe
    2009-06-25 12:50 1854 ----a-w- c:\program files\WinZip.lnk
    2009-06-25 12:46 13727048 ----a-w- c:\program files\winzip121.exe
    2009-06-08 08:50 108395 ----a-w- c:\program files\ZapMessenger.zip
    2009-04-23 13:17 625011 ----a-w- c:\program files\Windows6.0-KB917607-x64.msu
    2009-04-21 17:22 1144168 ----a-w- c:\program files\wlsetup-custom.exe
    2009-02-15 12:46 359656 ----a-w- c:\program files\msicuu2.exe
    2007-09-05 23:55 134701218 ----a-w- c:\program files\sp36729.exe

    Since you are not having malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. After doing the above, you should work through the below link:
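The list above is the kind of thing a helper pulls by eye out of a ComboFix log. As an added example, not part of chaslang's post or of ComboFix itself, here is a small parser for those listing lines (date, time, size, attribute string, path) that flags installer-type files sitting directly in a user profile root or directly in the Program Files root. The regex, the extension set and the one tcpip.sys line are my own assumptions and constructions; the other sample lines are copied from the listing in the post.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from pathlib import PureWindowsPath

# One line of the ComboFix-style listing quoted in the post:
#   2009-08-21 16:18 5799440 ----a-w- c:\users\tadpole\PowerPack142.exe
# i.e. date, time, size in bytes, an 8-character attribute string, then the path.
# (Assumed layout, derived from the lines shown in the post.)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>.+?)\s*$"
)

# Extensions that mean "somebody downloaded an installer or package here" (my choice).
INSTALLER_EXTS = {".exe", ".msi", ".msu", ".zip"}


@dataclass(frozen=True)
class Entry:
    when: datetime
    size: int
    attrs: str              # kept verbatim; not interpreted here
    path: PureWindowsPath


def parse_line(line: str):
    """Return an Entry for one listing line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
    return Entry(when, int(m["size"]), m["attrs"], PureWindowsPath(m["path"]))


def parse_log(text: str):
    """Parse every recognisable line; blank and unrelated lines are skipped."""
    return [e for e in map(parse_line, text.splitlines()) if e is not None]


def is_loose_installer(entry: Entry) -> bool:
    """True for an installer-type file directly in a profile root
    (c:\\users\\<name>\\x.exe) or directly in the Program Files root."""
    if entry.path.suffix.lower() not in INSTALLER_EXTS:
        return False
    parts = [p.lower() for p in entry.path.parts]   # ('c:\\', 'users', 'tadpole', 'x.exe')
    in_profile_root = len(parts) == 4 and parts[1] == "users"
    in_program_files_root = len(parts) == 3 and parts[1] in (
        "program files", "program files (x86)")
    return in_profile_root or in_program_files_root


def flag_loose_installers(text: str):
    """Paths, as written in the log, that should be moved or deleted."""
    return [str(e.path) for e in parse_log(text) if is_loose_installer(e)]


# Sample input: five lines copied from the listing in the post, plus one
# constructed line for a file in a normal location, to show it is not flagged.
SAMPLE_LOG = r"""
2009-08-21 16:18 5799440 ----a-w- c:\users\tadpole\PowerPack142.exe
2009-08-17 16:59 4208440 ----a-w- c:\users\tadpole\sp36128.exe
2009-08-01 13:58 167034 ----a-w- c:\program files\fa-setup.exe
2009-06-25 12:50 1854 ----a-w- c:\program files\WinZip.lnk
2009-04-23 13:17 625011 ----a-w- c:\program files\Windows6.0-KB917607-x64.msu
2009-04-11 08:28 1000000 ----a-w- c:\windows\system32\drivers\tcpip.sys
"""

if __name__ == "__main__":
    for path in flag_loose_installers(SAMPLE_LOG):
        print("move or delete:", path)
```

Feed it the "Find3M" section of a real ComboFix log and it returns the same four kinds of paths chaslang picked out above; the .lnk and the driver in system32 are left alone.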
     
  4. tadpole

    tadpole Private First Class

    Hallo chaslang,

    Thank you for your reply. There is something hiding in my computer. Every time I try to do something, i.e. when I opened a zip file to view the logs I sent you, my firewall warns me:

    WINZIP32.exe could not be recognised and is about to modify the protected registry key HKLM\SOFTWARE\Classes\winzip.regfile\shell\open\command\; you must make sure WINZIP32.exe is safe. I block it, then I get WINZIP32.exe is trying to access explorer.exe. The parent application that is accessing the target application in memory will allow the parent application to fully control the target application. I block it, and it tries to access the service control manager: WINZIP.exe could not be recognised and is about to access the service control manager. The service control manager can be used to perform privileged operations including installing high privileged apps or even device drivers. I block it and next thing it is trying to access the keyboard directly. This goes on and on as I block the requests.

    I am getting e.g. ipremove.exe is trying to access mcbuilder.exe. If I allow it, I lose my internet connection. I have a reg key "cryptsipdll remove signed datamsg.registrykey, HKEY_LOCAL_MACHINE\software\microsoft\cryptography\oid". I have an iphlpapi: HKLM\SOFTWARE\microsoft\security Center\svc\antivirusoveride iphlpapi.dll; something is going on with dfsreplication. I have 3736 MSIL files. My computer is very busy and when I try to uninstall something I get a message to wait, as something else is installing.

    Before doing ComboFix, I had lost my connection and I had to wait 15 - 20 minutes until I could boot without getting a blue screen (my boot problem I referred to). After ComboFix, booting was normal and I got the connection back. That ipremove.exe then tried to run; I deleted it. On next boot, I had no connection and found that my firewall was now on "Block all mode".

    Some of the above may be normal, I don't know. Every time I do anything, something tries to take full control over various services and programs including my program unlocker.exe.

    When I do chkdsk /f there is always an unknown error when checking index files. Yesterday for the first time I got a message doing it: "index entry 000000000002D221 in index $130 of file 8679 is incorrect". This index $130 has come up before, after I removed the unknown driver adfs, which had a yellow mark, in non plug and play. After removal, 11 new drivers with a yellow mark appeared. I deleted them and ran chkdsk /f; it then deleted a whole lot of stuff and there were referrals to this $130 file.

    These are examples of a few odd things.

    My dfsreplication file was modified on 28/05/2009, and only 5 logs appeared in my computer dated 13 and 14th June, which is when my problems first really became bad. These files were also marked with $ signs.

    I am not being paranoid, there is something nasty hiding in my own files!
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Normal behavior when you have not approved the application you are trying to run to have access. Thus you are just having problems either with your protection software and not knowing how to work with it, or with understanding Vista's UAC.

    If you keep blocking applications that you are trying to use (like WinZip) nothing will work for you.

    Not malware. ipremove.exe and mcbuilder.exe are Vista files. You have caused problems to your OS by deleting or blocking things your PC needs to run.


    These are not malware problems. As I stated before, you have a problem within your Windows OS or with your hardware. You need to work this out in another forum or you should simply reinstall and be more careful that you don't block things from running that need to run.
     
    Last edited: Aug 30, 2009
  6. tadpole

    tadpole Private First Class

    Thank you chaslang.
     
  7. tadpole

    tadpole Private First Class

    Hallo chaslang,

    I am not sure which forum to go to for help. (I do not have recovery discs, cannot get them, so a reinstall is not an option.) Please can you advise which forum to go to. I found a file containing over 6900 files, which mostly show up as containing 0 bytes and were originally dated 12/06/2009. I zipped them (23.9MB) but when I tried to upload here I got a message "your submission could not be processed because a security token was missing". When I installed Java 16 during the read and run me, on 21/08/2009, my problems began again, and these files were modified. I found this at C:\windows\softwaredistribution\download. I ran RootRepeal using the stealth tab and it found 86 stealth objects.

    It seems as though something is hiding as a legitimate vista process and cloning my program files. "Trusted installer" has special permissions under security on a number of files that report malware type activity.


    Thanks, and sorry to trouble you.
     

    Attached Files:

    Last edited: Sep 3, 2009
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I assume you meant to say you found a folder containing 6900 files?

    You need to be specific.
    What folder and what types of files?
    And what are you trying to do with them?

    You cannot attach a file this large, no matter what it is.

    What problems began again?
    What files were modified? Any installation is obviously going to modify files related to the installation.

    Based on the log you attached, no problems were found. There are many files/processes that are normally hidden and/or inaccessible on a PC.

    I don't know what you are referring to. You need to be specific. What files? What are you doing/running to find this information that you are questioning?

    I still don't believe you are having malware problems based on what we have seen in your logs thus far.
     
  9. tadpole

    tadpole Private First Class

    Hallo chaslang, thank you for replying to me.

    Yes it was a folder C:\windows\softwaredistribution\download.

    It is difficult to explain, as so many of the things happening appear normal, but I know they are not. I have spent quite a lot of time reading about the Comodo firewall, and how to use it. I am the only person who has ever used this laptop, and I always have sharing switched off. I did use messenger programs and sometimes a webcam before I got infected.

    Here is an example of what happened when I tried to download a fresh copy of Wise Registry Cleaner, after my copy had begun odd behaviour.

    At 99% download I get a Windows message telling me I do not have permission to save the file to this location (be it desktop, program files, my documents). A window similar to the recycle bin deleting a file appears and says it is copying. I am unable to cancel it. A minute later, without pressing a key, Comodo warns that wiseregistrycleaner.exe is trying to modify a registry key. I block the request, and it tries to access another key, and so on.

    A file ntfs.sys has also given me problems after I allowed it to run.

    Wercon.exe is very active, and so are HP user etray, ehmsas.exe and svchost.exe; I know some of this appears normal.

    Comodo warns wercon.exe could not be recognised and is about to modify the protected registry key HKLM\SOFTWARE\Policies\microsoft\systemcertificates\root. I block it. Comodo warns wercon.exe could not be recognised and is about to modify the protected registry key HKUS\S-1-5-21-1665639809-2103792194-3670557550-1000\software\policies and then microsoft\systemcertificates\CA
    wermgr.exe is trying to access svchost.exe in memory
    wermgr.exe is trying to execute wercon.exe

    In Comodo I have to click on, e.g., wermgr.exe to check the date of installation and the security tab. If it has a recent date of installation, and I do not block it, something goes wrong with my system, i.e. my screen will go so fuzzy that I can barely see it. I have to reboot. On searching my registry I found the following key:

    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\ime\IMTC70\FuzzyScheme

    Name Type Data

    (Default) REG_SZ (value not set)
    Data REG_BINARY 87 3f 00 00
    Name REG_SZ {EF8C6C27-997A-4af2-BCOE-A15C84790F8C}

    If I do not block ipremove.exe, I am then unable to connect to the net. Again this file will show as having been installed within the last week or two. The files with the same names, created at initial installation, give me no problems.

    Today, again I was unable to connect to the net after blocking ipremove.exe. I checked my firewall and saw it was on Block All Mode. I turned it back to custom policy mode, where I set it, and tried again. No connection. I checked Comodo again and it was set back to block all mode.
    I have a file unlocker, and regassassin which wercon.exe keeps trying to modify without a key being pressed, or a mouse click.
    wercon.exe is trying to modify cfp.exe (Comodo firewall). When I checked cfp.exe in the Comodo window, it says it was installed on 2 September 2009, whilst when I checked cfp.exe in C:\ it was installed on 10 August 2009, which is correct, and the security tab had registered a new account: ?Account unknown (S-1-5-5-0160081) permissions - read, execute, full control, modify, write. I as administrator and tadpole-PC only have permissions to read and execute. This same account has special permissions only ticked in some security tabs.

    This sort of thing became much worse after I installed Java update 16, after having uninstalled all java using youruninstaller. I cannot uninstall it without these newly made files popping up, so deleted what java files I found in the registry.

    Today I looked at my Internet Explorer add-ons and found 2 that are unknown to me:
    Name XML DOM Document 3.0
    Publisher Microsoft Corporation
    Status Enabled
    File date 11 April 2009, 8:28 AM
    Version 8.100.5000.0

    Name Deployment Toolkit
    Publisher Sun Microsystems, Inc.
    Status Enabled
    File date 22 August 2009, 7:32 PM
    Version 6.0.160.1

    I have quite a few files\folders dated 11 April 2009 that appear to do odd things.

    I checked Sun Microsystems' website, and it looks like this is an old tool. IBM's security website wrote the following about it:

    Sun Java Runtime Environment ActiveX control code execution
    sun-jre-activex-code-execution (50629) High Risk

    Description:

    Sun Java Runtime Environment ActiveX control (deploytk.dll) could allow a remote attacker to execute arbitrary code on the system. By persuading a victim to visit a specially-crafted Web page that passes a .jnlp URL in the argument to the launch, installLatestJRE or installJRE method, a remote attacker could exploit this vulnerability and execute arbitrary code on the system with the privileges of the victim or cause the victim's browser to crash.

    Here is a sample of some of the reg keys I cannot find using Google.

    HKEY_USERS\S-1-5-21-1665639809-2103792194-3670557550-1000_Classes\.regtrans-ms
    HKEY_USERS\S-1-5-21-1665639809-2103792194-3670557550-1000_Classes\regtrans-ms_auto_file



    The fuzzy screen I was getting only seemed to come when I was using tools like unlocker and regassassin. Before Wise Registry Cleaner behaved oddly, my system crashed when I used it, or my machine would overheat and show a fatal error. There are a number of zero-byte files on my computer with recent dates, mainly the date I installed Java, 21 August 2009. Zero-byte NTuser.dat files that unlocker cannot delete, fileassassin cannot see them, and registry keys regassassin cannot delete, e.g.

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_LMIRFSDRIVER and sub key 0000

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Class\{36FC9E60-C465-11CF-8056-444553540000} with sub keys 0000 to 0032, then "properties". When I try to view it: "properties cannot be opened. An error is preventing this key from being opened. Access denied."

    In program files I have PSSWCORE with no installation date or size and no option to uninstall or delete.

    For 2 days my iexplorer stopped working, with a message that microsoft explorer was closing. It would start up and immediately stop. This went on continuously in a loop, even in safe mode. I then totally lost windows explorer (not found on this computer) and got it back using a restore point.

    A number of files (which I never have) shared and the security tabs' list of accounts have Microsoft's twin heads logo.

    Each time I mistakenly allow the wrong file to run, something else happens. I am denied access to files, reg keys and to download or install some programs, such as Microsoft Office. I still cannot run chkdsk /f without it reporting an unknown error. My system crashes when I install my nVidia graphics driver. When I get a blue screen I run a Vista boot recovery disk, which often reports a bad driver even after disabling and then deleting nVidia. According to my device manager all drivers including non plug and play are working. Unfortunately I cannot take screen shots using mspaint. I tried another paint program and was denied access to save it.

    Attached are 2 gmer files, that show possible rootkit activity and a conflicting device report. My computer reports no conflicting devices, yet when I look in the resource tab of VgaSave driver under non plug and play,it has the settings and conflicts below :

    Resource Type: I/O range Setting: 03B0-03BB
    Resource Type: I/O range Setting: 03C0-03DF
    Memory Range: 000A0000-000BFFFF

    Input/Output Range 03B0 - 03BB used by:
    Mobile Intel(R) PM965/GM965/GL960 Express PCI Express Root Port - 2A01
    Input/Output Range 03C0 - 03DF used by:
    Mobile Intel(R) PM965/GM965/GL960 Express PCI Express Root Port - 2A01
    Memory Range 000A0000 - 000BFFFF used by:
    Mobile Intel(R) PM965/GM965/GL960 Express PCI Express Root Port - 2A01


    If none of this proves that I still have malware, please tell me what sort of things you need to see, I am getting desperate as I live in a very remote area and my only source of income is being able to use my computer.

    Thank you for your time
     

    Attached Files:

    Last edited: Sep 8, 2009
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    A normal system folder used for Windows installation and updates.

    Just sounds to me like you are having a problem understanding the restrictions put in place by Vista and by your protection software. Try saving it somewhere else; if that does not work then I suggest that you try reinstalling Vista from scratch and be more careful what you install and what you download, and also what changes you make to Vista.

    Also perhaps you should spend some time in the software forum asking questions and learning about Vista. Your logs have been clean all along. So there is probably nothing I can do for you here since there is nothing we need to do.

    If you are having a problem understanding how Comodo works or dealing with it, then uninstall it and use something else.

    While it is possible that you have an MBR infection, the only thing you can do for that is rewrite the MBR from your Vista DVD or using another program to do the same. Some programs imply they can fix MBR infections but frequently they do not work, and GMER is even known to detect infections in the MBR after its own MBR.exe program has been run to fix the boot record. Also note that MBR infections are not known to cause all the kinds of problems you have been mentioning.

    GMER has been known to report infections when there are none too. Sometimes non-standard disk formatting/partitioning tools can cause problems like this.

    Prevx CSI used to say they could detect and fix MBR infections. You may wish to try it. Not sure if the free version will fix, but it may detect: Prevx CSI - FREE Malware Scanner

    Dr.Web CureIT has sometimes been useful in detecting and removing MBR infections. You could also try running it.

    Also you could try GMER's tool as shown below.

    Please download GMER's MBR.exe and save to your Desktop


    • Double click on the MBR.exe file to run it.
    • Now try to run the below instructions.
    • Click Start > Run and copy & paste the following text in the code box into the Run box and then click OK:
    Code:
    "%userprofile%\desktop\mbr.exe" -f
    • Now double click on the mbr.exe file and attach the mbr.log file here.
     
    Last edited: Sep 12, 2009
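To make concrete what an MBR check compares (and why rewriting the boot record from the Vista DVD is the only real fix), here is an added illustration in Python. It is not part of chaslang's post and is not how GMER's MBR.exe works internally, which the thread does not describe. It builds constructed 512-byte sector images, keeps a SHA-256 of the 440-byte boot-code area as a baseline, and reports when the boot code changes while the partition table stays the same, which is the shape a bootkit leaves because the machine must still boot. The boot-code bytes, partition layout and the `read_physical_mbr` helper (device path `\\.\PhysicalDrive0`, Administrator rights) are assumptions.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440               # bytes 0..439: boot code
PART_TABLE_OFF = 446              # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"      # bytes 510..511
# status, CHS start, type, CHS end, LBA start, sector count (little-endian)
ENTRY = struct.Struct("<B3sB3sII")


def build_mbr(boot_code: bytes, partitions, disk_sig=0x1234ABCD) -> bytes:
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    assert len(boot_code) <= BOOT_CODE_LEN and len(partitions) <= 4
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<I", img, 440, disk_sig)          # Windows disk signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        ENTRY.pack_into(img, PART_TABLE_OFF + 16 * i,
                        0x80 if bootable else 0x00, b"\xfe\xff\xff",
                        ptype, b"\xfe\xff\xff", lba, count)
    img[510:512] = BOOT_SIGNATURE
    return bytes(img)


def parse_partitions(mbr: bytes):
    """Return the four partition entries as dicts (empty entries included)."""
    out = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(mbr, PART_TABLE_OFF + 16 * i)
        out.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return out


def boot_code_hash(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str, baseline_partitions):
    """Compare a sector against a known-good baseline; empty list means clean."""
    if len(mbr) != SECTOR:
        return [f"unexpected sector length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    if parse_partitions(mbr) != baseline_partitions:
        findings.append("partition table differs from baseline")
    return findings


def read_physical_mbr(device=r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk on Windows (needs Administrator; not run here)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


# Constructed data: a stand-in for boot code and a typical Vista-era layout
# (small boot partition, then the OS partition). Not taken from any real disk.
GOOD_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
                  + b"Invalid partition table\x00")
GOOD_PARTS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 100_000_000)]
GOOD_MBR = build_mbr(GOOD_BOOT_CODE, GOOD_PARTS)
BASELINE_HASH = boot_code_hash(GOOD_MBR)
BASELINE_PARTS = parse_partitions(GOOD_MBR)

# Constructed tampered copy: partition table untouched so Windows still boots,
# but the first bytes of boot code replaced by a jump elsewhere in the sector.
_t = bytearray(GOOD_MBR)
_t[0:5] = b"\xe9\x00\x02\x90\x90"
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    print("baseline:", check_mbr(GOOD_MBR, BASELINE_HASH, BASELINE_PARTS))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH, BASELINE_PARTS))
```

The baseline has to come from a sector you trust (a fresh install, or a known-good image of the same OS and disk), which is why a tool that only looks at the live sector cannot be certain; a rootkit that filters disk reads can also hand the checker a clean copy, which is the usual reason for checking from boot media instead.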
  11. tadpole

    tadpole Private First Class

    Hallo

    I have been running my laptop with UAC turned off as per read and run me, from the time I joined the forum. Even logged in as administrator I am denied access to some of my own files and folders and unable to delete some things, whereas prior to getting infected I had no problems. I have been using Vista for 20 months and could download and save what I wanted, wherever I chose.

    I was unable to download the 3 tools in normal mode. In safe mode with networking, I today finally managed to download Dr.Web CureIt and Prevx. When I click the MBR.exe link (in safe mode) in your post I get a message saying "Internet Explorer has stopped working. A problem caused the program to stop working correctly. Windows will close the program and notify you if a solution is found." or "Your current security settings do not allow you to download this file". I have not changed the security settings. I am able to download other files at the moment.

    When I run Dr.Web CureIt in safe mode, after a few minutes my computer crashes and needs a reboot. In normal mode, I got a message from Prevx saying malicious files were preventing it from running. In safe mode it has a message "Prevx 3.0 could not connect to the internet. Please establish a working connection." I get this even when I have a live connection to MajorGeeks or my e-mail at the time. When I click the update button, it says the program is up to date. If I do not close the message window, Prevx runs, but the scanned files remain at 0, even after 40+ minutes. Is there any way I can try to get round this?

    I would have done a complete reinstall long ago, but Hewlett-Packard USA refuses to sell me recovery discs, saying I must get them in the country where I purchased the laptop. HP in that country does not return my calls, nor my e mails. Their agents that I tried do not ship out of the country, and the store I bought it from does not return my calls. In my current country I cannot buy a fresh copy of Vista, that is only possible if I buy a new computer to go with it, which is not an option at the moment.

    I am getting embarrassed now, but I am completely stuck with my malware, that you do not think I have!

    I will continue trying to get these tools to run, in the hope that there is a way to do it.

    Thank you for your time and patience.
     
  12. tadpole

    tadpole Private First Class

    Hallo chaslang

    I eventually managed to run Prevx CSI and Dr.Web CureIt. They only found ComboFix. I used a public computer to copy MBR.exe to disk, which I ran. When I tried to run the code "%userprofile%\desktop\mbr.exe" -f an error message came up: "illegal operation attempted on a registry key that has been marked for deletion". I ran ComboFix because I was getting a blue screen on booting unless I left the computer switched off for 30 odd minutes. ComboFix deleted a folder named C:\microsoft. I then ran MBR.exe again with your code. The log is attached.

    ComboFix: C:\Qoobox\Quarantine\Registry_backups\tcpip.reg. Seeing this made me think. I had malware in mid December 2008 that needed a professional's help to remove. A couple of days prior to that I had been given a link to a program that was supposed to override the Vista limit to the number of web connections one can have at a time. This link was given to me by the person whom I claim hacked me in May. The files I downloaded and used to do this are as follows:

    InstallPatch32-18063.bat Type: Windows Batch File

    InstallPatch32-22167.bat Type: Windows Batch File

    InstallPatch64-22167.bat Type: Windows Batch File

    tcpip32-18063.sys File description: TCP/IP Driver Company: Microsoft
    Corporation. File version 6.0.6001.18063

    tcpip32-22167.sys File description: TCP/IP Driver Company: Microsoft
    Corporation. File version 6.0.6001.22167

    tcpip64-18063.sys File description: TCP/IP Driver Company: Microsoft
    Corporation. File version 6.0.6001.18063

    tcpip64-22167.sys File description: TCP/IP Driver Company: Microsoft
    Corporation. File version 6.0.6001.22167

    UndoVista_TCPIP_limit.reg Type : Registration Entries

    Vista_TCPIP_limit_50K.reg Type : Registration Entries

    Disable_UAC_Prompt.reg

    Enable_UAC_Prompt.reg



    There was also something called Ready Driver, to enable an unsigned driver to run.

    When I boot up, I have the following options:

    Microsoft Vista
    Ready Driver
    Ready Driver

    I still have these files on my computer at \tadpole\downloads

    I have attached the ComboFix log.

    When I ran GMER there was an entry in red: service C:\windows\system32\alg.exe? (hidden) value (manual) ALG, and a window with: "warning. GMER has found system modification caused by ROOTKIT activity".

    Each time GMER tried to run a full system check my computer switched off when it reached Shadow copy.

    Hoping this info may be of use. Thank you for your time.
     

    Attached Files:

    Last edited: Sep 18, 2009
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry, but these logs are also clean. It is more likely that you have a corrupted OS. I suggest that you stop delaying the inevitable and just reinstall.

    The logs you previously attached from GMER did not show anything related to alg.exe so if there is something valid being detected now, it would be new.
     
  14. tadpole

    tadpole Private First Class

    Hallo chaslang

    I am having one last try to convince you that I have still got some malware. :)

    I told you that GMER had found evidence of rootkit activity, but each time I tried to run a full system scan my computer switched off. I used GMER to manually go through my folders and files. D:\$recycle.bin\ showed up as red, and so did a number of folders and files in C:\Hewlett-Packard. I have tried to delete the $recycle.bin before with an unlocker and failed. I managed to "injure" it and ran ComboFix, which deleted c:\$recycle.bin\S-1-5-21-1665639809-2103792194-3670557550-1000. I have for some time noticed unusual copying and recycling when I delete files or install programs. I think this copy is then used as a "legitimate" service. I have a broken internet connection, so I made my own CFScript and used it in ComboFix as follows:
    c:\$recycle.bin\S-1-5-21-1665639809-2103792194-3670557550-1000
    D:\$recycle.bin\S-1-5-21-1665639809-2103792194-3670557550-1000



    and I have attached the log file, showing what it deleted.

    The registry key for S-1-5-21-1665639809-2103792194-3670557550-1000 has now been replaced with S-1-5-21-1665639809-2103792194-3670557550-1008



    In the past weeks sometime I found the following data on my machine.

    Indirect access to an object has been obtained.
    object type : Port
    object name\RPC control\actkernel
    process ID : 1000
    primary user name :Network server
    Primary domain : NT authority
    primary logon ID : (0x0,0x3E4)
    accesses : communicate using port



    These are just a few of the reg keys which I think are involved, enumerator \0000. I cannot delete or alter them; they give an error message saying an error is preventing them from being deleted, or I cannot open the keys to see what data is there. Regassassin does not work on them. I appear to have a few accounts on my machine: CurrentVersion, ControlSet001, 002, 003, 004.

    HKEY_CLASSES_ROOT\CLSID\{3c6859ce-230b-48a4-be6c-932c0c202048}\LocalServer32
    HKEY_CLASSES_ROOT\CLSID\{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}\LocalServer32
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_64f3d4fcc5c084a0
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_672a96f8c2ab9574
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16386_none_8ed67188503ba527
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16609_none_8f2ff7784ff80919
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.20734_none_8f94230d69327e03
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6001.18000_none_910d33844d26b5fb
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6002.18005_none_92f8ac904a488147
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247
    HKEY_LOCAL_MACHINE\COMPONENTS\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247\f256!trustedinstaller.exe
    HKEY_LOCAL_MACHINE\COMPONENTS\Winners\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3c6859ce-230b-48a4-be6c-932c0c202048}\LocalServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8F5DF053-3013-4dd8-B5F4-88214E81C0CF}\LocalServer32
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\ComponentDetect\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_0.0.0.0_none_b4e729319550f231
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Performance\Resolvers
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.0.6000.16386_en-us_64f3d4fcc5c084a0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-t..installer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_672a96f8c2ab9574
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16386_none_8ed67188503ba527

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16609_none_8f2ff7784ff80919
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.16609_none_8f2ff7784ff80919
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.20734_none_8f94230d69327e03
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6000.20734_none_8f94230d69327e03
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6001.18000_none_910d33844d26b5fb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6001.18000_none_910d33844d26b5fb
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6002.18005_none_92f8ac904a488147
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\Components\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_6.0.6002.18005_none_92f8ac904a488147
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\DerivedData\VersionedIndex\6.0.6002.18005_001c11ba\ComponentFamilies\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247\f256!trustedinstaller.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-trustedinstaller_31bf3856ad364e35_none_5a0be3599c7fc247
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Winlogon\Notifications\Components\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TRUSTEDINSTALLER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TrustedInstaller

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SPTD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\*6TO4MP
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\*ISATAP
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AVG_ANTI-ROOTKIT
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AVGARCLN
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AVGTDIX
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_AVGWFP
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_B9M1HQ
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDGUARD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ECACHE
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_EHSCHED
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_FONTCACHE3.0.0.0
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_LMIRFSDRIVER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_REMOTEACCESS
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_REMOTEREGISTRY
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_SHAREDACCESS
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TRUSTEDINSTALLER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\RDP_KBD
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\RDP_MOU
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TrustedInstaller\Enum

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Minimal\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\SafeBoot\Network\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Control\Winlogon\Notifications\Components\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TRUSTEDINSTALLER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TRUSTEDINSTALLER\0000
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Minimal\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\SafeBoot\Network\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Control\Winlogon\Notifications\Components\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TRUSTEDINSTALLER
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TRUSTEDINSTALLER
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TrustedInstaller

    I have a lot of drivers, and the siblings are mostly legacy drivers at root\0000.


    I also attach a file I named port.txt. I found this on my machine, and the IPs at the bottom and the 2 names I recognise as ones used by the person who has been harassing me.

    If this still does not show malware, I rest my case and leave you in peace.

    PS. The public computer is not reading my ComboFix logs on my CD, so I cannot attach them to this post.

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not have any malware but if you keep playing around like you are, you will soon have a broken PC.

    What you did was delete the required Recycle Bin folder for your tadpole user account. The below was your user ID as seen in your previous logs.

    When you deleted it, the system needed to replace it.

    You just need to properly protect your PC with each of the below and you need to move on:
    • an external NAT firewall (provided by a good router) and password protect it
    • a software firewall (also preferably password protected)
    • an antivirus program that is kept up to date
    • an antispyware program that provides realtime active protection
    • additional non-active protection provided by programs like Spybot Search & Destroy and Spyware Blaster.
    Having people that somehow may know your IP address does not mean you have malware. It means you had at some point in time allowed your IP address/PC to be accessed and someone knows of your existence. If you properly install the protection suggested and password-protect your PC and software, you will not have problems with external hackers. That is unless you open the door for the hackers by using P2P or torrent downloading programs or you access various online gaming sites that are notorious for getting people infected. These last items are security issues that only you can prevent.