I got a bad virus. Please help.


calg235
5 Nov 2008, 1:10pm
I tried to download one of the free registry fixes, and it ended up being a virus. My computer would restart at the beginning of Windows XP. I reloaded Windows and got it to start, but now I get a lot of error popup boxes; it disables the AntiVir program and a few others, it freezes from time to time, and it also shuts down Internet Explorer. Please help.
Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:15 AM, on 11/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
D:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
D:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
D:\WINDOWS\system32\BacsTray.exe
D:\WINDOWS\BCMSMMSG.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\Program Files\Digital Line Detect\DLG.exe
D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\TEMP\qpi12.tmp
D:\WINDOWS\system32\svchost.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\TEMP\nik14.tmp
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\system32\cmd.exe
D:\WINDOWS\system32\cmd.exe
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "D:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Dell Photo AIO Printer 922] "D:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe"
O4 - HKLM\..\Run: [DLBTCATS] rundll32 D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [prunnet] "D:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe"
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Digital Line Detect.lnk = D:\Program Files\Digital Line Detect\DLG.exe
O10 - Unknown file in Winsock LSP: d:\windows\system32\nwprovau.dll
O11 - Options group: [searching] Search from the Address bar
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: netprp - D:\WINDOWS\SYSTEM32\netprp.dll
O20 - Winlogon Notify: wcaiqnj - D:\WINDOWS\SYSTEM32\wcaiqnj32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: dlbt_device - Dell - D:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: FCI - Unknown owner - D:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: ICF - Unknown owner - D:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
--
End of file - 5062 bytes
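
What a responder reads first in a log like the one above, shown as an added example (editor's code, not anything calg235 or Veka posted): autostarts that run out of a temp folder (the [prunnet] Run entry and the .tmp processes under D:\WINDOWS\TEMP), a non-empty AppInit_DLLs value (karna.dat), Winlogon Notify DLLs with random names, and the two services (FCI and ICF) whose binary lives in an NTFS alternate data stream attached to svchost.exe (svchost.exe:ext.exe). The script below parses a handful of lines copied from that log and flags them with those heuristics. The regexes, severities and the "Unknown owner" rule are the editor's own assumptions, not HijackThis output.

```python
"""Triage a HijackThis v2 log for persistence entries that deserve a second look.

Added example for this thread, not a tool the poster or the forum used. The
scoring rules are the editor's own heuristics; the sample lines below are
copied from the log posted above and serve as constructed test input.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines from the first post.
SAMPLE_LOG = r"""
Running processes:
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\TEMP\qpi12.tmp
D:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O4 - HKLM\..\Run: [avgnt] "D:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKCU\..\Run: [prunnet] "D:\DOCUME~1\Owner\LOCALS~1\Temp\prun.exe"
O20 - AppInit_DLLs: karna.dat
O20 - Winlogon Notify: wcaiqnj - D:\WINDOWS\SYSTEM32\wcaiqnj32.dll
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - D:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: FCI - Unknown owner - D:\WINDOWS\system32\svchost.exe:ext.exe
"""

PROC_RE = re.compile(r"^[A-Za-z]:\\")                       # bare path: "Running processes" section
RUN_RE = re.compile(r"^O4 - .*?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<val>.+)$")
WINLOGON_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.I)               # anything executing out of a temp folder
ADS_RE = re.compile(r"\.exe:[^\\\s]+", re.I)                # file.exe:stream -> NTFS alternate data stream


@dataclass
class Finding:
    severity: str   # "high": act on it; "review": confirm against a known-good baseline
    line: str
    reason: str


def _exe_of(cmd: str) -> str:
    """Return the program part of a Run-key command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries the heuristics flag, in log order."""
    findings: list[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PROC_RE.match(line):
            # Code that is already running from a temp folder or as a .tmp file.
            if TEMP_RE.search(line) or line.lower().endswith(".tmp"):
                findings.append(Finding("high", line, "process running from a temp directory or a .tmp file"))
        elif m := RUN_RE.match(line):
            exe = _exe_of(m["cmd"])
            if TEMP_RE.search(exe):
                findings.append(Finding("high", line, f"autostart [{m['name']}] runs from a temp directory"))
            elif "\\" not in exe:
                # No directory: Windows resolves it by search order, so check what actually loads.
                findings.append(Finding("review", line, f"autostart [{m['name']}] uses an unqualified path: {exe}"))
        elif m := APPINIT_RE.match(line):
            # AppInit_DLLs is loaded into every process that links user32.dll.
            findings.append(Finding("high", line, f"AppInit_DLLs={m['val'].strip()} is injected into every user32 process"))
        elif m := WINLOGON_RE.match(line):
            # Notify packages run inside winlogon.exe as SYSTEM at every logon.
            findings.append(Finding("review", line, f"Winlogon Notify package {m['key']} loads {m['path']}"))
        elif m := SVC_RE.match(line):
            if ADS_RE.search(m["path"]):
                findings.append(Finding("high", line, f"service {m['svc']} starts from an NTFS alternate data stream: {m['path']}"))
            elif m["owner"] == "Unknown owner":
                findings.append(Finding("review", line, f"service {m['svc']} binary carries no company name"))
    return findings


def counts(findings: list[Finding]) -> dict[str, int]:
    """Number of findings per severity, e.g. {'high': 4, 'review': 2}."""
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n          {f.line}")
```

Run it as-is to print the flagged lines, or pass a whole log to triage(). The legitimate Avira service and Run entry pass through untouched, which is the point of the heuristics: they key on where a thing runs from and how it is wired in, not on names. The RSIT dump later in the thread shows the same family of tricks (Policies\Explorer\Run, SharedTaskScheduler, an extra LSA authentication package, DisableRegistryTools=1), but in a different line format that would need its own patterns.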

Veka
5 Nov 2008, 4:38pm
Hi calg235 and welcome to Icrontic. :)

Before we start: please be aware that removing malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However, it is impossible for me to foresee all interactions that may happen between the software on your computer and the tools we'll use to clear you of infection, and I cannot guarantee the safety of your system. In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start.


Step 1:


Please download Random's System Information Tool (RSIT) (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open.
Please post the contents of both log.txt (will be maximized) and info.txt (will be minimized).

calg235
5 Nov 2008, 7:47pm
I tried downloading it, and I keep getting the "no display page" or the "internet connection" error. I also tried it in safe mode.

Veka
6 Nov 2008, 3:30am
That might be due to the infections you have there.

Download RSIT on another PC, save it onto a USB memory stick and transfer it to the infected machine. Is this possible?

Veka
7 Nov 2008, 9:39am
Hi calg235. I withdraw my words; let's try HaxFix instead.


Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe) and save it to your desktop.


Double click on haxfix.exe to install HaxFix. (The standard installation path is c:\program Files\haxfix.)
Checkmark "Create a desktop icon".
Click "Next".
When the installation is completed, make sure that "Launch HaxFix" is checkmarked.
Click "Finish".

A red "DOS window" (DOS box) will open with the options:

1. Make logfile
E. Exit Haxfix


Select option 1 (Make logfile) by typing 1 and then pressing Enter.
HaxFix will start scanning the computer. When it is finished, a logfile will open: haxlog.txt > (c:\haxfix.txt)

Please post haxlog.txt together with a fresh HijackThis log.

calg235
7 Nov 2008, 4:53pm
I got RSIT on CD, but now my Windows desktop won't load. After the Windows XP logo displays, it goes to an all-black screen with nothing but my mouse cursor. I tried safe mode, and same thing. Do I need the Windows XP CD to fix it?

Veka
7 Nov 2008, 6:31pm
Try to start your computer by using the Last Known Good Configuration feature.


Start your computer.
When you see the "Please select the operating system to start" message, press the F8 key.
When the Windows Advanced Options menu appears, use the ARROW keys to select Last Known Good Configuration (your most recent settings that worked), and then press ENTER.
If you are running other operating systems on your computer, use the ARROW keys to select Microsoft Windows XP, and then press ENTER.

More detailed instructions here > http://www.computerhope.com/issues/ch000626.htm


If this works, it would be ideal to run HaxFix now. Please burn it to a CD before starting.

calg235
8 Nov 2008, 9:43pm
I had to reload Windows. I couldn't get HaxFix to run on it, but here's the RSIT log.

Logfile of random's system information tool 1.04 (written by random/random)
Run by Owner at 2008-11-08 16:35:14
Microsoft Windows XP Home Edition Service Pack 2
System drive D: has 28 GB (95%) free of 29 GB
Total RAM: 254 MB (38% free)
HijackThis download failed
======Scheduled tasks folder======
D:\WINDOWS\tasks\ftaiqwkl.job
======Registry dump======
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ada2c1b-f7bd-4d13-8771-2704a33b8706}]
D:\WINDOWS\system32\geBtSLcC.dll [2008-11-07 245760]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af42a3-94f3-42bd-f434-3604832c897d}]
D:\WINDOWS\system32\siejf93.dll - D:\WINDOWS\system32\siejf93.dll [2008-11-07 10000]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5bf49a2-94f3-42bd-f434-3604812c897d}]
D:\WINDOWS\system32\jsne87fidgf.dll - D:\WINDOWS\system32\jsne87fidgf.dll [2008-11-07 10000]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=D:\WINDOWS\system32\prun.exe [2008-11-07 34816]
"{F3-38-8B-B0-DW}"=D:\WINDOWS\system32\rjwnw64m.exe [2008-11-07 200733]
"bhokintpcih"=D:\WINDOWS\System32\regsvr32.exe [2004-08-12 11776]
"{89cb4c06-9a52-9870-baaa-59d107438ca3}"=D:\WINDOWS\system32\qjdkyvakzwjhxuyo.dll [2008-07-31 160768]
"ExploreUpdSched"=D:\WINDOWS\system32\scntrtdl.exe [2008-11-07 548928]
"jsg8jfgfdfhfhf"=D:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe [2008-11-07 15000]
"IUpd721"=D:\Documents and Settings\Owner\Application Data\NI.GSCNS\IUpd721.exe [2008-11-07 403968]
"xsjfn83jkemfofght"=D:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe [2008-11-07 15000]
"d4ef381f"=D:\WINDOWS\system32\ebtjabgi.dll [2008-11-08 71168]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]
"Lsass Service"=D:\Documents and Settings\Owner\Application Data\Microsoft\Windows\lsass.exe [2008-11-07 65024]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"prunnet"=D:\WINDOWS\system32\prun.exe [2008-11-07 34816]
"jsg8jfgfdfhfhf"=D:\DOCUME~1\Owner\LOCALS~1\Temp\winlogun.exe [2008-11-07 15000]
"gadcom"=D:\Documents and Settings\Owner\Application Data\gadcom\gadcom.exe [2008-11-07 56832]
"xsjfn83jkemfofght"=D:\DOCUME~1\Owner\LOCALS~1\Temp\winlogin.exe [2008-11-07 15000]
"Jnskdfmf9eldfd"=D:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe [2008-11-08 20993]
D:\Documents and Settings\Owner\Start Menu\Programs\Startup
Deewoo.lnk - D:\WINDOWS\system32\scntrtdl.exe
DW_Start.lnk - D:\WINDOWS\system32\rjwnw64m.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLS"="karna.dat"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\c00a2ed6]
D:\WINDOWS\system32\c00A2ED6.mat [2008-11-08 20992]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sys32]
sys32.dll []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\SharedTaskScheduler]
lke3iemrl490kgfgdsfd - {C5AF42A3-94F3-42BD-F434-3604832C897D} - D:\WINDOWS\system32\siejf93.dll [2008-11-07 10000]
mcb7uehuj3n8weuhejsw - {C5BF49A2-94F3-42BD-F434-3604812C897D} - D:\WINDOWS\system32\jsne87fidgf.dll [2008-11-07 10000]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"authentication packages"=msv1_0
D:\WINDOWS\system32\geBtSLcC
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=1
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145
"NoFolderOptions"=1
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
======List of files/folders created in the last 1 months======
2008-11-08 16:35:17 ----D---- D:\Program Files\trend micro
2008-11-08 16:35:14 ----D---- D:\rsit
2008-11-08 16:24:48 ----D---- D:\Program Files\Webtools
2008-11-08 16:24:12 ----D---- D:\Documents and Settings\Owner\Application Data\IUpd721
2008-11-08 16:21:10 ----SH---- D:\WINDOWS\system32\igbajtbe.ini
2008-11-08 16:21:10 ----A---- D:\WINDOWS\system32\xcvepi.dll
2008-11-08 16:21:09 ----A---- D:\WINDOWS\system32\ijqwimqm.dll
2008-11-08 16:21:06 ----A---- D:\WINDOWS\system32\ebtjabgi.dll
2008-11-08 16:20:00 ----D---- D:\Program Files\Mjcore
2008-11-08 16:19:38 ----A---- D:\WINDOWS\system32\wini108023.exe
2008-11-08 16:18:26 ----A---- D:\WINDOWS\brastk.exe
2008-11-07 21:18:25 ----A---- D:\WINDOWS\system32\delself.bat
2008-11-07 21:18:24 ----A---- D:\WINDOWS\system32\brastk.exe
2008-11-07 21:18:21 ----A---- D:\WINDOWS\system32\dfccfc61-.txt
2008-11-07 21:18:06 ----ASH---- D:\WINDOWS\system32\CcLStBeg.ini2
2008-11-07 21:18:06 ----ASH---- D:\WINDOWS\system32\CcLStBeg.ini
2008-11-07 21:18:00 ----A---- D:\WINDOWS\system32\geBtSLcC.dll
2008-11-07 21:12:58 ----ASH---- D:\WINDOWS\system32\vtUolMDv.dll
2008-11-07 21:05:45 ----A---- D:\WINDOWS\ntbtlog.txt
2008-11-07 21:04:16 ----A---- D:\WINDOWS\system32\whgrmiqbcrzel.dll-uninst.exe
2008-11-07 21:04:06 ----A---- D:\WINDOWS\system32\gside.exe
2008-11-07 21:01:57 ----A---- D:\WINDOWS\system32\rjwnw64m.exe
2008-11-07 20:52:05 ----A---- D:\WINDOWS\system32\jsne87fidgf.dll
2008-11-07 20:51:53 ----A---- D:\WINDOWS\system32\msupdate.exe
2008-11-07 20:51:53 ----A---- D:\WINDOWS\system32\mkrnl.exe
2008-11-07 20:51:48 ----A---- D:\WINDOWS\system32\siejf93.dll
2008-11-07 20:51:46 ----D---- D:\Documents and Settings\Owner\Application Data\NI.GSCNS
2008-11-07 20:51:40 ----A---- D:\WINDOWS\system32\geBsstst.dll
2008-11-07 20:50:36 ----A---- D:\WINDOWS\system32\cwtqqjsamqreua.exe
2008-11-07 20:50:30 ----A---- D:\WINDOWS\system32\scntrtdl.exe
2008-11-07 20:50:28 ----A---- D:\WINDOWS\system32\g62.exe
2008-11-07 20:50:28 ----A---- D:\WINDOWS\system32\atmtd.dll._
2008-11-07 20:50:28 ----A---- D:\WINDOWS\system32\atmtd.dll
2008-11-07 20:50:27 ----D---- D:\Documents and Settings\Owner\Application Data\gadcom
2008-11-07 20:50:18 ----SHD---- D:\WINDOWS\Y2FsdmluIGd1dGhyaWU
2008-11-07 20:50:18 ----D---- D:\Program Files\Network Monitor
2008-11-07 20:50:18 ----A---- D:\WINDOWS\uninstall_nmon.vbs
2008-11-07 20:50:15 ----A---- D:\WINDOWS\system32\hlrrvjvkcp.exe
2008-11-07 20:50:15 ----A---- D:\WINDOWS\system32\dwwnw64r.exe
2008-11-07 20:50:10 ----D---- D:\WINDOWS\system32\X5
2008-11-07 20:50:10 ----D---- D:\WINDOWS\system32\vm
2008-11-07 20:50:10 ----D---- D:\WINDOWS\system32\r2
2008-11-07 20:50:10 ----D---- D:\WINDOWS\system32\ert
2008-11-07 20:50:10 ----D---- D:\WINDOWS\system32\bb
2008-11-07 20:50:08 ----ASH---- D:\WINDOWS\system32\nnnoNfGv.dll
2008-11-07 20:50:06 ----A---- D:\WINDOWS\system32\iifFVnop.dll
2008-11-07 20:50:05 ----D---- D:\WINDOWS\system32\QI19
2008-11-07 20:50:03 ----A---- D:\WINDOWS\system32\prun.exe
2008-11-07 20:33:58 ----D---- D:\Program Files\InstallShield Installation Information
2008-11-07 20:33:46 ----D---- D:\Program Files\Broadcom
2008-11-07 20:33:30 ----D---- D:\Program Files\Common Files\InstallShield
2008-11-07 20:28:02 ----D---- D:\Documents and Settings\Owner\Application Data\Identities
2008-11-07 20:27:59 ----HD---- D:\Program Files\Uninstall Information
2008-11-07 20:27:50 ----ASH---- D:\Documents and Settings\Owner\Application Data\desktop.ini
2008-11-07 20:27:48 ----SD---- D:\Documents and Settings\Owner\Application Data\Microsoft
2008-11-07 20:27:41 ----D---- D:\WINDOWS\SoftwareDistribution
2008-11-07 20:27:38 ----SD---- D:\WINDOWS\system32\Microsoft
2008-11-07 20:27:38 ----D---- D:\WINDOWS\Prefetch
2008-11-07 20:27:38 ----A---- D:\WINDOWS\SchedLgU.Txt
2008-11-07 20:23:24 ----D---- D:\WINDOWS\system32\xircom
2008-11-07 20:23:24 ----D---- D:\Program Files\xerox
2008-11-07 20:23:24 ----D---- D:\Program Files\microsoft frontpage
2008-11-07 20:23:20 ----D---- D:\DELL
2008-11-07 20:23:06 ----A---- D:\WINDOWS\control.ini
2008-11-07 20:22:45 ----A---- D:\WINDOWS\OEWABLog.txt
2008-11-07 20:22:40 ----A---- D:\WINDOWS\system32\mapi32.dll
2008-11-07 20:21:13 ----SD---- D:\WINDOWS\Downloaded Program Files
2008-11-07 20:21:13 ----RD---- D:\WINDOWS\Offline Web Pages
2008-11-07 20:21:13 ----RAH---- D:\WINDOWS\system32\logonui.exe.manifest
2008-11-07 20:21:03 ----RAH---- D:\WINDOWS\system32\cdplayer.exe.manifest
2008-11-07 20:20:56 ----HD---- D:\Program Files\WindowsUpdate
2008-11-07 20:20:31 ----D---- D:\WINDOWS\system32\DirectX
2008-11-07 20:20:13 ----A---- D:\WINDOWS\system32\atrace.dll
2008-11-07 20:20:10 ----A---- D:\WINDOWS\system32\desktop.ini
2008-11-07 20:20:10 ----A---- D:\WINDOWS\desktop.ini
2008-11-07 20:20:04 ----A---- D:\WINDOWS\system32\nmevtmsg.dll
2008-11-07 20:20:03 ----D---- D:\Program Files\Common Files\Services
2008-11-07 20:20:03 ----A---- D:\WINDOWS\system32\acctres.dll
2008-11-07 20:20:01 ----SD---- D:\WINDOWS\Tasks
2008-11-07 20:20:00 ----D---- D:\Program Files\Common Files\MSSoap
2008-11-07 20:20:00 ----A---- D:\WINDOWS\system32\icfgnt5.dll
2008-11-07 20:19:56 ----D---- D:\WINDOWS\srchasst
2008-11-07 20:19:55 ----D---- D:\WINDOWS\system32\Macromed
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wuweb.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wups.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wucltui.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wuauserv.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wuaueng1.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wuaueng.dll
2008-11-07 20:19:52 ----A---- D:\WINDOWS\system32\wuauclt1.exe
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\wuauclt.exe
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\wuapi.dll
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\qmgrprxy.dll
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\qmgr.dll
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\bitsprx3.dll
2008-11-07 20:19:51 ----A---- D:\WINDOWS\system32\bitsprx2.dll
2008-11-07 20:19:48 ----D---- D:\Program Files\Movie Maker
2008-11-07 20:19:45 ----A---- D:\WINDOWS\system32\safrslv.dll
2008-11-07 20:19:44 ----A---- D:\WINDOWS\system32\safrdm.dll
2008-11-07 20:19:44 ----A---- D:\WINDOWS\system32\safrcdlg.dll
2008-11-07 20:19:44 ----A---- D:\WINDOWS\system32\racpldlg.dll
2008-11-07 20:19:42 ----A---- D:\WINDOWS\system32\fltMc.exe
2008-11-07 20:19:42 ----A---- D:\WINDOWS\system32\fltlib.dll
2008-11-07 20:19:41 ----D---- D:\WINDOWS\system32\Restore
2008-11-07 20:19:41 ----A---- D:\WINDOWS\system32\srsvc.dll
2008-11-07 20:19:41 ----A---- D:\WINDOWS\system32\srrstr.dll
2008-11-07 20:19:41 ----A---- D:\WINDOWS\system32\srclient.dll
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\nmmkcert.dll
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\msconf.dll
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\mnmsrvc.exe
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\mnmdd.dll
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\isrdbg32.dll
2008-11-07 20:19:40 ----A---- D:\WINDOWS\system32\ils.dll
2008-11-07 20:19:38 ----D---- D:\Program Files\NetMeeting
2008-11-07 20:19:38 ----A---- D:\WINDOWS\system32\msoert2.dll
2008-11-07 20:19:38 ----A---- D:\WINDOWS\system32\msoeacct.dll
2008-11-07 20:19:37 ----A---- D:\WINDOWS\system32\inetres.dll
2008-11-07 20:19:37 ----A---- D:\WINDOWS\system32\inetcomm.dll
2008-11-07 20:19:35 ----D---- D:\Program Files\Outlook Express
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\schedsvc.dll
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\mstinit.exe
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\mstask.dll
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\isign32.dll
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\inetcfg.dll
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\icwphbk.dll
2008-11-07 20:19:35 ----A---- D:\WINDOWS\system32\icwdial.dll
2008-11-07 20:19:30 ----D---- D:\Program Files\Common Files\System
2008-11-07 20:19:27 ----D---- D:\Program Files\Internet Explorer
2008-11-07 20:19:10 ----D---- D:\Program Files\ComPlus Applications
2008-11-07 20:19:08 ----A---- D:\WINDOWS\vbaddin.ini
2008-11-07 20:19:08 ----A---- D:\WINDOWS\vb.ini
2008-11-07 20:19:02 ----D---- D:\WINDOWS\Registration
2008-11-07 20:18:14 ----D---- D:\Program Files\Online Services
2008-11-07 20:18:13 ----D---- D:\Program Files\Windows Media Player
2008-11-07 20:18:07 ----D---- D:\Program Files\Messenger
2008-11-07 20:18:04 ----D---- D:\Program Files\MSN Gaming Zone
2008-11-07 20:18:04 ----A---- D:\WINDOWS\system32\write.exe
2008-11-07 20:17:56 ----A---- D:\WINDOWS\system32\sndvol32.exe
2008-11-07 20:17:55 ----A---- D:\WINDOWS\system32\winchat.exe
2008-11-07 20:17:55 ----A---- D:\WINDOWS\system32\hticons.dll
2008-11-07 20:17:55 ----A---- D:\WINDOWS\system32\avwav.dll
2008-11-07 20:17:55 ----A---- D:\WINDOWS\system32\avtapi.dll
2008-11-07 20:17:55 ----A---- D:\WINDOWS\system32\avmeter.dll
2008-11-07 20:17:49 ----A---- D:\WINDOWS\system32\getuname.dll
2008-11-07 20:17:49 ----A---- D:\WINDOWS\system32\charmap.exe
2008-11-07 20:17:49 ----A---- D:\WINDOWS\system32\calc.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\winmine.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\usrlogon.cmd
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\tskill.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\sol.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\reset.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\mshearts.exe
2008-11-07 20:17:48 ----A---- D:\WINDOWS\system32\freecell.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\tsshutdn.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\tslabels.ini
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\tsdiscon.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\tscon.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\shadow.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\rwinsta.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\regini.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\rdpcfgex.dll
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\qwinsta.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\qappsrv.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\msg.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\logoff.exe
2008-11-07 20:17:47 ----A---- D:\WINDOWS\system32\cdmodem.dll
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\mtxlegih.dll
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\mtxex.dll
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\mtxdm.dll
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\msdtcprf.ini
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\dcomcnfg.exe
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\comrepl.dll
2008-11-07 20:17:46 ----A---- D:\WINDOWS\system32\comaddin.dll
2008-11-07 20:17:45 ----A---- D:\WINDOWS\system32\stclient.dll
2008-11-07 20:17:45 ----A---- D:\WINDOWS\system32\comsnap.dll
2008-11-07 20:17:41 ----A---- D:\WINDOWS\system32\wmimgmt.msc
2008-11-07 20:17:29 ----D---- D:\Program Files\MSN
2008-11-07 20:17:28 ----A---- D:\WINDOWS\system32\sndrec32.exe
2008-11-07 20:17:28 ----A---- D:\WINDOWS\system32\mplay32.exe
2008-11-07 20:17:28 ----A---- D:\WINDOWS\system32\accwiz.exe
2008-11-07 20:17:27 ----A---- D:\WINDOWS\system32\hypertrm.dll
2008-11-07 20:17:26 ----D---- D:\Program Files\Windows NT
2008-11-07 20:17:26 ----A---- D:\WINDOWS\system32\spider.exe
2008-11-07 20:17:26 ----A---- D:\WINDOWS\system32\mspaint.exe
2008-11-07 20:17:26 ----A---- D:\WINDOWS\system32\clipbrd.exe
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\tscupgrd.exe
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\tscfgwmi.dll
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\sessmgr.exe
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\remotepg.dll
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\rdshost.exe
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\rdsaddin.exe
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\rdchost.dll
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\mstscax.dll
2008-11-07 20:17:25 ----A---- D:\WINDOWS\system32\mstsc.exe
2008-11-07 20:17:24 ----D---- D:\WINDOWS\system32\MsDtc
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\termsrv.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\rdpwsx.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\rdpsnd.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\rdpclip.exe
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\qprocess.exe
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\mtxoci.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\msdtcuiu.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\msdtcprx.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\icaapi.dll
2008-11-07 20:17:24 ----A---- D:\WINDOWS\system32\cfgbkend.dll
2008-11-07 20:17:23 ----A---- D:\WINDOWS\system32\xolehlp.dll
2008-11-07 20:17:23 ----A---- D:\WINDOWS\system32\msdtctm.dll
2008-11-07 20:17:23 ----A---- D:\WINDOWS\system32\msdtclog.dll
2008-11-07 20:17:23 ----A---- D:\WINDOWS\system32\msdtc.exe
2008-11-07 20:17:22 ----D---- D:\WINDOWS\system32\Com
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\comsvcs.dll
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\colbact.dll
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\clbcatex.dll
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\catsrvut.dll
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\catsrvps.dll
2008-11-07 20:17:22 ----A---- D:\WINDOWS\system32\catsrv.dll
2008-11-07 20:17:21 ----A---- D:\WINDOWS\system32\comuid.dll
2008-11-07 20:17:21 ----A---- D:\WINDOWS\system32\clbcatq.dll
2008-11-07 20:17:17 ----A---- D:\WINDOWS\system32\servdeps.dll
2008-11-07 20:17:17 ----A---- D:\WINDOWS\system32\mmfutil.dll
2008-11-07 20:17:17 ----A---- D:\WINDOWS\system32\licwmi.dll
2008-11-07 20:17:17 ----A---- D:\WINDOWS\system32\cmprops.dll
2008-11-07 15:15:27 ----A---- D:\WINDOWS\system32\h323log.txt
2008-11-07 14:58:20 ----A---- D:\WINDOWS\system32\ksuser.dll
2008-11-07 14:58:07 ----A---- D:\WINDOWS\system32\hidserv.dll
2008-11-07 14:56:53 ----A---- D:\WINDOWS\system32\usbui.dll
2008-11-07 14:55:30 ----SHD---- D:\WINDOWS\Installer
2008-11-07 14:55:30 ----A---- D:\WINDOWS\system32\PerfStringBackup.INI
2008-11-07 14:55:29 ----D---- D:\Program Files\Common Files\ODBC
2008-11-07 14:55:29 ----A---- D:\WINDOWS\ODBCINST.INI
2008-11-07 14:55:26 ----D---- D:\Program Files\Common Files\SpeechEngines
2008-11-07 14:55:25 ----RD---- D:\Program Files
2008-11-07 14:55:25 ----D---- D:\Program Files\Common Files\Microsoft Shared
2008-11-07 14:55:25 ----D---- D:\Program Files\Common Files
2008-11-07 14:55:22 ----RA---- D:\WINDOWS\system32\kbdtuq.dll
2008-11-07 14:55:22 ----RA---- D:\WINDOWS\system32\kbdtuf.dll
2008-11-07 14:55:22 ----RA---- D:\WINDOWS\system32\kbdazel.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdycc.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbduzb.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdur.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdtat.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdru1.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdru.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdmon.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdkyr.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdkaz.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdbu.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdblr.dll
2008-11-07 14:55:19 ----RA---- D:\WINDOWS\system32\kbdaze.dll
2008-11-07 14:55:18 ----RA---- D:\WINDOWS\system32\kbdhept.dll
2008-11-07 14:55:18 ----RA---- D:\WINDOWS\system32\kbdhela3.dll
2008-11-07 14:55:18 ----RA---- D:\WINDOWS\system32\kbdhela2.dll
2008-11-07 14:55:17 ----RA---- D:\WINDOWS\system32\kbdhe319.dll
2008-11-07 14:55:17 ----RA---- D:\WINDOWS\system32\kbdhe220.dll
2008-11-07 14:55:17 ----RA---- D:\WINDOWS\system32\kbdhe.dll
2008-11-07 14:55:17 ----RA---- D:\WINDOWS\system32\kbdgkl.dll
2008-11-07 14:55:16 ----RA---- D:\WINDOWS\system32\kbdlv1.dll
2008-11-07 14:55:16 ----RA---- D:\WINDOWS\system32\kbdlv.dll
2008-11-07 14:55:16 ----RA---- D:\WINDOWS\system32\kbdlt1.dll
2008-11-07 14:55:16 ----RA---- D:\WINDOWS\system32\kbdlt.dll
2008-11-07 14:55:16 ----RA---- D:\WINDOWS\system32\kbdest.dll
2008-11-07 14:55:15 ----RA---- D:\WINDOWS\system32\kbdsl1.dll
2008-11-07 14:55:15 ----RA---- D:\WINDOWS\system32\kbdsl.dll
2008-11-07 14:55:15 ----RA---- D:\WINDOWS\system32\kbdro.dll
2008-11-07 14:55:15 ----RA---- D:\WINDOWS\system32\kbdpl1.dll
2008-11-07 14:55:15 ----RA---- D:\WINDOWS\system32\kbdpl.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdycl.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdhu1.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdhu.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdcz2.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdcz1.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdcz.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\kbdcr.dll
2008-11-07 14:55:14 ----RA---- D:\WINDOWS\system32\KBDAL.DLL
2008-11-07 14:55:11 ----A---- D:\WINDOWS\system32\spxcoins.dll
2008-11-07 14:55:11 ----A---- D:\WINDOWS\system32\irclass.dll
2008-11-07 14:55:11 ----A---- D:\WINDOWS\system32\EqnClass.Dll
2008-11-07 14:55:11 ----A---- D:\WINDOWS\system32\dgsetup.dll
2008-11-07 14:55:11 ----A---- D:\WINDOWS\system32\dgrpsetu.dll
2008-11-07 14:55:09 ----N---- D:\WINDOWS\system32\CONFIG.TMP
2008-11-07 14:55:09 ----A---- D:\WINDOWS\TASKMAN.EXE
2008-11-07 14:55:09 ----A---- D:\WINDOWS\system32\batt.dll
2008-11-07 14:55:08 ----A---- D:\WINDOWS\NOTEPAD.EXE
2008-11-07 14:55:07 ----A---- D:\WINDOWS\system32\storprop.dll
2008-11-07 14:54:56 ----ASH---- D:\Documents and Settings\All Users\Application Data\desktop.ini
2008-11-07 14:54:52 ----RA---- D:\WINDOWS\SET8.tmp
2008-11-07 14:54:48 ----RA---- D:\WINDOWS\SET4.tmp
2008-11-07 14:54:47 ----RA---- D:\WINDOWS\SET3.tmp
2008-11-07 14:54:40 ----D---- D:\WINDOWS\system32\CatRoot2
2008-11-07 14:54:40 ----D---- D:\WINDOWS\system32\CatRoot
2008-11-07 14:54:34 ----SD---- D:\Documents and Settings\All Users\Application Data\Microsoft
2008-11-07 14:54:17 ----A---- D:\WINDOWS\setuplog.txt
2008-11-07 14:54:12 ----D---- D:\Documents and Settings
2008-11-07 14:54:11 ----SHD---- D:\System Volume Information
2008-11-07 14:46:13 ----RSHDC---- D:\WINDOWS\system32\dllcache
2008-11-07 14:46:13 ----RSD---- D:\WINDOWS\Fonts
2008-11-07 14:46:13 ----RD---- D:\WINDOWS\Web
2008-11-07 14:46:13 ----HD---- D:\WINDOWS\inf
2008-11-07 14:46:13 ----D---- D:\WINDOWS\WinSxS
2008-11-07 14:46:13 ----D---- D:\WINDOWS\twain_32
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Temp
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\wins
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\wbem
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\usmt
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\spool
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\ShellExt
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\Setup
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\ras
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\oobe
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\npp
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\mui
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\inetsrv
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\IME
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\icsxml
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\ias
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\export
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\drivers
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\dhcp
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\config
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\3com_dmi
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\3076
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\2052
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1054
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1042
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1041
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1037
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1033
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1031
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1028
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32\1025
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system32
2008-11-07 14:46:13 ----D---- D:\WINDOWS\system
2008-11-07 14:46:13 ----D---- D:\WINDOWS\security
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Resources
2008-11-07 14:46:13 ----D---- D:\WINDOWS\repair
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Provisioning
2008-11-07 14:46:13 ----D---- D:\WINDOWS\PeerNet
2008-11-07 14:46:13 ----D---- D:\WINDOWS\pchealth
2008-11-07 14:46:13 ----D---- D:\WINDOWS\mui
2008-11-07 14:46:13 ----D---- D:\WINDOWS\msapps
2008-11-07 14:46:13 ----D---- D:\WINDOWS\msagent
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Media
2008-11-07 14:46:13 ----D---- D:\WINDOWS\java
2008-11-07 14:46:13 ----D---- D:\WINDOWS\ime
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Help
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Driver Cache
2008-11-07 14:46:13 ----D---- D:\WINDOWS\dell
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Debug
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Cursors
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Connection Wizard
2008-11-07 14:46:13 ----D---- D:\WINDOWS\Config
2008-11-07 14:46:13 ----D---- D:\WINDOWS\AppPatch
2008-11-07 14:46:13 ----D---- D:\WINDOWS\addins
2008-11-07 14:46:13 ----D---- D:\WINDOWS
2008-10-14 10:39:48 ----A---- D:\WINDOWS\system32\xpnmelrufrfjzid.dll
======List of files/folders modified in the last 1 months======
2008-11-07 20:23:06 ----A---- D:\WINDOWS\win.ini
2008-11-07 14:55:24 ----A---- D:\WINDOWS\system.ini
======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R1 intelppm;Intel Processor Driver; D:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-12 36096]
R1 kbdhid;Keyboard HID Driver; D:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-12 14848]
R1 usbehcii;usbehcii; D:\WINDOWS\System32\drivers\usbehcii.sys [2008-11-07 86400]
R3 bcm4sbxp;Broadcom 440x 10/100 Integrated Controller XP Driver; D:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys [2003-06-30 43136]
R3 BCMModem;BCM V.90 56K Modem; D:\WINDOWS\system32\DRIVERS\BCMDM.sys [2001-08-17 871388]
R3 hidusb;Microsoft HID Class Driver; D:\WINDOWS\system32\DRIVERS\hidusb.sys [2004-08-12 9600]
R3 MODEMCSA;Unimodem Streaming Filter Device; D:\WINDOWS\system32\drivers\MODEMCSA.sys [2001-08-17 16128]
R3 mouhid;Mouse HID Driver; D:\WINDOWS\system32\DRIVERS\mouhid.sys [2004-08-12 12160]
R3 usbccgp;Microsoft USB Generic Parent Driver; D:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-12 31616]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbehci.sys [2004-08-12 26624]
R3 usbhub;USB2 Enabled Hub; D:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-12 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; D:\WINDOWS\system32\DRIVERS\usbuhci.sys [2004-08-12 20480]
S4 mchinjdrv;mchinjdrv; \??\D:\WINDOWS\TEMP\mc21.tmp []
======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======
R2 cmdService;Command Service; D:\WINDOWS\Y2FsdmluIGd1dGhyaWU\command.exe [2005-08-02 293888]
R2 Network Monitor;Network Monitor; D:\Program Files\Network Monitor\netmon.exe [2006-01-04 94208]
-----------------EOF-----------------

Veka
8 Nov 2008, 11:36pm
Thank you for the log.

We need HaxFix to clean out one of the infections you have there. It's called Goldun Trojan and it "steals users' information entered for authentication on e-gold online web forms." (source (http://research.sunbelt-software.com/threatdisplay.aspx?name=Goldun.Fam&threatid=43858)) I regret being confused at the start and asking RSIT first.

Please download HaxFix, run it and post the log file (haxlog.txt).
Use another computer to transfer the tool to the infected machine, if needed.

calg235
10 Nov 2008, 1:44pm
I ran HaxFix and it won't produce a log. It gets to the point where it says waiting for catchme log and it stays there. I left it overnight and still no log.

Veka
10 Nov 2008, 7:13pm
Please check the private message from me before continuing.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See HERE (http://www.bleepingcomputer.com/forums/topic114351.html) for help.
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

calg235
11 Nov 2008, 4:00pm
ComboFix 08-11-10.01 - Owner 2008-11-11 10:21:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.128 [GMT -5:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
The following files were disabled during the run:
d:\windows\system32\zovujiwu.dll

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
d:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
d:\documents and settings\NetworkService\Application Data\NetMon
d:\documents and settings\Owner\Application Data\inst.exe
d:\documents and settings\Owner\Application Data\Microsoft\Windows\lsass.exe
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\bestwiner.stt
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\CPV.stt
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
d:\windows\system32\auth.dll
d:\windows\system32\ckqlnrud.dll
d:\windows\system32\comsna.dll
d:\windows\system32\cryptdl.dll
d:\windows\system32\Drivers\TDSSkqlt.sys
d:\windows\system32\geBsstst.dll
d:\windows\system32\geBtSLcC.dll.vir
d:\windows\system32\iifFVnop.dll
d:\windows\system32\ijqwimqm.dll
d:\windows\system32\oabjex.dll
d:\windows\system32\r2
d:\windows\system32\rqRifDwx.dll
d:\windows\system32\ssqNGVoL.dll
d:\windows\system32\ssqnKCVP.dll
d:\windows\system32\TDSScbqp.dll
d:\windows\system32\TDSSnrse.dll
d:\windows\system32\TDSSoiqh.dll
d:\windows\system32\TDSSoiqt.dll
d:\windows\system32\TDSSosvn.dll
d:\windows\system32\TDSSpqxt.dat
d:\windows\system32\TDSSsbhc.log
d:\windows\system32\urqnliGY.dll
d:\windows\system32\wvUnKArp.dll
d:\windows\system32\X5
d:\windows\system32\xcvepi.dll
d:\windows\Tasks\ftaiqwkl.job
.
---- Previous Run -------
.
C:\Autorun.inf
D:\Autorun.inf
d:\docume~1\Owner\LOCALS~1\Temp\tmp2.tmp
d:\program files\Common Files\asembl~1
d:\program files\dobe~1
D:\resycled
d:\resycled\boot.com
D:\setup.exe
d:\windows\system32\MSINET.oca
d:\windows\system32\tsuninst.exe
----- BITS: Possible infected sites -----
hxxp://kakoitodomen.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_CMDSERVICE
-------\Legacy_tdssserv.sys
-------\Service_tdssserv.sys

((((((((((((((((((((((((( Files Created from 2008-10-11 to 2008-11-11 )))))))))))))))))))))))))))))))
.
2008-11-11 10:52 . 2004-08-12 08:56 93,184 --a------ d:\windows\system32\cmuti.dll
2008-11-10 18:57 . 2008-11-10 18:57 27,904 --a------ d:\windows\system32\drivers\ndisprot.sys
2008-11-10 18:45 . 2008-11-10 18:45 <DIR> d-------- d:\documents and settings\All Users\Application Data\Vso
2008-11-10 18:37 . 2008-11-10 18:42 <DIR> d-------- d:\program files\VSO
2008-11-10 18:37 . 2004-05-04 12:53 1,645,320 --a------ d:\windows\gdiplus.dll
2008-11-10 18:37 . 2006-05-20 17:16 1,184,984 --a------ d:\windows\system32\wvc1dmod.dll
2008-11-10 18:37 . 2006-05-11 20:21 626,688 --a------ d:\windows\system32\vp7vfw.dll
2008-11-10 18:37 . 2006-09-29 13:24 217,127 --a------ d:\windows\system32\drv43260.dll
2008-11-10 18:37 . 2006-09-29 13:25 208,935 --a------ d:\windows\system32\drv33260.dll
2008-11-10 18:37 . 2006-09-29 13:26 176,165 --a------ d:\windows\system32\drv23260.dll
2008-11-10 18:37 . 2007-03-18 21:37 65,602 --a------ d:\windows\system32\cook3260.dll
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\program files\VSO Burning SDK
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\documents and settings\All Users\Application Data\vsosdk
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\windows\system32\drivers\pcouffin.sys
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\documents and settings\Owner\Application Data\pcouffin.sys
2008-11-10 18:25 . 2008-11-10 18:55 <DIR> d-------- d:\documents and settings\Owner\Application Data\Vso
2008-11-10 15:44 . 2008-11-10 15:44 <DIR> d-------- d:\program files\DivX
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\windows\WinAVI Video Converter 9.0
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\program files\WinAVI Video Converter 9.0
2008-11-10 14:23 . 2004-08-03 23:08 26,496 --a--c--- d:\windows\system32\dllcache\usbstor.sys
2008-11-10 12:06 . 2008-11-10 12:40 <DIR> d--h----- D:\$AVG8.VAULT$
2008-11-10 11:57 . 2008-11-11 09:40 <DIR> d-------- d:\documents and settings\All Users\Application Data\avg8
2008-11-10 11:37 . 2008-11-10 11:37 <DIR> d-------- d:\windows\ERUNT
2008-11-10 11:37 . 2008-11-10 22:07 <DIR> d-------- D:\SDFix
2008-11-10 11:27 . 2008-11-10 11:27 13,312 --a------ d:\documents and settings\Owner\S87ekhV.exe
2008-11-10 11:12 . 2008-11-10 11:30 90,915 --a------ d:\windows\system32\whgrmiqbcrzel.dll-uninst.exe
2008-11-10 11:05 . 2008-11-10 11:05 86,400 --a------ d:\windows\system32\drivers\usbehcii.sys.vir
2008-11-10 11:02 . 2004-08-12 08:55 4,224 --a------ d:\windows\system32\drivers\beep.sys
2008-11-10 11:02 . 2004-08-12 08:55 4,224 --a--c--- d:\windows\system32\dllcache\beep.sys
2008-11-10 10:57 . 2008-11-10 10:57 23,040 --a------ d:\windows\system32\drivers\beep.sys.vir
2008-11-10 10:51 . 2008-11-11 09:39 <DIR> d-------- d:\program files\Trojan Remover
2008-11-10 10:51 . 2008-11-10 10:51 <DIR> d-------- d:\documents and settings\Owner\Application Data\Simply Super Software
2008-11-10 10:51 . 2008-11-10 11:49 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-10 09:50 . 2008-11-10 09:50 <DIR> d---s---- d:\documents and settings\Owner\UserData
2008-11-10 09:29 . 2008-11-10 18:35 <DIR> d-------- d:\program files\DVDFab 5
2008-11-10 08:25 . 2008-11-10 08:25 <DIR> d-------- d:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-10 08:21 . 2008-11-10 08:21 20,992 --ahs---- d:\windows\system32\c007E318.mat
2008-11-09 21:31 . 2008-11-10 08:22 <DIR> d-------- d:\program files\Common Files\zrmk
2008-11-09 21:20 . 2008-11-10 11:27 <DIR> d-------- D:\HaxFix
2008-11-09 21:20 . 2008-11-07 11:51 486,678 --a------ D:\HaxFix.exe
2008-11-09 21:11 . 2008-11-09 21:11 20,992 --ahs---- d:\windows\system32\c00F29A4.mat
2008-11-09 20:58 . 2004-02-10 11:50 155,648 --a------ d:\windows\system32\igfxres.dll
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Win2000
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Lang
2008-11-09 20:54 . 2003-05-14 11:17 106,496 --a------ D:\PCIUtil.dll
2008-11-09 20:54 . 2004-04-09 15:48 69,632 --a------ D:\Instngin.dll
2008-11-09 20:54 . 2004-01-19 11:11 49 --a------ D:\Install.cfg
2008-11-09 18:44 . 2008-11-09 18:44 <DIR> d-------- D:\Intel
2008-11-08 16:35 . 2008-11-08 16:36 <DIR> d-------- D:\rsit
2008-11-08 16:35 . 2008-11-10 08:15 <DIR> d-------- d:\program files\trend micro
2008-11-08 16:24 . 2008-11-08 16:24 <DIR> d-------- d:\documents and settings\Owner\Application Data\IUpd721
2008-11-08 16:20 . 2008-11-10 11:06 20,992 --a------ d:\windows\system32\c00A2ED6.mat.vir
2008-11-07 21:12 . 2008-11-10 11:57 <DIR> d-------- d:\documents and settings\Administrator
2008-11-07 21:12 . 2008-11-07 21:12 60,928 --ahs---- d:\windows\system32\vtUolMDv.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-11 06:13 36,244 --sha-w d:\windows\system32\bisomasu.exe
2008-11-10 16:07 167,976 ----a-w d:\windows\system32\drivers\core.cache.dsk.vir
2008-11-08 01:51 150,528 ----a-w d:\windows\system32\mkrnl.exe
2008-11-08 01:51 10,000 ----a-w d:\windows\system32\siejf93.dll
2008-11-08 01:51 --------- d-----w d:\documents and settings\Owner\Application Data\NI.GSCNS
2008-11-08 01:50 60,928 --sha-w d:\windows\system32\nnnoNfGv.dll
2008-11-08 01:50 34,816 ----a-w d:\windows\system32\prun.exe
2008-11-08 01:33 --------- d-----w d:\program files\InstallShield Installation Information
2008-11-08 01:33 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-08 01:33 --------- d-----w d:\program files\Broadcom
2008-11-08 01:23 --------- d-----w d:\program files\microsoft frontpage
2008-08-10 17:00 59,904 --sha-w d:\windows\system32\fegenope.dll
2008-08-10 17:00 59,904 --sha-w d:\windows\system32\sokazoya.dll
2005-07-29 21:24 472 --sha-r d:\windows\Y2FsdmluIGd1dGhyaWU\sZIPxA5RK3xYx31Vuqo.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58B44ABA-09DD-4D3E-A2D2-DE6E9D1E4D07}]
2004-08-12 08:56 93184 --a------ d:\windows\system32\cmuti.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a10e47af-10cb-47c6-a99e-086f252df1f1}]
2008-08-10 12:00 59904 --ahs---- d:\windows\system32\fegenope.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUpd721"="d:\documents and settings\Owner\Application Data\NI.GSCNS\IUpd721.exe" [2008-11-07 403968]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="d:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"meyonudupu"="d:\windows\system32\sokazoya.dll" [2008-08-10 59904]
d:\documents and settings\All Users\Start Menu\Programs\Startup\
msupd_0811_upd102329.exe [2008-11-10 120832]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\zovujiwu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli d:\windows\system32\zovujiwu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
S3 Ndisprot;ArcNet NDIS Protocol Driver;d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
.
- - - - ORPHANS REMOVED - - - -
BHO-{AAA5E70E-FFBB-4A96-AA0B-F0ECFCAA8633} - d:\windows\system32\auth.dll
BHO-{F1217759-4770-4C26-8352-2E8C423DB5A6} - d:\windows\system32\auth.dll
HKU-Default-Run-brastk - d:\windows\system32\brastk.exe

.
------- Supplementary Scan -------
.
R0 -: HKLM-Main,Start Page = hxxp://www.google.com
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-11 10:52:38
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: d:\windows\system32\winlogon.exe
-> d:\windows\system32\tsd32.dll
PROCESS: d:\windows\explorer.exe
-> d:\windows\system32\zovujiwu.dll
-> d:\windows\system32\sokazoya.dll
.
Completion time: 2008-11-11 10:54:27 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-11 15:54:21
Pre-Run: 25,608,421,376 bytes free
Post-Run: 26,534,338,560 bytes free
197

Veka
13 Nov 2008, 1:33pm
Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to:

Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware

Then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

calg235
13 Nov 2008, 6:56pm
Malwarebytes' Anti-Malware 1.30
Database version: 1388
Windows 5.1.2600 Service Pack 2
11/13/2008 1:55:24 PM
mbam-log-2008-11-13 (13-55-24).txt
Scan type: Quick Scan
Objects scanned: 43105
Time elapsed: 12 minute(s), 51 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
D:\WINDOWS\system32\drivers\mrxdavv.sys (Rootkit.Agent.H) -> Delete on reboot.
D:\WINDOWS\system32\k86.bin (Fake.Dropped.Malware) -> Delete on reboot.

Veka
13 Nov 2008, 8:51pm
Thank you.

Now, open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy & paste the text in the code box below into Notepad:

File::
D:\windows\system32\zovujiwu.dll
D:\documents and settings\Owner\S87ekhV.exe
D:\windows\system32\whgrmiqbcrzel.dll-uninst.exe
D:\windows\system32\drivers\usbehcii.sys.vir
D:\windows\system32\drivers\beep.sys.vir
D:\windows\system32\c00A2ED6.mat.vir
D:\windows\system32\c007E318.mat
D:\windows\system32\c00F29A4.mat
D:\windows\system32\bisomasu.exe
D:\windows\system32\drivers\core.cache.dsk.vir
D:\windows\system32\fegenope.dll
D:\windows\system32\sokazoya.dll
D:\windows\system32\prun.exe
D:\windows\system32\nnnoNfGv.dll
D:\windows\system32\siejf93.dll
D:\windows\system32\mkrnl.exe
D:\documents and settings\All Users\Start Menu\Programs\Startup\
msupd_0811_upd102329.exe

Folder::
D:\documents and settings\All Users\Application Data\vsosdk
D:\documents and settings\Owner\Application Data\NI.GSCNS
D:\documents and settings\Owner\Application Data\IUpd721
D:\windows\Y2FsdmluIGd1dGhyaWU\

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58B44ABA-09DD-4D3E-A2D2-DE6E9D1E4D07}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a10e47af-10cb-47c6-a99e-086f252df1f1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUpd721"=-
"meyonudupu"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00

Save this as a .txt file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
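
As an added example (not code from this thread, from ComboFix or from the forum), the Python below reads the "Reg Loading Points" section of the ComboFix log posted above and flags the patterns the CFScript in this post targets: the extra DLL in LSA Notification Packages (such DLLs load into LSASS and receive plaintext passwords on password change), the AppInit_DLLs injection, Run entries launched from a profile directory or pointing at a DLL, a BHO DLL with hidden/system attributes, and the disabled firewall and Security Center notifications. It also encodes "scecli" as a REG_MULTI_SZ in .reg hex(7) notation, showing that the value the CFScript writes back is exactly the XP default. The log excerpt is copied from the thread; the flagging rules are this example's own heuristics, not ComboFix's logic.

```python
"""Triage a ComboFix "Reg Loading Points" excerpt and check the CFScript
REG_MULTI_SZ value used to restore LSA Notification Packages.

Added example, not ComboFix or forum code. The log excerpt is copied from the
ComboFix log posted in this thread; the flagging rules are this example's own
heuristics (assumptions), not ComboFix's logic.
"""
import re

# Constructed input: the "Reg Loading Points" lines from the thread's ComboFix log.
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{58B44ABA-09DD-4D3E-A2D2-DE6E9D1E4D07}]
2004-08-12 08:56 93184 --a------ d:\windows\system32\cmuti.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a10e47af-10cb-47c6-a99e-086f252df1f1}]
2008-08-10 12:00 59904 --ahs---- d:\windows\system32\fegenope.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IUpd721"="d:\documents and settings\Owner\Application Data\NI.GSCNS\IUpd721.exe" [2008-11-07 403968]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"meyonudupu"="d:\windows\system32\sokazoya.dll" [2008-08-10 59904]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=d:\windows\system32\zovujiwu.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli d:\windows\system32\zovujiwu.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

# The value the CFScript writes back: "scecli" as a REG_MULTI_SZ in .reg hex(7) form.
CFSCRIPT_NOTIFICATION_PACKAGES = "hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00"


def triage(log):
    """Return human-readable findings for the persistence and tampering patterns
    visible in a ComboFix Reg Loading Points section (heuristics, see module doc)."""
    findings = []
    key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key header
            continue
        if key is None:
            continue
        low = line.lower()
        if low.startswith("notification packages"):
            # XP default is exactly "scecli"; anything else is loaded into LSASS
            # and is handed plaintext credentials at password change.
            pkgs = line.split("REG_MULTI_SZ", 1)[1].split()
            extra = [p for p in pkgs if p.lower() != "scecli"]
            if extra:
                findings.append("LSA Notification Packages loads non-default DLL(s): %s" % ", ".join(extra))
        elif low.startswith('"appinit_dlls"'):
            # Empty by default; a value here is injected into every user-mode process.
            value = line.split("=", 1)[1].strip().strip('"')
            if value:
                findings.append("AppInit_DLLs is set: %s" % value)
        elif low.startswith('"enablefirewall"') and re.search(r"=\s*0\b", line):
            findings.append("Windows Firewall disabled (EnableFirewall=0)")
        elif low.startswith('"updatesdisablenotify"') and low.endswith("dword:00000001"):
            findings.append("Security Center update notifications disabled")
        elif key.lower().endswith("\\run"):
            m = re.match(r'"([^"]+)"="([^"]+)"', line)
            if m and "application data" in m.group(2).lower():
                findings.append("Run entry %s launches from a profile directory: %s" % (m.group(1), m.group(2)))
            elif m and m.group(2).lower().endswith(".dll"):
                findings.append("Run entry %s points at a DLL, not an executable: %s" % (m.group(1), m.group(2)))
        elif "browser helper objects" in key.lower():
            # ComboFix prints <date> <time> <size> <attributes> <path>; hidden or
            # system attributes on a BHO DLL are a red flag.
            parts = line.split(None, 4)
            if len(parts) == 5 and set("hs") & set(parts[3]):
                findings.append("BHO DLL has hidden/system attributes: %s" % parts[4])
    return findings


def reg_multi_sz_hex(strings):
    """Encode strings as a .reg file hex(7): value (REG_MULTI_SZ): each string in
    UTF-16LE with a NUL terminator, then an empty string terminating the list."""
    data = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"
    return "hex(7):" + ",".join("%02x" % b for b in data)


def parse_reg_multi_sz_hex(value):
    """Inverse of reg_multi_sz_hex: decode a hex(7): value back to its strings."""
    if not value.startswith("hex(7):"):
        raise ValueError("not a REG_MULTI_SZ hex(7) value")
    data = bytes(int(h, 16) for h in value[len("hex(7):"):].split(","))
    return [s for s in data.decode("utf-16-le").split("\x00") if s]


if __name__ == "__main__":
    for finding in triage(REG_LOADING_POINTS):
        print("-", finding)
    # Confirm the CFScript value restores the XP default and nothing else.
    print(parse_reg_multi_sz_hex(CFSCRIPT_NOTIFICATION_PACKAGES))
    print(reg_multi_sz_hex(["scecli"]) == CFSCRIPT_NOTIFICATION_PACKAGES)
```

Run against the excerpt, the triage reports seven findings, one per entry that the CFScript removes or resets. The hex(7) round trip is the part worth keeping when reviewing any fix script: decoding the bytes before applying them confirms that "Notification Packages" ends up containing only scecli, rather than trusting the opaque byte list.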

calg235
14 Nov 2008, 3:51am
ComboFix 08-11-12.01 - Owner 2008-11-13 22:40:58.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.50 [GMT -5:00]
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
d:\documents and settings\Owner\S87ekhV.exe
d:\windows\system32\bisomasu.exe
d:\windows\system32\c007E318.mat
d:\windows\system32\c00A2ED6.mat.vir
d:\windows\system32\c00F29A4.mat
d:\windows\system32\drivers\beep.sys.vir
d:\windows\system32\drivers\core.cache.dsk.vir
d:\windows\system32\drivers\usbehcii.sys.vir
d:\windows\system32\fegenope.dll
d:\windows\system32\mkrnl.exe
d:\windows\system32\nnnoNfGv.dll
d:\windows\system32\prun.exe
d:\windows\system32\siejf93.dll
d:\windows\system32\sokazoya.dll
d:\windows\system32\whgrmiqbcrzel.dll-uninst.exe
d:\windows\system32\zovujiwu.dll
d:\documents and settings\All Users\Start Menu\Programs\Startup\ :#:
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\All Users\Application Data\vsosdk
d:\documents and settings\All Users\Application Data\vsosdk\C1BE16A754137C41014C2470A2057A7623E5AD4B8A85E32FFEE272EFB04E00AB.vsoact
d:\windows\system32\k86.bin
d:\windows\system32\swapdm.dll
.
---- Previous Run -------
.
d:\docume~1\Owner\LOCALS~1\Temp\snapsnet.exe
d:\documents and settings\All Users\Application Data\vsosdk
d:\documents and settings\All Users\Application Data\vsosdk\9663FE518798355BE22CD87AC877F061FD6FFAFE77AC20C5814F9AF69CF0B567.vsoact
d:\documents and settings\All Users\Application Data\vsosdk\C1BE16A754137C41014C2470A2057A7623E5AD4B8A85E32FFEE272EFB04E00AB.vsoact
d:\documents and settings\Owner\Application Data\inst.exe
d:\documents and settings\Owner\Application Data\IUpd721
d:\documents and settings\Owner\Application Data\IUpd721\Logs\scns.log
d:\documents and settings\Owner\Application Data\NI.GSCNS
d:\documents and settings\Owner\Application Data\NI.GSCNS\dl.ini
d:\documents and settings\Owner\Application Data\NI.GSCNS\settings.ini
d:\windows\system32\brastk.exe
d:\windows\system32\c00A2ED6.mat.vir
d:\windows\system32\drivers\beep.sys.vir
d:\windows\system32\drivers\core.cache.dsk.vir
d:\windows\system32\k86.bin
d:\windows\system32\MSINET.oca
d:\windows\system32\pac.txt
d:\windows\system32\whgrmiqbcrzel.dll-uninst.exe
d:\windows\Tasks\xozfvsnu.job
d:\windows\Y2FsdmluIGd1dGhyaWU\
d:\windows\Y2FsdmluIGd1dGhyaWU\\sZIPxA5RK3xYx31Vuqo.vbs
.
((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.
2008-11-13 16:57 . 2008-11-13 17:00 <DIR> d-------- d:\windows\system32\sX3i19
2008-11-13 16:56 . 2008-11-13 16:56 35,840 --a------ d:\windows\system32\csewnxroam.exe
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\windows\system32\drivers\ezplay.sys
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\documents and settings\Owner\Application Data\ezplay.sys
2008-11-12 13:40 . 2008-11-12 13:40 59,904 --a------ d:\windows\system32\ssqPhfCU.dll
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a------ d:\windows\system32\drivers\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a--c--- d:\windows\system32\dllcache\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a--c--- d:\windows\system32\dllcache\dmusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a--c--- d:\windows\system32\dllcache\splitter.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a--c--- d:\windows\system32\dllcache\kmixer.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a------ d:\windows\system32\drivers\aec.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a--c--- d:\windows\system32\dllcache\aec.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a--c--- d:\windows\system32\dllcache\sysaudio.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a--c--- d:\windows\system32\dllcache\swmidi.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a--c--- d:\windows\system32\dllcache\drmkaud.sys
2008-11-12 11:04 . 2008-11-13 14:10 7 --a------ d:\windows\system32\tmcontrol.bin
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a------ d:\windows\system32\drivers\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-11-12 11:02 . 2002-04-01 13:15 4,816 --a------ d:\windows\system32\drivers\aeaudio.sys
2008-11-12 11:01 . 2008-11-12 11:01 <DIR> d-------- d:\program files\Analog Devices
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a--c--- d:\windows\system32\dllcache\a3d.dll
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a------ d:\windows\system32\a3d.dll
2008-11-12 11:01 . 2002-12-19 17:48 539,008 --a------ d:\windows\system32\drivers\smwdm.sys
2008-11-12 11:01 . 2002-04-17 15:05 45,056 --a------ d:\windows\system32\CleanUp.exe
2008-11-12 11:01 . 2002-12-17 15:11 36,864 --a------ d:\windows\system32\DSndUp.exe
2008-11-12 11:01 . 2002-10-28 11:26 3,744 --a------ d:\windows\system32\drivers\smsens.sys
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\windows\system32\QuickTime
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\QuickTime Alternative
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\Media Player Classic
2008-11-12 09:26 . 2004-09-23 18:57 6,676,480 --a------ d:\windows\system32\QuickTime.qts
2008-11-12 09:26 . 2004-09-23 18:57 747,008 --a------ d:\windows\system32\Indeo4.qtx
2008-11-12 09:26 . 2002-12-20 12:40 675,328 --a------ d:\windows\system32\ir50_32.qtx
2008-11-12 09:26 . 2004-09-23 18:57 430,592 --a------ d:\windows\system32\QuickTimeVR.qtx
2008-11-12 09:26 . 2004-10-27 13:01 360,504 --a------ d:\windows\system32\QTPlugin.ocx
2008-11-12 09:26 . 2004-09-23 18:57 323,072 --a------ d:\windows\system32\QuickTime.cpl
2008-11-12 09:26 . 2004-01-12 17:57 86,016 --a------ d:\windows\system32\QuickTime.ax
2008-11-12 09:26 . 2004-09-23 18:57 70,144 --a------ d:\windows\system32\QuickTimeCheck.ocx
2008-11-12 08:48 . 2008-11-12 08:48 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-12 08:48 . 2008-11-12 09:27 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 08:47 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-12 08:31 . 2008-11-13 16:58 <DIR> d-------- d:\documents and settings\Owner\Application Data\CopyToDvd
2008-11-12 08:22 . 2008-11-12 08:22 76,040 --a------ d:\windows\system32\drivers\avgtdix.sys
2008-11-12 08:22 . 2008-11-12 08:22 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-11-12 08:21 . 2008-11-13 08:48 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-11-12 08:21 . 2008-11-12 08:21 <DIR> d-------- d:\program files\AVG
2008-11-12 08:21 . 2008-11-12 08:21 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-11-11 20:54 . 2008-11-11 20:54 8,512 --a------ d:\windows\system32\swapm.sys
2008-11-10 18:57 . 2008-11-10 18:57 27,904 --a------ d:\windows\system32\drivers\ndisprot.sys
2008-11-10 18:45 . 2008-11-13 18:13 <DIR> d-------- d:\documents and settings\All Users\Application Data\Vso
2008-11-10 18:37 . 2008-11-13 17:04 <DIR> d-------- d:\program files\VSO
2008-11-10 18:37 . 2004-05-04 12:53 1,645,320 --a------ d:\windows\gdiplus.dll
2008-11-10 18:37 . 2006-05-20 17:16 1,184,984 --a------ d:\windows\system32\wvc1dmod.dll
2008-11-10 18:37 . 2006-05-11 20:21 626,688 --a------ d:\windows\system32\vp7vfw.dll
2008-11-10 18:37 . 2006-09-29 13:24 217,127 --a------ d:\windows\system32\drv43260.dll
2008-11-10 18:37 . 2006-09-29 13:25 208,935 --a------ d:\windows\system32\drv33260.dll
2008-11-10 18:37 . 2006-09-29 13:26 176,165 --a------ d:\windows\system32\drv23260.dll
2008-11-10 18:37 . 2007-03-18 21:37 65,602 --a------ d:\windows\system32\cook3260.dll
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\program files\VSO Burning SDK
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\windows\system32\drivers\pcouffin.sys
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\documents and settings\Owner\Application Data\pcouffin.sys
2008-11-10 18:25 . 2008-11-13 21:47 <DIR> d-------- d:\documents and settings\Owner\Application Data\Vso
2008-11-10 15:44 . 2008-11-10 15:44 <DIR> d-------- d:\program files\DivX
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\windows\WinAVI Video Converter 9.0
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\program files\WinAVI Video Converter 9.0
2008-11-10 14:23 . 2004-08-03 23:08 26,496 --a--c--- d:\windows\system32\dllcache\usbstor.sys
2008-11-10 12:06 . 2008-11-13 17:05 <DIR> d--h----- D:\$AVG8.VAULT$
2008-11-10 11:57 . 2008-11-12 08:21 <DIR> d-------- d:\documents and settings\All Users\Application Data\avg8
2008-11-10 11:37 . 2008-11-10 11:37 <DIR> d-------- d:\windows\ERUNT
2008-11-10 11:37 . 2008-11-12 13:10 <DIR> d-------- D:\SDFix
2008-11-10 10:51 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Trojan Remover
2008-11-10 10:51 . 2008-11-10 10:51 <DIR> d-------- d:\documents and settings\Owner\Application Data\Simply Super Software
2008-11-10 10:51 . 2008-11-11 17:19 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-10 09:50 . 2008-11-10 09:50 <DIR> d---s---- d:\documents and settings\Owner\UserData
2008-11-10 09:29 . 2008-11-10 18:35 <DIR> d-------- d:\program files\DVDFab 5
2008-11-10 08:25 . 2008-11-10 08:25 <DIR> d-------- d:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-09 21:31 . 2008-11-10 08:22 <DIR> d-------- d:\program files\Common Files\zrmk
2008-11-09 21:20 . 2008-11-10 11:27 <DIR> d-------- D:\HaxFix
2008-11-09 21:20 . 2008-11-07 11:51 486,678 --a------ D:\HaxFix.exe
2008-11-09 20:58 . 2004-02-10 11:50 155,648 --a------ d:\windows\system32\igfxres.dll
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Win2000
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Lang
2008-11-09 20:54 . 2003-05-14 11:17 106,496 --a------ D:\PCIUtil.dll
2008-11-09 20:54 . 2004-04-09 15:48 69,632 --a------ D:\Instngin.dll
2008-11-09 20:54 . 2004-01-19 11:11 49 --a------ D:\Install.cfg
2008-11-09 18:44 . 2008-11-09 18:44 <DIR> d-------- D:\Intel
2008-11-08 16:35 . 2008-11-08 16:36 <DIR> d-------- D:\rsit
2008-11-08 16:35 . 2008-11-10 08:15 <DIR> d-------- d:\program files\trend micro
2008-11-07 21:12 . 2008-11-10 11:57 <DIR> d-------- d:\documents and settings\Administrator
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-12 16:01 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-12 16:01 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-08 01:33 --------- d-----w d:\program files\Broadcom
2008-11-08 01:23 --------- d-----w d:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot@2008-11-11_10.53.27.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-11 23:11:35 28,672 ----a-w d:\windows\Drivers\beep.sys
- 2008-11-11 02:25:54 913,408 ----a-w d:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-11-12 14:58:06 1,044,480 ----a-w d:\windows\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2008-11-11 02:25:54 8,192 ----a-w d:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-11-12 14:58:06 8,192 ----a-w d:\windows\ERUNT\SDFIX\Users\00000002\UsrClass.dat
- 2008-11-11 14:31:13 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-12 14:56:57 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-11 14:31:13 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-12 14:56:57 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2004-08-04 04:15:22 140,928 -c--a-w d:\windows\system32\dllcache\ks.sys
+ 2004-08-04 05:56:44 4,096 -c--a-w d:\windows\system32\dllcache\ksuser.dll
+ 2004-08-04 04:08:04 48,640 -c--a-w d:\windows\system32\dllcache\stream.sys
+ 2004-08-04 05:56:58 23,552 -c--a-w d:\windows\system32\dllcache\wdmaud.drv
+ 2008-11-12 13:21:55 26,824 ----a-w d:\windows\system32\drivers\avgmfx86.sys
- 2004-08-12 14:06:15 140,928 ----a-w d:\windows\system32\drivers\ks.sys
+ 2004-08-04 04:15:22 140,928 ----a-w d:\windows\system32\drivers\ks.sys
- 2004-08-12 14:06:15 48,640 ----a-w d:\windows\system32\drivers\stream.sys
+ 2004-08-04 04:08:04 48,640 ----a-w d:\windows\system32\drivers\stream.sys
- 2004-08-04 00:56:44 4,096 ----a-w d:\windows\system32\ksuser.dll
+ 2004-08-04 05:56:44 4,096 ----a-w d:\windows\system32\ksuser.dll
+ 2003-04-18 21:46:22 1,233,920 ----a-w d:\windows\system32\msxml4.dll
+ 2003-04-18 21:29:26 82,432 ----a-w d:\windows\system32\msxml4r.dll
+ 2008-10-29 18:43:40 32,768 ----a-w d:\windows\system32\QI19\QI191065.exe
- 2004-08-12 14:06:15 23,552 ----a-w d:\windows\system32\wdmaud.drv
+ 2004-08-04 05:56:58 23,552 ----a-w d:\windows\system32\wdmaud.drv
+ 2008-11-13 15:34:00 1,233,920 ----a-w d:\windows\WinSxS\x86_Microsoft.MSXML2_6bd6b9abf345378f_4.20.9818.0_x-ww_8ff50c5d\msxml4.dll
+ 2008-11-13 15:33:59 82,432 ----a-w d:\windows\WinSxS\x86_Microsoft.MSXML2R_6bd6b9abf345378f_4.1.0.0_x-ww_29c3ad6a\msxml4r.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"SDFix"="d:\sdfix\RunThis.bat" [2008-11-06 964661]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-12 1234712]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ s c e l i
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys [2008-11-11 8512]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\Drivers\avgtdix.sys [2008-11-12 76040]
S3 Ndisprot;ArcNet NDIS Protocol Driver;d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
.
- - - - ORPHANS REMOVED - - - -
Notify-c00B9908 - c00B9908.mat
Notify-iifdcDwv - iifdcDwv.dll
Notify-swapdm - swapdm.dll
Notify-tuvVMgfC - tuvVMgfC.dll

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-13 22:45:02
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\progra~1\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-11-13 22:49:18 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-11-14 03:48:57
ComboFix2.txt 2008-11-12 15:08:28
ComboFix3.txt 2008-11-11 15:54:29
Pre-Run: 16,436,658,176 bytes free
Post-Run: 16,432,865,280 bytes free
250

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:50:08 PM, on 11/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\trend micro\HijackThis\HijackThis.exe
D:\Program Files\internet explorer\iexplore.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [SDFix] D:\SDFix\RunThis.bat /second
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
--
End of file - 3080 bytes

Veka
14 Nov 2008, 11:32am
Step 1:


Run HijackThis and click on the Do a system scan only button
Put a check beside all of the items listed below (if present):

O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.antispyexpert.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.spyguardpro.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.antispyexpert.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.spyguardpro.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusremover2008.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)



Close all open windows and browsers / email, etc...
Click on the "Fix Checked" button
When completed, close the application.

Step 2:

Open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy & Paste the text in the Code-box below into notepad:

File::
D:\windows\system32\csewnxroam.exe
D:\windows\system32\ssqPhfCU.dll

Folder::
D:\windows\system32\sX3i19
D:\HaxFix

Save this as txt file CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

Step 3:

Please do a scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Note: Internet Explorer should be used


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply.


Please post the ComboFix log and the results of the Kaspersky scan.

calg235
18 Nov 2008, 12:13pm
I ran the Kaspersky scan twice and it stopped at 95% and no virus was found.


ComboFix 08-11-16.05 - Owner 2008-11-17 22:23:38.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.105 [GMT -5:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
d:\windows\system32\csewnxroam.exe
d:\windows\system32\ssqPhfCU.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\Owner\Application Data\gadcom
d:\documents and settings\Owner\Application Data\gadcom\gadcom.exe
d:\documents and settings\Owner\Application Data\gadcom\gadcom.exet0
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
d:\program files\Mjcore
d:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-10-18 to 2008-11-18 )))))))))))))))))))))))))))))))
.
2008-11-17 20:50 . 2008-11-17 20:50 26,112 --a------ d:\windows\system32\fccaXPfd.dll
2008-11-17 20:47 . 2008-11-17 20:47 26,112 --a------ d:\windows\system32\khfGaXnM.dll
2008-11-17 20:42 . 2008-11-17 20:42 <DIR> d-------- d:\documents and settings\Owner\Application Data\NI.GSCNS
2008-11-17 20:42 . 2008-11-17 20:42 26,112 --a------ d:\windows\system32\jkkKbXqQ.dll
2008-11-17 20:41 . 2008-11-17 20:41 38,400 --a------ d:\windows\system32\prunnet.exe
2008-11-17 20:41 . 2008-11-17 20:41 26,112 --a------ d:\windows\system32\fccbxxyV.dll
2008-11-16 16:42 . 2008-11-16 16:42 <DIR> d-------- d:\windows\Sun
2008-11-16 16:41 . 2008-11-16 16:41 <DIR> d-------- d:\program files\Java
2008-11-16 16:41 . 2008-11-16 16:41 410,976 --a------ d:\windows\system32\deploytk.dll
2008-11-16 16:41 . 2008-11-16 16:41 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-11-14 22:48 . 2008-11-14 22:48 <DIR> d-------- d:\documents and settings\Owner\Application Data\Corel
2008-11-14 22:39 . 2008-11-14 22:39 <DIR> d-------- d:\program files\Common Files\Borland Shared
2008-11-14 22:37 . 2008-11-14 22:37 <DIR> d-------- d:\windows\ShellNew
2008-11-14 22:36 . 2008-11-14 22:37 <DIR> d-------- d:\program files\WordPerfect Office 12
2008-11-14 22:36 . 2008-11-14 22:36 <DIR> d-------- d:\program files\Common Files\Corel
2008-11-14 15:44 . 2008-11-15 22:00 69 --a------ d:\windows\NeroDigital.ini
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\program files\NCH Software
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-14 15:12 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\Owner\Application Data\NCH Swift Sound
2008-11-14 15:08 . 2008-11-14 15:13 <DIR> d-------- d:\program files\NCH Swift Sound
2008-11-14 12:19 . 2004-03-02 17:37 125,184 --------- d:\windows\system32\drivers\imagesrv.sys
2008-11-14 12:19 . 2004-03-02 17:37 5,504 --------- d:\windows\system32\drivers\imagedrv.sys
2008-11-14 12:12 . 2000-06-26 11:45 106,496 --a------ d:\windows\system32\TwnLib20.dll
2008-11-14 12:11 . 2004-07-26 17:16 1,568,768 --------- d:\windows\system32\ImagX7.dll
2008-11-14 12:11 . 2004-07-26 17:16 476,320 --------- d:\windows\system32\ImagXpr7.dll
2008-11-14 12:11 . 2004-07-26 17:16 471,040 --------- d:\windows\system32\ImagXRA7.dll
2008-11-14 12:11 . 2004-07-26 17:16 262,144 --------- d:\windows\system32\ImagXR7.dll
2008-11-14 12:11 . 2001-07-09 11:50 155,648 --a------ d:\windows\system32\NeroCheck.exe
2008-11-14 12:10 . 2008-11-14 12:10 <DIR> d-------- d:\program files\Common Files\Ahead
2008-11-14 12:10 . 2008-11-14 12:12 <DIR> d-------- d:\program files\Ahead
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a------ d:\windows\system32\drivers\beep.sys
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a--c--- d:\windows\system32\dllcache\beep.sys
2008-11-13 23:38 . 2008-11-13 23:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-11-13 23:37 . 2008-11-14 12:00 <DIR> d-------- d:\documents and settings\Owner\Application Data\Azureus
2008-11-13 23:34 . 2008-11-13 23:36 <DIR> d-------- d:\program files\Vuze
2008-11-13 23:34 . 2008-11-13 23:34 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-11-13 23:07 . 2008-11-13 23:07 <DIR> d-------- d:\documents and settings\All Users\Application Data\vsosdk
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\windows\system32\drivers\ezplay.sys
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\documents and settings\Owner\Application Data\ezplay.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a------ d:\windows\system32\drivers\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a--c--- d:\windows\system32\dllcache\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a--c--- d:\windows\system32\dllcache\dmusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a--c--- d:\windows\system32\dllcache\splitter.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a--c--- d:\windows\system32\dllcache\kmixer.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a------ d:\windows\system32\drivers\aec.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a--c--- d:\windows\system32\dllcache\aec.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a--c--- d:\windows\system32\dllcache\sysaudio.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a--c--- d:\windows\system32\dllcache\swmidi.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a--c--- d:\windows\system32\dllcache\drmkaud.sys
2008-11-12 11:04 . 2008-11-13 14:10 7 --a------ d:\windows\system32\tmcontrol.bin
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a------ d:\windows\system32\drivers\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-11-12 11:02 . 2002-04-01 13:15 4,816 --a------ d:\windows\system32\drivers\aeaudio.sys
2008-11-12 11:01 . 2008-11-12 11:01 <DIR> d-------- d:\program files\Analog Devices
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a--c--- d:\windows\system32\dllcache\a3d.dll
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a------ d:\windows\system32\a3d.dll
2008-11-12 11:01 . 2002-12-19 17:48 539,008 --a------ d:\windows\system32\drivers\smwdm.sys
2008-11-12 11:01 . 2002-04-17 15:05 45,056 --a------ d:\windows\system32\CleanUp.exe
2008-11-12 11:01 . 2002-12-17 15:11 36,864 --a------ d:\windows\system32\DSndUp.exe
2008-11-12 11:01 . 2002-10-28 11:26 3,744 --a------ d:\windows\system32\drivers\smsens.sys
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\windows\system32\QuickTime
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\QuickTime Alternative
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\Media Player Classic
2008-11-12 09:26 . 2004-09-23 18:57 6,676,480 --a------ d:\windows\system32\QuickTime.qts
2008-11-12 09:26 . 2004-09-23 18:57 747,008 --a------ d:\windows\system32\Indeo4.qtx
2008-11-12 09:26 . 2002-12-20 12:40 675,328 --a------ d:\windows\system32\ir50_32.qtx
2008-11-12 09:26 . 2004-09-23 18:57 430,592 --a------ d:\windows\system32\QuickTimeVR.qtx
2008-11-12 09:26 . 2004-10-27 13:01 360,504 --a------ d:\windows\system32\QTPlugin.ocx
2008-11-12 09:26 . 2004-09-23 18:57 323,072 --a------ d:\windows\system32\QuickTime.cpl
2008-11-12 09:26 . 2004-01-12 17:57 86,016 --a------ d:\windows\system32\QuickTime.ax
2008-11-12 09:26 . 2004-09-23 18:57 70,144 --a------ d:\windows\system32\QuickTimeCheck.ocx
2008-11-12 08:48 . 2008-11-12 08:48 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-12 08:48 . 2008-11-12 09:27 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 08:47 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-12 08:31 . 2008-11-13 16:58 <DIR> d-------- d:\documents and settings\Owner\Application Data\CopyToDvd
2008-11-12 08:22 . 2008-11-12 08:22 76,040 --a------ d:\windows\system32\drivers\avgtdix.sys
2008-11-12 08:22 . 2008-11-12 08:22 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-11-12 08:21 . 2008-11-17 08:02 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-11-12 08:21 . 2008-11-12 08:21 <DIR> d-------- d:\program files\AVG
2008-11-12 08:21 . 2008-11-12 08:21 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-11-11 20:54 . 2008-11-11 20:54 8,512 --a------ d:\windows\system32\swapm.sys
2008-11-10 18:57 . 2008-11-10 18:57 27,904 --a------ d:\windows\system32\drivers\ndisprot.sys
2008-11-10 18:45 . 2008-11-14 10:53 <DIR> d-------- d:\documents and settings\All Users\Application Data\Vso
2008-11-10 18:37 . 2008-11-14 14:18 <DIR> d-------- d:\program files\VSO
2008-11-10 18:37 . 2004-05-04 12:53 1,645,320 --a------ d:\windows\gdiplus.dll
2008-11-10 18:37 . 2006-05-20 17:16 1,184,984 --a------ d:\windows\system32\wvc1dmod.dll
2008-11-10 18:37 . 2006-05-11 20:21 626,688 --a------ d:\windows\system32\vp7vfw.dll
2008-11-10 18:37 . 2006-09-29 13:24 217,127 --a------ d:\windows\system32\drv43260.dll
2008-11-10 18:37 . 2006-09-29 13:25 208,935 --a------ d:\windows\system32\drv33260.dll
2008-11-10 18:37 . 2006-09-29 13:26 176,165 --a------ d:\windows\system32\drv23260.dll
2008-11-10 18:37 . 2007-03-18 21:37 65,602 --a------ d:\windows\system32\cook3260.dll
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\program files\VSO Burning SDK
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\windows\system32\drivers\pcouffin.sys
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\documents and settings\Owner\Application Data\pcouffin.sys
2008-11-10 18:25 . 2008-11-15 23:14 <DIR> d-------- d:\documents and settings\Owner\Application Data\Vso
2008-11-10 15:44 . 2008-11-10 15:44 <DIR> d-------- d:\program files\DivX
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\windows\WinAVI Video Converter 9.0
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\program files\WinAVI Video Converter 9.0
2008-11-10 14:23 . 2004-08-03 23:08 26,496 --a--c--- d:\windows\system32\dllcache\usbstor.sys
2008-11-10 12:06 . 2008-11-17 20:23 <DIR> d--h----- D:\$AVG8.VAULT$
2008-11-10 11:57 . 2008-11-12 08:21 <DIR> d-------- d:\documents and settings\All Users\Application Data\avg8
2008-11-10 11:37 . 2008-11-10 11:37 <DIR> d-------- d:\windows\ERUNT
2008-11-10 11:37 . 2008-11-14 08:27 <DIR> d-------- D:\SDFix
2008-11-10 10:51 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Trojan Remover
2008-11-10 10:51 . 2008-11-10 10:51 <DIR> d-------- d:\documents and settings\Owner\Application Data\Simply Super Software
2008-11-10 10:51 . 2008-11-11 17:19 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-10 09:50 . 2008-11-10 09:50 <DIR> d---s---- d:\documents and settings\Owner\UserData
2008-11-10 09:29 . 2008-11-10 18:35 <DIR> d-------- d:\program files\DVDFab 5
2008-11-10 08:25 . 2008-11-10 08:25 <DIR> d-------- d:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-09 21:31 . 2008-11-10 08:22 <DIR> d-------- d:\program files\Common Files\zrmk
2008-11-09 21:20 . 2008-11-07 11:51 486,678 --a------ D:\HaxFix.exe
2008-11-09 20:58 . 2004-02-10 11:50 155,648 --a------ d:\windows\system32\igfxres.dll
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Win2000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 03:46 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-15 03:37 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-08 01:33 --------- d-----w d:\program files\Broadcom
2008-11-08 01:23 --------- d-----w d:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot_2008-11-16_16.35.01.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 14:56:57 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-17 22:59:31 32,768 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-12 14:56:57 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-17 22:59:31 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-17 23:29:47 49,152 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2008-11-16 21:41:24 144,792 ----a-w d:\windows\system32\java.exe
+ 2008-11-16 21:41:24 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2008-11-16 21:41:24 148,888 ----a-w d:\windows\system32\javaws.exe
+ 2008-11-18 03:28:52 16,384 ----atw d:\windows\temp\Perflib_Perfdata_e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-12 1234712]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WordPerfect Office 1215"="d:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ s c e l i
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys [2008-11-11 8512]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\Drivers\avgtdix.sys [2008-11-12 76040]
S1 usbehcii;usbehcii; []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-17 22:29:00
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
d:\progra~1\AVG\AVG8\avgrsx.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-17 22:34:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-18 03:33:40
ComboFix2.txt 2008-11-16 21:36:18
ComboFix3.txt 2008-11-14 03:49:22
ComboFix4.txt 2008-11-12 15:08:28
ComboFix5.txt 2008-11-18 03:22:18
Pre-Run: 14,902,624,256 bytes free
Post-Run: 14,982,291,456 bytes free
227
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:53 PM, on 11/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\PROGRA~1\AVG\AVG8\avgemc.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\trend micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] D:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=112908 serial=wa12wrx-0000002-hmd lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
--
End of file - 2493 bytes

Veka
20 Nov 2008, 10:19am
Open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy & paste the text in the code box below into Notepad:

files::
d:\windows\system32\fccaXPfd.dll
d:\windows\system32\khfGaXnM.dll
d:\windows\system32\jkkKbXqQ.dll
d:\windows\system32\prunnet.exe
d:\windows\system32\fccbxxyV.dll

folder::
d:\documents and settings\Owner\Application Data\NI.GSCNS

Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.

calg235
20 Nov 2008, 4:24pm
ComboFix 08-11-19.08 - Owner 2008-11-20 11:08:00.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.82 [GMT -5:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\resycled
c:\resycled\boot.com
d:\documents and settings\Owner\Application Data\gadcom
d:\documents and settings\Owner\Application Data\gadcom\gadcom.exe
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
d:\program files\webhancer
d:\program files\webhancer\Programs\license.txt
d:\program files\webhancer\Programs\readme.txt
d:\program files\webhancer\Programs\sporder.dll
d:\program files\webhancer\Programs\whagent.ini
d:\program files\webhancer\Programs\whinstaller.exe
d:\windows\system32\msansspc.dll
d:\windows\system32\Pncrt.dll
d:\windows\wiaserviv.log
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.
2008-11-18 18:17 . 2008-11-18 18:19 <DIR> d-------- d:\documents and settings\Owner\Application Data\Nero
2008-11-18 16:18 . 2008-11-18 16:18 4,767 --a------ d:\windows\Irremote.ini
2008-11-18 16:03 . 2008-11-18 16:03 <DIR> d-------- d:\program files\Windows Sidebar
2008-11-18 13:23 . 2008-11-18 16:14 <DIR> d-------- d:\program files\Nero
2008-11-18 13:09 . 2008-11-18 15:25 <DIR> d-------- d:\program files\Common Files\Nero
2008-11-18 13:09 . 2008-11-18 15:29 <DIR> d-------- d:\documents and settings\All Users\Application Data\Nero
2008-11-16 16:42 . 2008-11-16 16:42 <DIR> d-------- d:\windows\Sun
2008-11-16 16:41 . 2008-11-16 16:41 <DIR> d-------- d:\program files\Java
2008-11-16 16:41 . 2008-11-16 16:41 410,976 --a------ d:\windows\system32\deploytk.dll
2008-11-16 16:41 . 2008-11-16 16:41 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-11-14 22:48 . 2008-11-14 22:48 <DIR> d-------- d:\documents and settings\Owner\Application Data\Corel
2008-11-14 22:39 . 2008-11-14 22:39 <DIR> d-------- d:\program files\Common Files\Borland Shared
2008-11-14 22:37 . 2008-11-14 22:37 <DIR> d-------- d:\windows\ShellNew
2008-11-14 22:36 . 2008-11-14 22:37 <DIR> d-------- d:\program files\WordPerfect Office 12
2008-11-14 22:36 . 2008-11-14 22:36 <DIR> d-------- d:\program files\Common Files\Corel
2008-11-14 15:44 . 2008-11-18 19:25 69 --a------ d:\windows\NeroDigital.ini
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\program files\NCH Software
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-14 15:12 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\Owner\Application Data\NCH Swift Sound
2008-11-14 15:08 . 2008-11-14 15:13 <DIR> d-------- d:\program files\NCH Swift Sound
2008-11-14 12:19 . 2004-03-02 17:37 125,184 --------- d:\windows\system32\drivers\imagesrv.sys
2008-11-14 12:19 . 2004-03-02 17:37 5,504 --------- d:\windows\system32\drivers\imagedrv.sys
2008-11-14 12:12 . 2000-06-26 11:45 106,496 --a------ d:\windows\system32\TwnLib20.dll
2008-11-14 12:11 . 2001-07-09 11:50 155,648 --a------ d:\windows\system32\NeroCheck.exe
2008-11-14 12:10 . 2008-11-14 12:10 <DIR> d-------- d:\program files\Common Files\Ahead
2008-11-14 12:10 . 2008-11-14 12:12 <DIR> d-------- d:\program files\Ahead
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a------ d:\windows\system32\drivers\beep.sys
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a--c--- d:\windows\system32\dllcache\beep.sys
2008-11-13 23:38 . 2008-11-13 23:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-11-13 23:37 . 2008-11-14 12:00 <DIR> d-------- d:\documents and settings\Owner\Application Data\Azureus
2008-11-13 23:34 . 2008-11-13 23:36 <DIR> d-------- d:\program files\Vuze
2008-11-13 23:34 . 2008-11-13 23:34 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-11-13 23:07 . 2008-11-13 23:07 <DIR> d-------- d:\documents and settings\All Users\Application Data\vsosdk
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\windows\system32\drivers\ezplay.sys
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\documents and settings\Owner\Application Data\ezplay.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a------ d:\windows\system32\drivers\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a--c--- d:\windows\system32\dllcache\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a--c--- d:\windows\system32\dllcache\dmusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a--c--- d:\windows\system32\dllcache\splitter.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a--c--- d:\windows\system32\dllcache\kmixer.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a------ d:\windows\system32\drivers\aec.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a--c--- d:\windows\system32\dllcache\aec.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a--c--- d:\windows\system32\dllcache\sysaudio.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a--c--- d:\windows\system32\dllcache\swmidi.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a--c--- d:\windows\system32\dllcache\drmkaud.sys
2008-11-12 11:04 . 2008-11-13 14:10 7 --a------ d:\windows\system32\tmcontrol.bin
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a------ d:\windows\system32\drivers\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-11-12 11:02 . 2002-04-01 13:15 4,816 --a------ d:\windows\system32\drivers\aeaudio.sys
2008-11-12 11:01 . 2008-11-12 11:01 <DIR> d-------- d:\program files\Analog Devices
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a--c--- d:\windows\system32\dllcache\a3d.dll
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a------ d:\windows\system32\a3d.dll
2008-11-12 11:01 . 2002-12-19 17:48 539,008 --a------ d:\windows\system32\drivers\smwdm.sys
2008-11-12 11:01 . 2002-04-17 15:05 45,056 --a------ d:\windows\system32\CleanUp.exe
2008-11-12 11:01 . 2002-12-17 15:11 36,864 --a------ d:\windows\system32\DSndUp.exe
2008-11-12 11:01 . 2002-10-28 11:26 3,744 --a------ d:\windows\system32\drivers\smsens.sys
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\windows\system32\QuickTime
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\QuickTime Alternative
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\Media Player Classic
2008-11-12 09:26 . 2004-09-23 18:57 6,676,480 --a------ d:\windows\system32\QuickTime.qts
2008-11-12 09:26 . 2004-09-23 18:57 747,008 --a------ d:\windows\system32\Indeo4.qtx
2008-11-12 09:26 . 2002-12-20 12:40 675,328 --a------ d:\windows\system32\ir50_32.qtx
2008-11-12 09:26 . 2004-09-23 18:57 430,592 --a------ d:\windows\system32\QuickTimeVR.qtx
2008-11-12 09:26 . 2004-10-27 13:01 360,504 --a------ d:\windows\system32\QTPlugin.ocx
2008-11-12 09:26 . 2004-09-23 18:57 323,072 --a------ d:\windows\system32\QuickTime.cpl
2008-11-12 09:26 . 2004-01-12 17:57 86,016 --a------ d:\windows\system32\QuickTime.ax
2008-11-12 09:26 . 2004-09-23 18:57 70,144 --a------ d:\windows\system32\QuickTimeCheck.ocx
2008-11-12 08:48 . 2008-11-12 08:48 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-12 08:48 . 2008-11-12 09:27 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 08:47 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-12 08:31 . 2008-11-20 11:02 <DIR> d-------- d:\documents and settings\Owner\Application Data\CopyToDvd
2008-11-12 08:22 . 2008-11-12 08:22 76,040 --a------ d:\windows\system32\drivers\avgtdix.sys
2008-11-12 08:22 . 2008-11-12 08:22 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-11-12 08:21 . 2008-11-19 08:28 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-11-12 08:21 . 2008-11-12 08:21 <DIR> d-------- d:\program files\AVG
2008-11-12 08:21 . 2008-11-12 08:21 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-11-11 20:54 . 2008-11-11 20:54 8,512 --a------ d:\windows\system32\swapm.sys
2008-11-10 18:57 . 2008-11-10 18:57 27,904 --a------ d:\windows\system32\drivers\ndisprot.sys
2008-11-10 18:45 . 2008-11-18 18:35 <DIR> d-------- d:\documents and settings\All Users\Application Data\Vso
2008-11-10 18:37 . 2008-11-18 19:23 <DIR> d-------- d:\program files\VSO
2008-11-10 18:37 . 2004-05-04 12:53 1,645,320 --a------ d:\windows\gdiplus.dll
2008-11-10 18:37 . 2006-05-20 17:16 1,184,984 --a------ d:\windows\system32\wvc1dmod.dll
2008-11-10 18:37 . 2006-05-11 20:21 626,688 --a------ d:\windows\system32\vp7vfw.dll
2008-11-10 18:37 . 2006-09-29 13:24 217,127 --a------ d:\windows\system32\drv43260.dll
2008-11-10 18:37 . 2006-09-29 13:25 208,935 --a------ d:\windows\system32\drv33260.dll
2008-11-10 18:37 . 2006-09-29 13:26 176,165 --a------ d:\windows\system32\drv23260.dll
2008-11-10 18:37 . 2007-03-18 21:37 65,602 --a------ d:\windows\system32\cook3260.dll
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\program files\VSO Burning SDK
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\windows\system32\drivers\pcouffin.sys
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\documents and settings\Owner\Application Data\pcouffin.sys
2008-11-10 18:25 . 2008-11-20 09:26 <DIR> d-------- d:\documents and settings\Owner\Application Data\Vso
2008-11-10 15:44 . 2008-11-10 15:44 <DIR> d-------- d:\program files\DivX
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\windows\WinAVI Video Converter 9.0
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\program files\WinAVI Video Converter 9.0
2008-11-10 14:23 . 2004-08-03 23:08 26,496 --a--c--- d:\windows\system32\dllcache\usbstor.sys
2008-11-10 12:06 . 2008-11-20 04:56 <DIR> d--h----- D:\$AVG8.VAULT$
2008-11-10 11:57 . 2008-11-12 08:21 <DIR> d-------- d:\documents and settings\All Users\Application Data\avg8
2008-11-10 11:37 . 2008-11-10 11:37 <DIR> d-------- d:\windows\ERUNT
2008-11-10 11:37 . 2008-11-14 08:27 <DIR> d-------- D:\SDFix
2008-11-10 10:51 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Trojan Remover
2008-11-10 10:51 . 2008-11-10 10:51 <DIR> d-------- d:\documents and settings\Owner\Application Data\Simply Super Software
2008-11-10 10:51 . 2008-11-11 17:19 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-10 09:50 . 2008-11-10 09:50 <DIR> d---s---- d:\documents and settings\Owner\UserData
2008-11-10 09:29 . 2008-11-10 18:35 <DIR> d-------- d:\program files\DVDFab 5
2008-11-10 08:25 . 2008-11-10 08:25 <DIR> d-------- d:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-09 21:31 . 2008-11-10 08:22 <DIR> d-------- d:\program files\Common Files\zrmk
2008-11-09 21:20 . 2008-11-07 11:51 486,678 --a------ D:\HaxFix.exe
2008-11-09 20:58 . 2004-02-10 11:50 155,648 --a------ d:\windows\system32\igfxres.dll
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Win2000
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Lang
2008-11-09 20:54 . 2003-05-14 11:17 106,496 --a------ D:\PCIUtil.dll
2008-11-09 20:54 . 2004-04-09 15:48 69,632 --a------ D:\Instngin.dll
2008-11-09 20:54 . 2004-01-19 11:11 49 --a------ D:\Install.cfg
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 03:46 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-15 03:37 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-08 01:33 --------- d-----w d:\program files\Broadcom
2008-11-08 01:23 --------- d-----w d:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot_2008-11-16_16.35.01.71 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-12 14:56:57 16,384 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2008-11-17 22:59:31 32,768 ----a-w d:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-11-12 14:56:57 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-17 22:59:31 32,768 ----a-w d:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-11-17 23:29:47 49,152 ----a-w d:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2006-03-31 17:40:58 2,388,176 ----a-w d:\windows\system32\d3dx9_30.dll
- 2004-08-12 14:00:52 2,804,224 -c--a-w d:\windows\system32\dllcache\msi.dll
+ 2005-05-03 17:58:36 2,890,240 -c--a-w d:\windows\system32\dllcache\msi.dll
- 2004-08-12 14:00:53 77,312 -c--a-w d:\windows\system32\dllcache\msiexec.exe
+ 2005-05-03 17:58:36 78,848 -c--a-w d:\windows\system32\dllcache\msiexec.exe
- 2004-08-12 14:00:53 331,264 -c--a-w d:\windows\system32\dllcache\msihnd.dll
+ 2005-05-03 17:58:36 271,360 -c--a-w d:\windows\system32\dllcache\msihnd.dll
- 2004-08-12 14:00:54 884,736 -c--a-w d:\windows\system32\dllcache\msimsg.dll
+ 2005-05-03 17:58:36 884,736 -c--a-w d:\windows\system32\dllcache\msimsg.dll
- 2004-08-12 14:00:56 44,032 -c--a-w d:\windows\system32\dllcache\msisip.dll
+ 2005-05-03 17:58:36 15,360 -c--a-w d:\windows\system32\dllcache\msisip.dll
- 2004-07-26 22:16:10 1,568,768 ------w d:\windows\system32\ImagX7.dll
+ 2008-07-04 15:23:36 1,757,184 ----a-w d:\windows\system32\imagX7.dll
- 2004-07-26 22:16:10 476,320 ------w d:\windows\system32\ImagXpr7.dll
+ 2008-07-04 15:23:38 497,296 ----a-w d:\windows\system32\imagXpr7.dll
- 2004-07-26 22:16:10 262,144 ------w d:\windows\system32\ImagXR7.dll
+ 2008-07-04 15:23:42 258,048 ----a-w d:\windows\system32\imagXR7.dll
- 2004-07-26 22:16:10 471,040 ------w d:\windows\system32\ImagXRA7.dll
+ 2008-07-04 15:23:46 802,816 ----a-w d:\windows\system32\imagXRA7.dll
+ 2008-11-16 21:41:24 144,792 ----a-w d:\windows\system32\java.exe
+ 2008-11-16 21:41:24 144,792 ----a-w d:\windows\system32\javaw.exe
+ 2008-11-16 21:41:24 148,888 ----a-w d:\windows\system32\javaws.exe
- 2004-08-12 14:00:52 2,804,224 ----a-w d:\windows\system32\msi.dll
+ 2005-05-03 17:58:36 2,890,240 ----a-w d:\windows\system32\msi.dll
- 2004-08-12 14:00:53 77,312 ----a-w d:\windows\system32\msiexec.exe
+ 2005-05-03 17:58:36 78,848 ----a-w d:\windows\system32\msiexec.exe
- 2004-08-12 14:00:53 331,264 ----a-w d:\windows\system32\msihnd.dll
+ 2005-05-03 17:58:36 271,360 ----a-w d:\windows\system32\msihnd.dll
- 2004-08-12 14:00:54 884,736 ----a-w d:\windows\system32\msimsg.dll
+ 2005-05-03 17:58:36 884,736 ----a-w d:\windows\system32\msimsg.dll
- 2004-08-12 14:00:56 44,032 ----a-w d:\windows\system32\msisip.dll
+ 2005-05-03 17:58:36 15,360 ----a-w d:\windows\system32\msisip.dll
+ 2005-05-03 17:58:20 13,536 ------w d:\windows\system32\spmsg.dll
+ 2006-03-17 20:49:46 368,640 ----a-w d:\windows\system32\twnlib4.dll
+ 2008-11-20 16:15:00 16,384 ----atw d:\windows\temp\Perflib_Perfdata_f8.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-12 1234712]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WordPerfect Office 1215"="d:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ s c e l i
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys [2008-11-11 8512]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\Drivers\avgtdix.sys [2008-11-12 76040]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
S1 usbehcii;usbehcii; []
S2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
.
- - - - ORPHANS REMOVED - - - -
BHO-{a10e47af-10cb-47c6-a99e-086f252df1f1} - d:\windows\system32\fegenope.dll

**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 11:15:18
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
d:\progra~1\AVG\AVG8\avgrsx.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-20 11:21:33 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 16:21:06
ComboFix2.txt 2008-11-18 03:34:07
ComboFix3.txt 2008-11-16 21:36:18
ComboFix4.txt 2008-11-14 03:49:22
ComboFix5.txt 2008-11-20 16:06:33
Pre-Run: 12,864,491,520 bytes free
Post-Run: 15,643,381,760 bytes free
269

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:43 AM, on 11/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
D:\Program Files\Java\jre6\bin\jqs.exe
D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
D:\PROGRA~1\AVG\AVG8\avgtray.exe
D:\Program Files\Java\jre6\bin\jusched.exe
D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRA~1\AVG\AVG8\avgrsx.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wuauclt.exe
D:\WINDOWS\system32\wscntfy.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\trend micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [IgfxTray] D:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WordPerfect Office 1215] D:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=112908 serial=wa12wrx-0000002-hmd lang=EN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=24931
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - D:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - D:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - D:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
--
End of file - 2647 bytes

Veka
21 Nov 2008, 6:57am
There is one leftover...

Open Notepad (don't use any other text editor than Notepad or the script will fail).
Copy & paste the text in the code box below into Notepad:

Driver::
usbehcii

Save this as a text file named CFScript, then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply.
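
The indicators a helper reads off the ComboFix output in this thread can be pulled out mechanically: the Security Center "DisableNotify" values set to 1, "EnableFirewall"= 0 in the standard profile, and a boot-start service such as usbehcii that has no image path behind it (the "leftover" the Driver:: script above removes). The Python below is an added example written for this page, not code from the forum, from ComboFix or from its author. The sample input is a constructed copy of lines from the log posted above, the registry and service line formats are assumed from what that log shows, and the Driver:: block the script emits only follows the CFScript shape used in Veka's posts; deciding what actually gets removed stays a judgement call.

```python
import re
from typing import Dict, List

# Constructed sample input (not a real capture): registry loading points and
# service lines in the shape ComboFix prints them, copied from the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"d:\\Program Files\\Vuze\\Azureus.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys [2008-11-11 8512]
S1 usbehcii;usbehcii; []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
"""

# "R1 name;display name;image path [date size]" as ComboFix lists drivers/services
# (format assumed from the log lines above)
SERVICE_RE = re.compile(r'^([RS]\d)\s+([^;]+);([^;]*);\s*(.*?)\s*\[([^\]]*)\]\s*$')
# '"ValueName"=data' inside a [key] block
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')


def reg_int(data: str):
    """Turn 'dword:00000001' or '0 (0x0)' into an int; None if not numeric."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"\d+", data)
    return int(m.group()) if m else None


def parse_registry(text: str) -> Dict[str, Dict[str, str]]:
    """Map each lower-cased registry key to its {value name: raw data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(2)
    return keys


def parse_services(text: str) -> List[dict]:
    """Extract start type, name, display name and image path of each service line."""
    out = []
    for line in text.splitlines():
        m = SERVICE_RE.match(line.strip())
        if m:
            out.append({"start": m.group(1), "name": m.group(2).strip(),
                        "display": m.group(3).strip(), "path": m.group(4).strip()})
    return out


def find_findings(text: str) -> List[str]:
    """Flag the tampering indicators a removal helper looks for in this section."""
    findings = []
    for key, values in parse_registry(text).items():
        if key.endswith(r"\security center"):
            for name, data in values.items():
                if name.lower().endswith("disablenotify") and reg_int(data) == 1:
                    findings.append(f"Security Center alert suppressed: {name}=1")
        if key.endswith(r"\firewallpolicy\standardprofile"):
            if reg_int(values.get("EnableFirewall", "1")) == 0:
                findings.append("Windows Firewall disabled in the standard profile")
    for svc in parse_services(text):
        if not svc["path"]:  # registered to start at boot/system but no file behind it
            findings.append(f"{svc['start']} service '{svc['name']}' has no image path")
    return findings


def build_cfscript(text: str) -> str:
    """Emit a Driver:: block (the CFScript shape used in this thread) for path-less services."""
    dead = [s["name"] for s in parse_services(text) if not s["path"]]
    return "Driver::\n" + "\n".join(dead) if dead else ""


if __name__ == "__main__":
    for f in find_findings(SAMPLE_LOG):
        print("-", f)
    print(build_cfscript(SAMPLE_LOG))
```

Run against the sample it reports the two suppressed Security Center alerts, the disabled firewall and the path-less usbehcii entry, and prints the same two-line Driver:: script Veka posted. Point it at a saved ComboFix.txt by reading the file into find_findings instead of SAMPLE_LOG.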

calg235
24 Nov 2008, 12:20am
ComboFix 08-11-22.02 - Owner 2008-11-23 19:06:00.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.90 [GMT -5:00]
Running from: d:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: d:\documents and settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
d:\documents and settings\Owner\Local Settings\Temporary Internet Files\fbk.sts
d:\windows\IE4 Error Log.txt
d:\windows\system32\ekokuduy.ini
d:\windows\system32\msansspc.dll
d:\windows\wiaserviv.log
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_USBEHCII
-------\Service_usbehcii

((((((((((((((((((((((((( Files Created from 2008-10-24 to 2008-11-24 )))))))))))))))))))))))))))))))
.
2008-11-22 15:27 . 2008-11-22 16:34 <DIR> d-------- d:\documents and settings\Owner\Application Data\ImgBurn
2008-11-22 15:14 . 2008-11-22 15:14 <DIR> d-------- d:\program files\ImgBurn
2008-11-21 18:09 . 2008-11-21 18:09 54,156 --ah----- d:\windows\QTFont.qfn
2008-11-21 18:09 . 2008-11-21 18:09 1,409 --a------ d:\windows\QTFont.for
2008-11-20 11:46 . 2008-11-20 11:46 <DIR> d--h----- d:\windows\PIF
2008-11-18 18:17 . 2008-11-18 18:19 <DIR> d-------- d:\documents and settings\Owner\Application Data\Nero
2008-11-18 16:18 . 2008-11-18 16:18 4,767 --a------ d:\windows\Irremote.ini
2008-11-18 16:03 . 2008-11-18 16:03 <DIR> d-------- d:\program files\Windows Sidebar
2008-11-18 13:23 . 2008-11-18 16:14 <DIR> d-------- d:\program files\Nero
2008-11-18 13:09 . 2008-11-18 15:25 <DIR> d-------- d:\program files\Common Files\Nero
2008-11-18 13:09 . 2008-11-18 15:29 <DIR> d-------- d:\documents and settings\All Users\Application Data\Nero
2008-11-16 16:42 . 2008-11-16 16:42 <DIR> d-------- d:\windows\Sun
2008-11-16 16:41 . 2008-11-16 16:41 <DIR> d-------- d:\program files\Java
2008-11-16 16:41 . 2008-11-16 16:41 410,976 --a------ d:\windows\system32\deploytk.dll
2008-11-16 16:41 . 2008-11-16 16:41 73,728 --a------ d:\windows\system32\javacpl.cpl
2008-11-14 22:48 . 2008-11-22 23:06 <DIR> d-------- d:\documents and settings\Owner\Application Data\Corel
2008-11-14 22:39 . 2008-11-14 22:39 <DIR> d-------- d:\program files\Common Files\Borland Shared
2008-11-14 22:37 . 2008-11-14 22:37 <DIR> d-------- d:\windows\ShellNew
2008-11-14 22:36 . 2008-11-14 22:37 <DIR> d-------- d:\program files\WordPerfect Office 12
2008-11-14 22:36 . 2008-11-14 22:36 <DIR> d-------- d:\program files\Common Files\Corel
2008-11-14 15:44 . 2008-11-18 19:25 69 --a------ d:\windows\NeroDigital.ini
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\program files\NCH Software
2008-11-14 15:14 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\All Users\Application Data\NCH Swift Sound
2008-11-14 15:12 . 2008-11-14 15:14 <DIR> d-------- d:\documents and settings\Owner\Application Data\NCH Swift Sound
2008-11-14 15:08 . 2008-11-14 15:13 <DIR> d-------- d:\program files\NCH Swift Sound
2008-11-14 12:19 . 2004-03-02 17:37 125,184 --------- d:\windows\system32\drivers\imagesrv.sys
2008-11-14 12:19 . 2004-03-02 17:37 5,504 --------- d:\windows\system32\drivers\imagedrv.sys
2008-11-14 12:12 . 2000-06-26 11:45 106,496 --a------ d:\windows\system32\TwnLib20.dll
2008-11-14 12:11 . 2001-07-09 11:50 155,648 --a------ d:\windows\system32\NeroCheck.exe
2008-11-14 12:10 . 2008-11-14 12:10 <DIR> d-------- d:\program files\Common Files\Ahead
2008-11-14 12:10 . 2008-11-14 12:12 <DIR> d-------- d:\program files\Ahead
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a------ d:\windows\system32\drivers\beep.sys
2008-11-14 08:13 . 2008-08-07 15:27 4,224 --a--c--- d:\windows\system32\dllcache\beep.sys
2008-11-13 23:38 . 2008-11-13 23:38 <DIR> d-------- d:\documents and settings\All Users\Application Data\Azureus
2008-11-13 23:37 . 2008-11-21 22:48 <DIR> d-------- d:\documents and settings\Owner\Application Data\Azureus
2008-11-13 23:34 . 2008-11-21 08:34 <DIR> d-------- d:\program files\Vuze
2008-11-13 23:34 . 2008-11-13 23:34 <DIR> d-------- d:\program files\Common Files\i4j_jres
2008-11-13 23:07 . 2008-11-23 06:02 <DIR> d-------- d:\documents and settings\All Users\Application Data\vsosdk
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\windows\system32\drivers\ezplay.sys
2008-11-13 14:19 . 2008-11-13 14:19 94,208 --a------ d:\documents and settings\Owner\Application Data\ezplay.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a------ d:\windows\system32\drivers\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:15 82,944 --a--c--- d:\windows\system32\dllcache\wdmaud.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a------ d:\windows\system32\drivers\DMusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 52,864 --a--c--- d:\windows\system32\dllcache\dmusic.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a------ d:\windows\system32\drivers\splitter.sys
2008-11-12 11:06 . 2004-08-03 23:07 6,400 --a--c--- d:\windows\system32\dllcache\splitter.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a------ d:\windows\system32\drivers\kmixer.sys
2008-11-12 11:05 . 2004-08-03 23:07 171,776 --a--c--- d:\windows\system32\dllcache\kmixer.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a------ d:\windows\system32\drivers\aec.sys
2008-11-12 11:05 . 2004-08-03 22:39 142,464 --a--c--- d:\windows\system32\dllcache\aec.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a------ d:\windows\system32\drivers\sysaudio.sys
2008-11-12 11:05 . 2004-08-03 23:15 60,800 --a--c--- d:\windows\system32\dllcache\sysaudio.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a------ d:\windows\system32\drivers\swmidi.sys
2008-11-12 11:05 . 2001-08-17 14:00 54,272 --a--c--- d:\windows\system32\dllcache\swmidi.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a------ d:\windows\system32\drivers\drmkaud.sys
2008-11-12 11:05 . 2004-08-03 23:07 2,944 --a--c--- d:\windows\system32\dllcache\drmkaud.sys
2008-11-12 11:04 . 2008-11-13 14:10 7 --a------ d:\windows\system32\tmcontrol.bin
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a------ d:\windows\system32\drivers\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:15 145,792 --a--c--- d:\windows\system32\dllcache\portcls.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a------ d:\windows\system32\drivers\drmk.sys
2008-11-12 11:03 . 2004-08-03 23:08 60,288 --a--c--- d:\windows\system32\dllcache\drmk.sys
2008-11-12 11:02 . 2002-04-01 13:15 4,816 --a------ d:\windows\system32\drivers\aeaudio.sys
2008-11-12 11:01 . 2008-11-12 11:01 <DIR> d-------- d:\program files\Analog Devices
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a--c--- d:\windows\system32\dllcache\a3d.dll
2008-11-12 11:01 . 2001-09-19 13:32 720,896 --a------ d:\windows\system32\a3d.dll
2008-11-12 11:01 . 2002-12-19 17:48 539,008 --a------ d:\windows\system32\drivers\smwdm.sys
2008-11-12 11:01 . 2002-04-17 15:05 45,056 --a------ d:\windows\system32\CleanUp.exe
2008-11-12 11:01 . 2002-12-17 15:11 36,864 --a------ d:\windows\system32\DSndUp.exe
2008-11-12 11:01 . 2002-10-28 11:26 3,744 --a------ d:\windows\system32\drivers\smsens.sys
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\windows\system32\QuickTime
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\QuickTime Alternative
2008-11-12 09:26 . 2008-11-12 09:26 <DIR> d-------- d:\program files\Media Player Classic
2008-11-12 09:26 . 2004-09-23 18:57 6,676,480 --a------ d:\windows\system32\QuickTime.qts
2008-11-12 09:26 . 2004-09-23 18:57 747,008 --a------ d:\windows\system32\Indeo4.qtx
2008-11-12 09:26 . 2002-12-20 12:40 675,328 --a------ d:\windows\system32\ir50_32.qtx
2008-11-12 09:26 . 2004-09-23 18:57 430,592 --a------ d:\windows\system32\QuickTimeVR.qtx
2008-11-12 09:26 . 2004-10-27 13:01 360,504 --a------ d:\windows\system32\QTPlugin.ocx
2008-11-12 09:26 . 2004-09-23 18:57 323,072 --a------ d:\windows\system32\QuickTime.cpl
2008-11-12 09:26 . 2004-01-12 17:57 86,016 --a------ d:\windows\system32\QuickTime.ax
2008-11-12 09:26 . 2004-09-23 18:57 70,144 --a------ d:\windows\system32\QuickTimeCheck.ocx
2008-11-12 08:48 . 2008-11-12 08:48 <DIR> d-------- d:\program files\Spybot - Search & Destroy
2008-11-12 08:48 . 2008-11-12 09:27 <DIR> d-------- d:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Malwarebytes' Anti-Malware
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\Owner\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-11-12 08:47 <DIR> d-------- d:\documents and settings\All Users\Application Data\Malwarebytes
2008-11-12 08:47 . 2008-10-22 16:10 38,496 --a------ d:\windows\system32\drivers\mbamswissarmy.sys
2008-11-12 08:47 . 2008-10-22 16:10 15,504 --a------ d:\windows\system32\drivers\mbam.sys
2008-11-12 08:31 . 2008-11-23 06:33 <DIR> d-------- d:\documents and settings\Owner\Application Data\CopyToDvd
2008-11-12 08:22 . 2008-11-12 08:22 76,040 --a------ d:\windows\system32\drivers\avgtdix.sys
2008-11-12 08:22 . 2008-11-12 08:22 10,520 --a------ d:\windows\system32\avgrsstx.dll
2008-11-12 08:21 . 2008-11-23 08:27 <DIR> d-------- d:\windows\system32\drivers\Avg
2008-11-12 08:21 . 2008-11-12 08:21 <DIR> d-------- d:\program files\AVG
2008-11-12 08:21 . 2008-11-12 08:21 97,928 --a------ d:\windows\system32\drivers\avgldx86.sys
2008-11-10 18:57 . 2008-11-10 18:57 27,904 --a------ d:\windows\system32\drivers\ndisprot.sys
2008-11-10 18:45 . 2008-11-18 18:35 <DIR> d-------- d:\documents and settings\All Users\Application Data\Vso
2008-11-10 18:37 . 2008-11-18 19:23 <DIR> d-------- d:\program files\VSO
2008-11-10 18:37 . 2004-05-04 12:53 1,645,320 --a------ d:\windows\gdiplus.dll
2008-11-10 18:37 . 2006-05-20 17:16 1,184,984 --a------ d:\windows\system32\wvc1dmod.dll
2008-11-10 18:37 . 2006-05-11 20:21 626,688 --a------ d:\windows\system32\vp7vfw.dll
2008-11-10 18:37 . 2006-09-29 13:24 217,127 --a------ d:\windows\system32\drv43260.dll
2008-11-10 18:37 . 2006-09-29 13:25 208,935 --a------ d:\windows\system32\drv33260.dll
2008-11-10 18:37 . 2006-09-29 13:26 176,165 --a------ d:\windows\system32\drv23260.dll
2008-11-10 18:37 . 2007-03-18 21:37 65,602 --a------ d:\windows\system32\cook3260.dll
2008-11-10 18:30 . 2008-11-10 18:30 <DIR> d-------- d:\program files\VSO Burning SDK
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\windows\system32\drivers\pcouffin.sys
2008-11-10 18:30 . 2008-11-10 18:37 47,360 --a------ d:\documents and settings\Owner\Application Data\pcouffin.sys
2008-11-10 18:25 . 2008-11-23 06:26 <DIR> d-------- d:\documents and settings\Owner\Application Data\Vso
2008-11-10 15:44 . 2008-11-10 15:44 <DIR> d-------- d:\program files\DivX
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\windows\WinAVI Video Converter 9.0
2008-11-10 15:33 . 2008-11-10 15:33 <DIR> d-------- d:\program files\WinAVI Video Converter 9.0
2008-11-10 14:23 . 2004-08-03 23:08 26,496 --a--c--- d:\windows\system32\dllcache\usbstor.sys
2008-11-10 12:06 . 2008-11-23 19:01 <DIR> d--h----- D:\$AVG8.VAULT$
2008-11-10 11:57 . 2008-11-12 08:21 <DIR> d-------- d:\documents and settings\All Users\Application Data\avg8
2008-11-10 11:37 . 2008-11-10 11:37 <DIR> d-------- d:\windows\ERUNT
2008-11-10 11:37 . 2008-11-14 08:27 <DIR> d-------- D:\SDFix
2008-11-10 10:51 . 2008-11-12 08:47 <DIR> d-------- d:\program files\Trojan Remover
2008-11-10 10:51 . 2008-11-10 10:51 <DIR> d-------- d:\documents and settings\Owner\Application Data\Simply Super Software
2008-11-10 10:51 . 2008-11-11 17:19 <DIR> d-a------ d:\documents and settings\All Users\Application Data\TEMP
2008-11-10 09:50 . 2008-11-10 09:50 <DIR> d---s---- d:\documents and settings\Owner\UserData
2008-11-10 09:29 . 2008-11-10 18:35 <DIR> d-------- d:\program files\DVDFab 5
2008-11-10 08:25 . 2008-11-10 08:25 <DIR> d-------- d:\documents and settings\Owner\Application Data\MSNInstaller
2008-11-09 21:31 . 2008-11-10 08:22 <DIR> d-------- d:\program files\Common Files\zrmk
2008-11-09 21:20 . 2008-11-07 11:51 486,678 --a------ D:\HaxFix.exe
2008-11-09 20:58 . 2004-02-10 11:50 155,648 --a------ d:\windows\system32\igfxres.dll
2008-11-09 20:54 . 2008-11-09 20:54 <DIR> d-------- D:\Win2000
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-15 03:46 --------- d--h--w d:\program files\InstallShield Installation Information
2008-11-15 03:37 --------- d-----w d:\program files\Common Files\InstallShield
2008-11-08 01:33 --------- d-----w d:\program files\Broadcom
2008-11-08 01:23 --------- d-----w d:\program files\microsoft frontpage
.
((((((((((((((((((((((((((((( snapshot_2008-11-20_11.20.12.65 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-11-24 00:11:34 16,384 ----atw d:\windows\temp\Perflib_Perfdata_168.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a10e47af-10cb-47c6-a99e-086f252df1f1}]
d:\windows\system32\fegenope.dll [BU]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="d:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"AVG8_TRAY"="d:\progra~1\AVG\AVG8\avgtray.exe" [2008-11-12 1234712]
"NeroFilterCheck"="d:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"WordPerfect Office 1215"="d:\program files\WordPerfect Office 12\Programs\Registration.exe" [2004-03-08 733184]
"SunJavaUpdateSched"="d:\program files\Java\jre6\bin\jusched.exe" [2008-11-16 136600]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ s c e l i
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"d:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"d:\\Program Files\\Vuze\\Azureus.exe"=
"d:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"=
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
R2 avg8emc;AVG Free8 E-mail Scanner;d:\progra~1\AVG\AVG8\avgemc.exe [2008-11-12 875288]
R2 avg8wd;AVG Free8 WatchDog;d:\progra~1\AVG\AVG8\avgwdsvc.exe [2008-11-12 231704]
R2 AvgTdiX;AVG Free8 Network Redirector;d:\windows\system32\Drivers\avgtdix.sys [2008-11-12 76040]
R2 Nero BackItUp Scheduler 4.0;Nero BackItUp Scheduler 4.0;d:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe [2008-09-30 935208]
S1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys []
S3 Ndisprot;ArcNet NDIS Protocol Driver;\??\d:\windows\system32\drivers\Ndisprot.sys [2008-11-10 27904]
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-23 19:11:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(616)
d:\windows\system32\rsaenh.dll
- - - - - - - > 'lsass.exe'(672)
d:\windows\system32\msprivs.dll
d:\windows\system32\rsaenh.dll
.
------------------------ Other Running Processes ------------------------
.
d:\program files\Java\jre6\bin\jqs.exe
d:\progra~1\AVG\AVG8\avgrsx.exe
d:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-23 19:17:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-24 00:16:48
ComboFix2.txt 2008-11-20 16:21:39
ComboFix3.txt 2008-11-18 03:34:07
ComboFix4.txt 2008-11-16 21:36:18
ComboFix5.txt 2008-11-24 00:04:41
Pre-Run: 8,642,682,880 bytes free
Post-Run: 8,678,453,248 bytes free
229
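The ComboFix log above is read by hand in this thread: the Reg Loading Points section shows Security Center notifications turned off, the Windows Firewall standard profile disabled, a Browser Helper Object DLL, a non-default Safe Mode driver entry and a service whose file details are empty. The script below is an added example, not part of the thread and not a ComboFix feature; it applies those same checks to a constructed sample built from the kinds of lines the log contains, so the settings that weaken defences are surfaced before anything else is cleaned. The sample log, the severity labels and the finding text are the example's own assumptions.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix-style log.

Added example for this thread (not ComboFix's own code): it flags
weakened defences (Security Center alerts suppressed, firewall off)
and persistence points (BHO DLLs, Safe Mode driver entries, services
with no recorded file details) that a responder checks first.
"""
import re
from dataclasses import dataclass

# Constructed sample: the same kinds of lines as the thread's ComboFix log.
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a10e47af-10cb-47c6-a99e-086f252df1f1}]
d:\windows\system32\fegenope.dll [BU]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="d:\windows\system32\igfxtray.exe" [2004-02-10 155648]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
R1 AvgLdx86;AVG Free AVI Loader Driver x86;d:\windows\system32\Drivers\avgldx86.sys [2008-11-12 97928]
S1 swapm;DRAM Cash Driver;d:\windows\system32\swapm.sys []
"""


@dataclass
class Finding:
    severity: str   # "high", "medium" or "review" (labels chosen for this example)
    where: str      # registry key or log section the line came from
    detail: str


SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Service lines look like: "<start> <name>;<description>;<path> [<file info>]"
SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<desc>[^;]*);(?P<path>.*?)\s*\[(?P<info>[^\]]*)\]$"
)
BHO_RE = re.compile(r"^(?P<path>\S.*?\.dll)(?:\s*\[(?P<info>[^\]]*)\])?$", re.IGNORECASE)
# Security Center values that, when 1, silence the "protection is off" warning.
NOTIFY_VALUES = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def parse_dword(value):
    """Return the integer in 'dword:00000001' or '0 (0x0)' form, else None."""
    m = re.match(r"dword:([0-9a-fA-F]{8})$", value)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)\s*\(0x[0-9a-fA-F]+\)$", value)
    if m:
        return int(m.group(1))
    return None


def triage(log_text):
    """Return a list of Finding objects for the registry dump in log_text."""
    findings = []
    key = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = SERVICE_RE.match(line)
        if m:
            # An empty [] means the log recorded no date/size for the file.
            if not m.group("info").strip():
                findings.append(Finding("medium", "services",
                    f"{m.group('name')} loads {m.group('path')} but no file details were recorded; "
                    "confirm the file exists and who signed it"))
            continue
        if key is None:
            continue
        lk = key.lower()
        if "browser helper objects" in lk:
            m = BHO_RE.match(line)
            if m:
                findings.append(Finding("review", key,
                    f"BHO loads {m.group('path')}; verify the publisher, since IE loads it on every start"))
            continue
        if "safeboot\\minimal" in lk and line.startswith("@="):
            entry = key.rsplit("\\", 1)[-1]
            findings.append(Finding("medium", key,
                f"non-default Safe Mode entry: {entry} is allowed to load in Safe Mode"))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, number = m.group("name"), parse_dword(m.group("value"))
        if "security center" in lk and name in NOTIFY_VALUES and number == 1:
            findings.append(Finding("high", key,
                f"{name}=1: Security Center will not warn that this protection is off"))
        elif "firewallpolicy" in lk and name == "EnableFirewall" and number == 0:
            findings.append(Finding("high", key,
                "EnableFirewall=0: Windows Firewall is disabled for this profile"))
    return findings


def severity_counts(findings):
    """Summarise findings by severity, e.g. {'high': 3, 'medium': 2, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.where}: {f.detail}")
```

Run on the sample it reports three high findings (two suppressed Security Center notifications and the disabled firewall), two medium ones (the Safe Mode entry and the service with no file details) and the BHO for review; the Run-key entries with a recorded date and size produce nothing, which is the point of keying on what the log could not account for rather than on names.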

Veka
24 Nov 2008, 8:45am
Scan your system with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html)

Note: Internet Explorer should be used


Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

Spyware, Adware, Dialers, and other potentially dangerous programs
Archives


Click on My Computer under Scan and then put the kettle on!
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
Copy and paste the report into your next reply.

calg235
30 Nov 2008, 9:35pm
i keep trying to run it, but it freezes at 20%, or 30 minutes in.

Veka
1 Dec 2008, 6:24am
OK. Update MBAM and make a full system scan. Post the results here.

calg235
2 Dec 2008, 3:53pm
Malwarebytes' Anti-Malware 1.30
Database version: 1388
Windows 5.1.2600 Service Pack 2
12/2/2008 9:35:49 AM
mbam-log-2008-12-02 (09-35-49).txt
Scan type: Full Scan (D:\|)
Objects scanned: 70350
Time elapsed: 54 minute(s), 3 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 3
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
D:\Program Files\Webtools (Trojan.Agent) -> Quarantined and deleted successfully.
D:\Program Files\Mjcore (Trojan.BHO) -> Quarantined and deleted successfully.
D:\Documents and Settings\Owner\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.
Files Infected:
D:\Qoobox\Quarantine\D\Program Files\webHancer\Programs\whinstaller.exe.vir (Adware.Webhancer) -> Quarantined and deleted successfully.
D:\Qoobox\Quarantine\D\WINDOWS\system32\tsuninst.exe.vir (Spyware.TargetSaver) -> Quarantined and deleted successfully.
D:\System Volume Information\_restore{AA604518-ED06-458D-9176-5CF7704D68F9}\RP73\A0013860.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

Veka
8 Dec 2008, 6:27am
How is your computer running at the moment?

calg235
9 Dec 2008, 10:16pm
fine. no problems

Veka
10 Dec 2008, 7:34am
Let's uninstall ComboFix


Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png
When shown the disclaimer, Select "2"



Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Clean up System Restore

You can find instructions on how to disable and enable System Restore from these guides:

Disable And Enable System Restore (http://forums.majorgeeks.com/showthread.php?t=31668)
Windows XP System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial56.html)

Make Your Internet Explorer More Secure

This can be done by following these simple instructions:


From within Internet Explorer click on the tools menu and then click on Options
Click once on the "Security" tab
Click once on the "Internet" icon so it becomes highlighted
Click once on the Custom Level button.

Change the "Download signed ActiveX" controls to Prompt
Change the "Download unsigned ActiveX" controls to Disable
Change the "Initialize and script ActiveX controls" not marked as safe to Disable
Change the "Launching programs and files in an IFRAME" to Prompt
Change the "Navigate sub-frames across different domains" to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.


Next press the Apply button and then the OK to exit the Internet Properties page.

Note that Internet Explorer is not the most secure browser. There are safer (and better) alternatives available like Opera (http://www.opera.com/) and Firefox (http://www.mozilla.org/products/firefox/).

Keep Your System Up to date

It is imperative that you keep your Windows, Antivirus, and other software up to date. Otherwise you are not protected against new threats and your system is vulnerable and unsafe. Update your Antivirus software at least once a week, and visit the Microsoft Windows Update (http://www.windowsupdate.com) site regularly.

Install SpywareBlaster

SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware, Hijackers, and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Additional Utilities and Tips to Enhance Your Safety


MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) --- The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) --- Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) --- Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Get more knowledge about how to protect your computer and prevent malware issues by reading these short articles:


12 Ways to get Infected (http://forums.subratam.org/index.php?showtopic=10086) by tashi
How to prevent Malware (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) by miekiemoes
So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html) by Tony Klein
Ten Commandments for Your Computer Sanity (http://icrontic.com/forum/showthread.php?t=39435) by BitDefender


Happy surfing! :D
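The HOSTS-file advice above works because the resolver consults the HOSTS file before DNS: a name mapped to 127.0.0.1 (or 0.0.0.0) never leaves the machine. The script below is an added example, not part of the thread and not MVPS's code; it parses a constructed HOSTS fragment in the same format and answers whether a given name is blackholed, handling the details that trip people up: comments, several names on one line, the first entry winning on duplicates, case-insensitive names, and unlisted subdomains not being covered. The hostnames in the sample are placeholders under the reserved .invalid domain.

```python
"""Resolve a hostname against a HOSTS file the way the local resolver does.

Added example for this thread (not MVPS's code): shows why an entry
mapping a site to 127.0.0.1 or 0.0.0.0 stops the browser reaching it,
and why a subdomain that is not listed is unaffected.
"""
import ipaddress

# Constructed sample in HOSTS-file format; names are placeholders (.invalid).
SAMPLE_HOSTS = """\
# Lines starting with '#' are comments, as are trailing '#' remarks
127.0.0.1 localhost
127.0.0.1 ads.example-tracker.invalid      # typical ad-server entry
127.0.0.1 banner.example-adnet.invalid ads.example-adnet.invalid
0.0.0.0   telemetry.example.invalid
127.0.0.1 ads.example-tracker.invalid      # duplicate; first entry wins
not-an-ip broken.example.invalid           # malformed line is ignored
"""


def parse_hosts(text):
    """Map each hostname (lower-cased) to the address of its first entry."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # address with no names
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address field
        for name in parts[1:]:
            # Resolvers take the first matching line, so keep the first one.
            mapping.setdefault(name.lower(), str(addr))
    return mapping


def lookup(mapping, hostname):
    """Return the HOSTS-file address for hostname, or None if not listed."""
    return mapping.get(hostname.lower().rstrip("."))


def is_blackholed(mapping, hostname):
    """True when the HOSTS file sends hostname to loopback or the unspecified address."""
    addr = lookup(mapping, hostname)
    if addr is None:
        return False                          # falls through to DNS
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example-adnet.invalid", "www.example-adnet.invalid"):
        print(f"{name}: blackholed={is_blackholed(hosts, name)}")
```

The last lookup in the usage illustrates the limit of the approach: only names literally present in the file are blocked, so a HOSTS list needs regular updates, which is why the MVPS file is re-released rather than installed once.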

Veka
19 Dec 2008, 9:01pm
Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.

If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)
_______________________________

Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 (http://icrontic.com/forum/showthread.php?t=29803) and fold for a cure.