spy.Ursnif.A inside termsrv.dll and Winlogon.exe
Kavukamari
27 Jun 2009, 9:53pm
NOD32 says I have a virus in Winlogon.exe and Termsrv.dll. I know I can't delete these because the computer needs them. I don't have a Windows CD to replace the files, but I could probably get one anyway. I need help to remove these.
Hello. :)
Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here ======> A guide and tutorial on using ComboFix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix) <====== Go here
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
Kavukamari
29 Jun 2009, 9:30pm
What if I don't have a Windows CD? I guess I'll get one somewhere...
There is a section inside the guide I linked to:
If you use Windows XP and do not have the Windows CD
Follow the instructions there to download the file from Microsoft.
Kavukamari
4 Jul 2009, 3:24am
ComboFix 09-07-03.03 - Kavu Kamari 07/03/2009 15:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.444 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
C:\install.exe
C:\test.txt
c:\windows\Installer\3b1a3.msi
c:\windows\Installer\71b5401.msi
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\mlfcache.dat
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 -------- d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 -------- d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 -------- dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:07 . 2007-12-29 03:08 -------- d-----w- c:\program files\Steam
2009-07-04 02:06 . 2008-02-14 06:48 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-03 23:23 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 -------- d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 05:29 . 2009-06-03 05:29 -------- d-----w- c:\program files\AskBarDis
2009-06-03 05:29 . 2009-06-03 05:29 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-06-03 03:01 . 2009-04-26 09:30 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 -------- d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 -------- d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 -------- d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 -------- d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 -------- d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 -------- d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 -------- d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 -------- d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 -------- d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 -------- d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 02:01 . 2008-12-23 09:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 01:59 . 2009-05-11 01:59 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 -------- d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 -------- d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 -------- d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 -------- d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 56 --sh--r- c:\windows\system32\1005515D87.sys
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-12 00:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]
c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 16:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
[HKEY_LOCAL_MACHINE\software\Classes\.*e%%g*]
@="-¦g_auto_file"
[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2248)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\program files\MyWaySA\SrchAsDe\deSrcAs.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcccoms.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-07-04 16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 02:19
Pre-Run: 9,339,797,504 bytes free
Post-Run: 9,290,412,032 bytes free
414 --- E O F --- 2009-06-29 19:51
I hope this program didn't delete anything I need...
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions. It's IMPORTANT to carry out the instructions in the sequence listed below.
There is a potentially unwanted piece of software I have detected on your PC called AskBar.
More information here:
http://www.spywarelib.com/remove-Adware-AskBar-a.html
We usually deem this optional to remove. But, I strongly suggest you do so by going to Control Panel > Add / Remove Programs and uninstalling it. Reboot your PC after uninstallation is complete.
Then, navigate to the following directory and delete it if it is still present:
c:\program files\AskBarDis
=====================================================
Next,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\1005515D87.sys
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your next reply, as well as let me know whether you have removed AskBar.
*Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Kavukamari
4 Jul 2009, 10:05pm
ComboFix 09-07-03.03 - Kavu Kamari 07/03/2009 16:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kavu Kamari\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FILE ::
"c:\windows\system32\1005515D87.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\1005515D87.sys
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\null.sys
c:\windows\system32\drivers\null.sys was missing
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0198007.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-04 03:02 . 2004-08-10 11:00 2944 ----a-w- c:\windows\system32\dllcache\null.sys
2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 -------- d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 -------- d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 -------- dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 03:08 . 2008-02-14 06:48 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-04 03:07 . 2007-12-29 03:08 -------- d-----w- c:\program files\Steam
2009-07-04 02:46 . 2009-06-03 05:29 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-07-04 02:22 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 -------- d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 03:01 . 2009-04-26 09:30 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 -------- d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 -------- d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 -------- d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 -------- d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 -------- d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 -------- d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 -------- d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 -------- d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 -------- d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 -------- d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:59 . 2009-05-11 01:59 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 -------- d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 -------- d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 -------- d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 -------- d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]
c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Messenger\\msmsgs.exe"= c:\program files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= c:\program files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\uTorrent\\uTorrent.exe"= c:\program files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= c:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"c:\\Program Files\\Steam\\steam.exe"= c:\program files\Steam\steam.exe:*:Enabled:Steam
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"= c:\program files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\garrysmod\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\team fortress 2\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\counter-strike source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\day of defeat source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life deathmatch source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life\hl.exe:*:Enabled:Half-Life Launcher
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"= c:\softimage\XSI_6.01_Mod_Tool\Application\bin\XSI.exe:*:Enabled:XSI
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"= c:\program files\Steam\SteamApps\common\peggle deluxe\Peggle.exe:*:Enabled:Peggle Deluxe
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"= c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\Shadowgrounds.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsLauncher.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"= c:\program files\Steam\SteamApps\common\eets\Eets.exe:*:Enabled:Eets
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"= c:\program files\Steam\SteamApps\common\world of goo\WorldOfGoo.exe:*:Enabled:World of Goo
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"= c:\program files\Steam\SteamApps\common\bullet candy\BulletCandyV2.exe:*:Enabled:Bullet Candy
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsEditor.exe:*:Enabled:Shadowgrounds Editor
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"= c:\program files\uTorrent\utorrent-1.8.2.upx.exe:*:Enabled:µTorrent
"c:\\Program Files\\Skype\\Phone\\Skype.exe"= c:\program files\Skype\Phone\Skype.exe:*:Enabled:Skype
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"= c:\program files\Steam\SteamApps\common\peggle nights\PeggleNights.exe:*:Enabled:Peggle Nights
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:*:Enabled:Left 4 Dead Dedicated Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 17:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\.*e%%g*]
@="-¦g_auto_file"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
"{21701DD0-9D7E-43f7-A1B2-E92ED6E90A51}"=hex:ef,12,30,55,c0,8a,2f,9f,d5,7b,ec,
55,20,39,3f,ec,5e,85,51,91,80,5c,f6,6d,9c,aa,c6,01
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\dlcccoms.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-04 17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 03:15
ComboFix2.txt 2009-07-04 02:19
Pre-Run: 9,307,774,976 bytes free
Post-Run: 9,287,135,232 bytes free
527 --- E O F --- 2009-06-29 19:51
My internet broke for a day...
Oh, also: ComboFix says not to open any programs while it's preparing the log, but then all of my startup programs start. Will this create problems? It didn't seem to create problems...
Hi,
If ComboFix auto-executes, then don't worry about the startup programs opening.
I also noticed that you have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar
Viewpoint Experience Technology
If you are having trouble removing Viewpoint, I suggest that you use ViewpointKiller. You may download it from this link (http://bellsouthpwp.net/p/r/prprogramsstudios/viewpointkiller.zip).
Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop. Run ViewpointKiller, and select File > Do All Killings. Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with. A logfile will be created in the folder you unzipped ViewpointKiller to; please paste its contents here.
=====================================================
Now go HERE (http://www.pandasecurity.com/activescan/index/) to run Panda ActiveScan 2.0
Click the big green Scan now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
The scan may take some time. Once it is completed, please hit the notepad icon next to the text Export to:
Save it to a convenient location such as your Desktop
Post the contents of the ActiveScan.txt in your next reply, as well as the ViewPointKiller logfile if you ran it.
Kavukamari
5 Jul 2009, 3:35am
Oh, by the way, I uninstalled that askbar thing, and I uninstalled Viewpoint. (Viewpoint uninstalled just fine... I think.)
Also, ESET found the same virus (Ursnif.A) in a file that's like A01[more numbers here].exe in the recovery sector and deleted it; just thought you might want to know.
That's probably your old System Restore points.
Will you run the Panda ActiveScan?
Kavukamari
5 Jul 2009, 4:20am
Yes, I'm running it right now.
OK - I'll wait for it to be posted up.
Kavukamari
5 Jul 2009, 10:15am
;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-04 23:11:58
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 9
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@casalemedia[1].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Kavu Kamari\Cookies\kavu_kamari@atdmt[1].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Kavu Kamari\Cookies\kavu_kamari@atdmt[2].txt
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@fastclick[2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@apmebf[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt
00170554 Cookie/Overture TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@overture[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Guest\Cookies\guest@zedo[1].txt
00172825 Joke/Stress Jokes No 0 Yes No C:\Documents and Settings\Kavu Kamari\Desktop\!My Computer Folder\Installed games\n_v1pc\N downloads\Screen Buddies\stressreducer.exe
00335980 Application/MyWay HackTools Yes 0 Yes No C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
00527204 Application/PRScheduler HackTools Yes 0 Yes No C:\Documents and Settings\Kavu Kamari\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
02164907 Generic Malware Virus/Trojan No 0 Yes No C:\Program Files\DIGStream\digstream.exe
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0195882.sys
03074964 Trj/CI.A Virus/Trojan No 0 No No C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP766\A0180945.exe[winupdae.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Program Files\Rainmeter\Skins\Dark_Rainmeter\SystemInfo\empty.exe
No C:\Program Files\Rainmeter\Skins\HUD.Vision\Black\util\fileExec.exe
No C:\Program Files\Rainmeter\Skins\HUD.Vision\White\util\fileExec.exe
No I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\HUD.Vision\White\UTIL\fileExec.exe
No I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\HUD.Vision\Black\UTIL\fileExec.exe
No I:\Kavukamari\Misc\Rainmeter Skins\My\Skins\Dark_Rainmeter\SystemInfo\EMPTY.EXE
No I:\Kavukamari\Misc\Rainmeter Skins\Dark_Rainmeter.zip[Dark_Rainmeter/SystemInfo/empty.exe]
No I:\Kavukamari\Misc\Rainmeter Skins\coryskins.rar[Skins\HUD.Vision\White\util\fileExec.exe]
No I:\Kavukamari\Misc\Rainmeter Skins\coryskins.rar[Skins\HUD.Vision\Black\util\fileExec.exe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================
There's the log from the Panda ActiveScan thing.
Hi,
Please go to Control Panel > Add/Remove Programs and uninstall the following if found:
MyWaySA
After that, reboot your PC.
Then navigate to and delete the following file:
C:\Documents and Settings\Kavu Kamari\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
As well as the following folder if still existent:
C:\Program Files\MyWaySA\
Reboot your PC once more.
Can I know how your PC is running at this point in time?
Kavukamari
5 Jul 2009, 11:42pm
It seems to be running fine, but I believe termsrv.dll never got cleaned
Run a scan with NOD32 now, does it still give out any alerts (termsrv.dll or any other stuff)?
Kavukamari
6 Jul 2009, 5:09am
Yea, it still says termsrv.dll is infected. If ESET deletes it, will it do anything to my computer?
Yes, because termsrv.dll is a legitimate system file.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)
Double-click SystemLook.exe to run it.
Copy the content of the following codebox into the main textfield:
:filefind
termsrv.dll
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Kavukamari
6 Jul 2009, 5:48am
SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 18:41 on 05/07/2009 by Kavu Kamari (Administrator - Elevation successful)
========== filefind ==========
Searching for "termsrv.dll"
C:\i_386\termsrv.dll --a--- 295424 bytes [19:51 31/12/2005] [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [07:56 12/11/2008] [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [05:43 20/09/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [10:37 16/08/2005] [06:29 29/11/2008] (Unable to calculate MD5)
-=End Of File=-
da log.
OK....
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Delete CFScript.txt from your desktop first.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
FCopy::
c:\windows\ServicePackFiles\i386\termsrv.dll|c:\windows\system32\termsrv.dll
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your next reply, and let me know the latest results from a NOD32 scan.
*Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
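An integrity check over the SystemLook output above, added here as an example and not a tool from the thread: it parses the filefind result lines, takes the ServicePackFiles\i386 copy as the known-good reference (the source the FCopy script above restores from), flags any copy under system32 whose MD5 is unreadable or differs from that reference, and emits the same FCopy:: source|destination line. The extra dllcache line with an all-zero hash is constructed to exercise the mismatch case.

```python
"""Integrity check over SystemLook ':filefind' output (added example, not the thread's tool)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Result lines copied from the SystemLook "filefind termsrv.dll" log posted in the thread.
SAMPLE_LOG = r"""SystemLook v1.0 by jpshortstuff (22.05.09)
========== filefind ==========
Searching for "termsrv.dll"
C:\i_386\termsrv.dll --a--- 295424 bytes [19:51 31/12/2005] [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll -----c 295424 bytes [07:56 12/11/2008] [01:49 10/03/2005] C29A5286E64D97385178452D5F307B98
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [05:43 20/09/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [10:37 16/08/2005] [06:29 29/11/2008] (Unable to calculate MD5)
-=End Of File=-
"""

# Constructed line (NOT from the thread) with a placeholder all-zero hash, used to
# exercise the "readable but different from the reference" case.
CONSTRUCTED_MISMATCH_LINE = (
    r"C:\WINDOWS\system32\dllcache\termsrv.dll --a--- 295424 bytes "
    r"[00:00 01/01/2009] [00:00 01/01/2009] 00000000000000000000000000000000"
)

# One filefind result: <path> <6 attr flags> <size> bytes [stamp] [stamp] <MD5 | unable>
FILEFIND_LINE = re.compile(
    r"^(?P<path>.+?)\s+(?P<attrs>[-a-z]{6})\s+(?P<size>\d+) bytes "
    r"\[(?P<stamp1>[^\]]+)\] \[(?P<stamp2>[^\]]+)\] "
    r"(?P<md5>[0-9A-Fa-f]{32}|\(Unable to calculate MD5\))$"
)


@dataclass
class FileCopy:
    path: str
    attrs: str
    size: int
    md5: Optional[str]  # None when SystemLook printed "(Unable to calculate MD5)"


def parse_filefind(log: str) -> List[FileCopy]:
    """Extract one FileCopy per result line; header and footer lines do not match."""
    copies: List[FileCopy] = []
    for raw in log.splitlines():
        m = FILEFIND_LINE.match(raw.strip())
        if not m:
            continue
        md5 = m.group("md5")
        copies.append(FileCopy(
            path=m.group("path"),
            attrs=m.group("attrs"),
            size=int(m.group("size")),
            md5=None if md5.startswith("(") else md5.upper(),
        ))
    return copies


REFERENCE_MARK = "\\servicepackfiles\\i386\\"  # pristine service-pack copy, the FCopy source
LIVE_MARK = "\\system32\\"                     # the copies Windows actually loads


def reference_copy(copies: List[FileCopy]) -> Optional[FileCopy]:
    """The ServicePackFiles\\i386 copy is the one to restore from."""
    for c in copies:
        if REFERENCE_MARK in c.path.lower():
            return c
    return None


def suspicious_copies(copies: List[FileCopy], ref: FileCopy) -> List[Tuple[FileCopy, str]]:
    """Compare only live copies against the reference. The i_386 installer source and
    $NtServicePackUninstall$ legitimately hold the older pre-SP3 build, so they are skipped.
    Every copy in the log is 295424 bytes: size alone proves nothing, only the hash does."""
    flagged: List[Tuple[FileCopy, str]] = []
    for c in copies:
        if LIVE_MARK not in c.path.lower():
            continue
        if c.md5 is None:
            flagged.append((c, "hash unreadable (SystemLook could not hash the file)"))
        elif c.md5 != ref.md5:
            flagged.append((c, "hash differs from the ServicePackFiles reference"))
    return flagged


def build_fcopy_script(ref: FileCopy, flagged: List[Tuple[FileCopy, str]]) -> str:
    """Emit a CFScript in the FCopy:: source|destination form used in the thread."""
    lines = ["FCopy::"]
    for c, _reason in flagged:
        lines.append(f"{ref.path}|{c.path}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_filefind(SAMPLE_LOG)
    good = reference_copy(found)
    bad = suspicious_copies(found, good)
    for copy, reason in bad:
        print(f"{copy.path}: {reason}")
    print(build_fcopy_script(good, bad))
```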
Kavukamari
6 Jul 2009, 7:49am
ComboFix 09-07-03.03 - Kavu Kamari 07/05/2009 20:19.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.631 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kavu Kamari\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.
2009-07-06 04:08 . 2009-07-06 04:08 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\ESET
2009-07-05 06:07 . 2009-07-05 06:15 -------- d-----w- c:\program files\Pokemon World Online
2009-07-05 02:15 . 2008-06-20 03:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-05 02:13 . 2009-07-05 02:13 -------- d-----w- c:\program files\Panda Security
2009-07-04 21:58 . 2009-07-04 21:58 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 04:42 . 2004-08-10 11:00 2944 ----a-w- c:\windows\system32\drivers\null.sys
2009-07-04 04:05 . 2009-07-04 04:05 -------- d-sh--w- c:\documents and settings\Kavu Kamari\PrivacIE
2009-07-04 03:02 . 2004-08-10 11:00 2944 ----a-w- c:\windows\system32\dllcache\null.sys
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 -------- d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 -------- d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 -------- d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 -------- dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 01:01 . 2009-05-08 13:21 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-05 23:12 . 2008-02-14 06:48 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-05 23:05 . 2009-05-11 01:59 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-07-05 22:38 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-05 22:33 . 2007-12-29 03:08 -------- d-----w- c:\program files\Steam
2009-07-05 02:11 . 2005-12-08 08:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2009-07-04 02:46 . 2009-06-03 05:29 -------- d-----w- c:\program files\Ask & Record Toolbar
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 -------- d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 -------- d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 03:01 . 2009-04-26 09:30 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 -------- d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 -------- d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 -------- d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 -------- d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 -------- d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 -------- d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 -------- d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 -------- d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 -------- d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 -------- d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 -------- d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 -------- d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 -------- d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 -------- d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 -------- d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 -------- d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 02:01 . 2008-12-23 09:38 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 01:59 . 2009-05-11 01:59 -------- d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 -------- d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 -------- d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 -------- d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 -------- d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 -------- d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 -------- d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 -------- d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-07-04_02.05.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-05 22:32 . 2009-07-05 22:32 16384 c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2005-08-16 10:18 . 2009-07-05 22:36 63732 c:\windows\system32\perfc009.dat
- 2005-08-16 10:18 . 2009-05-22 03:07 63732 c:\windows\system32\perfc009.dat
+ 2005-08-16 10:18 . 2009-07-05 22:36 404082 c:\windows\system32\perfh009.dat
- 2005-08-16 10:18 . 2009-05-22 03:07 404082 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]
c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/4/2009 4:15 PM 28544]
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]
--- Other Services/Drivers In Memory ---
*Deregistered* - PROCEXP111
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-06 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]
2009-07-05 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
2009-07-06 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-05 20:33
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
[HKEY_LOCAL_MACHINE\software\Classes\.*e%%g*]
@="-¦g_auto_file"
[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\software\Classes\e%%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-06 20:34
ComboFix-quarantined-files.txt 2009-07-06 06:34
ComboFix2.txt 2009-07-04 04:45
ComboFix4.txt 2009-07-04 02:19
Pre-Run: 30,297,817,088 bytes free
Post-Run: 30,372,638,720 bytes free
331 --- E O F --- 2009-06-29 19:51
I'll virus scan and post anything that comes up when it finishes
OK, I'll wait for the NOD32 results. :)
Kavukamari
6 Jul 2009, 11:08am
I think everything's good.
Java is outdated on your PC.
Please download JavaRa (http://prm753.bchea.org/click/click.php?id=9) to your desktop and unzip it to its own folder
Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
Accept any prompts.
Open JavaRa.exe again and select Search For Updates.
Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.
=============================================================
It's time to remove ComboFix.
Go to Start > Run
Type in box
combofix /u
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
If you'll reply after you have seen this, I will be able to have this thread archived. Thanks. :)
Kavukamari
6 Jul 2009, 7:29pm
Thanks for all the help! I installed the latest java and I'm pretty sure all the "ursnif.a" notifications have stopped popping up.
Glad we could be of assistance! The help you received here was free.
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan (http://icrontic.com/forum/private.php?do=newpm&u=2703) with a link to your thread.
If you are not the user who started this thread, you must start your own Thread (http://icrontic.com/forum/newthread.php?do=newthread&f=57) instead :)