spy.Ursnif.A inside termsrv.dll and Winlogon.exe
Kavukamari
Hawaii
NOD32 says I have a virus in Winlogon.exe and Termsrv.dll. I know I can't delete these because the computer needs them. I don't have a Windows CD to replace the files, but I could probably get one anyway. I need help to remove these.
Comments
Let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:
Go here: A guide and tutorial on using ComboFix
Please ensure you read this guide carefully and install the Recovery Console first. This applies to XP Pro and XP Home users only. If you have SP3 installed you will need to use the download meant for SP2.
The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should get a prompt that says:
The Recovery Console was successfully installed.
Please continue as follows:
(1) Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.
Please include C:\ComboFix.txt for further review (copy and paste it), so that we may continue cleansing the system.
Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
If you use Windows XP and do not have the Windows CD, follow the instructions there to download the file from Microsoft.
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.444 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0001\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0001\~df394b.tmp
C:\install.exe
C:\test.txt
c:\windows\Installer\3b1a3.msi
c:\windows\Installer\71b5401.msi
c:\windows\kb913800.exe
c:\windows\system32\bszip.dll
c:\windows\system32\mlfcache.dat
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\system32\dllcache\winlogon.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\Legacy_TDSSSERV.SYS
\Service_TDSSserv.sys
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13
d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49
dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 02:07 . 2007-12-29 03:08 d-----w- c:\program files\Steam
2009-07-04 02:06 . 2008-02-14 06:48 d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-03 23:23 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 05:29 . 2009-06-03 05:29 d-----w- c:\program files\AskBarDis
2009-06-03 05:29 . 2009-06-03 05:29 d-----w- c:\program files\Ask & Record Toolbar
2009-06-03 03:01 . 2009-04-26 09:30 d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49
d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 02:01 . 2008-12-23 09:38
d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-05-11 01:59 . 2009-05-11 01:59 d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 56 --sh--r- c:\windows\system32\1005515D87.sys
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2009-02-12 00:40 365960 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"Ask and Record FLV Service"="c:\program files\Ask & Record Toolbar\FLVSrvc.exe" [2009-03-10 156672]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]
c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 16:03
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
[HKEY_LOCAL_MACHINE\software\Classes\.*e%Â%g*]
@="-¦g_auto_file"
[HKEY_LOCAL_MACHINE\software\Classes\e%Â%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\software\Classes\e%Â%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2248)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
- - - - - - - > 'explorer.exe'(2660)
c:\windows\system32\WININET.dll
c:\documents and settings\Kavu Kamari\Local Settings\Application Data\FLVService\lib\FLVSrvLib.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\program files\MyWaySA\SrchAsDe\deSrcAs.dll
c:\windows\system32\dla\tfswshx.dll
c:\windows\system32\tfswapi.dll
c:\windows\system32\dla\tfswcres.dll
c:\program files\Microsoft Office\Office10\msohev.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\dllhost.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcccoms.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\Windows Live\Contacts\wlcomm.exe
.
**************************************************************************
.
Completion time: 2009-07-04 16:19 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 02:19
Pre-Run: 9,339,797,504 bytes free
Post-Run: 9,290,412,032 bytes free
414 --- E O F --- 2009-06-29 19:51
I hope this program didn't delete anything I need...
There is a potentially unwanted piece of software I have detected on your PC called AskBar.
More information here:
http://www.spywarelib.com/remove-Adware-AskBar-a.html
We usually deem this optional to remove, but I strongly suggest you do so by going to Control Panel > Add / Remove Programs and uninstalling it. Reboot your PC after uninstallation is complete.
Then, navigate to the following directory and delete it if it is still present:
c:\program files\AskBarDis
=====================================================
Next,
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt in your next reply, and let me know whether you have removed AskBar.
*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -10:00]
Running from: c:\documents and settings\Kavu Kamari\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Kavu Kamari\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
FILE ::
"c:\windows\system32\1005515D87.sys"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\docume~1\KAVUKA~1\LOCALS~1\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\documents and settings\Kavu Kamari\Local Settings\Temp\clclean.0001.dir.0000\~df394b.tmp
c:\windows\system32\1005515D87.sys
c:\windows\system32\drivers\beep.sys
c:\windows\system32\drivers\null.sys
c:\windows\system32\drivers\null.sys was missing
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP815\A0198007.sys
.
((((((((((((((((((((((((( Files Created from 2009-06-04 to 2009-07-04 )))))))))))))))))))))))))))))))
.
2009-07-04 03:02 . 2004-08-10 11:00 2944 ----a-w- c:\windows\system32\dllcache\null.sys
2009-07-04 00:55 . 2001-08-17 22:48 281600 ----a-w- c:\windows\system32\dllcache\atimtai.sys
2009-07-04 00:54 . 2004-08-04 08:31 36224 ----a-w- c:\windows\system32\dllcache\an983.sys
2009-07-04 00:54 . 2001-08-17 22:11 16969 ----a-w- c:\windows\system32\dllcache\amb8002.sys
2009-07-04 00:54 . 2001-08-17 23:49 26624 ----a-w- c:\windows\system32\dllcache\alifir.sys
2009-07-04 00:54 . 2001-08-17 22:11 27678 ----a-w- c:\windows\system32\dllcache\ali5261.sys
2009-07-04 00:54 . 2006-02-28 12:00 49664 ----a-w- c:\windows\system32\dllcache\adrot.dll
2009-07-04 00:54 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\admxprox.dll
2009-07-04 00:54 . 2004-08-04 08:32 10880 ----a-w- c:\windows\system32\dllcache\admjoy.sys
2009-07-04 00:54 . 2001-08-17 22:19 747392 ----a-w- c:\windows\system32\dllcache\adm8830.sys
2009-07-04 00:54 . 2001-08-17 22:19 584448 ----a-w- c:\windows\system32\dllcache\adm8810.sys
2009-07-04 00:54 . 2001-08-17 22:11 20160 ----a-w- c:\windows\system32\dllcache\adm8511.sys
2009-07-04 00:54 . 2001-08-17 23:53 7424 ----a-w- c:\windows\system32\dllcache\adicvls.sys
2009-07-04 00:53 . 2001-08-18 08:36 61440 ----a-w- c:\windows\system32\dllcache\acerscad.dll
2009-07-04 00:53 . 2004-08-04 08:32 84480 ----a-w- c:\windows\system32\dllcache\ac97via.sys
2009-07-04 00:53 . 2001-08-17 22:20 297728 ----a-w- c:\windows\system32\dllcache\ac97sis.sys
2009-07-04 00:53 . 2001-08-17 22:20 96256 ----a-w- c:\windows\system32\dllcache\ac97intc.sys
2009-07-04 00:53 . 2004-08-04 08:32 231552 ----a-w- c:\windows\system32\dllcache\ac97ali.sys
2009-07-04 00:53 . 2001-08-18 08:36 462848 ----a-w- c:\windows\system32\dllcache\a3dapi.dll
2009-07-04 00:53 . 2001-08-18 00:55 38400 ----a-w- c:\windows\system32\dllcache\8514a.dll
2009-07-04 00:53 . 2008-04-13 18:46 48128 ----a-w- c:\windows\system32\dllcache\61883.sys
2009-07-04 00:53 . 2008-04-13 18:40 12288 ----a-w- c:\windows\system32\dllcache\4mmdat.sys
2009-07-04 00:53 . 2001-08-17 22:48 148352 ----a-w- c:\windows\system32\dllcache\3dfxvsm.sys
2009-07-04 00:53 . 2001-08-18 00:55 689216 ----a-w- c:\windows\system32\dllcache\3dfxvs.dll
2009-07-04 00:52 . 2001-08-17 23:28 762780 ----a-w- c:\windows\system32\dllcache\3cwmcru.sys
2009-07-04 00:52 . 2008-04-13 18:46 53376 ----a-w- c:\windows\system32\dllcache\1394bus.sys
2009-07-04 00:52 . 2006-02-28 12:00 11264 ----a-w- c:\windows\system32\dllcache\1394vdbg.sys
2009-07-04 00:52 . 2006-02-28 12:00 7168 ----a-w- c:\windows\system32\dllcache\wamregps.dll
2009-07-04 00:51 . 2001-08-18 00:56 66048 ----a-w- c:\windows\system32\dllcache\s3legacy.dll
2009-07-04 00:51 . 2006-02-28 12:00 19968 ----a-w- c:\windows\system32\dllcache\inetsloc.dll
2009-07-04 00:51 . 2006-02-28 12:00 7680 ----a-w- c:\windows\system32\dllcache\inetmgr.exe
2009-07-04 00:51 . 2006-02-28 12:00 169984 ----a-w- c:\windows\system32\dllcache\iisui.dll
2009-07-04 00:51 . 2006-02-28 12:00 5632 ----a-w- c:\windows\system32\dllcache\iisrstap.dll
2009-07-04 00:51 . 2006-02-28 12:00 14336 ----a-w- c:\windows\system32\dllcache\iisreset.exe
2009-07-04 00:51 . 2006-02-28 12:00 6144 ----a-w- c:\windows\system32\dllcache\ftpsapi2.dll
2009-07-03 23:22 . 2009-07-03 23:22 d-----w- c:\program files\Steinberg
2009-07-03 23:22 . 2009-07-03 23:22 d-----w- c:\program files\Elevayta Creativity Tools
2009-06-30 02:13 . 2009-06-30 02:13 d-sh--w- c:\documents and settings\Kavu Kamari\IETldCache
2009-06-29 22:14 . 2008-10-30 21:57 3851784 ----a-w- c:\windows\system32\d3dx9_39.dll
2009-06-29 19:51 . 2009-06-02 10:12 102912 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-06-29 19:51 . 2009-06-29 19:51 d-----w- c:\windows\ie8updates
2009-06-29 19:49 . 2009-04-30 21:22 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-06-29 19:49 . 2009-04-30 21:22 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-06-29 19:46 . 2009-06-29 19:49 dc-h--w- c:\windows\ie8
2009-06-07 05:15 . 2009-03-29 05:52 94208 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEServer.dll
2009-06-07 05:15 . 2009-03-29 05:52 102400 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Soldat\Battleye\BEClient.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-04 03:08 . 2008-02-14 06:48 d-----w- c:\documents and settings\Kavu Kamari\Application Data\uTorrent
2009-07-04 03:07 . 2007-12-29 03:08 d-----w- c:\program files\Steam
2009-07-04 02:46 . 2009-06-03 05:29 d-----w- c:\program files\Ask & Record Toolbar
2009-07-04 02:22 . 2008-08-02 21:30 169936 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\FlashGot.exe
2009-07-03 22:59 . 2009-05-08 13:21 d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-07-02 03:33 . 2008-01-16 05:33 61 ----a-w- c:\windows\popcinfot.dat
2009-06-29 21:00 . 2009-05-11 01:59 d-----w- c:\documents and settings\Kavu Kamari\Application Data\Any Video Converter Professional
2009-06-29 20:40 . 2009-02-16 08:42 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-06-28 05:44 . 2006-01-19 00:52 d-----w- c:\program files\Dl_cats
2009-06-12 00:48 . 2005-12-08 09:02 d-----w- c:\program files\Microsoft Works
2009-06-04 04:05 . 2006-01-28 21:00 9030 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\wklnhst.dat
2009-06-04 04:02 . 2007-12-02 07:32 d-----w- c:\documents and settings\Kavu Kamari\Application Data\gtk-2.0
2009-06-03 03:01 . 2009-04-26 09:30 d-----w- c:\documents and settings\Kavu Kamari\Application Data\dvdcss
2009-06-03 02:56 . 2009-05-22 03:44 165232 ---ha-w- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-01 16:59 . 2006-12-03 03:27 d-----w- c:\program files\Spybot - Search & Destroy
2009-06-01 06:30 . 2009-05-30 07:37 d-----w- c:\documents and settings\Kavu Kamari\Application Data\vlc
2009-06-01 00:07 . 2005-12-08 08:49 d--h--w- c:\program files\InstallShield Installation Information
2009-06-01 00:02 . 2009-05-31 23:50 d-----w- c:\program files\VOCALOID2
2009-05-31 22:41 . 2006-12-03 03:27 d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-30 20:08 . 2009-05-30 07:30 d-----w- c:\program files\OpenOffice Shortcuts
2009-05-30 19:50 . 2006-01-03 18:02 97440 ----a-w- c:\documents and settings\Kavu Kamari\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-30 07:09 . 2009-05-30 07:09 7424000 ----a-r- c:\documents and settings\Kavu Kamari\Application Data\Microsoft\Installer\{E6B87DC4-2B3D-4483-ADFF-E483BF718991}\soffice.exe
2009-05-30 07:07 . 2009-05-30 07:07 d-----w- c:\program files\JRE
2009-05-30 07:07 . 2009-02-16 08:19 d-----w- c:\program files\OpenOffice.org 3
2009-05-30 07:02 . 2008-03-09 17:40 d-----w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2
2009-05-30 05:18 . 2009-05-30 05:18 d-----w- c:\program files\Common Files\Stardock
2009-05-30 05:18 . 2009-04-10 01:16 d-----w- c:\program files\Stardock
2009-05-30 04:15 . 2008-03-11 02:37 1 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\OpenOffice.org2\user\uno_packages\cache\stamp.sys
2009-05-29 04:16 . 2009-05-29 04:16 d-----w- c:\program files\Common Files\Adobe AIR
2009-05-29 04:16 . 2006-01-07 01:56 d-----w- c:\program files\Common Files\Adobe
2009-05-28 06:48 . 2009-05-28 06:48 d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-05-28 06:48 . 2009-05-28 06:38 d-----w- c:\program files\NCH Swift Sound
2009-05-28 06:38 . 2009-05-28 06:38 d-----w- c:\program files\NCH Software
2009-05-28 06:38 . 2009-05-28 06:38 d-----w- c:\documents and settings\Kavu Kamari\Application Data\NCH Swift Sound
2009-05-25 06:12 . 2009-05-25 06:12 d-----w- c:\program files\Celestia
2009-05-25 05:14 . 2008-05-02 18:11 d-----w- c:\program files\Google
2009-05-25 01:10 . 2009-05-24 23:56 d-----w- c:\program files\Messenger Plus! Live
2009-05-25 00:22 . 2009-05-25 00:22 d-----w- c:\documents and settings\All Users\Application Data\Messenger Plus!
2009-05-24 21:11 . 2009-05-24 21:11 d-----w- c:\program files\Lame for Audacity
2009-05-22 08:26 . 2007-07-18 05:13 d-----w- c:\program files\mIRC
2009-05-22 04:53 . 2008-04-13 03:08 d-----w- c:\program files\Audacity
2009-05-22 03:06 . 2009-05-22 03:06 d-----w- c:\program files\Microsoft Virtual PC
2009-05-20 09:20 . 2009-05-20 07:43 d-----w- c:\program files\ManyCam
2009-05-20 09:20 . 2009-05-20 07:43 d-----w- c:\documents and settings\Kavu Kamari\Application Data\ManyCam
2009-05-17 10:20 . 2009-05-09 05:24 d-----w- c:\program files\RealMyst
2009-05-17 09:30 . 2009-05-17 09:27 d-----w- c:\program files\Vextractor
2009-05-16 03:05 . 2009-05-16 03:05 d-----w- c:\program files\ID3 renamer
2009-05-16 03:05 . 2009-05-16 03:05 d-----w- c:\documents and settings\Kavu Kamari\Application Data\ID3 renamer
2009-05-13 05:15 . 2005-08-16 10:18 915456 ----a-w- c:\windows\system32\wininet.dll
2009-05-11 01:59 . 2009-05-11 01:59 d-----w- c:\program files\Any Video Converter Professional
2009-05-11 00:12 . 2009-05-10 23:54 d-----w- c:\program files\Blaze Media Pro
2009-05-10 21:38 . 2009-05-10 21:38 d-----w- c:\program files\Recuva
2009-05-09 06:18 . 2009-05-09 06:07 d-----w- c:\program files\DAEMON Tools Lite
2009-05-09 06:11 . 2009-05-09 06:11 d-----w- c:\program files\Mattel Interactive
2009-05-09 06:09 . 2009-05-09 06:01 d-----w- c:\documents and settings\Kavu Kamari\Application Data\DAEMON Tools Lite
2009-05-09 06:08 . 2009-05-09 06:08 d-----w- c:\documents and settings\All Users\Application Data\DAEMON Tools Lite
2009-05-09 06:07 . 2009-05-09 06:07 d-----w- c:\program files\DAEMON Tools Toolbar
2009-05-09 06:01 . 2009-05-09 06:01 721904 ----a-w- c:\windows\system32\drivers\sptd.sys
2009-05-09 05:53 . 2009-05-09 05:43 d-----w- c:\program files\VirtualCloneDrive
2009-05-07 15:32 . 2005-08-16 10:18 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-17 12:26 . 2005-08-16 10:18 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-16 01:54 . 2009-04-16 01:54 152576 ----a-w- c:\documents and settings\Kavu Kamari\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-15 14:51 . 2005-08-16 10:18 585216 ----a-w- c:\windows\system32\rpcrt4.dll
2009-04-14 02:16 . 2009-04-14 02:16 1079 ----a-w- c:\windows\system32\unins000.dat
2009-04-14 02:16 . 2009-04-14 02:16 695578 ----a-w- c:\windows\system32\unins000.exe
2009-04-09 05:57 . 2009-04-09 05:57 134 ----a-w- c:\documents and settings\Guest\Application Data\wklnhst.dat
2009-04-08 17:08 . 2009-04-08 17:08 64512 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u4\HTML\item_templ\coach\RunGdp.exe
2009-04-08 17:06 . 2009-04-08 17:06 698511 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\AutoMaintenance.dll
2009-04-08 17:06 . 2009-04-08 17:06 225280 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u2\HTML\AutoMaintenance\Images.dll
2009-04-08 17:05 . 2009-04-08 17:05 1896448 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\dplugins\2.0.1.571\DiagPlugin.dll
2009-04-08 17:05 . 2009-04-08 17:05 123138 ----a-w- c:\documents and settings\Guest\Application Data\GTek\GTUpdate\AUpdate\Channels\ch_u1\HTML\MakeDesktopShortcut.EXE
2009-04-08 17:03 . 2009-04-08 17:03 96648 ----a-w- c:\documents and settings\Guest\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2007-05-29 04:45 . 2006-01-19 03:03 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseNormal]
@="{C5994560-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994560-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseModified]
@="{C5994561-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994561-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseConflict]
@="{C5994562-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994562-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseLocked]
@="{C5994563-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994563-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseReadOnly]
@="{C5994564-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994564-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseDeleted]
@="{C5994565-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994565-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseAdded]
@="{C5994566-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994566-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\8TortoiseIgnored]
@="{C5994567-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994567-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\9TortoiseUnversioned]
@="{C5994568-53D9-4125-87C9-F193FC689CB2}"
[HKEY_CLASSES_ROOT\CLSID\{C5994568-53D9-4125-87C9-F193FC689CB2}]
2008-01-17 03:52 80384 ----a-w- c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-03 102400]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"Steam"="c:\program files\steam\steam.exe" [2009-06-11 1217784]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-05-21 68856]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2008-10-10 270128]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-07 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SetDefaultMIDI"="MIDIDef.exe" - c:\windows\MIDIDEF.EXE [2004-12-22 24576]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"ATIPTA"="c:\program files\ATI TECHNOLOGIES\ATI CONTROL PANEL\ATIPTAXX.EXE" [2005-08-06 344064]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"CTSysVol"="c:\program files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 57344]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"VoiceCenter"="c:\program files\Creative\VoiceCenter\AndreaVC.exe" [2005-02-23 1159168]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-06-07 69632]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 425984]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-02 61440]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2008-10-25 1451264]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-28 35696]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-23 339968]
"MBMon"="CTMBHA.DLL" - c:\windows\system32\CTMBHA.DLL [2005-05-19 1345520]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" - c:\windows\KHALMNPR.Exe [2006-01-21 28160]
c:\documents and settings\Kavu Kamari\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-3-23 225280]
Rainmeter.lnk - c:\program files\Rainmeter\Rainmeter.exe [2006-1-21 118784]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2005-12-7 24576]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2007-2-5 528384]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 806912]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)
"NoCustomizeWebView"= 0 (0x0)
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\SharedTaskScheduler]
"{EC654325-1273-C2A9-2B7C-45A29BCE2FBD}"= "c:\program files\Stardock\Fences\DesktopDock.dll" [2009-02-25 517480]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmadmin]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmboot.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmio.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmload.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dmserver]
@="Service"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sr.sys]
@="FSFilter System Recovery"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SRService]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\steam.exe"=
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"=
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"=
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"= c:\program files\Common Files\AOL\ACS\AOLacsd.exe:*:Enabled:AOL
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"= c:\program files\Common Files\AOL\ACS\AOLDial.exe:*:Enabled:AOL
"c:\\Program Files\\America Online 9.0\\waol.exe"= c:\program files\America Online 9.0\waol.exe:*:Enabled:America Online 9.0
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"= %windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019
"c:\\Program Files\\Messenger\\msmsgs.exe"= c:\program files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
"c:\\Program Files\\SmartFTP Client\\SmartFTP.exe"= c:\program files\SmartFTP Client\SmartFTP.exe:*:Enabled:SmartFTP Client 2.5
"%windir%\\Network Diagnostic\\xpnetdiag.exe"= %windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000
"c:\\Program Files\\uTorrent\\uTorrent.exe"= c:\program files\uTorrent\uTorrent.exe:*:Enabled:µTorrent
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"= c:\program files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour
"c:\\Program Files\\Steam\\steam.exe"= c:\program files\Steam\steam.exe:*:Enabled:Steam
"c:\\Program Files\\Electronic Arts\\EADM\\Core.exe"= c:\program files\Electronic Arts\EADM\Core.exe:*:Enabled:EA Download Manager
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\garrysmod\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\garrysmod\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\team fortress 2\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\team fortress 2\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life 2 deathmatch\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life 2 deathmatch\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\counter-strike source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\counter-strike source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\day of defeat source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\day of defeat source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life deathmatch source\\hl2.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life deathmatch source\hl2.exe:*:Enabled:hl2
"c:\\Program Files\\Steam\\SteamApps\\kavukamari\\half-life\\hl.exe"= c:\program files\Steam\SteamApps\kavukamari\half-life\hl.exe:*:Enabled:Half-Life Launcher
"c:\\Softimage\\XSI_6.01_Mod_Tool\\Application\\bin\\XSI.exe"= c:\softimage\XSI_6.01_Mod_Tool\Application\bin\XSI.exe:*:Enabled:XSI
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle deluxe\\Peggle.exe"= c:\program files\Steam\SteamApps\common\peggle deluxe\Peggle.exe:*:Enabled:Peggle Deluxe
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"= c:\program files\Steam\SteamApps\common\peggle extreme\PeggleExtreme.exe:*:Enabled:Peggle Extreme
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\Shadowgrounds.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\Shadowgrounds.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsLauncher.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsLauncher.exe:*:Enabled:Shadowgrounds
"c:\\Program Files\\Steam\\SteamApps\\common\\eets\\Eets.exe"= c:\program files\Steam\SteamApps\common\eets\Eets.exe:*:Enabled:Eets
"c:\\Program Files\\Steam\\SteamApps\\common\\world of goo\\WorldOfGoo.exe"= c:\program files\Steam\SteamApps\common\world of goo\WorldOfGoo.exe:*:Enabled:World of Goo
"c:\\Program Files\\Steam\\SteamApps\\common\\bullet candy\\BulletCandyV2.exe"= c:\program files\Steam\SteamApps\common\bullet candy\BulletCandyV2.exe:*:Enabled:Bullet Candy
"c:\\Program Files\\Steam\\SteamApps\\common\\shadowgrounds\\ShadowgroundsEditor.exe"= c:\program files\Steam\SteamApps\common\shadowgrounds\ShadowgroundsEditor.exe:*:Enabled:Shadowgrounds Editor
"c:\\Program Files\\uTorrent\\utorrent-1.8.2.upx.exe"= c:\program files\uTorrent\utorrent-1.8.2.upx.exe:*:Enabled:µTorrent
"c:\\Program Files\\Skype\\Phone\\Skype.exe"= c:\program files\Skype\Phone\Skype.exe:*:Enabled:Skype
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle nights\\PeggleNights.exe"= c:\program files\Steam\SteamApps\common\peggle nights\PeggleNights.exe:*:Enabled:Peggle Nights
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"= c:\program files\Windows Live\Messenger\wlcsdk.exe:*:Enabled:Windows Live Call
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= c:\program files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\left4dead.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\left4dead.exe:*:Enabled:Left 4 Dead
"c:\\Program Files\\Steam\\SteamApps\\common\\left 4 dead\\srcds.exe"= c:\program files\Steam\SteamApps\common\left 4 dead\srcds.exe:*:Enabled:Left 4 Dead Dedicated Server
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"= 1900:UDP:LocalSubNet:Disabled:@xpsp2res.dll,-22007
"2869:TCP"= 2869:TCP:LocalSubNet:Disabled:@xpsp2res.dll,-22008
R2 ekrn;Eset Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [10/24/2008 8:51 PM 468224]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [12/12/2008 4:50 PM 113896]
R3 ManyCam;ManyCam Virtual Webcam, WDM Video Capture Driver;c:\windows\system32\drivers\ManyCam.sys [1/14/2008 12:06 AM 21632]
S2 gupdate1c9dcf794dd1ffa;Google Update Service (gupdate1c9dcf794dd1ffa);c:\program files\Google\Update\GoogleUpdate.exe [5/24/2009 7:13 PM 133104]
S3 jbridgep;jbridgep;\??\c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys --> c:\docume~1\KAVUKA~1\LOCALS~1\Temp\jbridgep.sys [?]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter
DcomLaunch REG_MULTI_SZ DcomLaunch TermService
WudfServiceGroup REG_MULTI_SZ WUDFSvc
eapsvcs REG_MULTI_SZ eaphost
dot3svc REG_MULTI_SZ dot3svc
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - LocalService
Alerter
LmHosts
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
2009-07-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-05-02 13:21]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
2009-07-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-25 05:13]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.hawaiiantel.net/
mWindow Title = By Hawaiian Telcom
uInternet Settings,ProxyOverride = *.local
IE: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZNxmk788DKUS
IE: Post Image to Blog - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5003
IE: Tag This Image - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5002
IE: Upload All Images to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5000
IE: Upload Image to ImageShack - c:\windows\ImageShackToolbar\ImageShackToolbar.dll/5001
Trusted Zone: imageshack.us\toolbar
FF - ProfilePath - c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
FF - component: c:\documents and settings\Kavu Kamari\Application Data\Mozilla\Firefox\Profiles\ecu83qsz.default\extensions\keyscrambler@qfx.software.corporation\components\KeyScramblerIE.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.183.7\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 17:09
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*]
@Class="Shell"
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*\OpenWithList]
@Class="Shell"
"a"="NOTEPAD.EXE"
"MRUList"="a"
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*e%Â%g*\OpenWithProgids]
"-¦g_auto_file"=hex(0):
[HKEY_USERS\S-1-5-21-3742254441-2087475824-740500050-1005\Software\SecuROM\License information*]
"datasecu"=hex:bd,65,f7,de,98,89,8b,46,bb,e8,92,29,9a,a9,61,1f,ca,6a,d5,ac,19,
dd,11,bc,54,f0,d4,29,63,1b,29,d1,03,c5,33,ea,61,51,fa,8b,e1,46,94,32,58,4f,\
"rkeysecu"=hex:cb,bd,f2,61,5a,4e,c6,95,f2,29,8b,82,ba,6b,3d,44
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\.*e%Â%g*]
@="-¦g_auto_file"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10b.exe"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{8D8763AB-E93B-4812-964E-F04E0008FD50}\Version]
@Denied: (A) (Everyone)
"{21701DD0-9D7E-43f7-A1B2-E92ED6E90A51}"=hex:ef,12,30,55,c0,8a,2f,9f,d5,7b,ec,
55,20,39,3f,ec,5e,85,51,91,80,5c,f6,6d,9c,aa,c6,01
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx"
"ThreadingModel"="Apartment"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\Flash10b.ocx, 1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}]
@Denied: (A 2) (Everyone)
@="IFlashBroker2"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
@Denied: (A 2) (Everyone)
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
@="Shockwave Flash"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
@Denied: (A 2) (Everyone)
@=""
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
@="FlashBroker"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%Â%g*_*a*u*t*o*_*f*i*l*e*\shell\edit\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
[HKEY_LOCAL_MACHINE\SOFTWARESoftware\Classes\e%Â%g*_*a*u*t*o*_*f*i*l*e*\shell\open\command]
@=expand:"%SystemRoot%\\system32\\NOTEPAD.EXE %1"
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(1120)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(2716)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\program files\Common Files\TortoiseOverlays\TortoiseOverlays.dll
c:\program files\TortoiseSVN\bin\TortoiseStub.dll
c:\program files\TortoiseSVN\bin\TortoiseSVN.dll
c:\program files\TortoiseSVN\bin\intl3_tsvn.dll
c:\program files\SmartFTP Client\sfShellTools.dll
c:\windows\system32\ieframe.dll
c:\progra~1\WINDOW~3\wmpband.dll
c:\program files\Stardock\Fences\DesktopDock.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client\smarthook.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Other Running Processes
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
c:\program files\TortoiseSVN\bin\TSVNCache.exe
c:\windows\system32\rundll32.exe
c:\docume~1\KAVUKA~1\LOCALS~1\temp\clclean.0001
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\windows\system32\CTSVCCDA.EXE
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Common Files\Logitech\KHAL\KHALMNPR.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
c:\windows\system32\dlcccoms.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2009-07-04 17:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-04 03:15
ComboFix2.txt 2009-07-04 02:19
Pre-Run: 9,307,774,976 bytes free
Post-Run: 9,287,135,232 bytes free
527 --- E O F --- 2009-06-29 19:51
my internet broke for a day...
Oh, also: ComboFix says not to open any programs when it's preparing the log, but then all of my startup programs start. Will this create problems? It didn't seem to create problems...
If ComboFix auto-executes, then don't worry about the startup programs opening.
I also noticed that you have Viewpoint installed.
Viewpoint Media Player/Manager/Toolbar is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad".
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
If you are having trouble removing Viewpoint, I suggest that you use ViewpointKiller. You may download it from this link.
Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop. Run ViewpointKiller, and select File > Do All Killings. Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with. A logfile will be created in the folder you unzipped ViewpointKiller to, please paste the contents here.
=====================================================
Now go HERE to run Panda ActiveScan 2.0
Also, ESET found the same virus (Ursnif.A) in a file that's like A01[more numbers here].exe in the recovery sector and deleted it. Just thought you might want to know.
Will you run the Panda ActiveScan?
Please go to Control Panel > Add/Remove Programs and uninstall the following if found:
MyWaySA
After that, reboot your PC.
Then navigate to and delete the following file:
C:\Documents and Settings\Kavu Kamari\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
As well as the following folder if still existent:
C:\Program Files\MyWaySA\
Reboot your PC once more.
Can I know how your PC is running at this point in time?
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
- Double-click SystemLook.exe to run it.
- Copy the content of the following codebox into the main textfield:
- Click the Look button to start the scan.
- When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.
It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Delete CFScript.txt from your desktop first.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Open *notepad* and copy/paste the text in the quotebox below into it:
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
When finished, it shall produce a log for you at C:\ComboFix.txt.
Please copy and paste ComboFix.txt in your next reply, and let me know the latest results from a NOD32 scan.
*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
I'll virus scan and post anything that comes up when it finishes
Please download JavaRa to your desktop and unzip it to its own folder
=============================================================
It's time to remove ComboFix.
Go to Start > Run
Type in box
combofix /u
Note: the space between the X and the /u
Press Enter.
This command will:
Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.
If you'll reply after you have seen this, I will be able to have this thread archived. Thanks.
This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.
If you are not the user who started this thread, you must start your own Thread instead