Small issue with wmsncs.exe [RESOLVED]
Reddoguk (New Member), post Sep 28 2008, 11:40 AM, Post #1

Hi guys,
so I just did a reformat and forgot to install my protection before I went online.
Now I have this virus, wmsncs.exe. My NOD32 has cleaned most of it, but some remains are left over and I get an error message on boot. My problem is I can't remove the (NET Runtime Optimization Service v2.1.41329_X86) from Services; it's disabled and says it doesn't exist. I also want to fix the error: Windows cannot find "C:\WINDOWS\Fonts\wmsncs.exe".
Any help would be much appreciated. Thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24:42, on 28/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\1222536337\ee\AOLSoftware.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1222536337\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CD3D69B-CB28-468A-BD36-0C592C742ACC}: NameServer = 92.31.242.20 92.31.242.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CD3D69B-CB28-468A-BD36-0C592C742ACC}: NameServer = 92.31.242.20 92.31.242.21
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5055 bytes
Rorschach112 (GeekU Teacher, Dublin), post Sep 28 2008, 11:45 AM, Post #2

Hello

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.



Reddoguk (New Member), post Sep 28 2008, 01:04 PM, Post #3

ComboFix 08-09-27.05 - Darren 2008-09-28 19:52:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1623 [GMT 1:00]
Running from: C:\Documents and Settings\Darren\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Darren\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 18:50 . 2008-09-28 18:50 <DIR> d-------- C:\Logs
2008-09-28 18:42 . 2008-09-28 18:42 <DIR> d-------- C:\WINDOWS\Sun
2008-09-28 17:30 . 2008-09-28 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-28 16:44 . 2008-09-28 16:44 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-28 16:42 . 2008-09-28 16:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-28 16:42 . 2008-09-28 16:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-28 16:42 . 2008-09-28 16:43 <DIR> d-------- C:\9569fc90e3d0628ebe380c56c37f
2008-09-28 16:42 . 2008-09-28 16:42 <DIR> d-------- C:\6966e908a8ea17e6b2e9
2008-09-28 16:37 . 2004-08-04 08:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-28 16:27 . 2008-09-28 16:28 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Ventrilo
2008-09-28 16:26 . 2008-09-28 16:26 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-28 16:07 . 2008-09-28 16:13 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-28 16:07 . 2008-09-28 16:07 <DIR> d-------- C:\WINDOWS\Logs
2008-09-28 15:57 . 2008-09-28 15:57 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-28 15:13 . 2008-09-28 19:08 <DIR> d-------- C:\Program Files\World of Warcraft
2008-09-28 06:43 . 2008-09-28 15:25 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-09-28 06:26 . 2008-09-28 06:26 <DIR> d-------- C:\Documents and Settings\Darren\DoctorWeb
2008-09-28 06:03 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-28 06:02 . 2008-09-28 06:03 <DIR> d-------- C:\Program Files\Java
2008-09-28 06:02 . 2008-09-28 06:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-28 05:07 . 2008-09-28 05:07 <DIR> d---s---- C:\Documents and Settings\Darren\UserData
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-09-28 04:37 . 2008-09-28 16:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\TuneUp Software
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-09-28 04:37 . 2008-09-28 04:37 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-09-28 04:37 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-09-28 04:26 . 2008-09-28 04:26 <DIR> d-------- C:\WINDOWS\nview
2008-09-28 04:26 . 2008-08-15 23:22 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-09-28 04:26 . 2008-09-28 17:49 198,944 --a------ C:\WINDOWS\system32\nvapps.xml
2008-09-28 04:26 . 2008-08-15 23:22 18,335 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-09-28 04:23 . 2008-09-28 04:23 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-09-28 04:23 . 2008-09-28 04:23 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-09-28 04:23 . 2008-09-28 04:23 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-09-28 04:22 . 2008-04-13 19:45 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-09-28 04:22 . 2008-04-13 17:39 142,592 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-09-28 04:22 . 2008-04-13 20:17 83,072 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-09-28 04:22 . 2008-04-13 20:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-09-28 04:22 . 2008-04-13 19:45 56,576 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-09-28 04:22 . 2008-04-13 19:45 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-09-28 04:22 . 2008-04-13 19:39 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2008-09-28 04:22 . 2008-04-13 19:45 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-09-28 04:22 . 2008-04-13 19:45 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-09-28 04:22 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-09-28 04:21 . 2008-09-28 04:21 <DIR> d-------- C:\Program Files\Realtek
2008-09-28 04:20 . 2008-09-28 04:20 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-09-28 04:18 . 2008-07-10 04:07 7,143 --a------ C:\WINDOWS\system32\nvide.nvu
2008-09-28 04:17 . 2008-08-27 13:58 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-09-28 04:16 . 2008-09-28 04:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-28 04:16 . 2008-09-28 04:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-28 04:16 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-09-28 04:15 . 2008-09-28 04:15 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\InstallShield
2008-09-28 04:14 . 2008-09-28 04:16 <DIR> d-------- C:\Program Files\AMD
2008-09-28 04:14 . 2007-06-29 14:47 34,304 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-09-28 02:42 . 2008-09-28 02:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-09-28 02:42 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\peernet
2008-09-28 02:41 . 2008-09-28 02:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 02:37 . 2008-09-28 17:07 <DIR> d-------- C:\WINDOWS\EHome
2008-09-28 02:15 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-09-28 02:15 . 2008-04-14 05:42 11,264 --------- C:\WINDOWS\system32\spnpinst.exe
2008-09-28 02:15 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-09-28 02:15 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-09-28 02:10 . 2008-03-03 14:25 5,702 --ah----- C:\WINDOWS\nod32restoretemdono.reg
2008-09-28 02:10 . 2008-03-03 18:21 568 --ah----- C:\WINDOWS\nod32fixtemdono.reg
2008-09-28 02:08 . 2008-09-28 02:08 <DIR> d-------- C:\Program Files\ESET
2008-09-28 02:08 . 2008-09-28 02:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET
2008-09-28 02:05 . 2008-04-14 01:11 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-09-28 01:52 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-28 01:52 . 2008-09-28 15:44 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-28 01:52 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-28 01:50 . 2008-04-14 01:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-28 01:50 . 2008-04-14 01:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-28 01:50 . 2008-04-14 01:11 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-09-28 01:50 . 2008-04-14 01:11 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-09-28 01:47 . 2008-09-28 01:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 01:47 . 2008-09-28 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 01:46 . 2008-07-18 22:09 563,912 --a------ C:\WINDOWS\system32\wuapi.dll
2008-09-28 01:46 . 2008-07-18 22:09 325,832 --a------ C:\WINDOWS\system32\wucltui.dll
2008-09-28 01:46 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-28 01:46 . 2008-07-18 22:09 205,000 --a------ C:\WINDOWS\system32\wuweb.dll
2008-09-28 01:46 . 2008-04-14 01:12 183,296 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-09-28 01:46 . 2008-04-14 01:12 165,888 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-09-28 01:46 . 2008-07-18 22:10 36,552 --a------ C:\WINDOWS\system32\wups.dll
2008-09-28 01:30 . 2008-09-28 01:30 <DIR> d-------- C:\Program Files\uTorrent
2008-09-28 01:30 . 2008-09-28 04:36 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\uTorrent
2008-09-28 00:58 . 2008-09-28 00:58 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-09-28 00:54 . 2008-09-28 00:54 79 --a------ C:\WINDOWS\system32\i
2008-09-28 00:46 . 2008-09-28 00:47 113,152 --ah----- C:\WINDOWS\system32\dotrakj.exe
2008-09-27 19:03 . 2008-09-28 17:22 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-09-27 19:03 . 2008-09-28 16:50 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-09-27 19:02 . 2008-09-27 18:14 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 04:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-28 03:21 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-09-27 17:28 --------- d-----w C:\Program Files\Common Files\aolback
2008-09-27 17:28 --------- d-----w C:\Program Files\AOL 9.0 VR
2008-09-27 17:28 --------- d-----w C:\Documents and Settings\Darren\Application Data\AOL
2008-09-27 17:27 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-09-27 17:27 --------- d-----w C:\Program Files\Common Files\aolshare
2008-09-27 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-27 17:26 --------- d-----w C:\Program Files\Viewpoint
2008-09-27 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-27 17:23 --------- d-----w C:\Program Files\VoyagerTest
2008-09-27 17:23 --------- d-----w C:\Program Files\Common Files\FTL Shared
2008-09-27 17:23 --------- d-----w C:\Program Files\BT Voyager 105 ADSL Modem
2008-09-27 17:22 --------- d-----w C:\Program Files\VoyagerModem105Drivers
2008-09-27 17:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-09 17:39 16,851,968 ----a-w C:\WINDOWS\RTHDCPL.EXE
2008-09-09 17:07 4,813,824 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-20 17:35 453,152 ----a-w C:\WINDOWS\system32\nvusmb.exe
2008-08-20 17:35 122,880 ----a-w C:\WINDOWS\system32\NVCOSMB.DLL
2008-08-19 12:26 77,824 ----a-w C:\WINDOWS\SOUNDMAN.EXE
2008-08-15 22:22 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2008-08-06 14:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 19:10 1,684,736 ----a-w C:\WINDOWS\system32\drivers\Ambfilt.sys
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-29 14:42 528,384 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-12 07:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DSLSTATEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe" [2003-06-28 1658965]
"DSLAGENTEXE"="C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe" [2003-08-19 16384]
"%FP%Friendly fts.exe"="C:\Program Files\VoyagerTest\fts.exe" [2003-05-06 72192]
"HostManager"="C:\Program Files\Common Files\AOL\1222536337\ee\AOLSoftware.exe" [2006-11-14 50736]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-06-10 1447168]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2008-07-22 77824]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-08-15 13570048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-08-15 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RTHDCPL"="RTHDCPL.EXE" [2008-09-09 C:\WINDOWS\RTHDCPL.EXE]
"nwiz"="nwiz.exe" [2008-08-15 C:\WINDOWS\system32\nwiz.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1222536337\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-08-18 145952]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-06-10 34312]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 81920]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 138402]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 104375]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\System32\regedt32.exe [2003-03-31 3584]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-09-28 355584]
S4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe [ ]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - PROCEXP90
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-NvidMediaCenter - C:\Program Files\Common Files\System\wmsncs.exe
HKU-Default-Run-Spool Driver Service - C:\WINDOWS\System32\spool\drivers\wmsncs.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Darren\Application Data\Mozilla\Firefox\Profiles\ci60wjb5.default\
FF -: plugin - C:\Program Files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 19:55:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-09-28 19:57:29
ComboFix-quarantined-files.txt 2008-09-28 18:57:23

Pre-Run: 146,590,208,000 bytes free
Post-Run: 146,596,798,464 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn /usepmtimer

222 --- E O F --- 2008-09-28 02:00:24
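The two logs above contain the whole persistence picture in a handful of lines: the Winlogon Shell value has a second executable appended to "explorer.exe" (the HijackThis F2 entry, which is what produces the "Windows cannot find C:\WINDOWS\Fonts\wmsncs.exe" error at every logon), a service named like the .NET Runtime Optimization Service points at a file in the Fonts folder that no longer exists (ComboFix prints "[ ]" where the file's date and size would be, which is why Services reports it as non-existent), the Security Center notifications are all switched off, and two orphaned Run entries pointed at further copies of wmsncs.exe. The script below is an added example for this thread, not code from either tool or from any poster: it walks lines in the formats shown in these logs and flags those four things for review. The sample lines are copied from the thread's own logs; the regexes are written against those line formats and ignore anything else rather than guess. A hit is a prompt to look, not a verdict: a third-party firewall such as the Sunbelt/Kerio one here can legitimately leave the Windows Firewall off. The genuine .NET Runtime Optimization Service (mscorsvw.exe) lives under %WINDIR%\Microsoft.NET, never under Fonts.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example, not from the thread)."""
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]

# Directories in which no legitimate shell or service binary lives. These are the
# three locations the thread's logs show wmsncs.exe occupying.
SUSPICIOUS_DIRS = (
    "c:\\windows\\fonts\\",
    "c:\\windows\\system32\\spool\\drivers\\",
    "c:\\program files\\common files\\system\\",
)

# Security Center values that, when set to 1, silence the warnings a user would
# otherwise see about missing antivirus, firewall or updates.
SECURITY_CENTER_OVERRIDES = {
    "antivirusdisablenotify", "antivirusoverride",
    "firewalldisablenotify", "firewalloverride",
    "updatesdisablenotify",
}

_SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
# ComboFix driver/service line: "<start> <name>;<display name>;<image path> [<date> <size>]"
_SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[(.*)\]\s*$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')
_FIREWALL_RE = re.compile(r'^"EnableFirewall"=\s*(\d+)')
# ComboFix "ORPHANS REMOVED" entry: "HKU-<hive>-Run-<value name> - <path>"
_ORPHAN_RE = re.compile(r"^HKU-.*?-Run-.*? - (.+)$")


def in_suspicious_dir(path: str) -> bool:
    """True if the (possibly quoted) path sits under one of SUSPICIOUS_DIRS."""
    p = path.strip().strip('"').lower()
    return any(p.startswith(d) for d in SUSPICIOUS_DIRS)


def triage_line(line: str) -> Optional[Finding]:
    """Return (kind, detail) for a line that warrants attention, else None."""
    line = line.strip()

    m = _SHELL_RE.match(line)
    if m:
        # Winlogon's Shell value should be exactly "explorer.exe". Anything appended
        # to it is started at every logon alongside the desktop.
        tokens = [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', m.group(1))]
        extras = [t for t in tokens if t.lower() != "explorer.exe"]
        return ("shell_hijack", " ".join(extras)) if extras else None

    m = _SERVICE_RE.match(line)
    if m:
        _start, name, _display, image, stamp = m.groups()
        if not stamp.strip():
            # "[ ]" means ComboFix found no such file on disk: the service key is still
            # in the registry but its binary is gone, so the key itself must be removed.
            return ("service_missing_binary", f"{name} -> {image}")
        if in_suspicious_dir(image):
            return ("service_odd_location", f"{name} -> {image}")
        return None

    m = _DWORD_RE.match(line)
    if m and m.group(1).lower() in SECURITY_CENTER_OVERRIDES and int(m.group(2), 16) == 1:
        return ("security_center_silenced", m.group(1))

    m = _FIREWALL_RE.match(line)
    if m and m.group(1) == "0":
        return ("windows_firewall_off", line)

    m = _ORPHAN_RE.match(line)
    if m and in_suspicious_dir(m.group(1)):
        return ("run_key_odd_location", m.group(1))

    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in (triage_line(l) for l in lines) if f is not None]


# Constructed sample: lines copied from the logs in this thread, plus two clean
# lines (the ESET Run entry and the TuneUp service) that must not be flagged.
SAMPLE_LINES = [
    r'F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"',
    r'O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice',
    r"R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]",
    r"S4 NET Runtime Optimization Service v2.1.41329_X86;NET Runtime Optimization Service v2.1.41329_X86;C:\WINDOWS\Fonts\wmsncs.exe [ ]",
    '"AntiVirusDisableNotify"=dword:00000001',
    '"EnableFirewall"= 0 (0x0)',
    r"HKU-Default-Run-Spool Driver Service - C:\WINDOWS\System32\spool\drivers\wmsncs.exe",
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind:26} {detail}")
```

Run against the sample it reports five hits and stays silent on the two clean lines. The Shell check is deliberately strict (anything other than a lone explorer.exe is flagged) because the value has no legitimate reason to carry a second program on a home XP box; the Security Center and firewall checks are looser signals and should be read together with what else is installed.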
Reddoguk (New Member), post Sep 28 2008, 01:05 PM, Post #4

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:05:11, on 28/09/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\1222536337\ee\AOLSoftware.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\CF3870.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
F2 - REG:system.ini: Shell=explorer.exe "C:\WINDOWS\Fonts\wmsncs.exe"
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1222536337\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1CD3D69B-CB28-468A-BD36-0C592C742ACC}: NameServer = 92.31.242.20 92.31.242.21
O17 - HKLM\System\CS1\Services\Tcpip\..\{1CD3D69B-CB28-468A-BD36-0C592C742ACC}: NameServer = 92.31.242.20 92.31.242.21
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 5174 bytes
Rorschach112 (GeekU Teacher, Dublin), post Sep 28 2008, 01:09 PM, Post #5

You got infected because you downloaded a cracked version of ESET; in the future you will have to reformat, as you won't get help here.



Please click on Start > Control Panel > Add/Remove Programs and uninstall the following programs(if present):

ESET




1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

QUOTE
File::
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\system32\i
C:\WINDOWS\system32\dotrakj.exe
C:\WINDOWS\system32\DRIVERS\epfwtdir.sys

Folder::
C:\Program Files\ESET
C:\Documents and Settings\All Users\Application Data\ESET

Registry::

Driver::
epfwtdir
NET Runtime Optimization Service v2.1.41329_X86

KillAll::

Sysrst::


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.




Reddoguk (New Member), post Sep 28 2008, 01:44 PM, Post #6

ComboFix 08-09-27.05 - Darren 2008-09-28 20:32:48.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1743 [GMT 1:00]
Running from: C:\Documents and Settings\Darren\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Darren\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\nod32fixtemdono.reg
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\system32\dotrakj.exe
C:\WINDOWS\system32\DRIVERS\epfwtdir.sys
C:\WINDOWS\system32\i
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\ESET
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\Charon\FNDC.NFI
C:\Documents and Settings\All Users\Application Data\ESET\ESET NOD32 Antivirus\EpfwUser.dat
C:\WINDOWS\nod32restoretemdono.reg
C:\WINDOWS\system32\dotrakj.exe
C:\WINDOWS\system32\i

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EPFWTDIR
-------\Legacy_NET_RUNTIME_OPTIMIZATION_SERVICE_V2.1.41329_X86
-------\Service_NET Runtime Optimization Service v2.1.41329_X86


((((((((((((((((((((((((( Files Created from 2008-08-28 to 2008-09-28 )))))))))))))))))))))))))))))))
.

2008-09-28 18:50 . 2008-09-28 18:50 <DIR> d-------- C:\Logs
2008-09-28 18:42 . 2008-09-28 18:42 <DIR> d-------- C:\WINDOWS\Sun
2008-09-28 17:30 . 2008-09-28 17:30 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\en
2008-09-28 17:13 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\l2schemas
2008-09-28 16:44 . 2008-09-28 16:44 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-09-28 16:42 . 2008-09-28 16:42 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-09-28 16:42 . 2008-09-28 16:43 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-09-28 16:42 . 2008-09-28 16:43 <DIR> d-------- C:\9569fc90e3d0628ebe380c56c37f
2008-09-28 16:42 . 2008-09-28 16:42 <DIR> d-------- C:\6966e908a8ea17e6b2e9
2008-09-28 16:37 . 2004-08-04 08:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-09-28 16:27 . 2008-09-28 16:28 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\Ventrilo
2008-09-28 16:26 . 2008-09-28 16:26 <DIR> d-------- C:\Program Files\Ventrilo
2008-09-28 16:07 . 2008-09-28 16:13 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2008-09-28 16:07 . 2008-09-28 16:07 <DIR> d-------- C:\WINDOWS\Logs
2008-09-28 15:57 . 2008-09-28 15:57 2,422 --a------ C:\WINDOWS\system32\wpa.bak
2008-09-28 15:13 . 2008-09-28 19:08 <DIR> d-------- C:\Program Files\World of Warcraft
2008-09-28 06:43 . 2008-09-28 15:25 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-09-28 06:26 . 2008-09-28 06:26 <DIR> d-------- C:\Documents and Settings\Darren\DoctorWeb
2008-09-28 06:03 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-09-28 06:02 . 2008-09-28 06:03 <DIR> d-------- C:\Program Files\Java
2008-09-28 06:02 . 2008-09-28 06:02 <DIR> d-------- C:\Program Files\Common Files\Java
2008-09-28 05:07 . 2008-09-28 05:07 <DIR> d---s---- C:\Documents and Settings\Darren\UserData
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-09-28 04:37 . 2008-09-28 16:26 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\TuneUp Software
2008-09-28 04:37 . 2008-09-28 04:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-09-28 04:37 . 2008-09-28 04:37 355,584 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-09-28 04:37 . 2008-05-29 09:28 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-09-28 04:26 . 2008-09-28 04:26 <DIR> d-------- C:\WINDOWS\nview
2008-09-28 04:26 . 2008-08-15 23:22 453,152 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-09-28 04:26 . 2008-09-28 20:37 198,944 --a------ C:\WINDOWS\system32\nvapps.xml
2008-09-28 04:26 . 2008-08-15 23:22 18,335 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-09-28 04:23 . 2008-09-28 04:23 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-09-28 04:23 . 2008-09-28 04:23 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-09-28 04:23 . 2008-09-28 04:23 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-09-28 04:22 . 2008-04-13 19:45 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2008-09-28 04:22 . 2008-04-13 17:39 142,592 --a------ C:\WINDOWS\system32\drivers\aec.sys
2008-09-28 04:22 . 2008-04-13 20:17 83,072 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2008-09-28 04:22 . 2008-04-13 20:15 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2008-09-28 04:22 . 2008-04-13 19:45 56,576 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2008-09-28 04:22 . 2008-04-13 19:45 52,864 --a------ C:\WINDOWS\system32\drivers\dmusic.sys
2008-09-28 04:22 . 2008-04-13 19:39 7,552 --a------ C:\WINDOWS\system32\drivers\mskssrv.sys
2008-09-28 04:22 . 2008-04-13 19:45 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-09-28 04:22 . 2008-04-13 19:45 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2008-09-28 04:22 . 2007-11-14 15:18 553 --a------ C:\WINDOWS\USetup.iss
2008-09-28 04:21 . 2008-09-28 04:21 <DIR> d-------- C:\Program Files\Realtek
2008-09-28 04:20 . 2008-09-28 04:20 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-09-28 04:18 . 2008-07-10 04:07 7,143 --a------ C:\WINDOWS\system32\nvide.nvu
2008-09-28 04:17 . 2008-08-27 13:58 453,152 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-09-28 04:16 . 2008-09-28 04:16 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-09-28 04:16 . 2008-09-28 04:21 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-09-28 04:16 . 2006-07-01 22:39 36,864 --a------ C:\WINDOWS\system32\drivers\AmdK8.sys
2008-09-28 04:15 . 2008-09-28 04:15 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\InstallShield
2008-09-28 04:14 . 2008-09-28 04:16 <DIR> d-------- C:\Program Files\AMD
2008-09-28 04:14 . 2007-06-29 14:47 34,304 --a------ C:\WINDOWS\system32\drivers\AmdLLD.sys
2008-09-28 02:42 . 2008-09-28 02:42 <DIR> d-------- C:\WINDOWS\provisioning
2008-09-28 02:42 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\peernet
2008-09-28 02:41 . 2008-09-28 02:41 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-09-28 02:37 . 2008-09-28 17:07 <DIR> d-------- C:\WINDOWS\EHome
2008-09-28 02:15 . 2002-04-15 21:11 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-09-28 02:15 . 2008-04-14 05:42 11,264 --------- C:\WINDOWS\system32\spnpinst.exe
2008-09-28 02:15 . 2004-08-02 14:20 7,208 --------- C:\WINDOWS\system32\secupd.sig
2008-09-28 02:15 . 2004-08-02 14:20 4,569 --------- C:\WINDOWS\system32\secupd.dat
2008-09-28 02:05 . 2008-04-14 01:11 1,082,368 --a------ C:\WINDOWS\system32\esent.dll
2008-09-28 01:52 . 2008-09-28 17:13 <DIR> d-------- C:\WINDOWS\system32\bits
2008-09-28 01:52 . 2008-09-28 15:44 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-09-28 01:52 . 2007-08-10 20:46 26,488 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-09-28 01:50 . 2008-04-14 01:12 354,304 --a------ C:\WINDOWS\system32\winhttp.dll
2008-09-28 01:50 . 2008-04-14 01:12 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-09-28 01:50 . 2008-04-14 01:11 8,192 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-09-28 01:50 . 2008-04-14 01:11 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-09-28 01:47 . 2008-09-28 01:49 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-09-28 01:47 . 2008-09-28 02:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-28 01:46 . 2008-07-18 22:09 563,912 --a------ C:\WINDOWS\system32\wuapi.dll
2008-09-28 01:46 . 2008-07-18 22:09 325,832 --a------ C:\WINDOWS\system32\wucltui.dll
2008-09-28 01:46 . 2008-07-18 22:09 215,752 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-09-28 01:46 . 2008-07-18 22:09 205,000 --a------ C:\WINDOWS\system32\wuweb.dll
2008-09-28 01:46 . 2008-04-14 01:12 183,296 --a------ C:\WINDOWS\system32\wuaueng1.dll
2008-09-28 01:46 . 2008-04-14 01:12 165,888 --a------ C:\WINDOWS\system32\wuauclt1.exe
2008-09-28 01:46 . 2008-07-18 22:10 36,552 --a------ C:\WINDOWS\system32\wups.dll
2008-09-28 01:30 . 2008-09-28 01:30 <DIR> d-------- C:\Program Files\uTorrent
2008-09-28 01:30 . 2008-09-28 04:36 <DIR> d-------- C:\Documents and Settings\Darren\Application Data\uTorrent
2008-09-28 00:58 . 2008-09-28 00:58 <DIR> d-------- C:\Program Files\Sunbelt Software
2008-09-27 19:03 . 2008-09-28 20:24 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2008-09-27 19:03 . 2008-09-28 16:50 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2008-09-27 19:02 . 2008-09-27 18:14 261 --a------ C:\WINDOWS\system32\$winnt$.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-28 04:03 --------- d-----w C:\Program Files\Common Files\AOL
2008-09-28 03:21 319,488 ----a-w C:\WINDOWS\HideWin.exe
2008-09-27 17:28 --------- d-----w C:\Program Files\Common Files\aolback
2008-09-27 17:28 --------- d-----w C:\Program Files\AOL 9.0 VR
2008-09-27 17:28 --------- d-----w C:\Documents and Settings\Darren\Application Data\AOL
2008-09-27 17:27 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-09-27 17:27 --------- d-----w C:\Program Files\Common Files\aolshare
2008-09-27 17:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-09-27 17:26 --------- d-----w C:\Program Files\Viewpoint
2008-09-27 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-09-27 17:23 --------- d-----w C:\Program Files\VoyagerTest
2008-09-27 17:23 --------- d-----w C:\Program Files\Common Files\FTL Shared
2008-09-27 17:23 --------- d-----w C:\Program Files\BT Voyager 105 ADSL Modem
2008-09-27 17:22 --------- d-----w C:\Program Files\VoyagerModem105Drivers
2008-09-27 17:13 --------- d-----w C:\Program Files\microsoft frontpage
2008-09-09 17:39 16,851,968 ----a-w C:\WINDOWS\RTHDCPL.EXE
2008-09-09 17:07 4,813,824 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-08-20 17:35 453,152 ----a-w C:\WINDOWS\system32\nvusmb.exe
2008-08-20 17:35 122,880 ----a-w C:\WINDOWS\system32\NVCOSMB.DLL
2008-08-19 12:26 77,824 ----a-w C:\WINDOWS\SOUNDMAN.EXE
2008-08-15 22:22 86,016 ----a-w C:\WINDOWS\system32\nvmctray.dll
2008-08-06 14:51 1,200,128 ----a-w C:\WINDOWS\RtlUpd.exe
2008-08-05 19:10 1,684,736 ----a-w C:\WINDOWS\system32\drivers\Ambfilt.sys
2008-07-31 09:41 68,616 ----a-w C:\WINDOWS\system32\XAPOFX1_1.dll
2008-07-31 09:41 238,088 ----a-w C:\WINDOWS\system32\xactengine3_2.dll
2008-07-31 09:40 509,448 ----a-w C:\WINDOWS\system32\XAudio2_2.dll
2008-07-29 14:42 528,384 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-07-18 21:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 21:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 21:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 21:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-12 07:18 467,984 ----a-w C:\WINDOWS\system32\d3dx10_39.dll
2008-07-12 07:18 3,851,784 ----a-w C:\WINDOWS\system32\D3DX9_39.dll
2008-07-12 07:18 1,493,528 ----a-w C:\WINDOWS\system32\D3DCompiler_39.dll
.

((((((((((((((((((((((((((((( snapshot@2008-09-28_19.56.19.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
.
((((((((((((((((((((((((((((((((((((((( System Restore )))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-09-28 20:29 413 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegBHO-Global.reg
2008-09-28 19:49 413 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000182.reg

2008-09-28 20:29 2170 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDPF-Global.reg
2008-09-28 19:49 2170 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000181.reg

2008-09-28 20:29 60 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegDummy-Darren.reg
2008-09-28 19:49 60 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000193.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtBat-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000166.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCmd-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000160.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtCom-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000165.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtExe-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000164.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtPif-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000163.reg

2008-09-28 20:29 86 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtReg-Global.reg
2008-09-28 19:49 86 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000161.reg

2008-09-28 20:29 77 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegExtScr-Global.reg
2008-09-28 19:49 77 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000162.reg

2008-09-28 20:29 81 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBME-Global.reg
2008-09-28 19:49 81 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000177.reg

2008-09-28 20:29 116 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP1-Global.reg
2008-09-28 19:49 116 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000171.reg

2008-09-28 20:29 352 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2a-Global.reg
2008-09-28 19:49 367 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000041.reg
2008-09-28 20:00 352 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000170.reg

2008-09-28 20:29 516 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP2b-Global.reg
2008-09-28 19:49 552 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000042.reg
2008-09-28 20:00 516 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000169.reg

2008-09-28 20:29 277 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP3-Global.reg
2008-09-28 19:49 277 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000168.reg

2008-09-28 20:29 116 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBP4-Global.reg
2008-09-28 19:49 83 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000167.reg

2008-09-28 20:29 81 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB1-Global.reg
2008-09-28 19:49 81 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000183.reg

2008-09-28 20:29 240 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGBTB2-Global.reg
2008-09-28 19:49 240 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000179.reg

2008-09-28 20:29 114 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGCP-Global.reg
2008-09-28 19:49 114 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000158.reg

2008-09-28 20:29 88 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGIESH-Global.reg
2008-09-28 19:49 88 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000146.reg

2008-09-28 20:29 244 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVW-Global.reg
2008-09-28 19:49 89 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000156.reg

2008-09-28 20:29 372 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGNTCVWL-Global.reg
2008-09-28 19:49 372 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000044.reg
2008-09-28 20:00 372 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000154.reg

2008-09-28 20:29 761 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1-Global.reg
2008-09-28 19:49 873 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000038.reg
2008-09-28 20:25 761 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000188.reg

2008-09-28 20:29 205 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS1SM-Global.reg
2008-09-28 19:49 205 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000151.reg

2008-09-28 20:29 86 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2-Global.reg
2008-09-28 19:49 86 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000187.reg

2008-09-28 20:29 205 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS2SM-Global.reg
2008-09-28 19:49 205 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000150.reg

2008-09-28 20:29 90 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3-Global.reg
2008-09-28 19:49 90 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000186.reg

2008-09-28 20:29 180 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS3SM-Global.reg
2008-09-28 19:49 81 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000149.reg

2008-09-28 20:29 94 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGS4-Global.reg
2008-09-28 19:49 94 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000185.reg

2008-09-28 20:29 13640 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSS-Global.reg
2008-09-28 19:49 13640 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000142.reg

2008-09-28 20:29 383 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGSSODL-Global.reg
2008-09-28 19:49 383 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000152.reg

2008-09-28 20:29 3671 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegGWLN-Global.reg
2008-09-28 19:49 3671 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000145.reg

2008-09-28 20:29 80 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBME-Darren.reg
2008-09-28 19:49 80 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000178.reg

2008-09-28 20:29 115 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP1-Darren.reg
2008-09-28 19:49 115 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000176.reg

2008-09-28 20:29 290 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2a-Darren.reg
2008-09-28 19:49 290 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000175.reg

2008-09-28 20:29 450 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP2b-Darren.reg
2008-09-28 19:49 450 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000174.reg

2008-09-28 20:29 177 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP3-Darren.reg
2008-09-28 19:49 79 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000173.reg

2008-09-28 20:29 115 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBP4-Darren.reg
2008-09-28 19:49 115 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000172.reg

2008-09-28 20:29 3892 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB1-Darren.reg
2008-09-28 19:49 3892 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000184.reg

2008-09-28 20:29 367 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUBTB2-Darren.reg
2008-09-28 19:49 367 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000180.reg

2008-09-28 20:29 113 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUCP-Darren.reg
2008-09-28 19:49 113 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000159.reg

2008-09-28 20:29 136 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUDesk-Darren.reg
2008-09-28 19:49 136 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000148.reg

2008-09-28 20:29 132 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUIESH-Darren.reg
2008-09-28 19:49 132 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000147.reg

2008-09-28 20:29 235 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVW-Darren.reg
2008-09-28 19:49 208 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000043.reg
2008-09-28 20:00 235 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000157.reg

2008-09-28 20:29 390 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUNTCVWL-Darren.reg
2008-09-28 19:49 390 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000155.reg

2008-09-28 20:29 81 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS1-Darren.reg
2008-09-28 19:49 163 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000192.reg

2008-09-28 20:29 85 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS2-Darren.reg
2008-09-28 19:49 85 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000191.reg

2008-09-28 20:29 89 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS3-Darren.reg
2008-09-28 19:49 89 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000190.reg

2008-09-28 20:29 93 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUS4-Darren.reg
2008-09-28 19:49 93 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000189.reg

2008-09-28 20:29 105 C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2\RegUSSODL-Darren.reg
2008-09-28 19:49 105 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000153.reg

C:\Program Files\ESET\ESET NOD32 Antivirus\unins000.exe
{5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000057.exe

C:\WINDOWS\system32\drivers\easdrv.sys
2008-06-10 18:48 53256 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000058.sys

C:\WINDOWS\Installer\{2204AF25-80E5-468E-B46D-795685B35DEB}\callmsi.exe
2008-09-28 02:08 10134 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000132.exe

C:\WINDOWS\Installer\{2204AF25-80E5-468E-B46D-795685B35DEB}\egui.exe
2008-09-28 02:08 136448 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000133.exe

C:\WINDOWS\LastGood.Tmp\system32\DRIVERS\eamon.sys
2008-06-10 18:47 39944 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000138.sys

C:\WINDOWS\LastGood.Tmp\system32\DRIVERS\easdrv.sys
2008-06-10 18:48 53256 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000139.sys

C:\WINDOWS\LastGood.Tmp\system32\DRIVERS\epfwtdir.sys
2008-06-10 18:56 34312 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000140.sys

C:\WINDOWS\nod32fixtemdono.reg
2008-03-03 18:21 568 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP2\A0000056.reg

C:\WINDOWS\nod32restoretemdono.reg
2008-03-03 14:25 5702 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP4\A0000203.reg

C:\WINDOWS\system32\dotrakj.exe
2008-09-28 00:47 113152 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP4\A0000204.exe

C:\WINDOWS\system32\drivers\eamon.sys
2008-06-10 18:47 39944 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000059.sys

C:\WINDOWS\system32\drivers\epfwtdir.sys
2008-06-10 18:56 34312 {5AE69EA5-1983-4BCD-B1CF-68ED17BB193B}\RP3\A0000060.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"C:\\Program Files\\Common Files\\AOL\\1222536337\\ee\\aolsoftware.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2008-08-18 145952]
R1 fwdrv;Firewall Driver;C:\WINDOWS\system32\drivers\fwdrv.sys [2005-12-15 274432]
R1 khips;Kerio HIPS Driver;C:\WINDOWS\system32\drivers\khips.sys [2005-12-15 81920]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2008-04-14 14336]
R3 lanusb;GlobeSpan USB ADSL LAN Modem;C:\WINDOWS\system32\DRIVERS\glausb.sys [2003-08-15 138402]
R3 PPPoEWin;PPPoEWin Miniport;C:\WINDOWS\system32\DRIVERS\PPPoEWin.SYS [2003-09-25 104375]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-09-28 355584]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-28 20:38:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4ss.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\Sunbelt Software\Personal Firewall 4\kpf4gui.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\1222536337\ee\aolsoftware.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
.
**************************************************************************
.
Completion time: 2008-09-28 20:40:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-28 19:40:17
ComboFix2.txt 2008-09-28 18:57:31

Pre-Run: 146,590,334,976 bytes free
Post-Run: 146,529,095,680 bytes free

354 --- E O F --- 2008-09-28 02:00:24
Rorschach112
post Sep 28 2008, 02:25 PM
Post #7


GeekU Teacher
Posts: 19,886
From: Dublin
OS: XP



Hello

Please download the OTMoveIt3 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    C:\WINDOWS\system32\drivers\eamon.sys
    C:\WINDOWS\nod32fixtemdono.reg
    C:\WINDOWS\nod32restoretemdono.reg
    C:\WINDOWS\system32\drivers\epfwtdir.sys


    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.




Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



Please do an online scan with Kaspersky WebScanner

Make sure you are using Internet Explorer for this. Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next pos