Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

DSS, deckards system scanner [RESOLVED]


  • This topic is locked This topic is locked

#1
grassi

grassi

    Member

  • Member
  • PipPipPip
  • 123 posts
hello, im trying to get deckards system scanner to work for days now, but it freezes on examing registry? I have spybot, spyblaster, spyguard, adaware se, and avg free scanner, i exit out of all of them also going into options and disabling where i can, maybe im missing something. Same thing over and over, ive tried it for about a week now 2, 3 sometimes more a day. Well here is my Hjt log, maybe it can help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:59:04 PM, on 08-02-19
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\HP\KBD\KBD.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\CTFaMicetra.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CreativeMS2020] C:\Program Files\Creative\Fatal1ty Professional Laser Mouse\ctusbms.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128469640765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O20 - Winlogon Notify: dellog32 - C:\WINDOWS\SYSTEM32\dellog32.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: STOPzilla Service (szserver) - Unknown owner - C:\Program Files\Common Files\STOPzilla!\SZServer.exe (file missing)

--
End of file - 7400 bytes
  • 0

Advertisements


#2
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Can you try run DSS in Safe Mode

Do this from Normal Mode

Go to this site:
http://www.virustotal.com/
On top you'll find 'Browse'
Click the browse button and browse to the file:

C:\WINDOWS\SYSTEM32\dellog32.dll

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Once scanned, copy and paste the results as well in your next reply.
  • 0

#3
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
Hello Rorshach112,

sorry about that misunderstanding, but lemme explain a little more quick. we tried numerous attempts at Tech support, to figure out what happend with dss. On 2-28-2008 my buddy marked that thread as resolved (its in that post), As we had no luck. Since shes assistant mngr, and i have known her for a while now, she pmed. me knowing/remembering i had this problem she told me she opened that thread back up and to try what she found might have been the problem, it didnt work. That was on 3-12-08 nothing since then. I would never post another active thread if i knew someone was working on it somewhere else, i have more appreciation and respect for that. I thought you closed my thread without letting me explain, i see not. Thanks for your time if your still around.

That hjt log is old, as you might want a new one. That dellog was caught by tech support, we couldnt figure out what it was. So i believe we had hjt fix it, and they had me rename it to dellog32.old. Everything seemed fine but i still have it, its just not running(i think). Anyway here is a link to the scan..

http://www.virustota...565ccaec7db5120

Edited by grassi, 29 April 2008 - 07:25 PM.

  • 0

#4
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
No problem. I only closed the thread as they had ran so many tools over at that site, that it would have been better to keep going over there

Can you upload the dellog32.old file to this site


CLICK THIS TO LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "dellog32.old"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:


    • dellog32.old

  • Click Open.
  • Click Post.
Thank you!



Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#5
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
okay, here is your logs, i have 2 questions/concerns though. I saved the xp sp2 recovery to my desktop so i just have the icon there. Is that all i do with that? Also i went into my trendmicro folder to run HJT log, and noticed i have 2 HJT icons, 1 was HJT and the other was HP OWNER, i clicked on Hp owner as it had the most recent date when "created".
Also pnkbstr A and B is short for PunkBuster an online anticheat gaming program i have to have installed for an online multiplayer game i play. Also i noticed C:\sqmdata03.sqm wasnt on my last scan with comboscan over at tech support and this new scan seems to have a lot of them?

ComboFix 08-04-29.3 - HP_Owner 2008-04-30 11:54:27.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1165 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-25 16:17 . 2007-11-15 10:06 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-04-16 17:08 . 2008-04-16 17:08 22,328 --a------ C:\Documents and Settings\HP_Owner\Application Data\PnkBstrK.sys
2008-04-13 11:58 . 2008-04-13 11:58 244 --ah----- C:\sqmnoopt17.sqm
2008-04-13 11:58 . 2008-04-13 11:58 232 --ah----- C:\sqmdata17.sqm
2008-04-13 11:41 . 2008-04-13 11:41 244 --ah----- C:\sqmnoopt16.sqm
2008-04-13 11:41 . 2008-04-13 11:41 232 --ah----- C:\sqmdata16.sqm
2008-04-13 04:59 . 2008-04-13 04:59 16 --a------ C:\WINDOWS\popcinfo.dat
2008-04-13 04:26 . 2008-04-13 04:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt13.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata13.sqm
2008-04-12 10:28 . 2008-04-12 10:28 244 --ah----- C:\sqmnoopt12.sqm
2008-04-12 10:28 . 2008-04-12 10:28 232 --ah----- C:\sqmdata12.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt09.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata09.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt07.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata07.sqm
2008-04-09 17:58 . 2008-04-09 17:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-09 17:58 . 2008-04-09 17:58 232 --ah----- C:\sqmdata06.sqm
2008-04-09 17:55 . 2008-04-09 17:55 244 --ah----- C:\sqmnoopt05.sqm
2008-04-09 17:55 . 2008-04-09 17:55 232 --ah----- C:\sqmdata05.sqm
2008-04-09 17:50 . 2008-04-09 17:50 244 --ah----- C:\sqmnoopt04.sqm
2008-04-09 17:50 . 2008-04-09 17:50 232 --ah----- C:\sqmdata04.sqm
2008-04-09 03:02 . 2008-04-09 03:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt02.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata02.sqm
2008-03-24 19:33 . 2008-03-24 19:33 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Logitech
2008-03-24 19:32 . 2007-11-15 10:07 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-24 19:32 . 2007-11-15 10:07 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-24 19:32 . 2007-11-15 10:07 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-24 19:32 . 2007-11-15 10:07 76,304 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-21 21:22 . 2008-03-21 21:22 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:04 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-29 06:04 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-25 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-14 21:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-04-14 21:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 15:11 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 23:31 --------- d-----w C:\Program Files\Logitech
2008-03-24 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-24 23:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 19:53 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-12-21 03:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mscomp]
@={89BDD0AB-5A19-4853-A47E-0EC759700527}

[HKEY_CLASSES_ROOT\CLSID\{89BDD0AB-5A19-4853-A47E-0EC759700527}]
2007-04-16 11:52 1365193 --a------ C:\WINDOWS\system32\winbios.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 23:52 180269]
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-20 23:32 7630848]
"nwiz"="nwiz.exe" [2006-10-20 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-20 23:32 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-21 21:22 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-24 19:32:10 784912]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 15:12]
S3 jswmidin;jswmidin;C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\jswmidin.sys []
S3 PciCon;PciCon;E:\PciCon.sys []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 11:55:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 11:57:40
ComboFix-quarantined-files.txt 2008-04-30 15:57:30

Pre-Run: 62,533,017,600 bytes free
Post-Run: 62,526,435,328 bytes free

153 --- E O F --- 2008-04-08 19:06:48



________________________________________________________________________________
__________________
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:20 PM, on 08-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HP_Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128469640765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5893 bytes

Edited by grassi, 30 April 2008 - 10:20 AM.

  • 0

#6
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Also i noticed C:\sqmdata03.sqm wasnt on my last scan with comboscan over at tech support and this new scan seems to have a lot of them?

They are related to Windows Live Messenger


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\winbios.dll

Folder::

Registry::

Driver::
jswmidin
PciCon


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Also delete this file

C:\WINDOWS\SYSTEM32\dellog32.dll.old or is it C:\WINDOWS\SYSTEM32\dellog32.old


Reboot and post a new HijackThis log
  • 0

#7
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
okay buddy, i deleted C:\WINDOWS\SYSTEM32\dellog32.old (that was the correct spelling). I imagine you found what that was? Just wondering, cuz we had no clue =). Hope that i dragged that config into combofix correctly? When i dropped it in, i got the comboscan pop up window to run itl. It finished and auto. restarted my cpu. The log popped up on desktop as usuall, not in "C:\ComboFix.txt" Can you tell if i did it ok?


ComboFix 08-04-29.3 - HP_Owner 2008-04-30 16:38:10.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1135 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\winbios.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\winbios.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_JSWMIDIN
-------\Legacy_PCICON
-------\Service_jswmidin
-------\Service_PciCon


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-25 16:17 . 2007-11-15 10:06 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-04-16 17:08 . 2008-04-16 17:08 22,328 --a------ C:\Documents and Settings\HP_Owner\Application Data\PnkBstrK.sys
2008-04-13 11:58 . 2008-04-13 11:58 244 --ah----- C:\sqmnoopt17.sqm
2008-04-13 11:58 . 2008-04-13 11:58 232 --ah----- C:\sqmdata17.sqm
2008-04-13 11:41 . 2008-04-13 11:41 244 --ah----- C:\sqmnoopt16.sqm
2008-04-13 11:41 . 2008-04-13 11:41 232 --ah----- C:\sqmdata16.sqm
2008-04-13 04:59 . 2008-04-13 04:59 16 --a------ C:\WINDOWS\popcinfo.dat
2008-04-13 04:26 . 2008-04-13 04:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt13.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata13.sqm
2008-04-12 10:28 . 2008-04-12 10:28 244 --ah----- C:\sqmnoopt12.sqm
2008-04-12 10:28 . 2008-04-12 10:28 232 --ah----- C:\sqmdata12.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt09.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata09.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt07.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata07.sqm
2008-04-09 17:58 . 2008-04-09 17:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-09 17:58 . 2008-04-09 17:58 232 --ah----- C:\sqmdata06.sqm
2008-04-09 17:55 . 2008-04-09 17:55 244 --ah----- C:\sqmnoopt05.sqm
2008-04-09 17:55 . 2008-04-09 17:55 232 --ah----- C:\sqmdata05.sqm
2008-04-09 17:50 . 2008-04-09 17:50 244 --ah----- C:\sqmnoopt04.sqm
2008-04-09 17:50 . 2008-04-09 17:50 232 --ah----- C:\sqmdata04.sqm
2008-04-09 03:02 . 2008-04-09 03:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt02.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata02.sqm
2008-03-24 19:33 . 2008-03-24 19:33 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Logitech
2008-03-24 19:32 . 2007-11-15 10:07 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-24 19:32 . 2007-11-15 10:07 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-24 19:32 . 2007-11-15 10:07 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-24 19:32 . 2007-11-15 10:07 76,304 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-21 21:22 . 2008-03-21 21:22 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:04 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-25 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-14 21:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-04-14 21:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 15:11 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 23:31 --------- d-----w C:\Program Files\Logitech
2008-03-24 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-24 23:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 19:53 --------- d-----w C:\Program Files\Java
2005-12-21 03:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot@2008-04-30_11.57.23.17 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 15:51:44 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-30 20:40:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2007-03-13 14:57:10 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2005-10-21 00:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{049942F4-8EFB-FC52-0BBD-66FB78B66CFB}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{049942F4-8EFB-FC52-0BBD-66FB78B66CFB}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{07A129F4-66E6-FFD1-0BD6-5EF87BC954F8}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{07A129F4-66E6-FFD1-0BD6-5EF87BC954F8}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{08246AFC-0DBD-F500-0395-DBF7688DD1F7}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{08246AFC-0DBD-F500-0395-DBF7688DD1F7}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{08E29347-5D0D-F059-B86C-1DF7CB6917F7}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{08E29347-5D0D-F059-B86C-1DF7CB6917F7}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{0D58B7AD-758C-F5D6-5248-A7F221ECADF2}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{0D58B7AD-758C-F5D6-5248-A7F221ECADF2}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{0F63BC4E-BAC4-F706-B143-9CF0C24C96F0}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{0F63BC4E-BAC4-F706-B143-9CF0C24C96F0}.dat
- 2008-04-30 15:54:38 1,191,936 ----a-w C:\WINDOWS\system32\mapstyle\{123F5362-775F-E96A-9DAC-C0EDF6A7CAED}.dat
+ 2008-04-30 20:38:14 1,191,936 ----a-w C:\WINDOWS\system32\mapstyle\{123F5362-775F-E96A-9DAC-C0EDF6A7CAED}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{168CD28A-8B22-EEF7-752D-73E9051E79E9}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{168CD28A-8B22-EEF7-752D-73E9051E79E9}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{185F1881-CA70-E0AC-7EE7-A0E70EDCAAE7}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{185F1881-CA70-E0AC-7EE7-A0E70EDCAAE7}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{1B77AEA7-AABD-E302-5851-88E42B5A82E4}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{1B77AEA7-AABD-E302-5851-88E42B5A82E4}.dat
- 2008-04-30 15:54:38 2,177,024 ----a-w C:\WINDOWS\system32\mapstyle\{1E23C985-4CE0-E46A-7A36-DCE11731D6E1}.dat
+ 2008-04-30 20:38:14 2,177,024 ----a-w C:\WINDOWS\system32\mapstyle\{1E23C985-4CE0-E46A-7A36-DCE11731D6E1}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{1F067F3B-B80D-E5DF-C480-F9E0A980F3E0}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{1F067F3B-B80D-E5DF-C480-F9E0A980F3E0}.dat
- 2008-04-30 15:54:38 1,191,936 ----a-w C:\WINDOWS\system32\mapstyle\{263C2C45-3D89-DD98-BAD3-C3D9D1BFC9D9}.dat
+ 2008-04-30 20:38:14 1,191,936 ----a-w C:\WINDOWS\system32\mapstyle\{263C2C45-3D89-DD98-BAD3-C3D9D1BFC9D9}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{28E50B81-02C3-DF15-7EF4-1AD70DEE10D7}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{28E50B81-02C3-DF15-7EF4-1AD70DEE10D7}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{2A64486A-C3B1-D266-95B7-9BD5E6B291D5}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{2A64486A-C3B1-D266-95B7-9BD5E6B291D5}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{2E75200E-535D-D6AD-F1DF-8AD181D580D1}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{2E75200E-535D-D6AD-F1DF-8AD181D580D1}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{347FB455-E82C-CC5E-AA4B-80CBD9438ACB}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{347FB455-E82C-CC5E-AA4B-80CBD9438ACB}.dat
- 2008-04-30 15:54:38 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{3498B6D4-26AA-C819-2B49-67CB5E496DCB}.dat
+ 2008-04-30 20:38:14 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{3498B6D4-26AA-C819-2B49-67CB5E496DCB}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{35D1B4AE-F7E2-CE3C-514B-2ECA3A0B24CA}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{35D1B4AE-F7E2-CE3C-514B-2ECA3A0B24CA}.dat
- 2007-04-16 15:52:53 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{3F222721-B46A-C8F1-DED8-DDC0AEC6D7C0}.dat
+ 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{3F222721-B46A-C8F1-DED8-DDC0AEC6D7C0}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{41430E82-D243-B997-7DF1-BCBE16E0B6BE}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{41430E82-D243-B997-7DF1-BCBE16E0B6BE}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{445A0C60-6EA9-BC48-9FF3-A5BBEC6BAFBB}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{445A0C60-6EA9-BC48-9FF3-A5BBEC6BAFBB}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{451ED925-0155-BC7F-DA26-E1BAB107EBBA}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{451ED925-0155-BC7F-DA26-E1BAB107EBBA}.dat
- 2008-04-30 15:54:38 1,126,400 ----a-w C:\WINDOWS\system32\mapstyle\{49B6A742-6F66-B36F-BD58-49B6D65843B6}.dat
+ 2008-04-30 20:38:14 1,126,400 ----a-w C:\WINDOWS\system32\mapstyle\{49B6A742-6F66-B36F-BD58-49B6D65843B6}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4AB3BE80-1FF9-B2F1-7F41-4CB50F5446B5}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4AB3BE80-1FF9-B2F1-7F41-4CB50F5446B5}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4AE19AB7-7E92-B201-4865-1EB53B4714B5}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4AE19AB7-7E92-B201-4865-1EB53B4714B5}.dat
+ 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4B25078C-CA40-BCE1-73F8-DAB404FED0B4}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4D3BBA3B-E2A5-B5EB-C445-C4B2B45BCEB2}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{4D3BBA3B-E2A5-B5EB-C445-C4B2B45BCEB2}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{4EA6EAD6-2F71-B5E5-2915-59B1443153B1}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{4EA6EAD6-2F71-B5E5-2915-59B1443153B1}.dat
- 2007-04-16 15:52:53 8,693,760 ----a-w C:\WINDOWS\system32\mapstyle\{54486730-0D4A-A38F-CF98-B7ABA69ABDAB}.dat
+ 2007-04-16 15:52:53 8,742,912 ----a-w C:\WINDOWS\system32\mapstyle\{54486730-0D4A-A38F-CF98-B7ABA69ABDAB}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{54FF7208-5AB7-ACD1-F78D-00AB84DE0AAB}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{54FF7208-5AB7-ACD1-F78D-00AB84DE0AAB}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{5632CA88-F12B-A1D0-7735-CDA90376C7A9}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{5632CA88-F12B-A1D0-7735-CDA90376C7A9}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{56BDFE43-450F-AE9F-BC01-42A9C8CD48A9}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{56BDFE43-450F-AE9F-BC01-42A9C8CD48A9}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{58FD1FA4-662C-A470-5BE0-02A730CC08A7}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{58FD1FA4-662C-A470-5BE0-02A730CC08A7}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{5978DD8E-1E38-A16B-7122-87A605B68DA6}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{5978DD8E-1E38-A16B-7122-87A605B68DA6}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{5A840540-5E50-A73D-BFFA-7BA5DAE071A5}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{5A840540-5E50-A73D-BFFA-7BA5DAE071A5}.dat
- 2007-04-16 15:52:53 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{5E7C6ACB-09A2-A9AC-3495-83A143DE89A1}.dat
+ 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{5E7C6ACB-09A2-A9AC-3495-83A143DE89A1}.dat
+ 2007-04-16 15:52:53 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{610377F7-8F37-96C0-0888-FC9E7882F69E}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{62E4A31D-7BE6-951D-E25C-1B9D964D119D}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{62E4A31D-7BE6-951D-E25C-1B9D964D119D}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{63340107-1185-9A36-F8FE-CB9C88E4C19C}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{63340107-1185-9A36-F8FE-CB9C88E4C19C}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{68BB1008-6E22-911D-F7EF-44979C834E97}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{68BB1008-6E22-911D-F7EF-44979C834E97}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{71989040-32C4-8BCB-BF6F-678ED46D6D8E}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{71989040-32C4-8BCB-BF6F-678ED46D6D8E}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{724B7AA3-DBCB-8B47-5C85-B48D2CB0BE8D}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{724B7AA3-DBCB-8B47-5C85-B48D2CB0BE8D}.dat
- 2008-04-30 15:54:38 1,208,320 ----a-w C:\WINDOWS\system32\mapstyle\{76F620A1-E3C8-8DEC-5EDF-098935F70389}.dat
+ 2008-04-30 20:38:14 1,208,320 ----a-w C:\WINDOWS\system32\mapstyle\{76F620A1-E3C8-8DEC-5EDF-098935F70389}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7A8AB198-9E3D-82B1-674E-7585142B7F85}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7A8AB198-9E3D-82B1-674E-7585142B7F85}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7ABF437B-6F58-825A-84BC-4085F4B34A85}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7ABF437B-6F58-825A-84BC-4085F4B34A85}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7C95F015-CEC5-8414-EA0F-6A83990C6083}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7C95F015-CEC5-8414-EA0F-6A83990C6083}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7D30D735-2BB0-8170-CA28-CF82A129C582}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{7D30D735-2BB0-8170-CA28-CF82A129C582}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{8B161CCF-0B2B-738D-30E3-E97440C4E374}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{8B161CCF-0B2B-738D-30E3-E97440C4E374}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{8FBD7E12-DCFE-77EB-ED81-42709D4B4870}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{8FBD7E12-DCFE-77EB-ED81-42709D4B4870}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{9E3B1D77-84ED-66B3-88E2-C461E337CE61}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{9E3B1D77-84ED-66B3-88E2-C461E337CE61}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{9F302DAF-76BF-6289-50D2-CF603DC8C560}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{9F302DAF-76BF-6289-50D2-CF603DC8C560}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{9FEB9C81-ECC2-6745-7E63-14600DD41E60}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{9FEB9C81-ECC2-6745-7E63-14600DD41E60}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{A09765E0-087C-5C7E-1F9A-685F749A625F}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{A09765E0-087C-5C7E-1F9A-685F749A625F}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{A9020FBB-91C0-527C-44F0-FD562FA8F756}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{A9020FBB-91C0-527C-44F0-FD562FA8F756}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{AA6D4465-B69E-52C9-9ABB-9255EA5D9855}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{AA6D4465-B69E-52C9-9ABB-9255EA5D9855}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B050D920-F47D-4869-DF26-AF4FAB22A54F}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B050D920-F47D-4869-DF26-AF4FAB22A54F}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B337CB30-BFF0-4B3F-CF34-C84CBB77C24C}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B337CB30-BFF0-4B3F-CF34-C84CBB77C24C}.dat
- 2008-04-30 15:54:38 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{B660C972-316A-4C2C-8D36-9F49E8379549}.dat
+ 2008-04-30 20:38:14 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{B660C972-316A-4C2C-8D36-9F49E8379549}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B701D139-CAE2-40ED-C62E-FE48B214F448}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{B701D139-CAE2-40ED-C62E-FE48B214F448}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{B91B914B-BA5E-4185-B46E-E446C76BEE46}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{B91B914B-BA5E-4185-B46E-E446C76BEE46}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{BB822C82-62C3-43D7-7DD3-7D440E1C7744}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{BB822C82-62C3-43D7-7DD3-7D440E1C7744}.dat
- 2008-04-30 15:54:38 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{CCD7A580-B3E3-34FB-7F5A-28330B3C2233}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{CCD7A580-B3E3-34FB-7F5A-28330B3C2233}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{CCDE6491-932F-3321-6E9B-21331B9B2B33}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{CCDE6491-932F-3321-6E9B-21331B9B2B33}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{D29E3303-0BEF-2A48-FCCC-612D8FC46B2D}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{D29E3303-0BEF-2A48-FCCC-612D8FC46B2D}.dat
+ 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{D73A28AA-465C-20FE-55D7-C52822DFCF28}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{DF2281AB-0E5E-25B7-547E-DD203F46D720}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{DF2281AB-0E5E-25B7-547E-DD203F46D720}.dat
- 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{E1BB73A2-B532-1661-5D8C-441E2E8F4E1E}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{E1BB73A2-B532-1661-5D8C-441E2E8F4E1E}.dat
+ 2007-04-16 15:52:53 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{E795DACA-48F0-1050-3525-6A1842216018}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{E9BD853C-1247-1E5A-C37A-4216B0654816}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{E9BD853C-1247-1E5A-C37A-4216B0654816}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{ECC8EE92-7D8D-1479-6D11-37131D8B3D13}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{ECC8EE92-7D8D-1479-6D11-37131D8B3D13}.dat
- 2008-04-30 15:54:38 1,126,400 ----a-w C:\WINDOWS\system32\mapstyle\{EE9FE4BC-61A2-1778-431B-601128146A11}.dat
+ 2008-04-30 20:38:14 1,126,400 ----a-w C:\WINDOWS\system32\mapstyle\{EE9FE4BC-61A2-1778-431B-601128146A11}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{EF3785F0-9763-1520-0F7A-C8106446C210}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{EF3785F0-9763-1520-0F7A-C8106446C210}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{F0341B99-336A-093A-66E4-CB0F0DCAC10F}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{F0341B99-336A-093A-66E4-CB0F0DCAC10F}.dat
+ 2007-04-16 15:52:53 1,093,632 ----a-w C:\WINDOWS\system32\mapstyle\{F6864C23-4E75-0142-DCB3-7909ABB97309}.dat
- 2007-04-16 15:52:53 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{F6AC45E8-4173-017A-17BA-530963AF5909}.dat
+ 2008-04-30 20:38:14 2,193,408 ----a-w C:\WINDOWS\system32\mapstyle\{F6AC45E8-4173-017A-17BA-530963AF5909}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{F926184F-88F3-04EC-B0E7-D906C5E7D306}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{F926184F-88F3-04EC-B0E7-D906C5E7D306}.dat
+ 2007-04-16 15:52:53 8,693,760 ----a-w C:\WINDOWS\system32\mapstyle\{FAC76A9E-9656-0D04-6195-3805089F3205}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{FBB486CC-CAEC-033C-3379-4B0443AF4104}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{FBB486CC-CAEC-033C-3379-4B0443AF4104}.dat
- 2008-04-30 15:54:38 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{FFD6DC71-874E-0791-8E23-2900FDAB2300}.dat
+ 2008-04-30 20:38:14 1,110,016 ----a-w C:\WINDOWS\system32\mapstyle\{FFD6DC71-874E-0791-8E23-2900FDAB2300}.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mscomp]
@={89BDD0AB-5A19-4853-A47E-0EC759700527}

[HKEY_CLASSES_ROOT\CLSID\{89BDD0AB-5A19-4853-A47E-0EC759700527}]
C:\WINDOWS\system32\winbios.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 23:52 180269]
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-20 23:32 7630848]
"nwiz"="nwiz.exe" [2006-10-20 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-20 23:32 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-21 21:22 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-24 19:32:10 784912]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 15:12]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 16:40:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
.
**************************************************************************
.
Completion time: 2008-04-30 16:45:27 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-30 20:45:16
ComboFix2.txt 2008-04-30 15:57:42

Pre-Run: 62,512,721,920 bytes free
Post-Run: 62,452,547,584 bytes free

335 --- E O F --- 2008-04-08 19:06:48

________________________________________________________________________________
___________________


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:01:55 PM, on 08-04-30
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HP_Owner.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AutoTBar] c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} -
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1128469640765
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - http://ipgweb.cce.hp...oads/msxml4.cab
O16 - DPF: {8A0019EB-51FA-4AE5-A40B-C0496BBFC739} (Verizon Wireless Media Upload) - http://picture.vzw.c...loadControl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_05) -
O16 - DPF: {A2EBA59E-C601-4AE3-900B-6B61F29500BE} -
O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

--
End of file - 5909 bytes

Edited by grassi, 30 April 2008 - 03:05 PM.

  • 0

#8
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::

Folder::

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mscomp]
"@"=-
[-HKEY_CLASSES_ROOT\CLSID\{89BDD0AB-5A19-4853-A47E-0EC759700527}]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#9
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
Heres my comboscan, im havin trouble with Kaspersky, it took an hr. but there was no option to save as text. I cant get the window to maximize, so i might not beable to see it. Gonna try and get the window bigger. Probably be the next post. editeddefinelty cant figure out why kaspersky's window wont let me maximize it.okay i tried again and it worked fine see attatchment for report. (think i keep mixing up comboscan and combofix, Sorry).


ComboFix 08-04-29.3 - HP_Owner 2008-04-30 18:16:31.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1173 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-30 )))))))))))))))))))))))))))))))
.

2008-04-25 16:17 . 2007-11-15 10:06 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-04-16 17:08 . 2008-04-16 17:08 22,328 --a------ C:\Documents and Settings\HP_Owner\Application Data\PnkBstrK.sys
2008-04-13 11:58 . 2008-04-13 11:58 244 --ah----- C:\sqmnoopt17.sqm
2008-04-13 11:58 . 2008-04-13 11:58 232 --ah----- C:\sqmdata17.sqm
2008-04-13 11:41 . 2008-04-13 11:41 244 --ah----- C:\sqmnoopt16.sqm
2008-04-13 11:41 . 2008-04-13 11:41 232 --ah----- C:\sqmdata16.sqm
2008-04-13 04:59 . 2008-04-13 04:59 16 --a------ C:\WINDOWS\popcinfo.dat
2008-04-13 04:26 . 2008-04-13 04:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt13.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata13.sqm
2008-04-12 10:28 . 2008-04-12 10:28 244 --ah----- C:\sqmnoopt12.sqm
2008-04-12 10:28 . 2008-04-12 10:28 232 --ah----- C:\sqmdata12.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt09.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata09.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt07.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata07.sqm
2008-04-09 17:58 . 2008-04-09 17:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-09 17:58 . 2008-04-09 17:58 232 --ah----- C:\sqmdata06.sqm
2008-04-09 17:55 . 2008-04-09 17:55 244 --ah----- C:\sqmnoopt05.sqm
2008-04-09 17:55 . 2008-04-09 17:55 232 --ah----- C:\sqmdata05.sqm
2008-04-09 17:50 . 2008-04-09 17:50 244 --ah----- C:\sqmnoopt04.sqm
2008-04-09 17:50 . 2008-04-09 17:50 232 --ah----- C:\sqmdata04.sqm
2008-04-09 03:02 . 2008-04-09 03:02 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 244 --ah----- C:\sqmnoopt02.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata03.sqm
2008-03-30 10:14 . 2008-03-30 10:14 232 --ah----- C:\sqmdata02.sqm
2008-03-24 19:33 . 2008-03-24 19:33 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Logitech
2008-03-24 19:32 . 2007-11-15 10:07 170,512 --a------ C:\WINDOWS\system32\kemutb.dll
2008-03-24 19:32 . 2007-11-15 10:07 141,840 --a------ C:\WINDOWS\system32\KemUtil.dll
2008-03-24 19:32 . 2007-11-15 10:07 117,264 --a------ C:\WINDOWS\system32\KemWnd.dll
2008-03-24 19:32 . 2007-11-15 10:07 76,304 --a------ C:\WINDOWS\system32\KemXML.dll
2008-03-21 21:22 . 2008-03-21 21:22 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-29 06:04 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-04-29 06:04 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-25 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-14 21:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-04-14 21:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 15:11 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 23:31 --------- d-----w C:\Program Files\Logitech
2008-03-24 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-24 23:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 19:53 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-12-21 03:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mscomp]
@={89BDD0AB-5A19-4853-A47E-0EC759700527}

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 23:52 180269]
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-20 23:32 7630848]
"nwiz"="nwiz.exe" [2006-10-20 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-20 23:32 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-21 21:22 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-24 19:32:10 784912]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 15:12]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-30 18:17:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-30 18:18:27
ComboFix-quarantined-files.txt 2008-04-30 22:17:49
ComboFix2.txt 2008-04-30 20:45:27
ComboFix3.txt 2008-04-30 15:57:42

Pre-Run: 62,433,288,192 bytes free
Post-Run: 62,423,863,296 bytes free

150 --- E O F --- 2008-04-08 19:06:48

Attached Files


Edited by grassi, 30 April 2008 - 09:50 PM.

  • 0

#10
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ntreg.exe

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\Mscomp]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall




Reboot and tell me how your PC is running
  • 0

Advertisements


#11
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
seems okay. Didnt know if you wanted a log, here it is, just incase

ComboFix 08-04-29.3 - HP_Owner 2008-05-01 9:12:13.7 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1170 [GMT -4:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\ntreg.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ntreg.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-01 to 2008-05-01 )))))))))))))))))))))))))))))))
.

2008-04-30 18:24 . 2008-04-30 18:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-30 18:24 . 2008-04-30 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-25 16:17 . 2007-11-15 10:06 301,656 --a------ C:\WINDOWS\system32\BtCoreIf.dll
2008-04-16 17:08 . 2008-04-16 17:08 22,328 --a------ C:\Documents and Settings\HP_Owner\Application Data\PnkBstrK.sys
2008-04-13 11:58 . 2008-04-13 11:58 244 --ah----- C:\sqmnoopt17.sqm
2008-04-13 11:58 . 2008-04-13 11:58 232 --ah----- C:\sqmdata17.sqm
2008-04-13 11:41 . 2008-04-13 11:41 244 --ah----- C:\sqmnoopt16.sqm
2008-04-13 11:41 . 2008-04-13 11:41 232 --ah----- C:\sqmdata16.sqm
2008-04-13 04:59 . 2008-04-13 04:59 16 --a------ C:\WINDOWS\popcinfo.dat
2008-04-13 04:26 . 2008-04-13 04:59 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 244 --ah----- C:\sqmnoopt13.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata15.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata14.sqm
2008-04-12 10:29 . 2008-04-12 10:29 232 --ah----- C:\sqmdata13.sqm
2008-04-12 10:28 . 2008-04-12 10:28 244 --ah----- C:\sqmnoopt12.sqm
2008-04-12 10:28 . 2008-04-12 10:28 232 --ah----- C:\sqmdata12.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 244 --ah----- C:\sqmnoopt09.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata11.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata10.sqm
2008-04-12 10:27 . 2008-04-12 10:27 232 --ah----- C:\sqmdata09.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 244 --ah----- C:\sqmnoopt07.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata08.sqm
2008-04-09 18:11 . 2008-04-09 18:11 232 --ah----- C:\sqmdata07.sqm
2008-04-09 17:58 . 2008-04-09 17:58 244 --ah----- C:\sqmnoopt06.sqm
2008-04-09 17:58 . 2008-04-09 17:58 232 --ah----- C:\sqmdata06.sqm
2008-04-09 17:55 . 2008-04-09 17:55 244 --ah----- C:\sqmnoopt05.sqm
2008-04-09 17:55 . 2008-04-09 17:55 232 --ah----- C:\sqmdata05.sqm
2008-04-09 17:50 . 2008-04-09 17:50 244 --ah----- C:\sqmnoopt04.sqm
2008-04-09 17:50 . 2008-04-09 17:50 232 --ah----- C:\sqmdata04.sqm
2008-04-09 03:02 . 2008-04-09 03:02 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-01 04:06 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-05-01 04:06 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-04-25 20:17 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logitech
2008-04-25 20:17 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-04-14 21:59 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-04-14 21:49 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-11 15:11 --------- d-----w C:\Program Files\SpywareGuard
2008-03-24 23:33 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Logitech
2008-03-24 23:31 --------- d-----w C:\Program Files\Logitech
2008-03-24 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-03-24 23:04 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-22 01:22 --------- d-----w C:\Program Files\QuickTime
2008-03-21 19:53 --------- d-----w C:\Program Files\Java
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2005-12-21 03:49 774,144 ----a-w C:\Program Files\RngInterstitial.dll
.

((((((((((((((((((((((((((((( snapshot_2008-04-30_16.45.04.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 20:40:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-01 13:07:24 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-08 05:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-14 23:43 233472]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 19:04 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 20:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-08-11 23:52 180269]
"AutoTBar"="c:\Program Files\HP\Digital Imaging\bin\AUTOTBAR.EXE" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 06:43 57344]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-20 23:32 7630848]
"nwiz"="nwiz.exe" [2006-10-20 23:32 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-20 23:32 86016]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-21 21:22 385024]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 20:05:35 360448]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-03-24 19:32:10 784912]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2004-08-12 00:20:09 16423]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Wolfenstein - Enemy Territory\\ET.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\WINDOWS\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=

R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2006-12-20 08:00]
S3 ctms2020;Creative HID USB Filter Driver1;C:\WINDOWS\system32\DRIVERS\ctms2020.Sys [2006-05-09 15:12]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-01 09:13:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-01 9:15:29
ComboFix-quarantined-files.txt 2008-05-01 13:15:16
ComboFix2.txt 2008-04-30 22:18:28
ComboFix3.txt 2008-04-30 20:45:27
ComboFix4.txt 2008-04-30 15:57:42

Pre-Run: 62,380,691,456 bytes free
Post-Run: 62,369,906,688 bytes free

158 --- E O F --- 2008-04-08 19:06:48
  • 0

#12
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Your logs are clean ! We need to do a few things

Follow these steps to uninstall Combofix and tools used in the removal of malware
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    Posted Image


You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
  • 0

#13
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
okay did the 1st part, but for java i only have "java™ 6 update 5" no "Java Runtime Environment (JRE)" in the name? Do i remove that?
  • 0

#14
Rorschach112

Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Yes that is the one you want to remove

Let me know how the rest of the steps go
  • 0

#15
grassi

grassi

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 123 posts
okay completed all, and everything seems ok. Maybe faster on Reboot. Gonna reboot now.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP