Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Virtumonde, TOP RATED SPYWARE, TrojanDownloader.xs and more

Started by ei2kpi , Apr 02 2008 09:09 PM

  • Please log in to reply

#1
ei2kpi
Posted 02 April 2008 - 09:09 PM

ei2kpi

    New Member

  • Member
  • Pip
  • 8 posts
So this all started when my friend emailed me a file which I opened by mistake. (I know you're not supposed to do that but i clicked it by mistake)

I started getting a yellow triangle with an exclamation mark in my system tray, popups saying I have some Abebot virus, TrojanDownloader.xs, my registry is completely infected and that I should buy their anti-spyware programs.

Here are screen shots of the messages i Got :
Abebot.JPG trojan.JPG registry.JPG triangle.JPG

I tried the usual Symantec antivirus and spybot first. Symantec found nothing but spybot found a LOT of stuff which I cleaned but it didnt help.

Next when I restarted my computer, the icons just never came up and instead I got a windows message saying some win32 generic host process had crashed and if I wanted to send an error report. Using the send to microsoft button, I somehow got IE working and then ran explorer.exe using taskmanager to get the icons back. I immidiately did a back up of all my stuff and set about re-formatting my hardisk.

Reformatting stage:
I have 4 Drives (partitions) over two disks. The first disk contains my C Drive as well as another archives partition while the second one contains a Linux ext3 partition as well as another archives partition. I backed up my stuff onto the two archive partitions and then reformatted my C Drive only and reinstalled XP Prof.

AND AS SOON AS I BOOTED UP THE SAME POP-UPS WERE THERE WAITING FOR ME!!!

Thats when I found this forum with someone asking what I thought was similar to my problem. I followed all the steps, did a combofix, Hijack This Log as well as a kaspersky scan. nothing seems to have helped!

Please help me!

The logs are pasted below:

HiJack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:59 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0013)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\WINDOWS\system32\dqbgtolu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [aucwgzbi] C:\WINDOWS\system32\vejyhetg.exe
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O4 - HKLM\..\Policies\Explorer\Run: [TB0OVSNt8J] C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O20 - Winlogon Notify: geBRihfe - geBRihfe.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 5958 bytes

ComboFix Log:

ComboFix 08-04-01.2 - Family 2008-04-02 23:23:20.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.132 [GMT 8:00]
Running from: C:\Documents and Settings\Family\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Family\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\aconti.exe
C:\WINDOWS\adbar.dll
C:\WINDOWS\cbinst$.exe
C:\WINDOWS\daxtime.dll
C:\WINDOWS\dp0.dll
C:\WINDOWS\eventlowg.dll
C:\WINDOWS\fhfmm-Uninstaller.exe
C:\WINDOWS\fhfmm.exe
C:\WINDOWS\fkwggshm.exe
C:\WINDOWS\hcwprn.exe
C:\WINDOWS\hotporn.exe
C:\WINDOWS\ie_32.exe
C:\WINDOWS\iexplorr23.dll
C:\WINDOWS\kkcomp$.exe
C:\WINDOWS\kkcomp.dll
C:\WINDOWS\kkcomp.exe
C:\WINDOWS\kvnab$.exe
C:\WINDOWS\kvnab.dll
C:\WINDOWS\kvnab.exe
C:\WINDOWS\liqad$.exe
C:\WINDOWS\liqad.dll
C:\WINDOWS\liqad.exe
C:\WINDOWS\liqui-Uninstaller.exe
C:\WINDOWS\liqui.dll
C:\WINDOWS\liqui.exe
C:\WINDOWS\ngd.dll
C:\WINDOWS\pbar.dll
C:\WINDOWS\settn.dll
C:\WINDOWS\spredirect.dll
C:\WINDOWS\system32\ace16win.dll
C:\WINDOWS\system32\aivskurq.dll
C:\WINDOWS\system32\dpqaqlqx.bin
C:\WINDOWS\system32\stfv.bin
C:\WINDOWS\system32\vvgeowbv.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wbeCheck.exe
C:\WINDOWS\wbeInst$.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\xadbrk.dll
C:\WINDOWS\xadbrk.exe
C:\WINDOWS\xadbrk_.exe
C:\WINDOWS\xxxvideo.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-02 to 2008-04-02 )))))))))))))))))))))))))))))))
.

2008-04-02 22:58 . 2008-04-02 22:58 102,400 --a------ C:\WINDOWS\system32\vejyhetg.exe
2008-04-02 22:00 . 2008-04-02 22:00 <DIR> d-------- C:\Program Files\HighCriteria
2008-04-02 22:00 . 2006-05-11 10:48 106,496 --a------ C:\WINDOWS\system32\DrvTrNTl.dll
2008-04-02 22:00 . 2006-05-17 21:53 54,272 --a------ C:\WINDOWS\system32\DrvTrNTm.dll
2008-04-02 21:58 . 2008-04-02 21:58 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-02 21:58 . 2008-04-02 21:59 <DIR> d-------- C:\Documents and Settings\Family\Contacts
2008-04-02 21:51 . 2008-04-02 21:51 <DIR> d-------- C:\Program Files\VideoLAN
2008-04-02 21:50 . 2008-04-02 21:51 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:48 . 2008-04-02 22:06 1,681 --a------ C:\WINDOWS\mozver.dat
2008-04-02 21:46 . 2008-04-02 21:57 <DIR> d-------- C:\Program Files\Windows Live
2008-04-02 21:46 . 2008-04-02 21:53 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-02 21:46 . 2008-04-02 21:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 21:45 . 2008-04-02 21:46 <DIR> d-------- C:\Program Files\Google
2008-04-02 21:42 . 2008-04-02 21:42 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 21:36 . 2008-04-02 21:36 <DIR> d-------- C:\Program Files\A4Tech
2008-04-02 21:24 . 2008-04-02 21:24 <DIR> d-------- C:\Program Files\Windows Sidebar
2008-04-02 21:23 . 2008-04-02 21:32 <DIR> d-------- C:\Program Files\Symantec
2008-04-02 21:23 . 2008-04-02 21:32 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-04-02 21:23 . 2008-04-02 21:32 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-04-02 21:23 . 2008-04-02 21:32 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-04-02 21:23 . 2008-04-02 21:32 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-04-02 20:49 . 2008-04-02 21:38 <DIR> d-------- C:\Program Files\Norton AntiVirus
2008-04-02 20:33 . 2008-04-02 21:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 20:32 . 2008-04-02 22:09 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-02 20:16 . 2008-04-02 21:02 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-02 20:15 . 2008-04-02 20:15 <DIR> d-------- C:\Documents and Settings\Family\Application Data\Windows Desktop Search
2008-04-02 20:13 . 2008-04-02 20:13 <DIR> d-------- C:\Program Files\Windows Desktop Search
2008-04-02 20:12 . 2008-04-02 20:12 <DIR> d--hs---- C:\Documents and Settings\Family\UserData
2008-04-02 19:28 . 2001-08-29 05:00 94,720 --a------ C:\WINDOWS\system32\CNMLM20.DLL
2008-04-02 19:28 . 2001-09-13 16:30 36,864 --a------ C:\WINDOWS\system32\CNMCP20.EXE
2008-04-02 19:28 . 2001-08-29 05:00 5,632 --a------ C:\WINDOWS\system32\CNMVS20.DLL
2008-04-02 19:26 . 2008-04-02 19:26 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-02 19:20 . 2008-04-02 19:21 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-04-02 19:18 . 2008-04-02 19:18 <DIR> dr-h----- C:\MSOCache
2008-04-02 19:18 . 2008-04-02 19:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-02 19:10 . 2008-04-02 19:10 <DIR> d-------- C:\Program Files\PowerISO
2008-04-02 19:07 . 2008-04-02 19:07 13,646 --a------ C:\WINDOWS\system32\wpa.bak
2008-04-02 18:51 . 2008-04-02 18:51 708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 18:42 . 2008-04-02 18:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\hudsfyvu
2008-04-02 18:42 . 2008-04-02 18:42 102,400 --a------ C:\WINDOWS\system32\dqbgtolu.exe
2008-04-02 18:29 . 2008-04-02 19:35 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:29 . 2006-06-02 02:47 163,840 -----c--- C:\WINDOWS\system32\dllcache\jgdw400.dll
2008-04-02 18:29 . 2006-06-02 02:47 27,648 -----c--- C:\WINDOWS\system32\dllcache\jgpl400.dll
2008-04-02 18:29 . 2007-01-03 11:21 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-04-02 18:11 . 2008-04-02 18:11 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:11 . 2004-10-08 08:26 159,744 -ra------ C:\WINDOWS\system32\igfxres.dll
2008-04-02 18:10 . 2008-04-02 18:10 <DIR> d-------- C:\Program Files\Realtek
2008-04-02 18:10 . 2008-04-02 18:10 <DIR> d-------- C:\Program Files\GIGABYTE
2008-04-02 18:08 . 2008-04-02 18:08 <DIR> d-------- C:\Program Files\Intel
2008-04-02 18:07 . 2008-04-02 18:10 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 18:07 . 2008-04-02 18:07 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 17:08 . 2008-04-02 17:08 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 17:08 . 2004-08-04 00:56 79,360 --a------ C:\WINDOWS\system32\CNBJMON2.DLL
2008-04-02 17:08 . 2001-07-21 18:52 33,489 --a------ C:\WINDOWS\system32\CNBJHLP2.HLP
2008-04-02 17:08 . 2001-07-21 18:52 1,075 --a------ C:\WINDOWS\system32\CNBJHLP2.CNT

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-02 10:26 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-04-02 08:54 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-06 13:32 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 13:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 13:32 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
.

------- Sigcheck -------

2008-04-02 18:26 502272 32cc6d444728812f7c57f4800f779396 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-04-02_22.58.59.62 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-02 13:57:04 29,926 ----a-r C:\WINDOWS\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
+ 2008-04-02 14:59:39 29,926 ----a-r C:\WINDOWS\Installer\{508CE775-4BA4-4748-82DF-FE28DA9F03B0}\MsblIco.Exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-04-02 21:33 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA}]
C:\WINDOWS\system32\batmete.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syngclrf"="C:\WINDOWS\system32\dqbgtolu.exe" [2008-04-02 18:42 102400]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"aucwgzbi"="C:\WINDOWS\system32\vejyhetg.exe" [2008-04-02 22:58 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2004-10-08 08:31 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-10-08 08:27 126976]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 15:10 61952 C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [2004-10-13 14:01 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2004-10-13 16:17 2742272 C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-02-14 11:01 51048]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2007-08-25 12:53 714608]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [2007-06-25 15:32 65536]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 05:22 3739648]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [2006-05-12 01:32 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2007-02-05 15:40:46 118784]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"TB0OVSNt8J"= C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2007-02-05 15:39 294400]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBRihfe]
geBRihfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 SymIMMP;SymIMMP;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 08:27]
S3 SymIM;Symantec Network Security Intermediate Filter Service;C:\WINDOWS\system32\DRIVERS\SymIM.sys [2007-08-10 08:27]

*Newly Created Service* - USNJSVC
.
Contents of the 'Scheduled Tasks' folder
"2008-04-02 13:28:28 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Family.job"
- C:\Program Files\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-02 23:24:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-02 23:24:50
ComboFix-quarantined-files.txt 2008-04-02 15:24:47
ComboFix2.txt 2008-04-02 14:59:40
Pre-Run: 26,018,533,376 bytes free
Post-Run: 26,011,463,680 bytes free
.
2008-04-02 10:30:06 --- E O F ---

KasperSky Log

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.Crwl Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.1.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010016.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010017.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010018.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001001A.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010035.ci Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010035.wid Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010035.wsb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy2.gthr Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_56c.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\ccSubSDK\submissions.idx Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\volatile.DAT Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-04-02_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{5DFE14F3-E78F-476C-ABB7-C15AE594D3A0}.ldb Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\Shl_{5DFE14F3-E78F-476C-ABB7-C15AE594D3A0}.sds Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\1126F3B8.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\2211C339.TMP Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cert8.db Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\history.dat Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\key3.db Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\parent.lock Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\search.sqlite Object is locked skipped

C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\urlclassifier2.sqlite Object is locked skipped

C:\Documents and Settings\Family\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\Cache\_CACHE_001_ Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\Cache\_CACHE_002_ Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\Cache\_CACHE_003_ Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\Cache\_CACHE_MAP_ Object is locked skipped

C:\Documents and Settings\Family\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Family\Local Settings\History\History.IE5\MSHist012008040320080404\index.dat Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Temp\Perflib_Perfdata_7f4.dat Object is locked skipped

C:\Documents and Settings\Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Family\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Family\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Desktop Search\Logs\UNCFATPHLog.txt Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped

C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped

C:\QooBox\Quarantine\catchme2008-04-02_225732.29.zip/Documents and Settings/Family/Desktop/catchme.zip/geBRihfe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped

C:\QooBox\Quarantine\catchme2008-04-02_225732.29.zip/Documents and Settings/Family/Desktop/catchme.zip Infected: not-a-virus:AdWare.Win32.Virtumonde.lvo skipped

C:\QooBox\Quarantine\catchme2008-04-02_225732.29.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{4179A91C-A144-40CB-899E-E3B254A9A3D4}\RP2\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\JET6B2D.tmp Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0005 Infected: Packed.Win32.PolyCrypt.d skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0022/Cabs.w1.cab/HyperbarSS3.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0022/Cabs.w1.cab/Hyperbar.dll Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0022/Cabs.w1.cab Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0022 Infected: not-a-virus:AdWare.Win32.HyperBar.b skipped

D:\My Documents\Varun\WarezP2P.exe/stream/data0029 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\My Documents\Varun\WarezP2P.exe/stream Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

D:\My Documents\Varun\WarezP2P.exe NSIS: infected - 7 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{4179A91C-A144-40CB-899E-E3B254A9A3D4}\RP2\change.log Object is locked skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\System Volume Information\_restore{4179A91C-A144-40CB-899E-E3B254A9A3D4}\RP2\change.log Object is locked skipped

E:\Varun-Room\Shared\Software\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\Varun-Room\Shared\Software\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\Varun-Room\Shared\Software\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\Varun-Room\Shared\Software\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped

E:\Varun-Room\Shared\Software\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped


I REALLY NEED YOUR HELP!

Edited by ei2kpi, 03 April 2008 - 12:56 AM.

  • 0

Advertisements

#2
koko_crunch
Posted 07 April 2008 - 12:34 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Hello ei2kpi and Welcome to Geeks to Go!

After reviewing your log, I found signs of malware in your system. Please read this post completely before proceeding with the fix. If you have questions, please don't hesitate to ask... :)


First,

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [aucwgzbi] C:\WINDOWS\system32\vejyhetg.exe
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O4 - HKLM\..\Policies\Explorer\Run: [TB0OVSNt8J] C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe
O20 - Winlogon Notify: geBRihfe - geBRihfe.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.
Close HiJackThis.



Next, please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\dqbgtolu.exe
    C:\WINDOWS\system32\vejyhetg.exe
    C:\WINDOWS\system32\tsdsbmhg.exe
    C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe
    C:\WINDOWS\system32\geBRihfe.dll
    C:\Documents and Settings\All Users\Application Data\hudsfyvu

  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Finally,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Log required on next post.

- OTMoveit2 log
- DSS log - main.txt and extra.txt
  • 0

#3
ei2kpi
Posted 07 April 2008 - 09:17 PM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
DSS Log:
Deckard's System Scanner v20071014.68
Run by Family on 2008-04-08 11:11:25
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-04-08 03:11:29 UTC - RP9 - Deckard's System Scanner Restore Point
8: 2008-04-07 05:42:39 UTC - RP8 - System Checkpoint
7: 2008-04-06 03:39:38 UTC - RP7 - System Checkpoint
6: 2008-04-04 18:45:43 UTC - RP6 - System Checkpoint
5: 2008-04-03 15:44:02 UTC - RP5 - Software Distribution Service 3.0


-- First Restore Point --
1: 2008-04-02 14:57:53 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:12:27 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dqbgtolu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Documents and Settings\Family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6327 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Multimedia Audio Controller
Device ID: PCI\VEN_1102&DEV_0004&SUBSYS_00511102&REV_03\4&10A6A55&0&08F0
Manufacturer:
Name: Multimedia Audio Controller
PNP Device ID: PCI\VEN_1102&DEV_0004&SUBSYS_00511102&REV_03\4&10A6A55&0&08F0
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Input Device
Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_03\4&10A6A55&0&09F0
Manufacturer:
Name: PCI Input Device
PNP Device ID: PCI\VEN_1102&DEV_7003&SUBSYS_00401102&REV_03\4&10A6A55&0&09F0
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-04-07 21:03:18 558 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Family.job


-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-07 12:50:20 0 d-------- C:\Documents and Settings\Family\Incomplete
2008-04-07 12:49:57 0 d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-04-07 12:49:06 0 d-------- C:\Program Files\LimeWire
2008-04-06 12:46:43 0 d-------- C:\WINDOWS\Sun
2008-04-06 12:46:43 0 d-------- C:\Documents and Settings\Family\Application Data\Sun
2008-04-05 23:10:01 0 d-------- C:\Program Files\uTorrent
2008-04-05 23:09:57 0 d-------- C:\Documents and Settings\Family\Application Data\uTorrent
2008-04-05 11:49:03 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-05 11:49:02 0 d-------- C:\Documents and Settings\Family\Application Data\skypePM
2008-04-05 11:46:35 0 d-------- C:\Documents and Settings\Family\Application Data\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Common Files\Skype
2008-04-05 11:45:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-04-04 00:01:22 0 d-------- C:\Documents and Settings\Family\Application Data\vlc
2008-04-03 15:33:17 0 d-------- C:\Program Files\Java
2008-04-03 15:33:00 0 d-------- C:\Program Files\Common Files\Java
2008-04-03 11:07:54 0 d-------- C:\Program Files\Trend Micro
2008-04-03 00:39:29 0 d--hs---- C:\WINDOWS\Installer
2008-04-03 00:39:28 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-03 00:39:25 0 d-------- C:\Program Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-03 00:38:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Start Menu
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-03 00:38:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-03 00:38:37 0 d--h----- C:\Documents and Settings\All Users\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-03 00:37:52 0 d--hs---- C:\System Volume Information
2008-04-03 00:37:52 0 d-------- C:\Documents and Settings
2008-04-03 00:30:03 0 d-------- C:\WINDOWS
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\WinSxS
2008-04-03 00:30:03 0 dr------- C:\WINDOWS\Web
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\twain_32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wins
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wbem
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\usmt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\spool
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\Setup
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ras
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\oobe
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\npp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\IME
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ias
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\export
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-03 00:30:03 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3076
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\2052
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1054
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1042
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1041
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1037
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1033
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1031
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1028
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1025
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\security
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Resources
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\repair
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Provisioning
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\PeerNet
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\pchealth
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msapps
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msagent
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Media
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\java
2008-04-03 00:30:03 0 d--h----- C:\WINDOWS\inf
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ime
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Help
2008-04-03 00:30:03 0 dr--s---- C:\WINDOWS\Fonts
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ehome
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Driver Cache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\dell
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Debug
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Cursors
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\AppPatch
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\addins
2008-04-02 23:27:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:27:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 23:24:51 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-02 22:47:22 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 22:47:22 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 22:47:22 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 22:47:22 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 22:06:49 0 d-------- C:\Documents and Settings\Family\Application Data\Adobe
2008-04-02 22:00:11 0 d-------- C:\Program Files\HighCriteria
2008-04-02 22:00:10 54272 --a------ C:\WINDOWS\system32\DrvTrNTm.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 22:00:10 106496 --a------ C:\WINDOWS\system32\DrvTrNTl.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 21:58:48 0 d-------- C:\Documents and Settings\Family\Contacts
2008-04-02 21:58:01 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-02 21:51:30 0 d-------- C:\Program Files\VideoLAN
2008-04-02 21:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 21:50:41 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:48:57 1681 --a------ C:\WINDOWS\mozver.dat
2008-04-02 21:46:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-02 21:46:31 0 d-------- C:\Program Files\Windows Live
2008-04-02 21:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 21:46:18 0 d-------- C:\Documents and Settings\Family\Application Data\Macromedia
2008-04-02 21:45:52 0 d-------- C:\Program Files\Google
2008-04-02 21:42:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 21:41:55 0 d-------- C:\Documents and Settings\Family\Application Data\Mozilla
2008-04-02 21:36:02 0 d-------- C:\Program Files\A4Tech
2008-04-02 21:35:51 0 d-------- C:\Documents and Settings\Family\Application Data\WinRAR
2008-04-02 21:24:27 0 d-------- C:\Program Files\Windows Sidebar
2008-04-02 21:23:00 0 d-------- C:\Program Files\Symantec
2008-04-02 20:49:55 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-02 20:33:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 20:32:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-02 20:16:26 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-02 20:13:34 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-02 20:12:18 0 d--hs---- C:\Documents and Settings\Family\UserData
2008-04-02 19:35:08 0 d-------- C:\WINDOWS\network diagnostic
2008-04-02 19:28:51 5632 --a------ C:\WINDOWS\system32\CNMVS20.DLL
2008-04-02 19:28:50 94720 --a------ C:\WINDOWS\system32\CNMLM20.DLL <Not Verified; CANON INC.; Canon BJ Raster Printer Driver for Microsoft Windows XP / Windows 2000>
2008-04-02 19:28:37 36864 --a------ C:\WINDOWS\system32\CNMCP20.EXE
2008-04-02 19:28:36 0 d--h----- C:\BJPrinter
2008-04-02 19:26:19 0 d-------- C:\Program Files\Microsoft Works
2008-04-02 19:20:12 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-02 19:18:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-02 19:18:25 0 dr-h----- C:\MSOCache
2008-04-02 19:10:03 0 d-------- C:\Program Files\PowerISO
2008-04-02 18:51:22 708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 18:29:40 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-02 18:29:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:13:12 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-02 18:11:53 0 d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:10:58 0 d-------- C:\Program Files\GIGABYTE
2008-04-02 18:10:57 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-02 18:10:38 0 d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:10:18 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-02 18:10:10 40448 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-04-02 18:10:10 8376832 -----n--- C:\WINDOWS\RTHDCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek HD Audio Sound Effect Manager>
2008-04-02 18:10:01 0 d-------- C:\Program Files\Realtek
2008-04-02 18:08:06 0 d-------- C:\Program Files\Intel
2008-04-02 18:07:27 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-02 18:07:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 18:07:22 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 17:51:24 0 d-------- C:\Documents and Settings\Family\Application Data\Identities
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\SendTo
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\Recent
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\PrintHood
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\NetHood
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\My Documents
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Local Settings
2008-04-02 17:51:17 0 dr------- C:\Documents and Settings\Family\Favorites
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\Desktop
2008-04-02 17:51:17 0 d--hs---- C:\Documents and Settings\Family\Cookies
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Application Data
2008-04-02 17:51:16 0 d--h----- C:\Documents and Settings\Family\Templates
2008-04-02 17:51:16 0 d-------- C:\Documents and Settings\Family\Start Menu
2008-04-02 17:51:16 2359296 --ah----- C:\Documents and Settings\Family\NTUSER.DAT
2008-04-02 17:08:25 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-02 17:08:24 0 d-------- C:\WINDOWS\Prefetch
2008-04-02 17:08:23 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 17:08:23 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-02 17:08:23 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-02 17:08:23 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-02 17:08:23 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-02 17:08:23 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-02 16:57:38 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-02 16:57:38 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-02 16:57:38 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-02 16:57:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-02 16:57:38 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-02 16:54:57 0 d-------- C:\WINDOWS\system32\xircom
2008-04-02 16:54:57 0 d-------- C:\Program Files\microsoft frontpage
2008-04-02 16:54:46 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-02 16:54:46 0 d-------- C:\DELL
2008-04-02 16:54:38 0 -rahs---- C:\MSDOS.SYS
2008-04-02 16:54:38 0 -rahs---- C:\IO.SYS
2008-04-02 16:54:38 0 --a------ C:\CONFIG.SYS
2008-04-02 16:54:38 0 --a------ C:\AUTOEXEC.BAT
2008-04-02 16:53:42 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-02 16:53:33 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-02 16:53:33 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-02 16:53:24 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-02 16:53:08 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-02 16:52:38 0 d---s---- C:\WINDOWS\Tasks
2008-04-02 16:52:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-02 16:52:35 0 d-------- C:\WINDOWS\srchasst
2008-04-02 16:52:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-02 16:52:28 0 d-------- C:\Program Files\Movie Maker
2008-04-02 16:52:22 0 d-------- C:\WINDOWS\system32\Restore
2008-04-02 16:51:49 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-02 16:51:36 0 d-------- C:\WINDOWS\Registration
2008-04-02 16:51:29 0 d-------- C:\Program Files\Online Services
2008-04-02 16:51:24 0 d-------- C:\Program Files\Messenger
2008-04-02 16:51:22 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-02 16:50:52 0 d-------- C:\Program Files\Windows NT
2008-04-02 16:50:49 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-02 16:50:48 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-03 00:38:57 62 --ahs---- C:\Documents and Settings\Family\Application Data\desktop.ini
2008-04-02 18:26:30 502272 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/02/2008 09:33 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA}]
C:\WINDOWS\system32\batmete.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 08:31 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 08:27 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 03:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 02:01 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 04:17 PM C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/25/2007 12:53 PM]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [06/25/2007 03:32 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 05:22 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [05/12/2006 01:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syngclrf"="C:\WINDOWS\system32\dqbgtolu.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"rpsacezw"="C:\WINDOWS\system32\tsdsbmhg.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd11113-02e5-11dd-8951-000feae467c6}]
Auto\command- Recycler.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycler.exe




-- End of Deckard's System Scanner: finished at 2008-04-08 11:13:31 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 3.00GHz
CPU 1: Intel® Pentium® 4 CPU 3.00GHz
Percentage of Memory in Use: 67%
Physical Memory (total/avail): 503.48 MiB / 166.04 MiB
Pagefile Memory (total/avail): 1230 MiB / 849.84 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1892.66 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 29.84 GiB total, 22.93 GiB free.
D: is Fixed (NTFS) - 8.63 GiB total, 1.64 GiB free.
E: is Fixed (NTFS) - 44.68 GiB total, 1.83 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)
H: is Fixed (NTFS) - 10 GiB total, 9.95 GiB free.

\\.\PHYSICALDRIVE1 - ST320011A - 18.65 GiB - 2 partitions
\PARTITION0 - Installable File System - 10 GiB - H:
\PARTITION1 - Installable File System - 8.63 GiB - D:

\\.\PHYSICALDRIVE0 - ST380817AS - 74.53 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 29.84 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 44.68 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: Norton AntiVirus v15.0.0.58 (Symantec Corporation)
AV: Norton AntiVirus v15.0.0.58 (Symantec Corporation)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Family\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-COMPUTER
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Family
LOGONSERVER=\\HOME-COMPUTER
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Family\LOCALS~1\Temp
TMP=C:\DOCUME~1\Family\LOCALS~1\Temp
USERDOMAIN=HOME-COMPUTER
USERNAME=Family
USERPROFILE=C:\Documents and Settings\Family
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Family (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> "C:\Program Files\Symantec\LiveUpdate\LSETUP.EXE" /U
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
A4Tech iKeyWorks 7.80 --> C:\Program Files\A4Tech\Keyboard\Uninst32.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
AppCore --> MsiExec.exe /I{EFB5B3B5-A280-4E25-BE1C-634EEFE32C1B}
BJC-265SP --> C:\WINDOWS\system32\CNMCP20.EXE -@C:\WINDOWS\IsUninst.exe -f"C:\BJPrinter\CNMWINDOWS\Canon BJC-265SP Installer\Inst\DeIsL1.isu" -pCanon BJC-265SP-c"C:\BJPrinter\CNMWINDOWS\Canon BJC-265SP Installer\Inst\bjinst.dll
ccCommon --> MsiExec.exe /I{B24E05CC-46FF-4787-BBB8-5CD516AFB118}
Component Framework --> MsiExec.exe /I{31478BE1-CDE5-4753-A8B2-F6D4BC1FBE09}
DriverCD --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\GIGABYTE\DriverCD\Uninst.isu"
getPlus®_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
Google Talk (remove only) --> "C:\Program Files\Google\Google Talk\uninstall.exe"
High Definition Audio Driver Package - KB835221 --> C:\WINDOWS\$NtUninstallKB835221WXP$\spuninst\spuninst.exe
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Intel® Graphics Media Accelerator Driver --> RUNDLL32.EXE C:\WINDOWS\system32\ialmrem.dll,UninstallW2KIGfx2ID PCI\VEN_8086&DEV_2782 PCI\VEN_8086&DEV_2582
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
Kaspersky Online Scanner --> C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LimeWire PRO 4.12.3 --> "C:\Program Files\LimeWire\uninstall.exe"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /x {E80F62FF-5D3C-4A19-8409-9721F2928206} /l*v "C:\Documents and Settings\All Users\Application Data\LuUninstall.LiveUpdate"
LiveUpdate (Symantec Corporation) --> MsiExec.exe /X{E80F62FF-5D3C-4A19-8409-9721F2928206}
Microsoft Office Access MUI (English) 2007 --> MsiExec.exe /X{90120000-0015-0409-0000-0000000FF1CE}
Microsoft Office Access Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0117-0409-0000-0000000FF1CE}
Microsoft Office Enterprise 2007 --> "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\Office Setup Controller\setup.exe" /uninstall ENTERPRISE /dll OSETUP.DLL
Microsoft Office Enterprise 2007 --> MsiExec.exe /X{90120000-0030-0000-0000-0000000FF1CE}
Microsoft Office Excel MUI (English) 2007 --> MsiExec.exe /X{90120000-0016-0409-0000-0000000FF1CE}
Microsoft Office Groove MUI (English) 2007 --> MsiExec.exe /X{90120000-00BA-0409-0000-0000000FF1CE}
Microsoft Office Groove Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0114-0409-0000-0000000FF1CE}
Microsoft Office InfoPath MUI (English) 2007 --> MsiExec.exe /X{90120000-0044-0409-0000-0000000FF1CE}
Microsoft Office OneNote MUI (English) 2007 --> MsiExec.exe /X{90120000-00A1-0409-0000-0000000FF1CE}
Microsoft Office Outlook MUI (English) 2007 --> MsiExec.exe /X{90120000-001A-0409-0000-0000000FF1CE}
Microsoft Office PowerPoint MUI (English) 2007 --> MsiExec.exe /X{90120000-0018-0409-0000-0000000FF1CE}
Microsoft Office Proof (English) 2007 --> MsiExec.exe /X{90120000-001F-0409-0000-0000000FF1CE}
Microsoft Office Proof (French) 2007 --> MsiExec.exe /X{90120000-001F-040C-0000-0000000FF1CE}
Microsoft Office Proof (Spanish) 2007 --> MsiExec.exe /X{90120000-001F-0C0A-0000-0000000FF1CE}
Microsoft Office Proofing (English) 2007 --> MsiExec.exe /X{90120000-002C-0409-0000-0000000FF1CE}
Microsoft Office Publisher MUI (English) 2007 --> MsiExec.exe /X{90120000-0019-0409-0000-0000000FF1CE}
Microsoft Office Shared MUI (English) 2007 --> MsiExec.exe /X{90120000-006E-0409-0000-0000000FF1CE}
Microsoft Office Shared Setup Metadata MUI (English) 2007 --> MsiExec.exe /X{90120000-0115-0409-0000-0000000FF1CE}
Microsoft Office Word MUI (English) 2007 --> MsiExec.exe /X{90120000-001B-0409-0000-0000000FF1CE}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (2.0.0.13) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
Norton AntiVirus --> MsiExec.exe /X{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}
Norton AntiVirus (Symantec Corporation) --> "C:\Program Files\Common Files\Symantec Shared\SymSetup\{77FFBA7E-0973-4F39-BBDB-AC2F537578D2}_15_0_0_58\Setup.exe" /X
Norton AntiVirus Help --> MsiExec.exe /I{34EEB1F5-E939-40A1-A6BA-957282A4B2C8}
Norton Protection Center --> MsiExec.exe /I{62120008-8E1E-4807-860D-A8B48F8552DB}
PowerISO --> "C:\Program Files\PowerISO\uninstall.exe"
REALTEK Gigabit and Fast Ethernet NIC Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{94FB906A-CF42-4128-A509-D353026A607E}\SETUP.EXE" -l0x9 REMOVE
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\setup.exe" REMOVE
Security Update for Excel 2007 (KB946974) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {85E83E2E-AF9B-439B-B4F9-EB9B7EF6A00E}
Security Update for Office 2007 (KB947801) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {02B5A17B-01BE-4BA6-95F1-1CBB46EBC76E}
Security Update for Outlook 2007 (KB946983) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {66B9496E-C0C3-4065-9868-85CCA92126C3}
Skype™ 3.6 --> MsiExec.exe /X{5C82DAE5-6EB0-4374-9254-BE3319BA4E82}
SPBBC 32bit --> MsiExec.exe /I{77772678-817F-4401-9301-ED1D01A8DA56}
SymNet --> MsiExec.exe /I{2DA85B02-13C0-4E6D-9A76-22E6B3DD0CB2}
Total Recorder 6.0 --> "C:\Program Files\HighCriteria\TotalRecorder\setup.exe" U
Update for Outlook 2007 Junk Email Filter (kb947945) --> msiexec /package {90120000-0030-0000-0000-0000000FF1CE} /uninstall {E397056B-7AE5-4FF1-8B13-276BF8201847}
VideoLAN VLC media player 0.8.6e --> C:\Program Files\VideoLAN\VLC\uninstall.exe
Windows Live installer --> MsiExec.exe /X{A7E4ECCA-4A8E-4258-8EC8-2DCCF5B11320}
Windows Live Messenger --> MsiExec.exe /X{508CE775-4BA4-4748-82DF-FE28DA9F03B0}
Windows Live Sign-in Assistant --> MsiExec.exe /I{AFA4E5FD-ED70-4D92-99D0-162FD56DC986}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type681 / Success
Event Submitted/Written: 04/07/2008 06:05:27 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type680 / Error
Event Submitted/Written: 04/07/2008 06:05:19 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007041F from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type653 / Success
Event Submitted/Written: 04/07/2008 05:28:55 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type652 / Error
Event Submitted/Written: 04/07/2008 05:28:44 PM
Event ID/Source: 4609 / EventSystem
Event Description:
The COM+ Event System detected a bad return code during its internal processing. HRESULT was 8007041F from line 44 of d:\qxp_slp\com\com1x\src\events\tier1\eventsystemobj.cpp. Please contact Microsoft Product Support Services to report this error.

Event Record #/Type628 / Success
Event Submitted/Written: 04/07/2008 04:54:53 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type1266 / Warning
Event Submitted/Written: 04/08/2008 07:44:26 AM
Event ID/Source: 36 / W32Time
Event Description:
The time service has not been able to synchronize the system time
for 49152 seconds because none of the time providers has been able to
provide a usable time stamp. The system clock is unsynchronized.

Event Record #/Type1231 / Error
Event Submitted/Written: 04/07/2008 06:05:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service EventSystem with arguments ""
in order to run the server:
{1BE1F766-5536-11D1-B726-00C04FB926AF}

Event Record #/Type1230 / Error
Event Submitted/Written: 04/07/2008 06:05:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service netman with arguments ""
in order to run the server:
{BA126AE5-2166-11D1-B1D0-00805FC1270E}

Event Record #/Type1229 / Error
Event Submitted/Written: 04/07/2008 06:05:19 PM
Event ID/Source: 10005 / DCOM
Event Description:
DCOM got error "%%1055" attempting to start the service winmgmt with arguments ""
in order to run the server:
{8BC3F05E-D86B-11D0-A075-00C04FB68820}

Event Record #/Type1225 / Error
Event Submitted/Written: 04/07/2008 06:02:05 PM
Event ID/Source: 7 / Cdrom
Event Description:
The device, \Device\CdRom0, has a bad block.



-- End of Deckard's System Scanner: finished at 2008-04-08 11:13:31 ------------

OTMove it Log:
C:\WINDOWS\system32\dqbgtolu.exe moved successfully.
C:\WINDOWS\system32\vejyhetg.exe moved successfully.
C:\WINDOWS\system32\tsdsbmhg.exe moved successfully.
C:\Documents and Settings\All Users\Application Data\hudsfyvu\nyjelcng.exe moved successfully.
File/Folder C:\WINDOWS\system32\geBRihfe.dll not found.
C:\Documents and Settings\All Users\Application Data\hudsfyvu moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_110505

New HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:16:33 AM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\dqbgtolu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Family\Desktop\Hijackthis\HiJackThis_v2.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Sh
  • 0

#4
koko_crunch
Posted 07 April 2008 - 11:51 PM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Much better. :)

Next,

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
  • 0

#5
ei2kpi
Posted 08 April 2008 - 01:27 AM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hi koko crunch....
bit of a problem.. so I deleted my old combofix and downloaded the one you asked me to. but it doesnt open!
It shows the blue command prompt window for a moment then it dissapears and nothing after that.

Dunno if it will help but here is my current hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:26:09 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6302 bytes
  • 0

#6
koko_crunch
Posted 08 April 2008 - 03:19 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
That's a bit odd, we'll try Combofix later. For the meantime,

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

  • 0

#7
koko_crunch
Posted 08 April 2008 - 03:22 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
also

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#8
ei2kpi
Posted 08 April 2008 - 05:14 AM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Alright so now DSS.exe only gave me a main.txt report... no extra.txt...

(running the other panda scan now)

here it is:

Deckard's System Scanner v20071014.68
Run by Family on 2008-04-08 19:10:09
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:10:16 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6240 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-07 12:50:20 0 d-------- C:\Documents and Settings\Family\Incomplete
2008-04-07 12:49:57 0 d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-04-07 12:49:06 0 d-------- C:\Program Files\LimeWire
2008-04-06 12:46:43 0 d-------- C:\WINDOWS\Sun
2008-04-06 12:46:43 0 d-------- C:\Documents and Settings\Family\Application Data\Sun
2008-04-05 23:10:01 0 d-------- C:\Program Files\uTorrent
2008-04-05 23:09:57 0 d-------- C:\Documents and Settings\Family\Application Data\uTorrent
2008-04-05 11:49:03 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-05 11:49:02 0 d-------- C:\Documents and Settings\Family\Application Data\skypePM
2008-04-05 11:46:35 0 d-------- C:\Documents and Settings\Family\Application Data\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Common Files\Skype
2008-04-05 11:45:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-04-04 00:01:22 0 d-------- C:\Documents and Settings\Family\Application Data\vlc
2008-04-03 15:33:17 0 d-------- C:\Program Files\Java
2008-04-03 15:33:00 0 d-------- C:\Program Files\Common Files\Java
2008-04-03 11:07:54 0 d-------- C:\Program Files\Trend Micro
2008-04-03 00:39:29 0 d--hs---- C:\WINDOWS\Installer
2008-04-03 00:39:28 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-03 00:39:25 0 d-------- C:\Program Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-03 00:38:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Start Menu
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-03 00:38:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-03 00:38:37 0 d--h----- C:\Documents and Settings\All Users\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-03 00:37:52 0 d--hs---- C:\System Volume Information
2008-04-03 00:37:52 0 d-------- C:\Documents and Settings
2008-04-03 00:30:03 0 d-------- C:\WINDOWS
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\WinSxS
2008-04-03 00:30:03 0 dr------- C:\WINDOWS\Web
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\twain_32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wins
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wbem
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\usmt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\spool
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\Setup
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ras
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\oobe
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\npp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\IME
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ias
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\export
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-03 00:30:03 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3076
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\2052
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1054
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1042
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1041
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1037
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1033
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1031
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1028
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1025
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\security
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Resources
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\repair
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Provisioning
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\PeerNet
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\pchealth
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msapps
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msagent
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Media
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\java
2008-04-03 00:30:03 0 d--h----- C:\WINDOWS\inf
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ime
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Help
2008-04-03 00:30:03 0 dr--s---- C:\WINDOWS\Fonts
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ehome
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Driver Cache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\dell
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Debug
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Cursors
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\AppPatch
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\addins
2008-04-02 23:27:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:27:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 23:24:51 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-02 22:47:22 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 22:47:22 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 22:47:22 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 22:47:22 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 22:06:49 0 d-------- C:\Documents and Settings\Family\Application Data\Adobe
2008-04-02 22:00:11 0 d-------- C:\Program Files\HighCriteria
2008-04-02 22:00:10 54272 --a------ C:\WINDOWS\system32\DrvTrNTm.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 22:00:10 106496 --a------ C:\WINDOWS\system32\DrvTrNTl.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 21:58:48 0 d-------- C:\Documents and Settings\Family\Contacts
2008-04-02 21:58:01 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-02 21:51:30 0 d-------- C:\Program Files\VideoLAN
2008-04-02 21:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 21:50:41 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:48:57 1681 --a------ C:\WINDOWS\mozver.dat
2008-04-02 21:46:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-02 21:46:31 0 d-------- C:\Program Files\Windows Live
2008-04-02 21:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 21:46:18 0 d-------- C:\Documents and Settings\Family\Application Data\Macromedia
2008-04-02 21:45:52 0 d-------- C:\Program Files\Google
2008-04-02 21:42:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 21:41:55 0 d-------- C:\Documents and Settings\Family\Application Data\Mozilla
2008-04-02 21:36:02 0 d-------- C:\Program Files\A4Tech
2008-04-02 21:35:51 0 d-------- C:\Documents and Settings\Family\Application Data\WinRAR
2008-04-02 21:24:27 0 d-------- C:\Program Files\Windows Sidebar
2008-04-02 21:23:00 0 d-------- C:\Program Files\Symantec
2008-04-02 20:49:55 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-02 20:33:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 20:32:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-02 20:16:26 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-02 20:13:34 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-02 20:12:18 0 d--hs---- C:\Documents and Settings\Family\UserData
2008-04-02 19:35:08 0 d-------- C:\WINDOWS\network diagnostic
2008-04-02 19:28:51 5632 --a------ C:\WINDOWS\system32\CNMVS20.DLL
2008-04-02 19:28:50 94720 --a------ C:\WINDOWS\system32\CNMLM20.DLL <Not Verified; CANON INC.; Canon BJ Raster Printer Driver for Microsoft Windows XP / Windows 2000>
2008-04-02 19:28:37 36864 --a------ C:\WINDOWS\system32\CNMCP20.EXE
2008-04-02 19:28:36 0 d--h----- C:\BJPrinter
2008-04-02 19:26:19 0 d-------- C:\Program Files\Microsoft Works
2008-04-02 19:20:12 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-02 19:18:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-02 19:18:25 0 dr-h----- C:\MSOCache
2008-04-02 19:10:03 0 d-------- C:\Program Files\PowerISO
2008-04-02 18:51:22 708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 18:29:40 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-02 18:29:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:13:12 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-02 18:11:53 0 d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:10:58 0 d-------- C:\Program Files\GIGABYTE
2008-04-02 18:10:57 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-02 18:10:38 0 d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:10:18 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-02 18:10:10 40448 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-04-02 18:10:10 8376832 -----n--- C:\WINDOWS\RTHDCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek HD Audio Sound Effect Manager>
2008-04-02 18:10:01 0 d-------- C:\Program Files\Realtek
2008-04-02 18:08:06 0 d-------- C:\Program Files\Intel
2008-04-02 18:07:27 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-02 18:07:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 18:07:22 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 17:51:24 0 d-------- C:\Documents and Settings\Family\Application Data\Identities
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\SendTo
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\Recent
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\PrintHood
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\NetHood
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\My Documents
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Local Settings
2008-04-02 17:51:17 0 dr------- C:\Documents and Settings\Family\Favorites
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\Desktop
2008-04-02 17:51:17 0 d--hs---- C:\Documents and Settings\Family\Cookies
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Application Data
2008-04-02 17:51:16 0 d--h----- C:\Documents and Settings\Family\Templates
2008-04-02 17:51:16 0 d-------- C:\Documents and Settings\Family\Start Menu
2008-04-02 17:51:16 2359296 --ah----- C:\Documents and Settings\Family\NTUSER.DAT
2008-04-02 17:08:25 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-02 17:08:24 0 d-------- C:\WINDOWS\Prefetch
2008-04-02 17:08:23 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 17:08:23 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-02 17:08:23 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-02 17:08:23 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-02 17:08:23 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-02 17:08:23 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-02 16:57:38 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-02 16:57:38 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-02 16:57:38 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-02 16:57:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-02 16:57:38 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-02 16:54:57 0 d-------- C:\WINDOWS\system32\xircom
2008-04-02 16:54:57 0 d-------- C:\Program Files\microsoft frontpage
2008-04-02 16:54:46 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-02 16:54:46 0 d-------- C:\DELL
2008-04-02 16:54:38 0 -rahs---- C:\MSDOS.SYS
2008-04-02 16:54:38 0 -rahs---- C:\IO.SYS
2008-04-02 16:54:38 0 --a------ C:\CONFIG.SYS
2008-04-02 16:54:38 0 --a------ C:\AUTOEXEC.BAT
2008-04-02 16:53:42 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-02 16:53:33 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-02 16:53:33 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-02 16:53:24 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-02 16:53:08 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-02 16:52:38 0 d---s---- C:\WINDOWS\Tasks
2008-04-02 16:52:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-02 16:52:35 0 d-------- C:\WINDOWS\srchasst
2008-04-02 16:52:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-02 16:52:28 0 d-------- C:\Program Files\Movie Maker
2008-04-02 16:52:22 0 d-------- C:\WINDOWS\system32\Restore
2008-04-02 16:51:49 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-02 16:51:36 0 d-------- C:\WINDOWS\Registration
2008-04-02 16:51:29 0 d-------- C:\Program Files\Online Services
2008-04-02 16:51:24 0 d-------- C:\Program Files\Messenger
2008-04-02 16:51:22 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-02 16:50:52 0 d-------- C:\Program Files\Windows NT
2008-04-02 16:50:49 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-02 16:50:48 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-03 00:38:57 62 --ahs---- C:\Documents and Settings\Family\Application Data\desktop.ini
2008-04-02 18:26:30 502272 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/02/2008 09:33 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA}]
C:\WINDOWS\system32\batmete.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 08:31 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 08:27 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 03:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 02:01 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 04:17 PM C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/25/2007 12:53 PM]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [06/25/2007 03:32 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 05:22 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [05/12/2006 01:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"syngclrf"="C:\WINDOWS\system32\dqbgtolu.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]
"rpsacezw"="C:\WINDOWS\system32\tsdsbmhg.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"disableregistrytools"=0 (0x0)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd11113-02e5-11dd-8951-000feae467c6}]
Auto\command- Recycler.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Recycler.exe




-- End of Deckard's System Scanner: finished at 2008-04-08 19:11:04 ------------
  • 0

#9
ei2kpi
Posted 08 April 2008 - 07:23 AM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
and here is the active scan:

;*******************************************************************************
*********************************************************************************
*******************
ANALYSIS: 2008-04-08 21:20:40
PROTECTIONS: 1
MALWARE: 39
SUSPECTS: 0
;*******************************************************************************
*********************************************************************************
*******************
PROTECTIONS
Description Version Active Updated
;===============================================================================
=================================================================================
===================
Norton AntiVirus 15.0.0.58 Yes Yes
;===============================================================================
=================================================================================
===================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
=================================================================================
===================
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@casalemedia[1].txt
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.casalemedia.com/]
00139060 Cookie/Casalemedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.casalemedia.com/]
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@doubleclick[2].txt
00139061 Cookie/Doubleclick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.doubleclick.net/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.atdmt.com/]
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@atdmt[2].txt
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tradedoubler.com/]
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tradedoubler.com/]
00145393 Cookie/Tradedoubler TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@tradedoubler[1].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@fastclick[2].txt
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.fastclick.net/]
00145457 Cookie/FastClick TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.fastclick.net/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@tribalfusion[1].txt
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tribalfusion.com/]
00145731 Cookie/Tribalfusion TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.tribalfusion.com/]
00145738 Cookie/Mediaplex TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.mediaplex.com/]
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.linksynergy.com/]
00145807 Cookie/Linksynergy TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.linksynergy.com/]
00145869 Cookie/SpyLog TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@spylog[2].txt
00145881 Cookie/NewMedia TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.anm.co.uk/]
00147824 Cookie/Clickbank TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.clickbank.net/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.com.com/]
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@com[1].txt
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.yadro.ru/]
00167647 Cookie/Yadro TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.yadro.ru/]
00167724 Cookie/HotLog TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.hotlog.ru/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@statcounter[1].txt
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167753 Cookie/Statcounter TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.statcounter.com/]
00167760 Cookie/Hitslink TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][1].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][2].txt
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168056 Cookie/YieldManager TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[ad.yieldmanager.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.apmebf.com/]
00168061 Cookie/Apmebf TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@apmebf[1].txt
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.burstnet.com/]
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.burstnet.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.888.com/]
00168095 Cookie/888 TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.888.com/]
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@adtech[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@advertising[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.advertising.com/]
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.advertising.com/]
00169286 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.sextracker.com/]
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][1].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][2].txt
00170304 Cookie/WebtrendsLive TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[statse.webtrendslive.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.ads.pointroll.com/]
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.questionmarket.com/]
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@questionmarket[2].txt
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.zedo.com/]
00172221 Cookie/Zedo TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@zedo[2].txt
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.bluestreak.com/]
00173520 Cookie/Bluestreak TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@bluestreak[2].txt
00184846 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@adrevolver[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.adultfriendfinder.com/]
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.adultfriendfinder.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.go.com/]
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@go[1].txt
00199984 Cookie/Searchportal TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][1].txt
00207936 Cookie/Adviva TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\family@adviva[2].txt
00251542 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[counter5.sextracker.com/]
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\6h88aybw.default\cookies.txt[.atwola.com/]
00337702 Trj/SpamtaLoad.BH Virus/Trojan No 0 Yes No archive folders\inbox\mail server report.\update-kb3828-x86.zl9
00337702 Trj/SpamtaLoad.BH Virus/Trojan No 0 Yes No archives\inbox\mail server report.\update-kb3828-x86.zl9
00337702 Trj/SpamtaLoad.BH Virus/Trojan No 0 Yes No archive folders\inbox\mail server report.\update-kb3828-x86.zl9
00337702 Trj/SpamtaLoad.BH Virus/Trojan No 0 Yes No archive folders\inbox\mail server report.\update-kb3828-x86.zl9
01185375 Application/Psexec.A HackTools No 0 Yes No C:\System Volume Information\_restore{4179A91C-A144-40CB-899E-E3B254A9A3D4}\RP2\A0000067.EXE
01185375 Application/Psexec.A HackTools No 0 Yes No C:\WINDOWS\PSEXESVC.EXE
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Family\Cookies\[email protected][1].txt
;===============================================================================
=================================================================================
===================
SUSPECTS
Sent Location LZ
;===============================================================================
=================================================================================
===================
;===============================================================================
=================================================================================
===================
VULNERABILITIES
Id Severity Description LZ
;===============================================================================
=================================================================================
===================
182048 HIGH MS07-069 LZ
176382 HIGH MS07-057 LZ
170906 HIGH MS07-045 LZ
170904 HIGH MS07-043 LZ
164913 HIGH MS07-033 LZ
160623 HIGH MS07-027 LZ
150253 HIGH MS07-016 LZ
;===============================================================================
=================================================================================
===================
  • 0

#10
koko_crunch
Posted 08 April 2008 - 07:48 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Moving on... :)

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7ED18513-0A0E-40BB-9F3E-B8EEC9E6DBDA} - C:\WINDOWS\system32\batmete.dll (file missing)
O4 - HKCU\..\Run: [syngclrf] C:\WINDOWS\system32\dqbgtolu.exe
O4 - HKCU\..\Run: [rpsacezw] C:\WINDOWS\system32\tsdsbmhg.exe

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.


Next,

Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    [x-code]C:\WINDOWS\system32\Recycler.exe
    HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd11113-02e5-11dd-8951-000feae467c6}
    [/x-code]
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Reboot computer.

Post back with

- OTMoveIt log
- New DSS log main.txt
  • 0

Advertisements

#11
ei2kpi
Posted 08 April 2008 - 08:09 AM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
OTMove it:

File/Folder C:\WINDOWS\system32\Recycler.exe not found.
< HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd11113-02e5-11dd-8951-000feae467c6} >
Registry key HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0bd11113-02e5-11dd-8951-000feae467c6}\\ deleted successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04082008_220615

DSS:

Deckard's System Scanner v20071014.68
Run by Family on 2008-04-08 22:07:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 504 MiB (512 MiB recommended).


-- HijackThis (run as Family.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:39 PM, on 4/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\ALCWZRD.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Family\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Family.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symant...ex/symdlmgr.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 6195 bytes

-- Files created between 2008-03-08 and 2008-04-08 -----------------------------

2008-04-08 19:16:04 0 d-------- C:\Program Files\Panda Security
2008-04-08 19:16:03 0 d-------- C:\WINDOWS\LastGood
2008-04-07 12:50:20 0 d-------- C:\Documents and Settings\Family\Incomplete
2008-04-07 12:49:57 0 d-------- C:\Documents and Settings\Family\Application Data\LimeWire
2008-04-07 12:49:06 0 d-------- C:\Program Files\LimeWire
2008-04-06 12:46:43 0 d-------- C:\WINDOWS\Sun
2008-04-06 12:46:43 0 d-------- C:\Documents and Settings\Family\Application Data\Sun
2008-04-05 23:10:01 0 d-------- C:\Program Files\uTorrent
2008-04-05 23:09:57 0 d-------- C:\Documents and Settings\Family\Application Data\uTorrent
2008-04-05 11:49:03 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat
2008-04-05 11:49:02 0 d-------- C:\Documents and Settings\Family\Application Data\skypePM
2008-04-05 11:46:35 0 d-------- C:\Documents and Settings\Family\Application Data\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Skype
2008-04-05 11:45:19 0 d-------- C:\Program Files\Common Files\Skype
2008-04-05 11:45:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-04-04 00:01:22 0 d-------- C:\Documents and Settings\Family\Application Data\vlc
2008-04-03 15:33:17 0 d-------- C:\Program Files\Java
2008-04-03 15:33:00 0 d-------- C:\Program Files\Common Files\Java
2008-04-03 11:07:54 0 d-------- C:\Program Files\Trend Micro
2008-04-03 00:39:29 0 d--hs---- C:\WINDOWS\Installer
2008-04-03 00:39:28 0 d-------- C:\Program Files\Common Files\ODBC
2008-04-03 00:39:25 0 d-------- C:\Program Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files
2008-04-03 00:39:25 0 d-------- C:\Program Files\Common Files\SpeechEngines
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Templates
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\Default User\Start Menu
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\SendTo
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\Recent
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\PrintHood
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\Default User\NetHood
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\My Documents
2008-04-03 00:38:57 0 dr-h----- C:\Documents and Settings\Default User\Local Settings
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Favorites
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\Default User\Desktop
2008-04-03 00:38:57 0 d---s---- C:\Documents and Settings\Default User\Cookies
2008-04-03 00:38:57 0 d--h----- C:\Documents and Settings\All Users\Templates
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Start Menu
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Favorites
2008-04-03 00:38:57 0 dr------- C:\Documents and Settings\All Users\Documents
2008-04-03 00:38:57 0 d-------- C:\Documents and Settings\All Users\Desktop
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot2
2008-04-03 00:38:43 0 d-------- C:\WINDOWS\system32\CatRoot
2008-04-03 00:38:37 0 dr-h----- C:\Documents and Settings\Default User\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\Default User\Application Data\Microsoft
2008-04-03 00:38:37 0 d--h----- C:\Documents and Settings\All Users\Application Data
2008-04-03 00:38:37 0 d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2008-04-03 00:37:52 0 d--hs---- C:\System Volume Information
2008-04-03 00:37:52 0 d-------- C:\Documents and Settings
2008-04-03 00:30:03 0 d-------- C:\WINDOWS
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\WinSxS
2008-04-03 00:30:03 0 dr------- C:\WINDOWS\Web
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\twain_32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wins
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\wbem
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\usmt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\spool
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ShellExt
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\Setup
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ras
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\oobe
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\npp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\inetsrv
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\IME
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\icsxml
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\ias
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\export
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\etc
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\drivers\disdn
2008-04-03 00:30:03 0 dr-hs--c- C:\WINDOWS\system32\dllcache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\dhcp
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3com_dmi
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\3076
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\2052
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1054
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1042
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1041
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1037
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1033
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1031
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1028
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system32\1025
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\system
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\security
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Resources
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\repair
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Provisioning
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\PeerNet
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\pchealth
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\mui
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msapps
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\msagent
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Media
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\java
2008-04-03 00:30:03 0 d--h----- C:\WINDOWS\inf
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ime
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Help
2008-04-03 00:30:03 0 dr--s---- C:\WINDOWS\Fonts
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\ehome
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Driver Cache
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\dell
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Debug
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Cursors
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Connection Wizard
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\Config
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\AppPatch
2008-04-03 00:30:03 0 d-------- C:\WINDOWS\addins
2008-04-02 23:27:43 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-02 23:27:42 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-02 23:24:51 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>
2008-04-02 22:47:22 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-04-02 22:47:22 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-04-02 22:47:22 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-04-02 22:47:22 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-02 22:06:49 0 d-------- C:\Documents and Settings\Family\Application Data\Adobe
2008-04-02 22:00:11 0 d-------- C:\Program Files\HighCriteria
2008-04-02 22:00:10 54272 --a------ C:\WINDOWS\system32\DrvTrNTm.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 22:00:10 106496 --a------ C:\WINDOWS\system32\DrvTrNTl.dll <Not Verified; High Criteria inc.; Total Recorder (Professional Edition)>
2008-04-02 21:58:48 0 d-------- C:\Documents and Settings\Family\Contacts
2008-04-02 21:58:01 0 d------c- C:\WINDOWS\system32\DRVSTORE
2008-04-02 21:51:30 0 d-------- C:\Program Files\VideoLAN
2008-04-02 21:51:10 0 d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2008-04-02 21:50:41 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-02 21:48:57 1681 --a------ C:\WINDOWS\mozver.dat
2008-04-02 21:46:51 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-02 21:46:31 0 d-------- C:\Program Files\Windows Live
2008-04-02 21:46:20 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-04-02 21:46:18 0 d-------- C:\Documents and Settings\Family\Application Data\Macromedia
2008-04-02 21:45:52 0 d-------- C:\Program Files\Google
2008-04-02 21:42:03 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-02 21:41:55 0 d-------- C:\Documents and Settings\Family\Application Data\Mozilla
2008-04-02 21:36:02 0 d-------- C:\Program Files\A4Tech
2008-04-02 21:35:51 0 d-------- C:\Documents and Settings\Family\Application Data\WinRAR
2008-04-02 21:24:27 0 d-------- C:\Program Files\Windows Sidebar
2008-04-02 21:23:00 0 d-------- C:\Program Files\Symantec
2008-04-02 20:49:55 0 d-------- C:\Program Files\Norton AntiVirus
2008-04-02 20:33:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-02 20:32:30 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-02 20:16:26 0 d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-04-02 20:13:34 0 d-------- C:\Program Files\Windows Desktop Search
2008-04-02 20:12:18 0 d--hs---- C:\Documents and Settings\Family\UserData
2008-04-02 19:35:08 0 d-------- C:\WINDOWS\network diagnostic
2008-04-02 19:28:51 5632 --a------ C:\WINDOWS\system32\CNMVS20.DLL
2008-04-02 19:28:50 94720 --a------ C:\WINDOWS\system32\CNMLM20.DLL <Not Verified; CANON INC.; Canon BJ Raster Printer Driver for Microsoft Windows XP / Windows 2000>
2008-04-02 19:28:37 36864 --a------ C:\WINDOWS\system32\CNMCP20.EXE
2008-04-02 19:28:36 0 d--h----- C:\BJPrinter
2008-04-02 19:26:19 0 d-------- C:\Program Files\Microsoft Works
2008-04-02 19:20:12 0 d-------- C:\WINDOWS\SHELLNEW
2008-04-02 19:18:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-02 19:18:25 0 dr-h----- C:\MSOCache
2008-04-02 19:10:03 0 d-------- C:\Program Files\PowerISO
2008-04-02 18:51:22 708 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-02 18:29:40 0 d-------- C:\WINDOWS\system32\PreInstall
2008-04-02 18:29:38 0 d--h----- C:\WINDOWS\$hf_mig$
2008-04-02 18:13:12 0 d-------- C:\WINDOWS\system32\SoftwareDistribution
2008-04-02 18:11:53 0 d-------- C:\WINDOWS\system32\Lang
2008-04-02 18:10:58 0 d-------- C:\Program Files\GIGABYTE
2008-04-02 18:10:57 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2008-04-02 18:10:38 0 d-------- C:\WINDOWS\OPTIONS
2008-04-02 18:10:18 0 d-------- C:\WINDOWS\system32\RTCOM
2008-04-02 18:10:10 40448 -----n--- C:\WINDOWS\system32\ChCfg.exe
2008-04-02 18:10:10 8376832 -----n--- C:\WINDOWS\RTHDCPL.exe <Not Verified; Realtek Semiconductor Corp.; Realtek HD Audio Sound Effect Manager>
2008-04-02 18:10:01 0 d-------- C:\Program Files\Realtek
2008-04-02 18:08:06 0 d-------- C:\Program Files\Intel
2008-04-02 18:07:27 0 d-------- C:\WINDOWS\system32\ReinstallBackups
2008-04-02 18:07:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-02 18:07:22 0 d-------- C:\Program Files\Common Files\InstallShield
2008-04-02 17:51:24 0 d-------- C:\Documents and Settings\Family\Application Data\Identities
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\SendTo
2008-04-02 17:51:17 0 dr-h----- C:\Documents and Settings\Family\Recent
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\PrintHood
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\NetHood
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\My Documents
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Local Settings
2008-04-02 17:51:17 0 dr------- C:\Documents and Settings\Family\Favorites
2008-04-02 17:51:17 0 d-------- C:\Documents and Settings\Family\Desktop
2008-04-02 17:51:17 0 d--hs---- C:\Documents and Settings\Family\Cookies
2008-04-02 17:51:17 0 d--h----- C:\Documents and Settings\Family\Application Data
2008-04-02 17:51:16 0 d--h----- C:\Documents and Settings\Family\Templates
2008-04-02 17:51:16 0 d-------- C:\Documents and Settings\Family\Start Menu
2008-04-02 17:51:16 2359296 --ah----- C:\Documents and Settings\Family\NTUSER.DAT
2008-04-02 17:08:25 0 d-------- C:\WINDOWS\SoftwareDistribution
2008-04-02 17:08:24 0 d-------- C:\WINDOWS\Prefetch
2008-04-02 17:08:23 0 d---s---- C:\WINDOWS\system32\Microsoft
2008-04-02 17:08:23 262144 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT
2008-04-02 17:08:23 0 d--h----- C:\Documents and Settings\LocalService\Local Settings
2008-04-02 17:08:23 0 d--hs---- C:\Documents and Settings\LocalService\Cookies
2008-04-02 17:08:23 0 d-------- C:\Documents and Settings\LocalService\Application Data
2008-04-02 17:08:23 0 d---s---- C:\Documents and Settings\LocalService\Application Data\Microsoft
2008-04-02 16:57:38 262144 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT
2008-04-02 16:57:38 0 d--h----- C:\Documents and Settings\NetworkService\Local Settings
2008-04-02 16:57:38 0 d--hs---- C:\Documents and Settings\NetworkService\Cookies
2008-04-02 16:57:38 0 d-------- C:\Documents and Settings\NetworkService\Application Data
2008-04-02 16:57:38 0 d---s---- C:\Documents and Settings\NetworkService\Application Data\Microsoft
2008-04-02 16:54:57 0 d-------- C:\WINDOWS\system32\xircom
2008-04-02 16:54:57 0 d-------- C:\Program Files\microsoft frontpage
2008-04-02 16:54:46 225280 ---h----- C:\Documents and Settings\Default User\NTUSER.DAT
2008-04-02 16:54:46 0 d-------- C:\DELL
2008-04-02 16:54:38 0 -rahs---- C:\MSDOS.SYS
2008-04-02 16:54:38 0 -rahs---- C:\IO.SYS
2008-04-02 16:54:38 0 --a------ C:\CONFIG.SYS
2008-04-02 16:54:38 0 --a------ C:\AUTOEXEC.BAT
2008-04-02 16:53:42 0 d--hs---- C:\Documents and Settings\All Users\DRM
2008-04-02 16:53:33 0 dr------- C:\WINDOWS\Offline Web Pages
2008-04-02 16:53:33 0 d---s---- C:\WINDOWS\Downloaded Program Files
2008-04-02 16:53:24 0 d--h----- C:\Program Files\WindowsUpdate
2008-04-02 16:53:08 0 d-------- C:\WINDOWS\system32\DirectX
2008-04-02 16:52:38 0 d---s---- C:\WINDOWS\Tasks
2008-04-02 16:52:38 0 d-------- C:\Program Files\Common Files\MSSoap
2008-04-02 16:52:35 0 d-------- C:\WINDOWS\srchasst
2008-04-02 16:52:34 0 d-------- C:\WINDOWS\system32\Macromed
2008-04-02 16:52:28 0 d-------- C:\Program Files\Movie Maker
2008-04-02 16:52:22 0 d-------- C:\WINDOWS\system32\Restore
2008-04-02 16:51:49 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2008-04-02 16:51:36 0 d-------- C:\WINDOWS\Registration
2008-04-02 16:51:29 0 d-------- C:\Program Files\Online Services
2008-04-02 16:51:24 0 d-------- C:\Program Files\Messenger
2008-04-02 16:51:22 0 d-------- C:\Program Files\MSN Gaming Zone
2008-04-02 16:50:52 0 d-------- C:\Program Files\Windows NT
2008-04-02 16:50:49 0 d-------- C:\WINDOWS\system32\MsDtc
2008-04-02 16:50:48 0 d-------- C:\WINDOWS\system32\Com


-- Find3M Report ---------------------------------------------------------------

2008-04-03 00:38:57 62 --ahs---- C:\Documents and Settings\Family\Application Data\desktop.ini
2008-04-02 18:26:30 502272 --a------ C:\WINDOWS\system32\winlogon.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
04/02/2008 09:33 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [10/08/2004 08:31 AM]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [10/08/2004 08:27 AM]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [03/17/2004 03:10 PM C:\WINDOWS\system32\Hdaudpropshortcut.exe]
"SoundMan"="SOUNDMAN.EXE" [10/13/2004 02:01 PM C:\WINDOWS\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [10/13/2004 04:17 PM C:\WINDOWS\ALCWZRD.EXE]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [02/14/2008 11:01 AM]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [08/25/2007 12:53 PM]
"iKeyWorks"="C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe" [06/25/2007 03:32 PM]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [01/02/2007 05:22 AM]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [01/11/2008 10:16 PM]
"TotalRecorderScheduler"="C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe" [05/12/2006 01:32 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 08:00 PM]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [10/18/2007 11:34 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SymLnch"="C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\Family\Application Data\Symantec\Layouts\Norton AntiVirus\15.0\SymAllLanguages\NAV_ESD\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"disableregistrytools"=0 (0x0)

*Newly Created Service* - RKPAVPROC



-- End of Deckard's System Scanner: finished at 2008-04-08 22:08:28 ------------
  • 0

#12
koko_crunch
Posted 08 April 2008 - 09:42 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Looking good. :)

Next up,

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back

Reboot computer...


We're almost done here. Are there other issues you wish to address? How's your computer running?
  • 0

#13
ei2kpi
Posted 08 April 2008 - 11:04 AM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Alright... so this is sdfix:


SDFix: Version 1.167
Run by Administrator on Wed 04/09/2008 at 12:19 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1351.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-09 00:47:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"DeviceNotSelectedTimeout"="15"
"GDIProcessHandleQuota"=dword:00002710
"Spooler"="yes"
"swapdisk"=""
"TransmissionRetryTimeout"="90"
"USERProcessHandleQuota"=dword:00002710

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"="C:\\Program Files\\Google\\Google Talk\\googletalk.exe:*:Enabled:Google Talk"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 9 Aug 2007 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Thu 9 Aug 2007 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT6.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT4.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT8.tmp"
Sat 30 Jun 2007 797,088 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\379c3e87f4016899bd06cdf1184d31ce\BIT3A.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT7.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT9.tmp"
Fri 4 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT5.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\00766461b1b00d8469999536d8f8d6e4\download\BIT6E.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0077a7fa5d15590d526d63a5048a5445\download\BIT7D.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0091ab299e899a5920ad91739ad99c67\download\BIT74.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\021bbe9f2a0e31da1414f03ea6d62389\download\BIT5F.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\05dc5f0b39a115d1962503e7297cdba7\download\BIT77.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a7407b49e4a15c0b9a45c0426de5360\download\BIT61.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0c114cf5b19927cfea8b29c83de1ed86\download\BIT86.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1230492412c0d92c55a03b0de671f167\download\BIT89.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\131ae35a2f5be2cefedd349d083bb253\download\BIT7A.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1d8773e3b9bba05290b442f31de09a2e\download\BIT69.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\208c1a8c52f47d7b2df4baa21f58d3da\download\BIT87.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\299966e551b4462ae94e39e251e277b6\download\BIT79.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2abaeb659824de5967ddf7181c6befdb\download\BIT7E.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2d7809720343ee9223ce4d88d99bf3c2\download\BIT82.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\30afadc4c35db2f5d8b4c076a49edc7b\download\BIT66.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\32e99364da67a7850c38a7a4e067a1ed\download\BIT8B.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\33831624a2e810dc854ea2f820d0dd53\download\BIT6A.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\37fefde58a963f27982e5f97ce053f7f\download\BIT88.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\393673217fc83f2b990ca70aa98f1df8\download\BIT80.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4387300ca1dcf29784a47c30e67cb637\download\BIT67.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\download\BIT6B.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4cbc0c1da652794a86c37dbd177bef9d\download\BIT75.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\52b72a8354f3c8a72b1aee0b2a11d368\download\BIT73.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\55b5c397ff94db07e8c1c336efaf0a7b\download\BIT76.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\download\BIT6D.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\7b94d041c29d0b8d724c97ae0005e71b\download\BIT8A.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\881d7070640a4412a784782616794afa\download\BIT71.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8a10de02595aa748279afc6c628f49a8\download\BIT78.tmp"
Sat 3 Jun 2006 204,282 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\962449eaea2a809dd7a3a95c81a023bd\download\BIT4F.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\972f9ceb5c3be430fe6cdcb43653d74d\download\BIT84.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4a9ccd1806461c53ce89bdd6f4591bf\download\BIT70.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\a4eec31189780c76a955690dc00fbe64\download\BIT64.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\adc42e4e6905251cac80b18a8dccd42a\download\BIT6F.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\aebb83db003f77a45671fd2c1557da38\download\BIT85.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b3ba2a040ecf3ac2cd2da399851bda00\download\BIT81.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\download\BIT72.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c87932aedce288373d0b6a6c23f00c8a\download\BIT68.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c9cdbfcd49200c55d94bb81819c80f2b\download\BIT83.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d037d9bbbbdf880e477c3840b38c3180\download\BIT7F.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d1c98689cdcd0ea9312780ffc77a2cbe\download\BIT65.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d424e8f655073b64c82b6f4f138d5f7e\download\BIT7B.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ed6cff8bccff865b52b93292e144ada6\download\BIT60.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ee52836d5c671146809a1dc54498be1f\download\BIT7C.tmp"
Wed 2 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f941c900a413f153861a4032214a1aec\download\BIT6C.tmp"

Finished!
  • 0

#14
koko_crunch
Posted 08 April 2008 - 11:15 AM

koko_crunch

    Trusted Helper

  • Retired Staff
  • 1,751 posts
Much better. :)

We're nearly done, just another scan to be sure we didn't miss any.
How's your computer running? Are there other concerns you wish to address?

Next,

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Then

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

  • 0

#15
ei2kpi
Posted 14 April 2008 - 09:52 PM

ei2kpi

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
hello koko crunch! sorry for the later reply... had to take my mom to the hospital... shes fine now btw.. haha

the problem was completely fixed... so thanks a LOT!!!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP