OK, I went step by step per your instructions.
Click Start, then Run.
Type notepad.exe in the Run box.
I copied and pasted...
File::
C:\WINDOWS\service.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BA8C76D-27F5-4A5D-BC48-066AB64E0394}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Service"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"5cfa73f7"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Service"=-
I then did a "save as" and copied and pasted CFScript.txt into the file name; save as type is the default "text document .txt", and encoding is the default ANSI.
A text document is now on my desktop named CFScript and looks exactly like the animation in step 4. I also dragged and dropped the file exactly as shown in the animation.
I had to download a fresh copy of ComboFix because I guess it was out of date.
When it ran, McAfee found the EICAR test and removed it.
I saved the log to the desktop, but again I wasn't able to see or do anything in Windows except pull up Task Manager to restart.
A few things to note.
I don't have a file in Windows named service. The text document's name is CFScript and it is a .txt file that looks exactly like the animation; its name is not CFScript.txt, and it is a .txt file.
If I did something wrong before I hope I did it correctly this time.
Just for FYI purposes, I have a video camera that I can hold and video the screen as it goes through the process if it's needed.
ComboFix 08-05-07.1 - Owner 2008-05-09 9:23:13.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1042 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\service.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\smp.bat
.
((((((((((((((((((((((((( Files Created from 2008-04-09 to 2008-05-09 )))))))))))))))))))))))))))))))
.
2008-05-07 12:53 . 2008-05-07 12:53 <DIR> d-------- C:\Program Files\Ventrilo
2008-05-07 12:53 . 2008-05-07 12:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Ventrilo
2008-05-05 03:13 . 2008-05-05 03:13 <DIR> d-------- C:\Program Files\City Interactive
2008-05-02 13:30 . 2008-05-02 13:30 <DIR> d-------- C:\Program Files\Sierra Online
2008-05-02 13:30 . 2008-05-02 13:30 <DIR> dr-h----- C:\Documents and Settings\Owner\Application Data\SecuROM
2008-04-30 09:19 . 2008-04-30 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2008-04-30 09:19 . 2008-04-30 09:19 4,096 --a------ C:\WINDOWS\d3dx.dat
2008-04-30 09:18 . 2008-04-30 09:18 <DIR> d-------- C:\WINDOWS\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-30 09:18 . 2008-04-30 11:47 <DIR> d-------- C:\Program Files\Westward II Heroes of the Frontier [h33t] [oi812heet]
2008-04-29 22:43 . 2008-04-29 22:43 <DIR> d-------- C:\Program Files\Paradox Interactive
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-29 18:37 . 2008-04-29 18:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-29 16:46 . 2008-04-29 16:46 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2008-04-29 16:37 . 2008-04-29 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-29 16:19 . 2008-05-02 13:02 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Touchstone
2008-04-29 15:47 . 2008-04-29 15:47 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Leadertech
2008-04-29 15:30 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\Touchstone
2008-04-29 15:28 . 2008-05-02 13:03 120 --a------ C:\WINDOWS\disney.ini
2008-04-27 15:46 . 2008-04-27 15:46 <DIR> d-------- C:\Program Files\Bethesda Softworks
2008-04-26 12:21 . 2008-04-26 12:22 <DIR> d-------- C:\Program Files\MagicISO
2008-04-26 08:15 . 2008-04-26 08:15 <DIR> d-------- C:\Program Files\2K Games
2008-04-25 13:40 . 2008-05-09 09:23 1,024 --ah----- C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-04-24 12:18 . 2008-04-24 12:18 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes
2008-04-24 12:17 . 2008-05-03 03:18 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-24 12:17 . 2008-04-24 12:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-24 12:14 . 2008-04-24 12:14 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 07:07 . 2008-04-23 07:07 <DIR> d-------- C:\WINDOWS\system32\config\systemprofile\Application Data\Webroot
2008-04-22 16:40 . 2008-04-22 16:40 <DIR> d-------- C:\Program Files\Kalypso
2008-04-21 16:34 . 2008-04-21 16:34 <DIR> d-------- C:\Documents and Settings\Owner\Logs
2008-04-21 16:27 . 2008-04-21 16:27 <DIR> d-------- C:\Logs
2008-04-21 13:13 . 2008-04-22 16:50 <DIR> d-------- C:\Program Files\World of Warcraft
2008-04-21 13:13 . 2008-04-21 13:13 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Program Files\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-04-16 17:53 . 2008-04-16 17:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
2008-04-16 17:53 . 2007-01-25 21:57 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2008-04-16 17:53 . 2007-01-25 21:57 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2008-04-16 17:53 . 2007-01-25 21:57 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2008-04-16 17:53 . 2007-01-25 21:57 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2008-04-16 17:51 . 2008-04-16 17:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-16 16:23 . 2008-04-16 16:23 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\McAfee
2008-04-13 22:21 . 2008-04-14 13:54 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Petroglyph
2008-04-13 22:19 . 2008-04-13 22:19 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\LucasArts
2008-04-13 22:19 . 2008-05-02 13:30 107,888 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-04-13 22:12 . 2008-05-05 05:09 <DIR> d-------- C:\Program Files\LucasArts
2008-04-13 12:36 . 2008-04-13 12:40 <DIR> d-------- C:\Program Files\illusion
2008-04-13 10:49 . 2008-04-13 12:24 3,020 --a------ C:\WINDOWS\system32\tmp.reg
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-04-13 02:35 . 2008-04-29 15:30 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\WINDOWS\Crusaders - Thy Kingdom Come
2008-04-13 02:29 . 2008-04-13 02:29 <DIR> d-------- C:\NeocoreGames
2008-04-09 04:30 . 2008-04-09 04:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\InstallShield
2008-04-09 04:13 . 2008-04-09 04:13 <DIR> d-------- C:\Program Files\Firaxis Games
2008-04-09 04:12 . 2005-05-26 15:34 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-09 01:42 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2008-05-08 13:06 --------- d-----w C:\Program Files\BOINC
2008-05-08 02:06 --------- d-----w C:\Documents and Settings\Owner\Application Data\Vso
2008-05-07 16:52 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-06 14:52 --------- d-----w C:\Program Files\eMule
2008-05-05 09:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 20:32 --------- d-----w C:\Program Files\McAfee
2008-04-21 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-16 20:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-04-11 18:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
2008-04-06 21:39 --------- d-----w C:\Documents and Settings\Owner\Application Data\Hewlett-Packard
2008-04-06 21:35 --------- d-----w C:\Program Files\Hewlett-Packard
2008-04-06 21:35 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-04-05 21:22 --------- d-----w C:\Program Files\TechSmith
2008-04-05 21:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\TechSmith
2008-04-04 18:55 --------- d-----w C:\Program Files\Common Files\ChessBase
2008-04-04 18:55 --------- d-----w C:\Program Files\ChessBase
2008-04-04 00:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Jane s Hotel Family Hero
2008-04-03 22:37 --------- d-----w C:\Program Files\LG Drivers
2008-04-03 22:16 --------- d-----w C:\Program Files\BitPim
2008-04-03 20:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\ChessBase
2008-03-28 17:25 --------- d-----w C:\Program Files\MySpace
2008-03-28 17:25 --------- d-----w C:\Documents and Settings\Owner\Application Data\MySpace
2008-03-28 16:57 --------- d-----w C:\Program Files\Game Elements
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\Owner\Application Data\CyberLink
2008-03-27 20:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-27 20:55 --------- d-----w C:\Program Files\CyberLink
2008-03-27 20:53 505,392 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-03-27 20:23 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2008-03-26 05:46 --------- d--h--w C:\Documents and Settings\All Users\Application Data\{0E8E33D8-193A-414A-A909-0F101A142D26}
2008-03-26 05:44 --------- d-----w C:\Program Files\Stardock Games
2008-03-26 05:40 --------- d-----w C:\Program Files\DAEMON Tools Lite
2008-03-26 05:37 717,296 ----a-w C:\WINDOWS\system32\drivers\sptd.sys
2008-03-26 05:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\DAEMON Tools
2008-03-26 05:33 --------- d-----w C:\Program Files\[bleep] NFO Viewer
2008-03-25 20:18 --------- d-----w C:\Program Files\Raxco
2008-03-25 20:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Raxco
2008-03-25 19:44 --------- d-----w C:\Program Files\Common Files\McAfee
2008-03-25 19:07 47,360 ----a-w C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-25 19:07 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2008-03-25 19:07 --------- d-----w C:\Program Files\VSO
2008-03-25 18:53 --------- d-----w C:\Program Files\uTorrent
2008-03-25 18:32 --------- d-----w C:\Program Files\VideoLAN
2008-03-25 18:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\vlc
2008-03-25 17:58 --------- d-----w C:\Program Files\Windows Defender
2008-03-25 17:31 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-25 17:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-25 17:18 --------- d-----w C:\Program Files\McAfee.com
2008-03-25 17:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-25 17:03 --------- d-----w C:\Program Files\Java
2008-03-21 22:42 --------- d-----w C:\Program Files\Bonjour
2008-03-21 22:42 --------- d-----w C:\Program Files\Apple Software Update
2008-03-21 22:41 --------- d-----w C:\Program Files\Common Files\Apple
2008-03-21 22:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-03-21 22:40 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-03-21 22:39 --------- d-----w C:\Program Files\Common Files\Java
2008-03-21 22:38 --------- d-----w C:\Program Files\Common Files\Adobe
2008-03-21 22:38 --------- d-----w C:\Program Files\BurnAware Free Edition
2008-03-21 22:37 --------- d-----w C:\Program Files\7-Zip
2008-03-21 22:23 --------- d-----w C:\Program Files\PKWARE
2008-03-21 22:23 --------- d-----w C:\Program Files\Essentials Codec Pack
2008-03-21 22:23 --------- d-----w C:\Program Files\DivX
2008-03-21 22:23 --------- d-----w C:\Program Files\Common Files\PKWARE
2008-03-21 22:22 --------- d-----w C:\Program Files\Combined Community Codec Pack
2008-03-21 22:21 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-03-21 22:03 --------- d-----w C:\Program Files\VIA
2008-03-21 22:02 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-21 22:01 --------- d-----w C:\Program Files\MSI
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek Sound Manager
2008-03-21 22:00 --------- d-----w C:\Program Files\Realtek AC97
2008-03-21 22:00 --------- d-----w C:\Program Files\AvRack
2008-03-21 21:59 --------- d-----w C:\Program Files\MSBuild
2008-03-21 21:59 --------- d-----w C:\Program Files\AMD
2008-03-21 21:56 --------- d-----w C:\Program Files\Reference Assemblies
2008-03-21 21:54 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-03-21 21:17 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-21 20:20 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-04 18:00 811,776 ----a-w C:\WINDOWS\boinc.scr
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.
((((((((((((((((((((((((((((( snapshot_2008-05-02_ 5.42.53.81 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-30 02:45:44 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
+ 2008-05-05 09:13:40 53,248 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.AudioVideoPlayback\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.AudioVideoPlayback.dll
- 2008-04-30 02:45:44 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
+ 2008-05-05 09:13:40 12,800 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Diagnostics\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Diagnostics.dll
- 2008-04-30 02:45:45 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
+ 2008-05-05 09:13:40 473,600 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3D\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3D.dll
- 2008-04-30 02:45:38 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:34 2,676,224 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:38 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:35 2,846,720 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2903.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:39 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 563,712 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2904.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:40 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 567,296 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2905.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:40 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:36 576,000 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2906.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:41 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:37 577,024 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2907.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:41 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:37 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2908.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:42 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:38 577,536 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2909.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:42 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:38 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2910.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:45 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
+ 2008-05-05 09:13:40 578,560 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.Direct3DX\1.0.2911.0__31bf3856ad364e35\Microsoft.DirectX.Direct3DX.dll
- 2008-04-30 02:45:45 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
+ 2008-05-05 09:13:41 145,920 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectDraw\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectDraw.dll
- 2008-04-30 02:45:46 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
+ 2008-05-05 09:13:41 159,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectInput\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectInput.dll
- 2008-04-30 02:45:46 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
+ 2008-05-05 09:13:41 364,544 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectPlay\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectPlay.dll
- 2008-04-30 02:45:46 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
+ 2008-05-05 09:13:42 178,176 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX.DirectSound\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.DirectSound.dll
- 2008-04-30 02:45:43 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
+ 2008-05-05 09:13:39 223,232 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.DirectX\1.0.2902.0__31bf3856ad364e35\Microsoft.DirectX.dll
- 2008-05-01 09:29:06 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-09 13:08:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-05 09:10:50 2,686 ----a-r C:\WINDOWS\Installer\{4E074808-1B86-4230-A9EB-0904942EC4AE}\ARPPRODUCTICON.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-03-21 04:30 486856]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-12-05 02:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RUNDLL32.exe" [2006-02-28 08:00 33280 C:\WINDOWS\system32\rundll32.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 577536 C:\WINDOWS\soundman.exe]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" [ ]
"Media Codec Update Service"="C:\Program Files\Essentials Codec Pack\update.exe" [2007-04-08 12:44 303104]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 18:20 866584]
"BDRegion"="C:\Program Files\Cyberlink\Shared Files\brs.exe" [2008-02-21 10:24 91432]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2008-01-22 14:23 81920]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2007-10-11 12:06 62760]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-01-25 21:58 4865600]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2008-02-01 16:32 8699904]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-09 18:21:38 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-09 18:11:12 28672]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\ff_vfw.dll
"vidc.wmv3"= C:\PROGRA~1\COMBIN~1\Filters\wmv9vcm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\Stardock Games\\Sins of a Solar Empire\\Sins of a Solar Empire.exe"=
"C:\\Program Files\\CyberLink\\PowerDVD\\PowerDVD.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
"C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
"C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War\\GameData\\sweaw.exe"=
"C:\\Program Files\\LucasArts\\Star Wars Empire at War Forces of Corruption\\swfoc.exe"=
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2006-10-17 20:22]
R2 {95808DC4-FA4A-4C74-92FE-5B863F82066B};{95808DC4-FA4A-4C74-92FE-5B863F82066B};C:\Program Files\CyberLink\PowerDVD\000.fcl [2008-01-18 23:01]
R2 LANPkt;Realtek LANPkt Protocol;C:\WINDOWS\system32\DRIVERS\LANPkt.sys [2003-09-17 15:57]
R2 PD91Agent;PD91Agent;"C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe" [2008-01-16 10:52]
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys [2004-08-03 18:31]
R3 Diag69xp;Diag69xp;C:\WINDOWS\system32\Drivers\Diag69xp.sys [2003-09-02 11:25]
S3 PD91Engine;PD91Engine;"C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe" [2008-01-16 10:52]
S3 samhid;samhid;C:\WINDOWS\system32\drivers\samhid.sys [2006-01-07 12:09]
S3 USB-100;Realtek RTL8150 USB 10/100 Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\RTL8150.SYS [2006-05-10 16:22]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\LaunchEAW.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-05 13:24:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-06 21:39:29 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1207517937.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-09 13:11:47 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-09 09:24:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\{95808DC4-FA4A-4C74-92FE-5B863F82066B}]
"ImagePath"="\??\C:\Program Files\CyberLink\PowerDVD\000.fcl"
.
Completion time: 2008-05-09 9:25:50
ComboFix-quarantined-files.txt 2008-05-09 13:25:45
ComboFix2.txt 2008-05-02 09:43:18
ComboFix3.txt 2008-04-26 15:06:14
ComboFix4.txt 2008-04-25 17:47:17
Pre-Run: 227,554,496,512 bytes free
Post-Run: 227,548,483,584 bytes free
292 --- E O F --- 2008-05-06 23:10:11
----------------------------------------------------------------- xd
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:58:20 AM, on 5/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Cyberlink\Shared Files\brs.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [Media Codec Update Service] "C:\Program Files\Essentials Codec Pack\update.exe" -silent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [BDRegion] "C:\Program Files\Cyberlink\Shared Files\brs.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PD91Agent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Agent.exe
O23 - Service: PD91Engine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk2008\PD91Engine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 7786 bytes
Edited by renaldoaoa, 09 May 2008 - 08:06 AM.