Hijack This Log [RESOLVED]



#1 jimmayy (New Member, 9 posts)
Hi,
Here's my HijackThis log.
I get the Windows security alert with "Windows has detected an internet attack attempt... click here to DL spyware remover for total protection".
Also, "Security Warning! worm.netbooster detected on your machine..."
I also get the taskbar popup with the red X telling me my machine has a virus.
Thank you if you can help in any possible way!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:53:08 PM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Linksys\WMP300N\WLService.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Linksys\WMP300N\WMP300N.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Timmayy\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {10B9E92F-421E-44B2-A093-9DE0F3FAB2BC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: nnnnoffc - nnnnOffc.dll (file missing)
O21 - SSODL: pxgdslro - {2FD1C0B8-86E7-4C41-A979-95AB8202ED6D} - C:\WINDOWS\pxgdslro.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DCPFLICS (dcpflics) - Unknown owner - C:\Program Files\DCPFLICS\DCPFLICS.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Linksys\WMP300N\WLService.exe

--
End of file - 8113 bytes
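The log above shows the three load points a responder looks at first: the F2 UserInit value with a second executable chained after userinit.exe, O2/O20/O22 entries whose registered DLL is already missing (orphaned load points), and O20/O21/O22 entries with machine-generated names pointing at DLLs in the Windows directory. The following Python script is an added triage example, not part of the original thread and not HijackThis logic; it parses the lines quoted from the log and reports which of these rules each entry trips. The `looks_random` vowel/digit heuristic and the choice of which sections count as "uncommon" are my own assumptions, meant to prioritise review, not to give a verdict.

```python
import re
from pathlib import PureWindowsPath

# Entries copied from the HijackThis log posted above. The legitimate Adobe,
# NVIDIA and R1 lines are included so the rules can be seen NOT firing on them.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\xwusuhzh.exe,
O2 - BHO: C:\WINDOWS\system32\jfiehayd.dll - {c5af49a2-94f3-42bd-f434-2604812c897d} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: nnnnoffc - nnnnOffc.dll (file missing)
O21 - SSODL: pxgdslro - {2FD1C0B8-86E7-4C41-A979-95AB8202ED6D} - C:\WINDOWS\pxgdslro.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Every HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# Load points that ordinary desktop software almost never registers (assumption:
# my own review list, not a HijackThis classification).
UNCOMMON_LOAD_POINTS = {
    "O20": "Winlogon Notify",
    "O21": "ShellServiceObjectDelayLoad",
    "O22": "SharedTaskScheduler",
}
EXPECTED_USERINIT = "userinit.exe"   # the only program UserInit should launch


def looks_random(name: str) -> bool:
    """Heuristic only: very few vowels, or digits mixed into the letters."""
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    digits_inside = re.search(r"[a-z]\d+[a-z]", name, re.I) is not None
    return vowels / len(letters) < 0.3 or digits_inside


def parse_line(line: str):
    """Return (section, body) for a HijackThis entry, or None for other text."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(log_text: str) -> list:
    """Return one finding per suspicious entry: section, reasons, original line."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        reasons = []

        # Rule 1: UserInit must launch userinit.exe and nothing else.
        if section == "F2" and "UserInit=" in body:
            value = body.split("UserInit=", 1)[1]
            programs = [p.strip() for p in value.split(",") if p.strip()]
            for prog in programs:
                if PureWindowsPath(prog).name.lower() != EXPECTED_USERINIT:
                    reasons.append(f"UserInit chains an extra program: {prog}")
                    stem = PureWindowsPath(prog).stem
                    if looks_random(stem):
                        reasons.append(f"name looks machine-generated: {stem}")

        # Rule 2: O20/O21/O22 deserve a look on their own; random names more so.
        if section in UNCOMMON_LOAD_POINTS:
            reasons.append(f"uncommon autostart load point ({UNCOMMON_LOAD_POINTS[section]})")
            name = body.split(": ", 1)[1].split(" - ")[0]
            if looks_random(name):
                reasons.append(f"name looks machine-generated: {name}")

        # Rule 3: a load point whose file is gone is an orphan; removing the
        # registry entry stops the startup error and closes the re-use window.
        if "(file missing)" in body and section in {"O2", "O3", "O20", "O22"}:
            reasons.append("registered file is missing (orphaned load point)")

        if reasons:
            findings.append({"section": section, "reasons": reasons, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    -", r)
```

Run against the quoted lines, the script reports exactly the five entries (F2, O2, O20, O21, O22) that SDFix later removed, and stays silent on the Adobe, NVIDIA and R1 lines. The heuristics are deliberately narrow: an entry is flagged for what the load point is and for the state of the file, not for the name alone, so a legitimate but oddly named vendor DLL only earns a "review" note rather than a deletion.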


#2 Rorschach112 (Retired Staff, 47,710 posts)
Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When it has finished, DSS will open two Notepad windows, main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.


#3 jimmayy (Topic Starter, New Member, 9 posts)
Thanks, Rorschach, for the quick response :)
Here's my SDFix report, but unfortunately DSS keeps crashing on me. Is there another way?
Thanks for your help. It seems that SDFix has cleaned it.
Is there anything you recommend besides Norton, McAfee, OneCare etc. (I've had bad experiences with all of them) to use for security?

Thanks again for your help!! :)

SDFix: Version 1.184
Run by Timmayy on Tue 05/20/2008 at 07:14 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
gsbgqpwwfw

Path :
\??\C:\WINDOWS\system32\gsbgqpwwfw.sys

gsbgqpwwfw - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\128868~1 - Deleted
C:\Documents and Settings\Everyone Else\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Timmayy\Favorites\Error Cleaner.url - Deleted
C:\Documents and Settings\Everyone Else\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Timmayy\Favorites\Privacy Protector.url - Deleted
C:\Documents and Settings\Everyone Else\Favorites\Spyware&Malware Protection.url - Deleted
C:\Documents and Settings\Timmayy\Favorites\Spyware&Malware Protection.url - Deleted
C:\WINDOWS\eova.exe - Deleted
C:\WINDOWS\pxgdslro.dll - Deleted
C:\WINDOWS\system32\gsbgqpwwfw.sys - Deleted



Folder C:\Program Files\Helper - Removed
Folder C:\WINDOWS\system32\dFrnx06 - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-20 19:21:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{8AC25C6A-D4B3-FF2F-2A61-C75CA1DB6116}\Install\VxDs]
"CTE_32 Name"="2454584:{301564B2-67A6-1A66-9C4E-A1FE91DE9752}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\{ADD916B7-3238-B642-38AC-F31A4E6EE8C3}\Install\VxDs]
"DefaultSettings"="-19:{3C7DA433-1047-9FC4-00BA-978A09424856}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{3C77D917-9CFE-517E-2230-D333DDD81DEA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Install\xga-1-{3C77D917-9CFE-517E-2230-D333DDD81DEA}\Version 1.1]
"dat"="806585365:{9E90E198-8905-262D-63A2-CC39661E6807}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{3C77D917-9CFE-517E-2230-D333DDD81DEA}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Install VBX\Current\Install\xga-1-{3C77D917-9CFE-517E-2230-D333DDD81DEA}\Version 3.x]
"dat"="1767914624:{22337310-E578-A721-024F-FAA3FE0B5727}"

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Windows OneCare Live\\WinSSIntro.exe"="C:\\Program Files\\Microsoft Windows OneCare Live\\WinSSIntro.exe:*:Enabled:Windows Live OneCare"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"="C:\\Program Files\\Winamp Remote\\bin\\Orb.exe:*:Enabled:Orb"
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe:*:Enabled:OrbTray"
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"="C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe:*:Enabled:Orb Stream Client"
"D:\\Games\\HellgateLondon\\Launcher.exe"="D:\\Games\\HellgateLondon\\Launcher.exe:*:Enabled:Hellgate: London"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"="C:\\Program Files\\Autodesk\\Backburner\\monitor.exe:*:Enabled:backburner 2.3 monitor"
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"="C:\\Program Files\\Autodesk\\Backburner\\manager.exe:*:Enabled:backburner 2.3 manager"
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"="C:\\Program Files\\Autodesk\\Backburner\\server.exe:*:Enabled:backburner 2.3 server"
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"="C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe:*:Enabled:Autodesk 3ds Max 2008 32-bit"
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"="C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe:*:Enabled:Crysis_32_sp_demo"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 11 Apr 2005 4,348 A..H. --- "C:\Musica\My Shared Folder\License Backup\drmv1key.bak"
Tue 10 Oct 2006 20 A..H. --- "C:\Musica\My Shared Folder\License Backup\drmv1lic.bak"
Tue 10 Oct 2006 9,855 A.SH. --- "C:\Musica\My Shared Folder\License Backup\drmv2key.bak"

Finished!
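The "Authorized Application Key Export" in the SDFix report above is a .reg dump of the Windows XP firewall's per-program exceptions. Each value name is the program path (with backslashes doubled by the .reg format) and each value's data is `path:scope:state:display-name`, where scope is `*` (any remote address) or `LocalSubNet`. The following Python parser is an added example, not part of the original thread or of SDFix; it reads the values quoted from the report into structured rules and lists the enabled exceptions that are open to any address. Note the two parsing traps it handles: the drive-letter colon in the path and a display name that itself contains a colon ("Hellgate: London"), which defeat a naive split on `:`. The sample is copied from the report; the review rule is my own assumption.

```python
import re

# Values copied from the SDFix "Authorized Application Key Export" above
# (a subset of the standard profile plus the whole domain profile).
FIREWALL_EXPORT = r'''
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Home & Business 2007\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"D:\\Games\\HellgateLondon\\Launcher.exe"="D:\\Games\\HellgateLondon\\Launcher.exe:*:Enabled:Hellgate: London"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
'''

SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
# "name"="data" with .reg escaping (\\ and \") allowed inside either string.
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')
PROFILE_RE = re.compile(r"\\firewallpolicy\\(\w+)\\authorizedapplications", re.I)


def unescape_reg(s: str) -> str:
    """Undo .reg string escaping: '\\\\' -> '\\', '\\\"' -> '\"' in one pass."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_authorized_apps(text: str) -> list:
    """Return one dict per exception: profile, path, scope, enabled, name."""
    rules, profile = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            pm = PROFILE_RE.search(m.group("key"))
            profile = pm.group(1).lower() if pm else None   # e.g. "standardprofile"
            continue
        m = VALUE_RE.match(line)
        if not m or profile is None:
            continue
        path = unescape_reg(m.group("name"))
        data = unescape_reg(m.group("data"))
        # The data always starts with the same path as the value name, so strip
        # it by length instead of splitting on ':' (the drive letter has one too).
        if not data.lower().startswith(path.lower() + ":"):
            raise ValueError(f"data does not begin with its own path: {line}")
        # Remaining ":scope:state:name"; maxsplit=3 keeps any colon in the name.
        _, scope, state, display = data[len(path):].split(":", 3)
        rules.append({
            "profile": profile,
            "path": path,
            "scope": scope,
            "enabled": state.lower() == "enabled",
            "name": display,
        })
    return rules


def any_address_rules(rules: list) -> list:
    """Enabled exceptions reachable from any remote address (scope '*').

    Assumption: these are the ones worth a second look after a cleanup,
    since a '*' exception for an unknown binary is a common leftover."""
    return [r for r in rules if r["enabled"] and r["scope"] == "*"]


if __name__ == "__main__":
    parsed = parse_authorized_apps(FIREWALL_EXPORT)
    for r in any_address_rules(parsed):
        print(f"{r['profile']:16} {r['scope']:12} {r['name']!r:28} {r['path']}")
```

On the report above this yields five rules, four of which are open to any address; only the TurboTax entry is limited to `LocalSubNet`. A responder would check each `*` path against the list of programs they expect on the machine, which is exactly why SDFix prints this block after a cleanup.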

#4 Rorschach112 (Retired Staff, 47,710 posts)
I will recommend some stuff at the end.

Do this:

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#5 jimmayy (Topic Starter, New Member, 9 posts)
Here's the ComboFix log:
BTW, I did install the Recovery Console, so I don't know why it says I didn't (because I didn't restart after installation?).
Thanks

ComboFix 08-05-21.2 - Timmayy 2008-05-22 6:52:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2879 [GMT -7:00]
Running from: C:\Documents and Settings\Timmayy\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\DfNnonnn.ini
C:\WINDOWS\system32\DfNnonnn.ini2
C:\WINDOWS\system32\lhjlmluk.ini
C:\WINDOWS\system32\MSINET.oca

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-20 21:10 . 2008-05-20 21:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-20 21:08 . 2008-05-20 21:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 20:58 . 2008-05-22 06:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Program Files\AVG
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\AVGTOOLBAR
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 20:58 . 2008-05-20 20:58 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-20 20:58 . 2008-05-20 20:58 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-20 20:58 . 2008-05-20 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-20 19:36 . 2008-05-20 19:36 <DIR> d-------- C:\Deckard
2008-05-20 19:12 . 2008-05-20 19:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 19:08 . 2008-05-20 19:31 <DIR> d-------- C:\SDFix
2008-05-20 07:13 . 2008-05-20 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\TmpRecentIcons
2008-05-18 17:15 . 2008-05-20 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 00:45 . 2008-05-20 22:50 <DIR> d-------- C:\Program Files\DCPFLICS
2008-05-17 16:14 . 2008-05-19 23:51 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\TmpRecentIcons
2008-05-17 15:55 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-17 15:55 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-17 15:53 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-17 15:45 . 2008-05-17 15:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-17 14:31 . 2008-05-17 14:31 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-05-17 14:31 . 2008-05-17 14:31 1 --a------ C:\WINDOWS\system32\kr_done1de
2008-05-17 14:30 . 2008-05-20 19:22 54,784 --a------ C:\WINDOWS\system32\gh.l
2008-05-17 14:30 . 2008-05-20 19:22 32,768 --a------ C:\WINDOWS\system32\yl.po
2008-05-17 14:30 . 2008-05-20 19:22 28,672 --a------ C:\WINDOWS\system32\mn.n
2008-05-17 14:30 . 2008-05-20 19:22 28,672 --a------ C:\WINDOWS\system32\ccs.so
2008-05-17 14:30 . 2008-05-20 19:22 28,672 --a------ C:\WINDOWS\system32\bmf.cs
2008-05-17 14:30 . 2008-05-17 15:08 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-05-17 14:02 . 2008-05-18 16:36 <DIR> d-------- C:\Temp
2008-05-17 14:02 . 2008-05-17 14:02 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\NVIDIA
2008-05-17 13:22 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-17 13:22 . 2008-05-22 06:38 182,441 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-17 13:22 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-17 13:22 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-17 13:22 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-17 13:22 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-17 12:57 . 2008-05-17 12:57 <DIR> d-------- C:\Program Files\Realtek
2008-05-17 12:56 . 2007-07-26 02:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-17 12:49 . 2008-05-17 12:49 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-05-17 12:46 . 2008-05-17 12:46 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-05-17 12:18 . 2008-05-17 12:18 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-17 11:44 . 2008-05-17 11:48 <DIR> d-------- C:\WINDOWS\NV38523848.TMP
2008-05-17 11:31 . 2008-05-17 11:37 <DIR> d-------- C:\WINDOWS\NV28322484.TMP
2008-05-17 03:48 . 2008-05-17 11:21 <DIR> d-------- C:\WINDOWS\NV28122816.TMP
2008-05-17 03:38 . 2008-05-17 03:38 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-17 03:38 . 2008-05-17 03:38 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-17 03:38 . 2008-05-17 03:38 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-17 03:36 . 2008-05-17 12:27 <DIR> d-------- C:\Program Files\ASUS
2008-05-17 03:36 . 2006-01-10 01:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-17 03:36 . 2006-10-18 12:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-17 03:36 . 2008-05-17 03:36 666 --a------ C:\WINDOWS\setup.iss
2008-05-17 03:32 . 2008-05-17 12:57 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-17 03:31 . 2008-05-17 03:31 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-05-17 03:24 . 2008-05-17 03:24 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-05-17 03:21 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-05-17 03:21 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-05-17 03:21 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-05-17 03:21 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-05-17 03:20 . 2008-05-17 12:57 15,746 --a------ C:\WINDOWS\Ascd_log.ini
2008-05-17 03:20 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-05-17 03:18 . 2008-05-17 12:46 15,498 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-17 03:18 . 2007-07-31 20:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-17 03:18 . 2004-08-12 19:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Program Files\Linksys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\InstallShield
2008-05-02 22:46 . 2008-05-02 22:46 13,529,088 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-04-28 17:12 . 2008-04-28 17:12 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\Nero
2008-04-28 17:10 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Everyone Else
2008-04-28 06:59 . 2008-04-28 06:59 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-28 06:48 . 2008-04-28 06:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-04-28 06:48 . 2008-04-19 17:22 182 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-28 06:47 . 2008-04-02 22:17 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Roxio
2008-04-28 06:44 . 2008-04-28 06:59 256 --a------ C:\Documents and Settings\Timmayy\pool.bin
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-28 06:41 . 2007-07-27 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-28 06:07 . 2008-04-28 06:08 <DIR> d-------- C:\Program Files\Roxio
2008-04-28 06:07 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-28 06:06 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-04-28 06:05 . 2008-04-28 06:05 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-27 23:55 . 2008-04-27 23:55 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Research In Motion
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Apple Computer
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-27 22:26 . 2008-05-20 23:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 22:26 . 2008-04-22 22:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Program Files\QuickTime
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-27 22:15 . 2005-11-18 16:07 3,272,704 --a------ C:\WINDOWS\system32\sapphire_ae.old
2008-04-27 22:15 . 2005-11-20 20:42 3,272,704 --a------ C:\WINDOWS\system32\sapphire_ae.dll
2008-04-27 22:14 . 2008-04-27 22:14 <DIR> d-------- C:\Program Files\GenArts
2008-04-27 21:31 . 2008-04-27 22:23 <DIR> d-------- C:\Program Files\Winamp Remote
2008-04-27 21:31 . 2008-04-06 11:57 <DIR> d-------- C:\Program Files\Winamp
2008-04-27 21:31 . 2008-04-06 15:26 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Winamp
2008-04-27 21:31 . 2008-04-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-04-27 20:52 . 2008-04-27 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-27 12:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-27 12:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-27 12:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-26 22:27 . 2008-04-26 22:27 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Program Files\Nero
2008-04-26 22:25 . 2008-04-26 22:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-26 22:04 . 2008-04-26 22:04 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 21:57 . 2008-04-26 21:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-26 21:50 . 2008-04-26 21:50 4 --a------ C:\WINDOWS\system32\ulfconfig0103.ulf
2008-04-26 21:48 . 2008-04-26 21:48 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-26 21:33 . 2008-04-26 21:33 <DIR> d-------- C:\Program Files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 13:38 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\WTablet
2008-05-21 05:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-21 05:03 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-17 21:30 577,536 ----a-w C:\WINDOWS\system32\user32.DLL
2008-05-17 20:45 5,939 ----a-w C:\Program Files\install.log
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-28 13:09 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-04-28 13:06 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-23 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-20 02:11 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\AdobeUM
2008-04-19 23:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-19 23:00 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 22:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 20:58 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Autodesk
2008-04-19 20:38 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-19 20:38 --------- d-----w C:\Program Files\Autodesk
2008-04-12 23:41 --------- d-----w C:\Program Files\Tablet
2008-04-12 22:04 --------- d-----w C:\Program Files\Handbrake
2008-04-12 21:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 21:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 21:18 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Nero8
2008-04-12 18:29 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\dvdcss
2008-04-10 06:00 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Ahead
2008-04-07 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 04:17 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\vlc
2008-04-07 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 03:24 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Intuit
2008-04-07 03:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 03:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 03:11 --------- d-----w C:\Program Files\TurboTax
2008-03-30 21:00 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\Softimage
2008-03-23 17:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Real
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\Java
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\element5 Shared
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Alias Shared
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-23 16:41 --------- d-----w C:\Program Files\Ahead
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2007-07-27 12:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll.000
577,536 2008-05-17 21:30:32 C:\WINDOWS\system32\user32.DLL
577,536 2008-05-17 21:30:32 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-07-27 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-05-17 14:30 577536 eda96cb1c2a0aff31ae322e53ada2552 C:\WINDOWS\system32\user32.DLL
2008-05-17 14:30 577536 eda96cb1c2a0aff31ae322e53ada2552 C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 20:58 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 20:58 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-27 20:57:56 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1999-04-09 13:57:54 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnoffc]
nnnnOffc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\TMH\\Bit_Torrent\\Azureus\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Games\\HellgateLondon\\Launcher.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60614:TCP"= 60614:TCP:@xpsp2res.dll,-22005
"63893:TCP"= 63893:TCP:@xpsp2res.dll,-22005
"18832:TCP"= 18832:TCP:@xpsp2res.dll,-22005
"19535:TCP"= 19535:TCP:@xpsp2res.dll,-22005

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 20:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 20:58]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 20:58]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 20:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;C:\WINDOWS\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 06:17]
S2 WMP300NSvc;WMP300NSvc;"C:\Program Files\Linksys\WMP300N\WLService.exe" "WMP300N.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe
\Shell\setup\command - F:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 05:27:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 06:53:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 6:54:17
ComboFix-quarantined-files.txt 2008-05-22 13:53:48

Pre-Run: 428,888,588,288 bytes free
Post-Run: 428,882,567,168 bytes free

301 --- E O F --- 2008-05-17 20:52:00

#6
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

You can restart your PC


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\kr_done1de
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\yl.po
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\hljwugsf.bin
F:\autorun.exe
F:\setup.exe

Folder::

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


#7
jimmayy

    New Member

  • Topic Starter
  • Member
  • 9 posts
ok here's the log for the combofix.txt:

ComboFix 08-05-21.2 - Timmayy 2008-05-22 18:34:39.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2896 [GMT -7:00]
Running from: C:\Documents and Settings\Timmayy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timmayy\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\kr_done1de
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\yl.po
F:\autorun.exe
F:\setup.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blackster.scr
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\gh.l
C:\WINDOWS\system32\hljwugsf.bin
C:\WINDOWS\system32\kr_done1de
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\yl.po

.
((((((((((((((((((((((((( Files Created from 2008-04-23 to 2008-05-23 )))))))))))))))))))))))))))))))
.

2008-05-20 21:10 . 2008-05-20 21:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-20 21:08 . 2008-05-20 21:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 20:58 . 2008-05-22 06:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Program Files\AVG
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\AVGTOOLBAR
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 20:58 . 2008-05-20 20:58 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-20 20:58 . 2008-05-20 20:58 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-20 20:58 . 2008-05-20 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-20 19:36 . 2008-05-20 19:36 <DIR> d-------- C:\Deckard
2008-05-20 19:12 . 2008-05-20 19:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 19:08 . 2008-05-20 19:31 <DIR> d-------- C:\SDFix
2008-05-20 07:13 . 2008-05-20 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\TmpRecentIcons
2008-05-18 17:15 . 2008-05-20 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 00:45 . 2008-05-20 22:50 <DIR> d-------- C:\Program Files\DCPFLICS
2008-05-17 16:14 . 2008-05-19 23:51 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\TmpRecentIcons
2008-05-17 15:55 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-17 15:55 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-17 15:53 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-17 15:45 . 2008-05-17 15:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-17 14:30 . 2008-05-17 15:08 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-05-17 14:02 . 2008-05-18 16:36 <DIR> d-------- C:\Temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\NVIDIA
2008-05-17 13:22 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-17 13:22 . 2008-05-22 18:30 182,441 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-17 13:22 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-17 13:22 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-17 13:22 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-17 13:22 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-17 12:57 . 2008-05-17 12:57 <DIR> d-------- C:\Program Files\Realtek
2008-05-17 12:56 . 2007-07-26 02:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-17 12:49 . 2008-05-17 12:49 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-05-17 12:46 . 2008-05-17 12:46 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-05-17 12:18 . 2008-05-17 12:18 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-17 11:44 . 2008-05-17 11:48 <DIR> d-------- C:\WINDOWS\NV38523848.TMP
2008-05-17 11:31 . 2008-05-17 11:37 <DIR> d-------- C:\WINDOWS\NV28322484.TMP
2008-05-17 03:48 . 2008-05-17 11:21 <DIR> d-------- C:\WINDOWS\NV28122816.TMP
2008-05-17 03:38 . 2008-05-17 03:38 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-17 03:38 . 2008-05-17 03:38 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-17 03:38 . 2008-05-17 03:38 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-17 03:36 . 2008-05-17 12:27 <DIR> d-------- C:\Program Files\ASUS
2008-05-17 03:36 . 2006-01-10 01:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-17 03:36 . 2006-10-18 12:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-17 03:36 . 2008-05-17 03:36 666 --a------ C:\WINDOWS\setup.iss
2008-05-17 03:32 . 2008-05-17 12:57 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-17 03:31 . 2008-05-17 03:31 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-05-17 03:24 . 2008-05-17 03:24 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-05-17 03:21 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-05-17 03:21 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-05-17 03:21 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-05-17 03:21 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-05-17 03:20 . 2008-05-17 12:57 15,746 --a------ C:\WINDOWS\Ascd_log.ini
2008-05-17 03:20 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-05-17 03:18 . 2008-05-17 12:46 15,498 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-17 03:18 . 2007-07-31 20:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-17 03:18 . 2004-08-12 19:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Program Files\Linksys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\InstallShield
2008-05-02 22:46 . 2008-05-02 22:46 13,529,088 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-04-28 17:12 . 2008-04-28 17:12 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\Nero
2008-04-28 17:10 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Everyone Else
2008-04-28 06:59 . 2008-04-28 06:59 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-28 06:48 . 2008-04-28 06:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-04-28 06:48 . 2008-04-19 17:22 182 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-28 06:47 . 2008-04-02 22:17 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Roxio
2008-04-28 06:44 . 2008-04-28 06:59 256 --a------ C:\Documents and Settings\Timmayy\pool.bin
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-28 06:41 . 2007-07-27 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-28 06:07 . 2008-04-28 06:08 <DIR> d-------- C:\Program Files\Roxio
2008-04-28 06:07 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-28 06:06 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-04-28 06:05 . 2008-04-28 06:05 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-27 23:55 . 2008-04-27 23:55 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Research In Motion
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Apple Computer
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-27 22:26 . 2008-05-20 23:26 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 22:26 . 2008-04-22 22:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Program Files\QuickTime
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-27 22:15 . 2005-11-18 16:07 3,272,704 --a------ C:\WINDOWS\system32\sapphire_ae.old
2008-04-27 22:15 . 2005-11-20 20:42 3,272,704 --a------ C:\WINDOWS\system32\sapphire_ae.dll
2008-04-27 22:14 . 2008-04-27 22:14 <DIR> d-------- C:\Program Files\GenArts
2008-04-27 21:31 . 2008-04-27 22:23 <DIR> d-------- C:\Program Files\Winamp Remote
2008-04-27 21:31 . 2008-04-06 11:57 <DIR> d-------- C:\Program Files\Winamp
2008-04-27 21:31 . 2008-04-06 15:26 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Winamp
2008-04-27 21:31 . 2008-04-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-04-27 20:52 . 2008-04-27 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-27 12:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-27 12:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-27 12:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-26 22:27 . 2008-04-26 22:27 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Program Files\Nero
2008-04-26 22:25 . 2008-04-26 22:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-26 22:04 . 2008-04-26 22:04 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 21:57 . 2008-04-26 21:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-26 21:50 . 2008-04-26 21:50 4 --a------ C:\WINDOWS\system32\ulfconfig0103.ulf
2008-04-26 21:48 . 2008-04-26 21:48 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-26 21:33 . 2008-04-26 21:33 <DIR> d-------- C:\Program Files\PowerISO
2008-04-26 21:04 . 2008-04-26 21:04 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-04-26 20:46 . 2008-05-19 22:48 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-04-26 20:46 . 2008-04-26 20:46 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-26 20:45 . 2007-03-29 05:56 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2008-04-26 20:45 . 2007-03-29 05:56 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2008-04-25 23:55 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-04-25 21:36 . 2008-05-19 21:03 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Azureus
2008-04-25 21:36 . 2008-04-25 21:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-23 01:30 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\WTablet
2008-05-23 01:30 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-21 05:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 21:30 577,536 ----a-w C:\WINDOWS\system32\user32.DLL
2008-05-17 20:45 5,939 ----a-w C:\Program Files\install.log
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-28 13:09 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-04-28 13:06 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-23 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-20 02:11 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\AdobeUM
2008-04-19 23:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-19 23:00 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 22:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 20:58 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Autodesk
2008-04-19 20:38 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-19 20:38 --------- d-----w C:\Program Files\Autodesk
2008-04-12 23:41 --------- d-----w C:\Program Files\Tablet
2008-04-12 22:04 --------- d-----w C:\Program Files\Handbrake
2008-04-12 21:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 21:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 21:18 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Nero8
2008-04-12 18:29 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\dvdcss
2008-04-10 06:00 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Ahead
2008-04-07 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 04:17 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\vlc
2008-04-07 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 03:24 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Intuit
2008-04-07 03:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 03:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 03:11 --------- d-----w C:\Program Files\TurboTax
2008-03-30 21:00 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-25 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\xing shared
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\Sony Shared
2008-03-23 18:11 --------- d-----w C:\Program Files\Common Files\Softimage
2008-03-23 17:17 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Real
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\Nullsoft
2008-03-23 17:16 --------- d-----w C:\Program Files\Common Files\NSV
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\Java
2008-03-23 16:45 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\element5 Shared
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Corel
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\AOL
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Alias Shared
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Ahead
2008-03-23 16:44 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-23 16:41 --------- d-----w C:\Program Files\Ahead
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2007-07-27 12:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll.000
577,536 2008-05-17 21:30:32 C:\WINDOWS\system32\user32.DLL
577,536 2008-05-17 21:30:32 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 11:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 08:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2007-07-27 05:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 11:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-05-17 14:30 577536 eda96cb1c2a0aff31ae322e53ada2552 C:\WINDOWS\system32\user32.DLL
2008-05-17 14:30 577536 eda96cb1c2a0aff31ae322e53ada2552 C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((( snapshot@2008-05-22_ 6.53.45.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 13:38:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-23 01:29:58 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 20:58 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 20:58 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-27 20:57:56 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1999-04-09 13:57:54 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnoffc]
nnnnOffc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\TMH\\Bit_Torrent\\Azureus\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Games\\HellgateLondon\\Launcher.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60614:TCP"= 60614:TCP:@xpsp2res.dll,-22005
"63893:TCP"= 63893:TCP:@xpsp2res.dll,-22005
"18832:TCP"= 18832:TCP:@xpsp2res.dll,-22005
"19535:TCP"= 19535:TCP:@xpsp2res.dll,-22005

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 20:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 20:58]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 20:58]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 20:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;C:\WINDOWS\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 06:17]
S2 WMP300NSvc;WMP300NSvc;"C:\Program Files\Linksys\WMP300N\WLService.exe" "WMP300N.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 05:27:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 18:36:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-22 18:37:14
ComboFix-quarantined-files.txt 2008-05-23 01:36:43
ComboFix2.txt 2008-05-22 13:54:18

Pre-Run: 428,882,989,056 bytes free
Post-Run: 428,860,047,360 bytes free

320 --- E O F --- 2008-05-17 20:52:00

#8
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
You need to install the Recovery Console, restart your PC, then run ComboFix again

There is an infection present that can only be removed if you have the Recovery Console installed

Let me know how that goes

#9
jimmayy

    New Member

  • Topic Starter
  • Member
  • 9 posts
OK, here's the latest ComboFix:
Thanks

ComboFix 08-05-21.2 - Timmayy 2008-05-24 19:10:42.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2882 [GMT -7:00]
Running from: C:\Documents and Settings\Timmayy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timmayy\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-23 19:59 . 2008-05-23 20:10 1,049,814 --a------ C:\original.jpg
2008-05-23 19:59 . 2008-05-23 20:10 1,049,814 --a------ C:\extended.jpg
2008-05-23 19:50 . 2008-05-23 19:50 <DIR> d-------- C:\Program Files\Cucusoft
2008-05-23 19:50 . 2008-05-23 19:50 <DIR> d-------- C:\ConverterOutput
2008-05-23 19:50 . 2004-10-12 14:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-05-23 19:50 . 2004-10-12 14:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-05-23 19:50 . 2004-10-05 16:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-05-23 19:50 . 2004-10-12 14:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-05-23 19:50 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-05-23 19:50 . 2004-10-04 01:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-05-20 21:10 . 2008-05-20 21:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-20 21:08 . 2008-05-20 21:08 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 20:58 . 2008-05-24 18:57 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Program Files\AVG
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\AVGTOOLBAR
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 20:58 . 2008-05-20 20:58 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-20 20:58 . 2008-05-20 20:58 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-20 20:58 . 2008-05-20 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-20 19:36 . 2008-05-20 19:36 <DIR> d-------- C:\Deckard
2008-05-20 19:12 . 2008-05-20 19:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 19:08 . 2008-05-20 19:31 <DIR> d-------- C:\SDFix
2008-05-20 07:13 . 2008-05-20 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\TmpRecentIcons
2008-05-18 17:15 . 2008-05-20 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 00:45 . 2008-05-20 22:50 <DIR> d-------- C:\Program Files\DCPFLICS
2008-05-17 16:14 . 2008-05-19 23:51 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\TmpRecentIcons
2008-05-17 15:55 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-17 15:55 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-17 15:53 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-17 15:45 . 2008-05-17 15:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-17 14:30 . 2008-05-17 15:08 16,768 --a------ C:\WINDOWS\system32\tcpip_patcher.sys
2008-05-17 14:02 . 2008-05-22 23:13 <DIR> d-------- C:\Temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\NVIDIA
2008-05-17 13:22 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-17 13:22 . 2008-05-24 19:32 182,441 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-17 13:22 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-17 13:22 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-17 13:22 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-17 13:22 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-17 12:57 . 2008-05-17 12:57 <DIR> d-------- C:\Program Files\Realtek
2008-05-17 12:56 . 2007-07-26 02:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-17 12:49 . 2008-05-17 12:49 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-05-17 12:46 . 2008-05-17 12:46 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-05-17 12:18 . 2008-05-17 12:18 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-17 11:44 . 2008-05-17 11:48 <DIR> d-------- C:\WINDOWS\NV38523848.TMP
2008-05-17 11:31 . 2008-05-17 11:37 <DIR> d-------- C:\WINDOWS\NV28322484.TMP
2008-05-17 03:48 . 2008-05-17 11:21 <DIR> d-------- C:\WINDOWS\NV28122816.TMP
2008-05-17 03:38 . 2008-05-17 03:38 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-17 03:38 . 2008-05-17 03:38 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-17 03:38 . 2008-05-17 03:38 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-17 03:36 . 2008-05-17 12:27 <DIR> d-------- C:\Program Files\ASUS
2008-05-17 03:36 . 2006-01-10 01:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-17 03:36 . 2006-10-18 12:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-17 03:36 . 2008-05-17 03:36 666 --a------ C:\WINDOWS\setup.iss
2008-05-17 03:32 . 2008-05-17 12:57 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-17 03:31 . 2008-05-17 03:31 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-05-17 03:24 . 2008-05-17 03:24 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-05-17 03:21 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-05-17 03:21 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-05-17 03:21 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-05-17 03:21 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-05-17 03:20 . 2008-05-17 12:57 15,746 --a------ C:\WINDOWS\Ascd_log.ini
2008-05-17 03:20 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-05-17 03:18 . 2008-05-17 12:46 15,498 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-17 03:18 . 2007-07-31 20:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-17 03:18 . 2004-08-12 19:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Program Files\Linksys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\InstallShield
2008-05-02 22:46 . 2008-05-02 22:46 13,529,088 --a------ C:\WINDOWS\system32\nvcpl.dll
2008-04-28 17:12 . 2008-04-28 17:12 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\Nero
2008-04-28 17:10 . 2008-05-20 20:58 <DIR> d-------- C:\Documents and Settings\Everyone Else
2008-04-28 06:59 . 2008-04-28 06:59 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-28 06:48 . 2008-04-28 06:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-04-28 06:48 . 2008-05-23 20:13 182 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-28 06:47 . 2008-04-02 22:17 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Roxio
2008-04-28 06:44 . 2008-04-28 06:59 256 --a------ C:\Documents and Settings\Timmayy\pool.bin
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-04-28 06:41 . 2007-07-27 05:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sonic
2008-04-28 06:09 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2008-04-28 06:07 . 2008-04-28 06:08 <DIR> d-------- C:\Program Files\Roxio
2008-04-28 06:07 . 2008-04-28 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Roxio
2008-04-28 06:06 . 2007-01-18 10:24 26,496 -ra------ C:\WINDOWS\system32\drivers\RimSerial.sys
2008-04-28 06:05 . 2008-04-28 06:05 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-27 23:55 . 2008-04-27 23:55 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Research In Motion
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-04-27 22:33 . 2008-04-27 22:33 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Apple Computer
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-27 22:27 . 2008-04-27 22:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-27 22:26 . 2008-05-23 19:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-27 22:26 . 2008-04-22 22:50 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Program Files\QuickTime
2008-04-27 22:25 . 2008-04-27 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-27 22:15 . 2005-11-20 20:42 3,272,704 --a------ C:\WINDOWS\system32\sapphire_ae.dll
2008-04-27 21:31 . 2008-04-27 22:23 <DIR> d-------- C:\Program Files\Winamp Remote
2008-04-27 21:31 . 2008-04-06 11:57 <DIR> d-------- C:\Program Files\Winamp
2008-04-27 21:31 . 2008-04-06 15:26 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Winamp
2008-04-27 21:31 . 2008-04-27 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OrbNetworks
2008-04-27 20:52 . 2008-04-27 20:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-04-27 19:33 . 2008-04-27 19:33 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-04-27 12:34 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-27 12:34 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-27 12:34 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-26 22:27 . 2008-04-26 22:27 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Program Files\Nero
2008-04-26 22:25 . 2008-04-26 22:26 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-04-26 22:25 . 2008-04-26 22:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-26 22:04 . 2008-04-26 22:04 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 21:57 . 2008-04-26 21:57 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-04-26 21:50 . 2008-04-26 21:50 4 --a------ C:\WINDOWS\system32\ulfconfig0103.ulf
2008-04-26 21:48 . 2008-04-26 21:48 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2008-04-26 21:33 . 2008-04-26 21:33 <DIR> d-------- C:\Program Files\PowerISO

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 02:32 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\WTablet
2008-05-25 02:13 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-21 05:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-17 20:45 5,939 ----a-w C:\Program Files\install.log
2008-05-03 05:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-04-28 13:09 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-04-28 13:06 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-23 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-20 02:11 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\AdobeUM
2008-04-19 23:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-19 23:00 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 22:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 20:58 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Autodesk
2008-04-19 20:38 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-19 20:38 --------- d-----w C:\Program Files\Autodesk
2008-04-12 23:41 --------- d-----w C:\Program Files\Tablet
2008-04-12 22:04 --------- d-----w C:\Program Files\Handbrake
2008-04-12 21:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 21:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 21:18 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Nero8
2008-04-12 18:29 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\dvdcss
2008-04-10 06:00 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Ahead
2008-04-07 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 04:17 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\vlc
2008-04-07 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 03:24 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Intuit
2008-04-07 03:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 03:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 03:11 --------- d-----w C:\Program Files\TurboTax
2008-03-25 16:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\nView_Profiles
.
Infected C:\WINDOWS\system32\user32.dll hex repaired


((((((((((((((((((((((((((((( [email protected]_ 6.53.45.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 13:38:05 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 02:12:53 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 20:58 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 20:58 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-27 20:57:56 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1999-04-09 13:57:54 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnnoffc]
nnnnOffc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\TMH\\Bit_Torrent\\Azureus\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Games\\HellgateLondon\\Launcher.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60614:TCP"= 60614:TCP:@xpsp2res.dll,-22005
"63893:TCP"= 63893:TCP:@xpsp2res.dll,-22005
"18832:TCP"= 18832:TCP:@xpsp2res.dll,-22005
"19535:TCP"= 19535:TCP:@xpsp2res.dll,-22005

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 20:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 20:58]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 20:58]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 20:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;C:\WINDOWS\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 06:17]
S2 WMP300NSvc;WMP300NSvc;"C:\Program Files\Linksys\WMP300N\WLService.exe" "WMP300N.exe" []

.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 05:27:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 19:32:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DCPFLICS\DCPFLICS.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
.
**************************************************************************
.
Completion time: 2008-05-24 19:34:05 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 02:33:55
ComboFix2.txt 2008-05-23 01:37:15
ComboFix3.txt 2008-05-22 13:54:18

Pre-Run: 426,013,966,336 bytes free
Post-Run: 425,981,022,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

289 --- E O F --- 2008-05-17 20:52:00

#10
Rorschach112

    Ralphie

  • Retired Staff
  • 47,710 posts
Hello

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner and click Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


Also post a new HijackThis log

#11
jimmayy

    New Member

  • Topic Starter
  • Member
  • 9 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, May 26, 2008 2:49:07 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/05/2008
Kaspersky Anti-Virus database records: 801091
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 199645
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:16:34

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg8\emc\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgcore.log.2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avglng.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgscan.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsched.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgsrm.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\avgwd.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\Log\commonpriv.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg8\scanlogs\I_00000006.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Nero\Nero8\Nero BackItUp\Cache\NeroBackItUpScheduler3.log Object is locked skipped
C:\Documents and Settings\Everyone Else\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Everyone Else\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Timmayy\Application Data\Autodesk\3DSMAX\10\C56C19AE-E55B-4bfe-804E-A734D8F00E3C\10.0.0.86\MC3\Log\MC3Log Object is locked skipped
C:\Documents and Settings\Timmayy\Application Data\Autodesk\WebServices\ws_CommCntr_20080526_0.log Object is locked skipped
C:\Documents and Settings\Timmayy\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\AdskCleanup.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\AHI59E3.tmp Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\events.log Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\prof.log Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\~DF930F.tmp Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temp\~DF931A.tmp Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Timmayy\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Timmayy\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Timmayy\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Nero\Nero8\Nero BackItUp\BIU1.txt Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\user32.dll.vir.vir Infected: Trojan.Win32.Patched.bb skipped
C:\QooBox\Quarantine\catchme2008-05-24_191126.50.zip/user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\QooBox\Quarantine\catchme2008-05-24_191126.50.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CD7CCC5D-6928-4D3E-A871-214827564D96}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dllcache\user32.dll Infected: Trojan.Win32.Patched.bb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CD7CCC5D-6928-4D3E-A871-214827564D96}\RP1\change.log Object is locked skipped

Scan process completed.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:53:16 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\DCPFLICS\dcpflics.exe
C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\Tablet.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Timmayy\Desktop\AdRemove\hijackthis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {10B9E92F-421E-44B2-A093-9DE0F3FAB2BC} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-1202660629-1454471165-839522115-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Everyone Else')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: nnnnoffc - nnnnOffc.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Program Files\DCPFLICS\dcpflics.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcAppFlt.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2008 32-bit 32-bit (mi-raysat_3dsMax2008_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2008\mentalray\satellite\raysat_3dsMax2008_32server.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin32\nSvcIp.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: WMP300NSvc - GEMTEKS - C:\Program Files\Linksys\WMP300N\WLService.exe

--
End of file - 8401 bytes

#12
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

O3 - Toolbar: (no name) - {10B9E92F-421E-44B2-A093-9DE0F3FAB2BC} - (no file)
O20 - Winlogon Notify: nnnnoffc - nnnnOffc.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.




1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\dllcache\user32.dll

Folder::

Registry::

Driver::


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Also tell me how your PC is running
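The two entries the helper picks out above share one property: each is a registry load point whose target file no longer exists ("(no file)" / "(file missing)"), which is the usual leftover after malware has been partially removed and is safe to clear with Fix Checked. As an added example (not part of this thread, and not HijackThis's own logic), the script below parses lines in HijackThis v2.0.2 format and flags orphaned entries, plus two load-point types worth a second look even when the file is present: O20 (AppInit_DLLs / Winlogon Notify, which load into many processes) and O23 services with an unknown publisher. The sample lines are constructed, modelled on entries quoted in this thread; the flagging rules are my own triage heuristics, not a rule set published by the tool.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2.0.2 line format, modelled on the log
# quoted in this thread. Not the full log, and not an official test vector.
SAMPLE_LOG_LINES = [
    r"O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL",
    r"O3 - Toolbar: (no name) - {10B9E92F-421E-44B2-A093-9DE0F3FAB2BC} - (no file)",
    r"O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe",
    r"O20 - AppInit_DLLs: avgrsstx.dll",
    r"O20 - Winlogon Notify: nnnnoffc - nnnnOffc.dll (file missing)",
    r"O23 - Service: DCPFLICS service (DCPFLICS) - Unknown owner - C:\Program Files\DCPFLICS\dcpflics.exe",
]

# HijackThis entries start with a section tag (R0-R3, F0-F3, N1-N4, O1-O24),
# then " - ", then the entry body. Process lists and headers do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Markers HijackThis prints when the registered file cannot be found on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def parse_entry(line):
    """Return (section, body) for a HijackThis entry line, or None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return m.group("section"), m.group("body")


def triage(lines):
    """Apply the triage heuristics (assumptions, see lead-in) to a list of log lines."""
    findings = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue  # blank lines, headers, 'Running processes' paths
        section, body = parsed
        entry = raw.strip()
        if any(marker in body for marker in ORPHAN_MARKERS):
            # Load point whose target is gone: typical malware leftover,
            # removable with 'Fix Checked' without touching a live file.
            findings.append(Finding(section, "orphaned: referenced file is absent", entry))
        elif section == "O20":
            # AppInit_DLLs / Winlogon Notify DLLs load into many processes;
            # confirm the DLL belongs to known software (here: AVG's avgrsstx.dll).
            findings.append(Finding(section, "sensitive load point: verify the DLL", entry))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with unknown publisher: verify the binary", entry))
    return findings


def fix_candidates(findings):
    """Entries a helper would tick for 'Fix Checked': only the orphaned ones."""
    return [f.line for f in findings if f.reason.startswith("orphaned")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    print("\nFix Checked candidates:")
    for line in fix_candidates(triage(SAMPLE_LOG_LINES)):
        print("   ", line)
```

Run against the sample, `fix_candidates` returns exactly the O3 and O20 lines the helper selected; the AVG AppInit_DLLs entry and the unknown-owner service are reported for review only, since both files exist and neither is something a log reader can clear without first checking what the binary is.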

#13
jimmayy (New Member)
  • Topic Starter
  • Member
  • 9 posts
ComboFix 08-05-21.2 - Timmayy 2008-05-26 19:39:09.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2774 [GMT -7:00]
Running from: C:\Documents and Settings\Timmayy\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Timmayy\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dllcache\user32.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\install.exe
C:\WINDOWS\system32\dllcache\user32.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
2008-05-26 18:54 . 2008-05-26 18:54 <DIR> d-------- C:\Program Files\MSECACHE
2008-05-26 18:31 . 2008-03-05 15:56 3,952,144 --a------ C:\WINDOWS\system32\D3DX9d_37.dll
2008-05-26 18:31 . 2008-02-05 23:06 3,799,400 --a------ C:\WINDOWS\system32\d3dx9d_33.dll
2008-05-26 18:31 . 2008-02-05 23:06 3,087,208 --a------ C:\WINDOWS\system32\d3d9d.dll
2008-05-26 18:31 . 2008-02-05 23:06 506,384 --a------ C:\WINDOWS\system32\D3DX10d_37.dll
2008-05-26 18:31 . 2008-02-05 23:06 359,624 --a------ C:\WINDOWS\system32\dinput8d.dll
2008-05-26 18:31 . 2008-02-05 23:06 349,416 --a------ C:\WINDOWS\system32\d3dref9.dll
2008-05-26 18:30 . 2008-05-26 18:31 <DIR> d-------- C:\Program Files\Microsoft DirectX SDK (March 2008)
2008-05-26 17:59 . 2008-05-26 17:59 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2008-05-26 17:59 . 2008-05-26 17:59 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-26 17:59 . 2008-05-26 17:59 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-26 17:56 . 2008-05-26 17:56 <DIR> d-------- C:\Program Files\OpenAL
2008-05-26 17:56 . 2008-05-26 17:56 413,696 --a------ C:\WINDOWS\system32\wrap_oal.dll
2008-05-26 17:56 . 2008-05-26 17:56 110,592 --a------ C:\WINDOWS\system32\OpenAL32.dll
2008-05-26 17:49 . 2008-05-26 17:49 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
2008-05-26 17:49 . 2008-05-26 17:49 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-05-26 17:49 . 2008-05-26 17:49 <DIR> d-------- C:\Program Files\MSBuild
2008-05-26 17:49 . 2006-06-29 13:07 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
2008-05-26 17:41 . 2007-03-12 16:42 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2008-05-26 17:41 . 2007-03-12 16:42 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2008-05-26 17:41 . 2007-03-15 16:57 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2008-05-26 17:37 . 2008-05-26 18:58 <DIR> d-------- C:\Program Files\Steam
2008-05-26 00:15 . 2008-05-26 00:15 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-26 00:15 . 2008-05-26 00:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-25 15:47 . 2008-05-25 15:49 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\AVGTOOLBAR
2008-05-23 19:59 . 2008-05-23 20:10 1,049,814 --a------ C:\original.jpg
2008-05-23 19:59 . 2008-05-23 20:10 1,049,814 --a------ C:\extended.jpg
2008-05-23 19:50 . 2008-05-23 19:50 <DIR> d-------- C:\Program Files\Cucusoft
2008-05-23 19:50 . 2008-05-23 19:50 <DIR> d-------- C:\ConverterOutput
2008-05-23 19:50 . 2004-10-12 14:40 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2008-05-23 19:50 . 2004-10-12 14:46 1,761,280 --a------ C:\WINDOWS\system32\ffdshow.ax
2008-05-23 19:50 . 2004-10-05 16:16 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2008-05-23 19:50 . 2004-10-12 14:42 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2008-05-23 19:50 . 2003-04-03 00:17 172,032 --a------ C:\WINDOWS\system32\ac3filter.ax
2008-05-23 19:50 . 2004-10-04 01:50 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2008-05-20 21:10 . 2008-05-20 21:21 <DIR> d-------- C:\Program Files\Eusing Free Registry Cleaner
2008-05-20 21:08 . 2008-05-26 13:04 <DIR> d--h----- C:\$AVG8.VAULT$
2008-05-20 20:58 . 2008-05-26 17:25 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-05-20 20:58 . 2008-05-20 20:58 <DIR> d-------- C:\Program Files\AVG
2008-05-20 20:58 . 2008-05-26 00:14 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\AVGTOOLBAR
2008-05-20 20:58 . 2008-05-26 02:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-05-20 20:58 . 2008-05-20 20:58 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-20 20:58 . 2008-05-20 20:58 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-20 20:58 . 2008-05-20 20:58 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-05-20 19:36 . 2008-05-20 19:36 <DIR> d-------- C:\Deckard
2008-05-20 19:12 . 2008-05-20 19:12 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-20 19:08 . 2008-05-20 19:31 <DIR> d-------- C:\SDFix
2008-05-20 07:13 . 2008-05-20 07:13 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 22:34 . 2008-05-19 22:34 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\TmpRecentIcons
2008-05-18 17:15 . 2008-05-20 21:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 00:45 . 2008-05-20 22:50 <DIR> d-------- C:\Program Files\DCPFLICS
2008-05-17 16:14 . 2008-05-19 23:51 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\TmpRecentIcons
2008-05-17 15:55 . 2007-07-19 18:14 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 1,358,192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2008-05-17 15:55 . 2007-07-19 18:14 444,776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2008-05-17 15:55 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2008-05-17 15:53 . 2008-05-17 15:53 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-17 15:45 . 2008-05-17 15:45 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-17 14:02 . 2008-05-26 18:48 <DIR> d-------- C:\Temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\temp
2008-05-17 13:45 . 2008-05-17 13:45 <DIR> d-------- C:\Documents and Settings\All Users\Gamespot
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-17 13:22 . 2008-05-17 13:22 <DIR> d-------- C:\NVIDIA
2008-05-17 13:22 . 2008-05-02 22:46 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-05-17 13:22 . 2008-05-26 18:58 182,441 --a------ C:\WINDOWS\system32\nvapps.xml
2008-05-17 13:22 . 2008-05-02 22:46 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-05-17 13:22 . 2008-05-02 22:46 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-05-17 13:22 . 2008-05-02 22:46 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-05-17 13:22 . 2008-05-02 22:46 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-05-17 12:57 . 2008-05-17 12:57 <DIR> d-------- C:\Program Files\Realtek
2008-05-17 12:56 . 2007-07-26 02:09 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-17 12:49 . 2008-05-17 12:49 <DIR> d-------- C:\Program Files\NVIDIA Corporation
2008-05-17 12:46 . 2008-05-17 12:46 <DIR> dr------- C:\WINDOWS\AsDmiHtm
2008-05-17 12:18 . 2008-05-17 12:18 <DIR> d-------- C:\Program Files\RegCleaner
2008-05-17 11:44 . 2008-05-17 11:48 <DIR> d-------- C:\WINDOWS\NV38523848.TMP
2008-05-17 11:31 . 2008-05-17 11:37 <DIR> d-------- C:\WINDOWS\NV28322484.TMP
2008-05-17 03:48 . 2008-05-17 11:21 <DIR> d-------- C:\WINDOWS\NV28122816.TMP
2008-05-17 03:38 . 2008-05-17 03:38 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-17 03:38 . 2008-05-17 03:38 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-05-17 03:38 . 2008-05-17 03:38 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-05-17 03:36 . 2008-05-17 12:27 <DIR> d-------- C:\Program Files\ASUS
2008-05-17 03:36 . 2006-01-10 01:50 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-17 03:36 . 2006-10-18 12:12 12,664 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-17 03:36 . 2008-05-17 03:36 666 --a------ C:\WINDOWS\setup.iss
2008-05-17 03:32 . 2008-05-17 12:57 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2008-05-17 03:31 . 2008-05-17 03:31 315,392 --a------ C:\WINDOWS\HideWin.exe
2008-05-17 03:24 . 2008-05-17 03:24 <DIR> d-------- C:\WINDOWS\ASUSInstAll
2008-05-17 03:21 . 2007-08-08 20:03 353,280 -ra------ C:\WINDOWS\system32\idecoiins.dll
2008-05-17 03:21 . 2007-10-12 01:14 194,048 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2008-05-17 03:21 . 2007-08-08 20:11 102,400 -ra------ C:\WINDOWS\system32\drivers\nvgts.sys
2008-05-17 03:21 . 2007-10-12 01:01 3,276 -ra------ C:\WINDOWS\system32\drivers\nvphy.bin
2008-05-17 03:20 . 2008-05-17 12:57 15,746 --a------ C:\WINDOWS\Ascd_log.ini
2008-05-17 03:20 . 2007-10-12 01:14 9,216 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a------ C:\WINDOWS\system32\drivers\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 61,056 --a--c--- C:\WINDOWS\system32\dllcache\ohci1394.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a------ C:\WINDOWS\system32\drivers\1394bus.sys
2008-05-17 03:19 . 2004-08-03 23:10 53,248 --a--c--- C:\WINDOWS\system32\dllcache\1394bus.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a------ C:\WINDOWS\system32\drivers\enum1394.sys
2008-05-17 03:19 . 2001-08-17 13:46 6,400 --a--c--- C:\WINDOWS\system32\dllcache\enum1394.sys
2008-05-17 03:18 . 2008-05-17 12:46 15,498 --a------ C:\WINDOWS\Ascd_tmp.ini
2008-05-17 03:18 . 2007-07-31 20:39 12,536 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2008-05-17 03:18 . 2004-08-12 19:56 5,810 -ra------ C:\WINDOWS\system32\drivers\ASACPI.sys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Program Files\Linksys
2008-05-11 17:12 . 2008-05-11 17:12 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\InstallShield
2008-05-06 16:54 . 2008-05-06 16:54 390,432 --a------ C:\WINDOWS\system32\PhysX.cpl
2008-04-30 13:55 . 2008-04-30 13:55 70,944 --a------ C:\WINDOWS\system32\PhysXLoader.dll
2008-04-28 17:12 . 2008-04-28 17:12 <DIR> d-------- C:\Documents and Settings\Everyone Else\Application Data\Nero
2008-04-28 17:10 . 2008-05-26 00:07 <DIR> d-------- C:\Documents and Settings\Everyone Else
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelTraditionalChinese.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelSwedish.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelSpanish.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelSimplifiedChinese.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelPortugese.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelKorean.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelJapanese.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelGerman.dll
2008-04-28 11:11 . 2008-04-28 11:11 53,248 --a------ C:\WINDOWS\system32\AgCPanelFrench.dll
2008-04-28 06:59 . 2008-04-28 06:59 <DIR> d-------- C:\Program Files\MSXML 6.0
2008-04-28 06:48 . 2008-04-28 06:48 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Roxio
2008-04-28 06:48 . 2008-05-23 20:13 182 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-28 06:47 . 2008-04-02 22:17 <DIR> d-------- C:\Documents and Settings\Timmayy\Application Data\Roxio
2008-04-28 06:44 . 2008-04-28 06:59 256 --a------ C:\Documents and Settings\Timmayy\pool.bin
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-04-28 06:43 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 01:58 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\WTablet
2008-05-26 07:07 --------- d-----w C:\Documents and Settings\Everyone Else\Application Data\WTablet
2008-05-25 02:13 --------- d-----w C:\Documents and Settings\LocalService\Application Data\WTablet
2008-05-21 05:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-20 04:03 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Azureus
2008-05-17 21:30 577,536 ----a-w C:\WINDOWS\system32\user32.DLL
2008-05-17 20:45 5,939 ----a-w C:\Program Files\install.log
2008-05-01 00:27 442,368 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2008-04-28 13:09 --------- d-----w C:\Program Files\Common Files\Sonic Shared
2008-04-28 13:06 --------- d-----w C:\Program Files\Common Files\Research In Motion
2008-04-27 05:27 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Nero
2008-04-27 05:26 --------- d-----w C:\Program Files\Common Files\Nero
2008-04-27 05:25 --------- d-----w C:\Program Files\Nero
2008-04-27 05:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-27 05:04 --------- d-----w C:\Program Files\Bonjour
2008-04-27 04:57 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2008-04-27 04:33 --------- d-----w C:\Program Files\PowerISO
2008-04-26 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-04-26 04:35 --------- d-----w C:\Program Files\Java
2008-04-26 03:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\NVIDIA
2008-04-23 02:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-04-20 02:11 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\AdobeUM
2008-04-19 23:02 --------- d-----w C:\Program Files\AviSynth 2.5
2008-04-19 23:00 --------- d-----w C:\Program Files\eRightSoft
2008-04-19 22:25 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-19 20:58 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Autodesk
2008-04-19 20:38 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2008-04-19 20:38 --------- d-----w C:\Program Files\Autodesk
2008-04-12 23:41 --------- d-----w C:\Program Files\Tablet
2008-04-12 22:04 --------- d-----w C:\Program Files\Handbrake
2008-04-12 21:56 --------- d-----w C:\Program Files\DVD Decrypter
2008-04-12 21:54 --------- d-----w C:\Program Files\DVD Shrink
2008-04-12 21:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-04-12 21:18 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Nero8
2008-04-12 18:29 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\dvdcss
2008-04-10 06:00 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Ahead
2008-04-07 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-07 04:17 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\vlc
2008-04-07 04:15 --------- d-----w C:\Program Files\VideoLAN
2008-04-07 03:24 --------- d-----w C:\Documents and Settings\Timmayy\Application Data\Intuit
2008-04-07 03:14 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-04-07 03:12 --------- d-----w C:\Program Files\Common Files\Intuit
2008-04-07 03:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-04-07 03:11 --------- d-----w C:\Program Files\TurboTax
2008-03-30 21:00 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-05 23:03 479,752 ----a-w C:\WINDOWS\system32\XAudio2_0.dll
2008-03-05 23:03 238,088 ----a-w C:\WINDOWS\system32\xactengine3_0.dll
2008-03-05 23:00 25,608 ----a-w C:\WINDOWS\system32\X3DAudio1_3.dll
2008-03-05 22:56 3,786,760 ----a-w C:\WINDOWS\system32\D3DX9_37.dll
2008-03-05 22:56 1,420,824 ----a-w C:\WINDOWS\system32\D3DCompiler_37.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-05-20 20:58 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL [2008-05-20 20:58 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 05:00 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-05-26 17:37 1271032]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-20 20:58 1177368]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2008-04-27 20:57:56 25214]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [1999-04-09 13:57:54 110592]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"D:\\TMH\\Bit_Torrent\\Azureus\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"D:\\Games\\HellgateLondon\\Launcher.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\monitor.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\manager.exe"=
"C:\\Program Files\\Autodesk\\Backburner\\server.exe"=
"C:\\Program Files\\Autodesk\\3ds Max 2008\\3dsmax.exe"=
"C:\\Program Files\\Electronic Arts\\Crytek\\Crysis SP Demo\\Bin32\\Crysis.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"60614:TCP"= 60614:TCP:@xpsp2res.dll,-22005
"63893:TCP"= 63893:TCP:@xpsp2res.dll,-22005
"18832:TCP"= 18832:TCP:@xpsp2res.dll,-22005
"19535:TCP"= 19535:TCP:@xpsp2res.dll,-22005

R0 nvgts;nvgts;C:\WINDOWS\system32\DRIVERS\nvgts.sys [2007-08-08 20:11]
R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-20 20:58]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-20 20:58]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-20 20:58]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-20 20:58]
R3 wacommousefilter;Wacom Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\wacommousefilter.sys [2007-02-16 11:12]
R3 wacomvhid;Wacom Virtual Hid Driver;C:\WINDOWS\system32\DRIVERS\wacomvhid.sys [2007-02-16 10:30]
R3 WacomVKHid;Virtual Keyboard Driver;C:\WINDOWS\system32\DRIVERS\WacomVKHid.sys [2007-02-15 16:11]
R3 WMP300Nv1;Linksys Wireless-N PCI Adapter WMP300N Driver;C:\WINDOWS\system32\DRIVERS\WMP300Nv1.sys [2007-10-18 06:17]
S2 WMP300NSvc;WMP300NSvc;"C:\Program Files\Linksys\WMP300N\WLService.exe" "WMP300N.exe" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 05:27:14 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 19:39:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 19:40:13
ComboFix-quarantined-files.txt 2008-05-27 02:40:11
ComboFix2.txt 2008-05-25 02:34:06
ComboFix3.txt 2008-05-23 01:37:15
ComboFix4.txt 2008-05-22 13:54:18

Pre-Run: 420,333,662,208 bytes free
Post-Run: 420,314,603,520 bytes free

285 --- E O F --- 2008-05-17 20:52:00

My PC is running well; I haven't had any issues with popups or anything weird :) The only problem I am having (I don't know if it is related to what was on my machine) is trying to install Gears of War PC: I either get "setup.exe is an invalid win32 application" or "This application has failed to start because the application configuration is incorrect."
I can't even copy files from the DVD.
Other than that everything is running well.
Thanks

#14
Rorschach112 (Ralphie)
  • Retired Staff
  • 47,710 posts
Hello

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Also post a new HijackThis log

#15
jimmayy (New Member)
  • Topic Starter
  • Member
  • 9 posts
Do you think the malware on my machine is causing the game to not install? I do remember when all the stuff was on my machine (popups, etc.) the game was installing till about 75%, then it would hang; but as we began to clean up my machine the disk no longer lets me run setup.exe. It sees everything on the disk but it doesn't allow me to run anything from it...or copy locally.
I will get the new logs posted later tonight.
Thanks