
Please check my Hijackthislog [RESOLVED]



#1
martinzx13
Member
21 posts
Hi guys/girls,

Could someone please check my logfile? I have followed your guide before posting to the best of my knowledge. I have caught a Win32 dropper?
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:15:31 PM, on 5/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 3308 bytes


I am an older user, and not that computer literate, so any help would be greatly appreciated.

Thanks in advance, Martin

Edited by Mike, 02 June 2008 - 02:03 PM.




#2
martinzx13
Topic Starter
Member
21 posts
I have followed your excellent guides to the best of my knowledge. During a Malwarebytes scan it revealed I have an infection called:

fakebeep.sys

When I deleted it my system crashed! I had to use a restore point to use the PC again. I have done a ComboFix scan, attached below. Please take the time to help.

Many thanks, Martin

ComboFix 08-05-21.3 - Bossman 2008-05-24 11:40:21.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.680 [GMT 2:00]
Running from: C:\Documents and Settings\Bossman\Desktop\Combo-Fix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
.

2008-05-23 21:54 . 2008-05-23 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-05-23 15:53 . 2008-04-14 05:42 116,224 -----c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-23 15:53 . 2001-08-17 22:37 99,865 -----c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-23 15:53 . 2001-08-17 22:37 27,648 -----c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-23 15:53 . 2001-08-17 22:36 23,040 -----c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-23 15:53 . 2008-04-14 05:42 18,944 -----c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-23 15:53 . 2001-08-17 22:37 4,608 -----c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-23 15:51 . 2001-08-17 13:28 765,884 -----c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-23 15:50 . 2001-08-17 13:28 794,654 -----c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-23 15:49 . 2001-08-17 22:36 525,568 -----c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-23 15:48 . 2001-08-17 14:01 241,664 -----c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-23 15:47 . 2001-08-17 12:18 285,760 -----c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-23 15:46 . 2001-08-17 22:36 114,688 -----c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-05-23 15:46 . 2001-08-17 22:36 106,584 -----c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-05-23 15:46 . 2001-08-17 13:51 61,824 -----c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-05-23 15:46 . 2001-08-17 12:51 37,040 -----c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-05-23 15:46 . 2001-08-17 22:36 24,660 -----c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-05-23 15:46 . 2001-08-17 12:51 20,752 -----c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-05-23 15:46 . 2001-08-17 14:07 19,072 -----c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-05-23 15:46 . 2001-08-17 13:53 9,600 -----c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-05-23 15:46 . 2001-08-17 13:56 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-23 15:46 . 2008-04-14 00:10 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-05-23 15:46 . 2001-08-17 13:53 7,040 -----c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-05-23 15:44 . 2001-08-17 22:36 386,560 -----c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-23 15:43 . 2001-08-17 22:36 495,616 -----c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-05-23 15:42 . 2001-08-17 14:56 210,496 -----c--- C:\WINDOWS\system32\dllcache\s3mvirge.dll
2008-05-23 15:41 . 2001-08-17 13:28 899,146 -----c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-05-23 15:40 . 2008-04-14 05:42 363,520 -----c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-05-23 15:39 . 2001-08-17 14:05 351,616 -----c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-05-23 15:38 . 2008-04-14 00:01 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-05-23 15:37 . 2008-04-13 22:05 132,695 -----c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-23 15:36 . 2001-08-17 12:50 103,296 -----c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-05-23 15:35 . 2001-08-17 12:50 320,384 -----c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-05-23 15:34 . 2001-08-17 13:28 802,683 -----c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-23 15:33 . 2008-04-14 05:41 253,952 -----c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-05-23 15:32 . 2001-08-17 22:36 372,824 -----c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-05-23 15:31 . 2008-04-14 05:41 702,845 -----c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-23 15:30 . 2001-08-17 22:36 324,608 -----c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-05-23 15:29 . 2001-08-17 14:56 1,733,120 -----c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-23 15:28 . 2001-08-17 12:17 629,952 -----c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-23 15:27 . 2001-08-17 12:14 952,007 -----c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-23 15:26 . 2001-08-17 22:36 614,429 -----c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-05-23 15:25 . 2001-08-17 12:13 980,034 -----c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-23 15:24 . 2001-08-17 13:28 871,388 -----c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-05-23 15:23 . 2001-08-17 13:28 762,780 -----c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-05-23 15:22 . 2008-04-14 00:54 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-05-23 15:01 . 2008-05-23 15:01 <DIR> d-------- C:\WINDOWS\DED53B0BB67C4244AE6AD6FD3C28D1EF.TMP
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 17:10 . 2008-05-22 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 16:51 . 2008-05-22 16:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-23 21:49 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 14:00 . 2008-05-22 14:00 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\skypePM
2008-05-22 13:59 . 2008-05-23 15:01 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\Skype
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 15:51 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-18 15:51 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-18 15:51 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-18 15:51 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-18 15:51 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-18 15:51 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-18 15:51 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-18 15:51 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-18 15:51 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-17 12:55 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-17 12:39 . 2008-05-23 15:00 <DIR> d---s---- C:\Documents and Settings\Martin\UserData
2008-05-17 12:39 . 2008-05-17 12:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Hewlett-Packard
2008-05-16 21:32 . 2008-05-18 16:37 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-16 21:19 . 2008-05-16 21:19 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-16 21:19 . 2008-05-16 21:19 940,794 --------- C:\WINDOWS\system32\LoopyMusic.wav
2008-05-16 21:19 . 2008-05-16 21:19 146,650 --------- C:\WINDOWS\system32\BuzzingBee.wav
2008-05-16 20:23 . 2008-04-14 00:09 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-05-16 20:23 . 2008-04-14 00:09 7,552 -----c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 -----c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 -----c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2008-05-16 20:20 . 2008-05-16 20:20 <DIR> d-------- C:\Program Files\Realtek
2008-05-16 20:20 . 2007-04-10 09:28 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-05-16 20:20 . 2007-03-23 13:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-05-16 20:20 . 2007-04-10 13:04 4,397,568 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 20:20 . 2006-05-04 10:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-05-16 20:20 . 2006-10-11 11:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-05-16 20:20 . 2007-01-12 10:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-16 20:20 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-05-16 20:20 . 2006-07-21 10:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-05-16 20:20 . 2005-05-03 12:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-05-16 20:20 . 2006-08-01 09:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-05-16 20:05 . 2008-02-22 20:26 53,248 --------- C:\WINDOWS\system32\CSVer.dll
2008-05-16 20:01 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Zip Files Opener
2008-05-16 17:55 . 2008-05-23 15:17 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\OnlineArmor
2008-05-16 17:55 . 2008-05-23 23:29 <DIR> d-------- C:\Documents and Settings\Maja
2008-05-16 17:46 . 2008-05-23 16:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\skypePM
2008-05-16 17:45 . 2008-05-23 18:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Skype
2008-05-16 17:43 . 2008-05-16 17:43 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\skypePM
2008-05-16 17:43 . 2008-05-16 17:43 56 ---h----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Skype
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 17:41 . 2008-05-16 20:14 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Skype
2008-05-16 17:40 . 2008-05-16 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-16 17:23 . 2008-05-16 17:23 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Template
2008-05-16 15:41 . 2008-05-16 15:41 <DIR> d-------- C:\Program Files\Foxit Software
2008-05-16 15:38 . 2008-05-16 15:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-16 15:36 . 2008-05-16 15:36 <DIR> d---s---- C:\Documents and Settings\Bossman\UserData
2008-05-16 15:35 . 2008-05-16 15:35 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Hewlett-Packard
2008-05-16 15:14 . 2004-10-08 03:16 35,840 --------- C:\WINDOWS\system32\drivers\AFS2K.SYS
2008-05-16 15:07 . 2008-05-23 14:58 0 --------- C:\hpfr3420.xml
2008-05-16 15:06 . 2008-05-16 15:14 20,458 --------- C:\WINDOWS\hpoins01.dat
2008-05-16 15:06 . 2003-04-07 07:40 16,622 --------- C:\WINDOWS\hpomdl01.dat
2008-05-16 15:05 . 2003-04-07 07:32 561,152 -r------- C:\WINDOWS\system32\hpotscl.dll
2008-05-16 15:05 . 2003-04-07 07:32 81,920 -r------- C:\WINDOWS\system32\hpovst08.dll
2008-05-16 15:05 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-16 15:05 . 2008-04-14 00:15 15,104 -----c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-16 13:52 . 2008-05-16 13:52 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Intuit
2008-05-16 13:16 . 2008-05-16 14:47 376 --------- C:\WINDOWS\ODBC.INI
2008-05-16 13:14 . 2008-05-16 13:14 <DIR> d-------- C:\Program Files\Microsoft.NET
2008-05-16 13:14 . 2008-05-16 13:14 <DIR> d-------- C:\Program Files\Microsoft ActiveSync
2008-05-16 13:13 . 2008-05-16 13:14 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-16 13:11 . 2008-05-16 13:11 <DIR> dr-h----- C:\MSOCache
2008-05-16 12:50 . 2008-05-16 12:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-05-16 12:14 . 2008-05-16 20:20 <DIR> d--h----- C:\Program Files\InstallShield Installation Information

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 15:11 5,236 ------w C:\Program Files\hijackthisnew.txt
2008-04-14 03:55 1,804 ------w C:\WINDOWS\system32\dcache.bin
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 03:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 22:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 22:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 22:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 22:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 22:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 22:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 22:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 22:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 22:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 22:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 22:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 22:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 22:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 22:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 22:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 22:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 22:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 22:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 22:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 22:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 22:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 22:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 22:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 22:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 22:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 22:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 22:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-13 22:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 22:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 22:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 22:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 22:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 22:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 22:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-13 22:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-15 02:51 5545024]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-07-11 06:03:34 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-04-15 02:51 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-15 02:51]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-15 02:51]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-15 02:51]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-04-15 02:51]
S3 FXDrv32;FXDrv32;D:\FXDrv32.sys []

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-24 11:46:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-05-24 11:48:56
ComboFix-quarantined-files.txt 2008-05-24 09:48:43

Pre-Run: 143,738,261,504 bytes free
Post-Run: 143,771,172,864 bytes free

291 --- E O F --- 2008-05-23 13:06:40


Thanks again, Martin

#3
Mike
Malware Monger
Retired Staff
2,745 posts
Hi there martin,

Sorry for the delay, we have tons of logs each day and inevitably some slip through the cracks :)

Please take note of the following points.
  • Please keep in mind that there may be a time difference between us. If you are not in the GMT+1 time zone, then you can expect a slight delay.
  • Please do not run any tools other than what I request of you to run. Some of the tools we will use are very powerful, and using them without the required knowledge could cause more damage and prove to be more troublesome than the problem you are currently facing.
  • If at any time you have a doubt about what you are to do, please stop there and ask. No question is considered dumb here at GeeksToGo!.

I see you ran ComboFix. I understand your frustration, but I hope that in the future you will refrain from running ComboFix unsupervised. Although it is a fantastic tool, it can also be very dangerous, as it is powerful enough to delete essential files and folders on your computer.

That being said, let's begin with the fixes. I do not see much in your logs, are you still experiencing problems, if so could you please give me a little description?

Step 1. Making a CFScript

Please go here to install the Recovery Console and for a guide on using ComboFix.
Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\Alcmtr.exe

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Alcmtr"=-
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
[Animation: dragging CFScript.txt onto ComboFix.exe]

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

Step 2. Running ATF Cleaner

Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step 3. Running Kaspersky Online Virus Scanner

Please run a free online scan with Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
  • In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
  • When you get the Windows dialog asking if you want to install this software, click the "Install" button.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
  • Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.

In your next reply

Please post the log from Combofix.
Please post the log from Kaspersky
Please post a new hijack this log after running the above tools.

If the logs are too big to fit in one reply, please spread them out over multiple replies.
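As an added example (not part of this thread, and not HijackThis or ComboFix code), the script below does mechanically what the helper did by hand in Step 1: it parses the O4 Run entries of the HijackThis log, joins them with the on-disk paths ComboFix resolves under "Reg Loading Points", and emits a CFScript in the File::/Registry:: form shown above. The function and constant names are the example's own; the sample log lines are copied from the logs posted in this thread.

```python
"""Added example: parse the O4 Run entries of a HijackThis log, resolve them with
the paths ComboFix prints under "Reg Loading Points", and emit a CFScript in the
File:: / Registry:: form used in Step 1.  Sample lines are copied from this thread."""
import re
from dataclasses import dataclass

# HijackThis O4 line for a Run key, e.g.  O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
# (Startup-folder O4 lines have a different shape and are skipped.)
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once|Services)?): '
    r'\[(?P<name>[^\]]+)\] (?P<cmd>.+)$')

# ComboFix value line, e.g.  "Alcmtr"="ALCMTR.EXE" [2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe]
# The trailing path is printed only when the value itself is a bare file name.
CF_VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)" '
    r'\[(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (?P<size>\d+)(?: (?P<path>.+?))?\]$')

HIVE_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion",
}

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: wkcalrem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
"""
COMBOFIX_SAMPLE = r"""
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"nwiz"="nwiz.exe" [2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [2005-05-03 12:43 69632 C:\WINDOWS\Alcmtr.exe]
"""

@dataclass
class RunEntry:
    hive: str
    key: str
    name: str
    command: str
    resolved_path: str = ""  # filled in from the ComboFix report when available

    @property
    def image(self) -> str:
        """First token of the command, without surrounding quotes."""
        cmd = self.command.strip()
        if cmd.startswith('"'):
            end = cmd.find('"', 1)
            return cmd[1:end] if end > 0 else cmd[1:]
        return cmd.split()[0]

    @property
    def has_full_path(self) -> bool:
        # A bare name (ALCMTR.EXE, RUNDLL32.EXE) is located via the search path, so
        # the HijackThis line alone does not show which file on disk actually runs.
        return ":\\" in self.image or self.image.startswith("%")

def parse_combofix_paths(report: str) -> dict:
    """Map Run value name -> on-disk path ComboFix resolved it to."""
    paths = {}
    for line in report.splitlines():
        m = CF_VALUE_RE.match(line.strip())
        if m:
            paths[m["name"]] = m["path"] or m["value"]
    return paths

def parse_hjt_run_entries(log: str, paths: dict = None) -> list:
    """Parse O4 Run entries; with a ComboFix path map, fill in resolved_path."""
    entries = []
    for line in log.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            e = RunEntry(m["hive"], m["key"], m["name"], m["cmd"])
            e.resolved_path = (paths or {}).get(e.name, "")
            entries.append(e)
    return entries

def build_cfscript(entries: list) -> str:
    """File:: lists the resolved binaries; Registry:: deletes the Run values
    ("name"=- is the REGEDIT4 delete syntax that ComboFix accepts)."""
    lines = ["File::", *[e.resolved_path for e in entries if e.resolved_path], "", "Registry::"]
    by_key = {}
    for e in entries:
        by_key.setdefault(HIVE_KEYS[e.hive] + "\\" + e.key, []).append(e.name)
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    entries = parse_hjt_run_entries(HJT_SAMPLE, parse_combofix_paths(COMBOFIX_SAMPLE))
    for e in entries:
        print(f"[{e.name}] {e.command}" + ("" if e.has_full_path else f"  -> {e.resolved_path}"))
    print(build_cfscript([e for e in entries if e.name == "Alcmtr"]))
```

Entries whose command is a bare file name are the ones to resolve against the ComboFix report before deciding anything; for the Alcmtr entry the generated CFScript is identical to the one in Step 1.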

#4
martinzx13
Topic Starter
Member
21 posts
Hi Mike,

Thanks so much for taking the time to reply and help; I appreciate it very much.

The problems I had were: 1x Win32 rootkit, 1x Delf trojan, 1x Agent trojan and fake beep system.

Point taken about being hasty with ComboFix. I will refrain from doing anything without appropriate advice.

I have followed your instructions and installed the Recovery Console from the Windows XP CD.

Here are the logs you required.


ComboFix 08-05-21.3 - Bossman 2008-06-01 13:55:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.661 [GMT 2:00]
Running from: C:\Documents and Settings\Bossman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bossman\My Documents\clean\CFscript.txt
* Created a new restore point

FILE ::
c:\WINDOWS\A1cmtr.exe
.

((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-05-31 21:10 . 2008-05-31 21:10 <DIR> d-------- C:\New Folder
2008-05-31 19:10 . 2008-05-31 19:10 <DIR> d-------- C:\Program Files\Alex Feinman
2008-05-30 21:52 . 2008-05-30 21:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 21:52 . 2008-05-30 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 21:08 . 2008-05-30 21:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 15:00 . 2008-05-30 15:00 359 ---h----- C:\Documents and Settings\Martin\Application Data\hpothb07.dat
2008-05-30 14:54 . 2008-05-30 14:59 161 ---h----- C:\Documents and Settings\Martin\hpothb07.dat
2008-05-29 15:20 . 2008-05-29 15:20 1,374 --------- C:\WINDOWS\imsins.BAK
2008-05-28 19:14 . 2008-06-01 13:41 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-05-28 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-04-15 02:51 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-05-28 19:14 . 2008-04-15 02:51 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-05-28 19:14 . 2008-04-15 02:51 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-05-27 16:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 16:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-24 20:37 . 2008-04-14 00:15 26,368 -----c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-24 20:34 . 2008-05-24 20:34 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-24 11:38 . 2008-05-24 11:49 <DIR> d-------- C:\Combo-Fix
2008-05-23 21:54 . 2008-05-23 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-05-23 15:53 . 2008-04-14 05:42 116,224 -----c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-23 15:53 . 2001-08-17 22:37 99,865 -----c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-23 15:53 . 2001-08-17 22:37 27,648 -----c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-23 15:53 . 2001-08-17 22:36 23,040 -----c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-23 15:53 . 2008-04-14 05:42 18,944 -----c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-23 15:53 . 2001-08-17 22:37 4,608 -----c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-23 15:51 . 2001-08-17 13:28 765,884 -----c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-23 15:50 . 2001-08-17 13:28 794,654 -----c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-23 15:49 . 2001-08-17 22:36 525,568 -----c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-23 15:48 . 2001-08-17 14:01 241,664 -----c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-23 15:47 . 2001-08-17 12:18 285,760 -----c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-23 15:46 . 2001-08-17 22:36 114,688 -----c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-05-23 15:46 . 2001-08-17 22:36 106,584 -----c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-05-23 15:46 . 2001-08-17 13:51 61,824 -----c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-05-23 15:46 . 2001-08-17 12:51 37,040 -----c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-05-23 15:46 . 2001-08-17 22:36 24,660 -----c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-05-23 15:46 . 2001-08-17 12:51 20,752 -----c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-05-23 15:46 . 2001-08-17 14:07 19,072 -----c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-05-23 15:46 . 2001-08-17 13:53 9,600 -----c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-05-23 15:46 . 2001-08-17 13:56 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-23 15:46 . 2008-04-14 00:10 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-05-23 15:46 . 2001-08-17 13:53 7,040 -----c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-05-23 15:44 . 2001-08-17 22:36 386,560 -----c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-23 15:43 . 2001-08-17 22:36 495,616 -----c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-05-23 15:42 . 2001-08-17 14:56 210,496 -----c--- C:\WINDOWS\system32\dllcache\s3mvirge.dll
2008-05-23 15:41 . 2001-08-17 13:28 899,146 -----c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-05-23 15:40 . 2008-04-14 05:42 363,520 -----c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-05-23 15:39 . 2001-08-17 14:05 351,616 -----c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-05-23 15:38 . 2008-04-14 00:01 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-05-23 15:37 . 2008-04-13 22:05 132,695 -----c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-23 15:36 . 2001-08-17 12:50 103,296 -----c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-05-23 15:35 . 2001-08-17 12:50 320,384 -----c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-05-23 15:34 . 2001-08-17 13:28 802,683 -----c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-23 15:33 . 2008-04-14 05:41 253,952 -----c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-05-23 15:32 . 2001-08-17 22:36 372,824 -----c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-05-23 15:31 . 2008-04-14 05:41 702,845 -----c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-23 15:30 . 2001-08-17 22:36 324,608 -----c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-05-23 15:29 . 2001-08-17 14:56 1,733,120 -----c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-23 15:28 . 2001-08-17 12:17 629,952 -----c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-23 15:27 . 2001-08-17 12:14 952,007 -----c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-23 15:26 . 2001-08-17 22:36 614,429 -----c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-05-23 15:25 . 2001-08-17 12:13 980,034 -----c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-23 15:24 . 2001-08-17 13:28 871,388 -----c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-05-23 15:23 . 2001-08-17 13:28 762,780 -----c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-05-23 15:22 . 2008-04-14 00:54 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 17:10 . 2008-05-22 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 16:51 . 2008-05-22 16:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-31 12:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 14:00 . 2008-05-22 14:00 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\skypePM
2008-05-22 13:59 . 2008-05-23 15:01 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\Skype
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 15:51 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-18 15:51 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-18 15:51 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-18 15:51 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-18 15:51 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-18 15:51 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-18 15:51 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-18 15:51 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-18 15:51 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-17 12:55 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-17 12:39 . 2008-05-23 15:00 <DIR> d--hs---- C:\Documents and Settings\Martin\UserData
2008-05-17 12:39 . 2008-05-17 12:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Hewlett-Packard
2008-05-16 21:32 . 2008-05-30 01:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-16 21:19 . 2008-05-16 21:19 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-16 21:19 . 2008-05-16 21:19 940,794 --------- C:\WINDOWS\system32\LoopyMusic.wav
2008-05-16 21:19 . 2008-05-16 21:19 146,650 --------- C:\WINDOWS\system32\BuzzingBee.wav
2008-05-16 20:23 . 2008-04-14 00:09 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-05-16 20:23 . 2008-04-14 00:09 7,552 -----c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 -----c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 -----c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2008-05-16 20:20 . 2008-05-16 20:20 <DIR> d-------- C:\Program Files\Realtek
2008-05-16 20:20 . 2007-04-10 09:28 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-05-16 20:20 . 2007-03-23 13:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-05-16 20:20 . 2007-04-10 13:04 4,397,568 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 20:20 . 2006-05-04 10:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-05-16 20:20 . 2006-10-11 11:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-05-16 20:20 . 2007-01-12 10:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-16 20:20 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-05-16 20:20 . 2006-07-21 10:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-05-16 20:20 . 2005-05-03 12:43 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2008-05-16 20:20 . 2006-08-01 09:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-05-16 20:05 . 2008-02-22 20:26 53,248 --------- C:\WINDOWS\system32\CSVer.dll
2008-05-16 20:01 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Zip Files Opener
2008-05-16 17:55 . 2008-05-29 14:59 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\OnlineArmor
2008-05-16 17:55 . 2008-05-23 23:29 <DIR> d-------- C:\Documents and Settings\Maja
2008-05-16 17:46 . 2008-05-31 16:02 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\skypePM
2008-05-16 17:45 . 2008-05-31 19:19 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Skype
2008-05-16 17:43 . 2008-05-16 17:43 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\skypePM
2008-05-16 17:43 . 2008-05-16 17:43 56 ---h----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Skype
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 17:41 . 2008-05-16 20:14 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Skype
2008-05-16 17:40 . 2008-05-16 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-16 17:23 . 2008-05-16 17:23 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Template
2008-05-16 15:41 . 2008-05-16 15:41 <DIR> d-------- C:\Program Files\Foxit Software
2008-05-16 15:38 . 2008-05-16 15:38 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-16 15:36 . 2008-05-16 15:36 <DIR> d---s---- C:\Documents and Settings\Bossman\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 15:11 5,236 ------w C:\Program Files\hijackthisnew.txt
2008-04-14 03:55 1,804 ------w C:\WINDOWS\system32\dcache.bin
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 03:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 22:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 22:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 22:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 22:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 22:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 22:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 22:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 22:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 22:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 22:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 22:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 22:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 22:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 22:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 22:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 22:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 22:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 22:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 22:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 22:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 22:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 22:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 22:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 22:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 22:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 22:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 22:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-13 22:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 22:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 22:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 22:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 22:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 22:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 22:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-13 22:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-24_11.47.42.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 09:30:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 11:40:32 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 20:00:03 1,038,336 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-26 20:00:03 178,688 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-26 20:00:03 171,008 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-26 20:00:03 8,704 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-05-31 17:10:08 3,638 ----a-r C:\WINDOWS\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
+ 2001-07-14 15:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2007-07-11 12:37:26 6,272 ------w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 11:58:08 8,320 ------w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 11:56:58 9,344 ------w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-04-13 22:15:40 26,368 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2007-12-14 10:32:52 12,632 ------w C:\WINDOWS\system32\lsdelete.exe
+ 2008-03-25 03:21:18 2,889,088 ------w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ------w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-05-26 10:09:44 70,264 ------w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2006-07-28 05:10:08 6,144 ------w C:\WINDOWS\system32\mot_ci.dll
- 2007-08-10 18:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-04-14 03:42:40 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-03-27 10:40:24 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-05-31 06:29:25 16,384 -----tw C:\WINDOWS\Temp\Perflib_Perfdata_600.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-15 02:51 5545024]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-07-11 06:03:34 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-04-15 02:51 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-15 02:51]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-15 02:51]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-15 02:51]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-04-15 02:51]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 14:03:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-06-01 14:06:03
ComboFix-quarantined-files.txt 2008-06-01 12:05:54
ComboFix2.txt 2008-05-24 09:48:59

Pre-Run: 42,135,203,840 bytes free
Post-Run: 42,142,445,568 bytes free

315 --- E O F --- 2008-05-29 23:03:27


Kaspersky scan

KASPERSKY ONLINE SCANNER REPORT
Sunday, June 01, 2008 3:25:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 3 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/06/2008
Kaspersky Anti-Virus database records: 820118
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 44548
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:57:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\history.dat Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\key3.db Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\parent.lock Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bossman\Application Data\OnlineArmor\client.dat Object is locked skipped
C:\Documents and Settings\Bossman\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Application Data\Mozilla\Firefox\Profiles\av4ejycy.default\XUL.mfl Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Temp\~DF34A6.tmp Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Bossman\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bossman\ntuser.dat Object is locked skipped
C:\Documents and Settings\Bossman\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\selfdef.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\antispam.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\firewall.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\fwdata.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\history.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\IPRanges.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\NoteBook.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\NoteBook.pak Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\oacached.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\programs.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\reference.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\SentList.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\server.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\signs.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\sites.dat Object is locked skipped
C:\Program Files\Tall Emu\Online Armor\unins000.dat Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{31F78B36-DD87-40D8-8712-885C86E6300D}\RP52\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{82C38EE2-FFE4-4D77-834C-F1B3409326F1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\OADriver.sys Object is locked skipped
C:\WINDOWS\system32\drivers\OAmon.sys Object is locked skipped
C:\WINDOWS\system32\drivers\oanet.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_600.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{31F78B36-DD87-40D8-8712-885C86E6300D}\RP52\change.log Object is locked skipped

Scan process completed.
  • 0

#5
martinzx13

    Member

  • Topic Starter
  • Member
  • 21 posts
Finally, the HijackThis log. Many thanks.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:13 PM, on 6/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{035449FE-DDB5-451D-A8B9-ADE636E2B0A4}: NameServer = 62.162.32.8 62.162.32.9
O17 - HKLM\System\CS1\Services\Tcpip\..\{035449FE-DDB5-451D-A8B9-ADE636E2B0A4}: NameServer = 62.162.32.8 62.162.32.9
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 4980 bytes
  • 0

#6
Mike

    Malware Monger

  • Retired Staff
  • 2,745 posts
Hi there martinzx13,

Did you copy and paste the code or did you type it yourself?

The "L" was replaced with a "1" in C:\WINDOWS\Alcmtr.exe, so it didn't find the file.


Please click Start, then Run; in the window that appears, type in Notepad.exe.
Highlight the entire content of the codebox below. Copy (Control + C) and Paste (Control + V) the content into the notepad window:
File::
C:\WINDOWS\Alcmtr.exe
Now in Notepad, go to File and in the menu that drops down click on Save As...
Save the file as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.
Posted Image

After that please reboot your computer if it asks you to and post ComboFix.txt (the report the ComboFix will generate) in your next reply.

I don't see anything in your logs; are you still experiencing any problems?

Edited by Mike, 01 June 2008 - 01:06 PM.

  • 0

#7
martinzx13

    Member

  • Topic Starter
  • Member
  • 21 posts
Yes, sorry, I did type it; I copied & pasted this one.

There do not seem to be any issues now, only the fake beep.sys.

Many thanks, Martin

ComboFix 08-05-21.3 - Bossman 2008-06-01 21:17:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.629 [GMT 2:00]
Running from: C:\Documents and Settings\Bossman\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bossman\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\Alcmtr.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Alcmtr.exe

.
((((((((((((((((((((((((( Files Created from 2008-05-01 to 2008-06-01 )))))))))))))))))))))))))))))))
.

2008-06-01 14:13 . 2008-06-01 14:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-06-01 14:13 . 2008-06-01 14:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-31 21:10 . 2008-05-31 21:10 <DIR> d-------- C:\New Folder
2008-05-31 19:10 . 2008-05-31 19:10 <DIR> d-------- C:\Program Files\Alex Feinman
2008-05-30 21:52 . 2008-05-30 21:54 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-30 21:52 . 2008-05-30 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-30 21:08 . 2008-05-30 21:08 <DIR> d-------- C:\Program Files\Panda Security
2008-05-30 15:00 . 2008-05-30 15:00 359 ---h----- C:\Documents and Settings\Martin\Application Data\hpothb07.dat
2008-05-30 14:54 . 2008-05-30 14:59 161 ---h----- C:\Documents and Settings\Martin\hpothb07.dat
2008-05-29 15:20 . 2008-05-29 15:20 1,374 --------- C:\WINDOWS\imsins.BAK
2008-05-28 19:14 . 2008-06-01 21:13 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-05-28 19:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\OnlineArmor
2008-05-28 19:14 . 2008-04-15 02:51 80,584 --a------ C:\WINDOWS\system32\drivers\OADriver.sys
2008-05-28 19:14 . 2008-04-15 02:51 32,456 --a------ C:\WINDOWS\system32\drivers\OAmon.sys
2008-05-28 19:14 . 2008-04-15 02:51 28,872 --a------ C:\WINDOWS\system32\drivers\oanet.sys
2008-05-27 16:09 . 2008-05-30 01:06 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-27 16:09 . 2008-05-30 01:06 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-24 20:37 . 2008-04-14 00:15 26,368 -----c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-24 20:34 . 2008-05-24 20:34 <DIR> d-------- C:\Program Files\Common Files\Motorola Shared
2008-05-24 11:38 . 2008-05-24 11:49 <DIR> d-------- C:\Combo-Fix
2008-05-23 21:54 . 2008-05-23 23:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware(2)
2008-05-23 15:53 . 2008-04-14 05:42 116,224 -----c--- C:\WINDOWS\system32\dllcache\xrxwiadr.dll
2008-05-23 15:53 . 2001-08-17 22:37 99,865 -----c--- C:\WINDOWS\system32\dllcache\xlog.exe
2008-05-23 15:53 . 2001-08-17 22:37 27,648 -----c--- C:\WINDOWS\system32\dllcache\xrxftplt.exe
2008-05-23 15:53 . 2001-08-17 22:36 23,040 -----c--- C:\WINDOWS\system32\dllcache\xrxwbtmp.dll
2008-05-23 15:53 . 2008-04-14 05:42 18,944 -----c--- C:\WINDOWS\system32\dllcache\xrxscnui.dll
2008-05-23 15:53 . 2001-08-17 22:37 4,608 -----c--- C:\WINDOWS\system32\dllcache\xrxflnch.exe
2008-05-23 15:51 . 2001-08-17 13:28 765,884 -----c--- C:\WINDOWS\system32\dllcache\usrti.sys
2008-05-23 15:50 . 2001-08-17 13:28 794,654 -----c--- C:\WINDOWS\system32\dllcache\usr1801.sys
2008-05-23 15:49 . 2001-08-17 22:36 525,568 -----c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-05-23 15:48 . 2001-08-17 14:01 241,664 -----c--- C:\WINDOWS\system32\dllcache\tosdvd02.sys
2008-05-23 15:47 . 2001-08-17 12:18 285,760 -----c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-05-23 15:46 . 2001-08-17 22:36 114,688 -----c--- C:\WINDOWS\system32\dllcache\sonypi.dll
2008-05-23 15:46 . 2001-08-17 22:36 106,584 -----c--- C:\WINDOWS\system32\dllcache\spdports.dll
2008-05-23 15:46 . 2001-08-17 13:51 61,824 -----c--- C:\WINDOWS\system32\dllcache\speed.sys
2008-05-23 15:46 . 2001-08-17 12:51 37,040 -----c--- C:\WINDOWS\system32\dllcache\sonypi.sys
2008-05-23 15:46 . 2001-08-17 22:36 24,660 -----c--- C:\WINDOWS\system32\dllcache\spxupchk.dll
2008-05-23 15:46 . 2001-08-17 12:51 20,752 -----c--- C:\WINDOWS\system32\dllcache\sonync.sys
2008-05-23 15:46 . 2001-08-17 14:07 19,072 -----c--- C:\WINDOWS\system32\dllcache\sparrow.sys
2008-05-23 15:46 . 2001-08-17 13:53 9,600 -----c--- C:\WINDOWS\system32\dllcache\sonymc.sys
2008-05-23 15:46 . 2001-08-17 13:56 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-05-23 15:46 . 2008-04-14 00:10 7,552 -----c--- C:\WINDOWS\system32\dllcache\sonyait.sys
2008-05-23 15:46 . 2001-08-17 13:53 7,040 -----c--- C:\WINDOWS\system32\dllcache\snyaitmc.sys
2008-05-23 15:44 . 2001-08-17 22:36 386,560 -----c--- C:\WINDOWS\system32\dllcache\sgiul50.dll
2008-05-23 15:43 . 2001-08-17 22:36 495,616 -----c--- C:\WINDOWS\system32\dllcache\sblfx.dll
2008-05-23 15:42 . 2001-08-17 14:56 210,496 -----c--- C:\WINDOWS\system32\dllcache\s3mvirge.dll
2008-05-23 15:41 . 2001-08-17 13:28 899,146 -----c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-05-23 15:40 . 2008-04-14 05:42 363,520 -----c--- C:\WINDOWS\system32\dllcache\psisdecd.dll
2008-05-23 15:39 . 2001-08-17 14:05 351,616 -----c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-05-23 15:38 . 2008-04-14 00:01 2,023,936 -----c--- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
2008-05-23 15:37 . 2008-04-13 22:05 132,695 -----c--- C:\WINDOWS\system32\dllcache\netwlan5.sys
2008-05-23 15:36 . 2001-08-17 12:50 103,296 -----c--- C:\WINDOWS\system32\dllcache\mtxvideo.sys
2008-05-23 15:35 . 2001-08-17 12:50 320,384 -----c--- C:\WINDOWS\system32\dllcache\mgaum.sys
2008-05-23 15:34 . 2001-08-17 13:28 802,683 -----c--- C:\WINDOWS\system32\dllcache\ltsm.sys
2008-05-23 15:33 . 2008-04-14 05:41 253,952 -----c--- C:\WINDOWS\system32\dllcache\kdsusd.dll
2008-05-23 15:32 . 2001-08-17 22:36 372,824 -----c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-05-23 15:31 . 2008-04-14 05:41 702,845 -----c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-05-23 15:30 . 2001-08-17 22:36 324,608 -----c--- C:\WINDOWS\system32\dllcache\hpojwia.dll
2008-05-23 15:29 . 2001-08-17 14:56 1,733,120 -----c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-05-23 15:28 . 2001-08-17 12:17 629,952 -----c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-05-23 15:27 . 2001-08-17 12:14 952,007 -----c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-05-23 15:26 . 2001-08-17 22:36 614,429 -----c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-05-23 15:25 . 2001-08-17 12:13 980,034 -----c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-05-23 15:24 . 2001-08-17 13:28 871,388 -----c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-05-23 15:23 . 2001-08-17 13:28 762,780 -----c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-05-23 15:22 . 2008-04-14 00:54 2,145,280 -----c--- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-23 15:00 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\CCleaner
2008-05-22 17:10 . 2008-05-22 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-22 16:51 . 2008-05-22 16:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-31 12:58 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Malwarebytes
2008-05-22 16:37 . 2008-05-22 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-22 14:00 . 2008-05-22 14:00 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\skypePM
2008-05-22 13:59 . 2008-05-23 15:01 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\Skype
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-19 19:59 . 2008-05-19 19:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-18 15:51 . 2008-03-01 15:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-05-18 15:51 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-05-18 15:51 . 2007-03-08 07:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-05-18 15:51 . 2008-03-01 15:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-05-18 15:51 . 2008-03-01 15:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-05-18 15:51 . 2008-03-01 15:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-05-18 15:51 . 2008-03-01 15:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-05-18 15:51 . 2008-03-01 15:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-05-18 15:51 . 2008-02-22 12:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-05-17 12:55 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Yahoo!
2008-05-17 12:39 . 2008-05-23 15:00 <DIR> d--hs---- C:\Documents and Settings\Martin\UserData
2008-05-17 12:39 . 2008-05-17 12:39 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Hewlett-Packard
2008-05-16 21:32 . 2008-05-30 01:03 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-05-16 21:19 . 2008-05-16 21:19 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-05-16 21:19 . 2008-05-16 21:19 940,794 --------- C:\WINDOWS\system32\LoopyMusic.wav
2008-05-16 21:19 . 2008-05-16 21:19 146,650 --------- C:\WINDOWS\system32\BuzzingBee.wav
2008-05-16 20:23 . 2008-04-14 00:09 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2008-05-16 20:23 . 2008-04-14 00:09 7,552 -----c--- C:\WINDOWS\system32\dllcache\mskssrv.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2008-05-16 20:23 . 2008-04-14 00:09 5,376 -----c--- C:\WINDOWS\system32\dllcache\mspclock.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2008-05-16 20:23 . 2008-04-14 00:09 4,992 -----c--- C:\WINDOWS\system32\dllcache\mspqm.sys
2008-05-16 20:20 . 2008-05-16 20:20 <DIR> d-------- C:\Program Files\Realtek
2008-05-16 20:20 . 2007-04-10 09:28 16,126,464 -r------- C:\WINDOWS\RTHDCPL.exe
2008-05-16 20:20 . 2007-03-23 13:19 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe
2008-05-16 20:20 . 2007-04-10 13:04 4,397,568 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-05-16 20:20 . 2006-05-04 10:26 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2008-05-16 20:20 . 2006-10-11 11:42 2,157,568 -r------- C:\WINDOWS\MicCal.exe
2008-05-16 20:20 . 2007-01-12 10:54 520,192 -r------- C:\WINDOWS\RtlExUpd.dll
2008-05-16 20:20 . 2005-09-21 04:25 299,008 -r------- C:\WINDOWS\system32\ALSndMgr.cpl
2008-05-16 20:20 . 2006-07-21 10:14 86,016 -r------- C:\WINDOWS\SoundMan.exe
2008-05-16 20:20 . 2006-08-01 09:02 49,152 -r------- C:\WINDOWS\system32\ChCfg.exe
2008-05-16 20:05 . 2008-02-22 20:26 53,248 --------- C:\WINDOWS\system32\CSVer.dll
2008-05-16 20:01 . 2008-05-23 15:00 <DIR> d-------- C:\Program Files\Zip Files Opener
2008-05-16 17:55 . 2008-05-29 14:59 <DIR> d-------- C:\Documents and Settings\Maja\Application Data\OnlineArmor
2008-05-16 17:55 . 2008-05-23 23:29 <DIR> d-------- C:\Documents and Settings\Maja
2008-05-16 17:46 . 2008-05-31 16:02 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\skypePM
2008-05-16 17:45 . 2008-05-31 19:19 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Skype
2008-05-16 17:43 . 2008-05-16 17:43 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\skypePM
2008-05-16 17:43 . 2008-05-16 17:43 56 ---h----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Skype
2008-05-16 17:41 . 2008-05-16 17:41 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 17:41 . 2008-05-16 20:14 <DIR> d-------- C:\Documents and Settings\Bossman\Application Data\Skype
2008-05-16 17:40 . 2008-05-16 17:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-16 17:23 . 2008-05-16 17:23 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Template
2008-05-16 15:41 . 2008-05-16 15:41 <DIR> d-------- C:\Program Files\Foxit Software
2008-05-16 15:38 . 2008-05-16 15:38 <DIR> d-------- C:\Program Files\Common Files\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 15:11 5,236 ------w C:\Program Files\hijackthisnew.txt
2008-04-14 03:55 1,804 ------w C:\WINDOWS\system32\dcache.bin
2008-04-14 03:46 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
2008-04-14 03:43 92,424 ----a-w C:\WINDOWS\system32\rdpdd.dll
2008-04-14 03:43 87,176 ----a-w C:\WINDOWS\system32\rdpwsx.dll
2008-04-14 03:43 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 03:43 299,520 ----a-w C:\WINDOWS\system32\drmclien.dll
2008-04-14 03:43 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 03:43 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 03:43 12,168 ----a-w C:\WINDOWS\system32\tsddd.dll
2008-04-14 03:43 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 03:41 98,304 ----a-w C:\WINDOWS\system32\actxprxy.dll
2008-04-14 03:40 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
2008-04-14 03:40 4,126 ----a-w C:\WINDOWS\system32\msdxmlc.dll
2008-04-14 03:40 3,584 ----a-w C:\WINDOWS\system32\msafd.dll
2008-04-14 03:40 102,912 ----a-w C:\WINDOWS\system32\dpcdll.dll
2008-04-13 23:00 1,845,632 ----a-w C:\WINDOWS\system32\win32k.sys
2008-04-13 22:58 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 22:57 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-04-13 22:51 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 22:50 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 22:50 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 22:50 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 22:49 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 22:49 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 22:49 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 22:49 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 22:49 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 22:48 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 22:47 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 22:47 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 22:47 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 22:46 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 22:46 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 22:45 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 22:45 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 22:45 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 22:45 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 22:44 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 22:44 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 22:30 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 22:30 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 22:30 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 22:27 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 22:27 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 22:27 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 22:27 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 22:27 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 22:27 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 22:27 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 22:26 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 22:26 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 22:26 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 22:26 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 22:26 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 22:26 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 22:26 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 22:26 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 22:26 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 22:26 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 22:25 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 22:24 88,192 ----a-w C:\WINDOWS\system32\drivers\irda.sys
2008-04-13 22:24 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 22:23 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 22:23 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 22:23 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 22:23 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 22:21 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 22:21 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 22:21 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 22:21 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 22:21 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 22:17 25,856 ----a-w C:\WINDOWS\system32\drivers\usbprint.sys
2008-04-13 22:16 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 22:16 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 22:16 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 22:16 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 22:16 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 22:16 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 22:16 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 22:16 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 22:16 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 22:14 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 22:14 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 22:14 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 22:14 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 22:13 9,728 ------w C:\WINDOWS\system32\comsdupd.exe
2008-04-13 22:13 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 22:13 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
2008-04-13 22:13 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 22:11 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
2008-04-13 22:11 42,112 ----a-w C:\WINDOWS\system32\drivers\imapi.sys
2008-04-13 22:09 92,544 ----a-w C:\WINDOWS\system32\drivers\mqac.sys
2008-04-13 22:09 42,368 ----a-w C:\WINDOWS\system32\drivers\mountmgr.sys
2008-04-13 22:09 4,352 ----a-w C:\WINDOWS\system32\drivers\swenum.sys
2008-04-13 22:09 384,768 ----a-w C:\WINDOWS\system32\drivers\update.sys
2008-04-13 22:09 24,576 ----a-w C:\WINDOWS\system32\drivers\kbdclass.sys
2008-04-13 22:09 23,040 ----a-w C:\WINDOWS\system32\drivers\mouclass.sys
2008-04-13 22:09 14,592 ----a-w C:\WINDOWS\system32\drivers\kbdhid.sys
2008-04-13 22:08 71,168 ----a-w C:\WINDOWS\system32\drivers\dxg.sys
.

((((((((((((((((((((((((((((( snapshot@2008-05-24_11.47.42.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-24 09:30:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-01 16:07:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-26 20:00:03 1,038,336 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC.exe
+ 2008-05-26 20:00:03 178,688 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\Icon0E6AB9FC1.exe
+ 2008-05-26 20:00:03 171,008 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B.exe
+ 2008-05-26 20:00:03 8,704 ------r C:\WINDOWS\Installer\{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}\IconDED53B0B1.exe
+ 2008-05-31 17:10:08 3,638 ----a-r C:\WINDOWS\Installer\{DFC6573E-124D-4026-BFA4-B433C9D3FF21}\_2cd672ae.exe
+ 2001-07-14 15:32:24 69,632 ----a-w C:\WINDOWS\setupupd\temp\wsdueng.dll
+ 2007-07-11 12:37:26 6,272 ------w C:\WINDOWS\system32\drivers\AWRTPD.sys
+ 2007-08-07 11:58:08 8,320 ------w C:\WINDOWS\system32\drivers\AWRTRD.sys
+ 2007-08-07 11:56:58 9,344 ------w C:\WINDOWS\system32\drivers\NSDriver.sys
+ 2008-04-13 22:15:40 26,368 ----a-w C:\WINDOWS\system32\drivers\USBSTOR.SYS
+ 2005-05-24 10:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 13:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 13:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2007-12-14 10:32:52 12,632 ------w C:\WINDOWS\system32\lsdelete.exe
+ 2008-03-25 03:21:18 2,889,088 ------w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
+ 2008-03-25 03:21:20 218,496 ------w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
+ 2008-05-26 10:09:44 70,264 ------w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
+ 2006-07-28 05:10:08 6,144 ------w C:\WINDOWS\system32\mot_ci.dll
- 2007-08-10 18:46:18 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 11:18:51 17,272 ------w C:\WINDOWS\system32\spmsg.dll
- 2008-04-14 03:42:40 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-03-27 10:40:24 60,416 ------w C:\WINDOWS\system32\tzchange.exe
+ 2008-06-01 16:07:25 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5c8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 05:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:46 86016]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-10 09:28 16126464 C:\WINDOWS\RTHDCPL.exe]
"OnlineArmor GUI"="C:\Program Files\Tall Emu\Online Armor\oaui.exe" [2008-04-15 02:51 5545024]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
wkcalrem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2002-07-11 06:03:34 24651]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
hp psc 1000 series.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe [2003-04-06 01:17:18 147456]
hpoddt01.exe.lnk - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe [2003-04-06 01:06:58 28672]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= C:\PROGRA~1\TALLEM~1\ONLINE~1\oaevent.dll [2008-04-15 02:51 671432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 01:20]
R1 OADevice;OADriver;C:\WINDOWS\system32\drivers\OADriver.sys [2008-04-15 02:51]
R1 OAmon;OAmon;C:\WINDOWS\system32\drivers\OAmon.sys [2008-04-15 02:51]
R1 OAnet;OAnet;C:\WINDOWS\system32\drivers\OAnet.sys [2008-04-15 02:51]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 SvcOnlineArmor;Online Armor;"C:\Program Files\Tall Emu\Online Armor\oasrv.exe" [2008-04-15 02:51]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-01 21:24:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc21.tmp"
.
Completion time: 2008-06-01 21:26:13
ComboFix-quarantined-files.txt 2008-06-01 19:26:05
ComboFix2.txt 2008-06-01 12:06:07
ComboFix3.txt 2008-05-24 09:48:59

Pre-Run: 41,930,371,072 bytes free
Post-Run: 41,921,130,496 bytes free

323 --- E O F --- 2008-05-29 23:03:27

#8 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there martinzx13,

Are you still getting warnings that beep.sys is fake? Kaspersky would usually come up with something if it were to be infected.
If you would, re-run MalwareBytes' Anti-Malware and see if it picks up on it again.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:

    • C:\WINDOWS\system32\dllcache\beep.sys
  • Click on the submit button
  • Please post the results in your next reply.


#9 martinzx13 (Member, Topic Starter, 21 posts)
Hi Mike,

I tried to copy & paste & I could not, so I typed it & it stated:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

It came up again in the scan, here is the log:

Malwarebytes' Anti-Malware 1.14
Database version: 807

11:48:57 AM 6/2/2008
mbam-log-6-2-2008 (11-48-55).txt

Scan type: Quick Scan
Objects scanned: 29626
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\dllcache\beep.sys (Fake.Beep.Sys) -> No action taken.

#10 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there,

Very odd :)

Step 1. Running SDFix

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

#11 martinzx13 (Member, Topic Starter, 21 posts)
Got there in the end, sorry it took me a while.

There seem to be about 20 or so text files now attached to the SDFix file.

Here's the one that says report, many thanks.

SDFix: Version 1.187
Run by Bossman on Mon 06/02/2008 at 01:11 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

#12 martinzx13 (Member, Topic Starter, 21 posts)
But most are empty; one states "Bp test":

C:\WINDOWS\system32\dllcache\beep.sys
C:\WINDOWS\system32\drivers\beep.sys

I found another but it's a mile long. Do you need it posting? It's called "file list".

Many thanks, Martin

#13 martinzx13 (Member, Topic Starter, 21 posts)
Done a scan & all clear, thank you very much, you guys are awesome, thanks Mike :)


Malwarebytes' Anti-Malware 1.14
Database version: 807

1:35:23 PM 6/2/2008
mbam-log-6-2-2008 (13-35-23).txt

Scan type: Quick Scan
Objects scanned: 40315
Time elapsed: 3 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 Mike (Malware Monger, Retired Staff, 2,745 posts)
Hi there, the MBAM log is good news :)

Would you mind re-posting the log from SDFix? It's named Report.txt and will be located at C:\SDFix.

I would just like to confirm that it replaced the fake beep.sys with the legitimate one.

After that, we will remove all the tools we used, and I will give you a few tips to keep yourself protected in the future.

Thanks,

Mike

Edited by Mike, 02 June 2008 - 05:56 AM.

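As an added check (not Mike's instructions and not part of SDFix or any tool in this thread), the following PowerShell snippet does what the re-posted Report.txt is meant to confirm: it compares the two beep.sys copies named in the logs, reports their size and SHA-256, and checks the Authenticode signature status. It assumes PowerShell 3 or later (for Get-FileHash) and an elevated shell; the two paths are the ones from the SDFix output.

```powershell
# Added example: verify the beep.sys copies named in this thread.
# Assumes PowerShell 3+ (Get-FileHash) and an elevated shell.
$paths = @(
    'C:\WINDOWS\system32\drivers\beep.sys',   # the driver Windows actually loads
    'C:\WINDOWS\system32\dllcache\beep.sys'   # the WFP cache copy MBAM flagged
)

function Get-DriverFacts {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Bytes = $null; Sha256 = $null; Signature = 'missing'; Signer = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force   # -Force also returns hidden/system files
    $hash = if ($item.Length -gt 0) { (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash } else { $null }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Bytes     = $item.Length
        Sha256    = $hash
        # 'Valid' means a trusted signing chain. Windows drivers are often catalog-signed
        # rather than embedded-signed, so on older PowerShell a legitimate file can show
        # 'NotSigned'; treat that as a prompt to check further, not as proof of tampering.
        Signature = $sig.Status.ToString()
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

$facts = $paths | ForEach-Object { Get-DriverFacts -Path $_ }
$facts | Format-List

# Flag the conditions this thread ran into: a 0-byte read (the Jotti upload reported
# "0 bytes"), a non-valid signature, or two copies that do not match each other.
foreach ($f in $facts) {
    if ($f.Exists -and $f.Bytes -eq 0) { Write-Warning "$($f.Path) reads as 0 bytes (unreadable or truncated)" }
    if ($f.Exists -and $f.Signature -ne 'Valid') { Write-Warning "$($f.Path): signature status $($f.Signature)" }
}
$hashes = $facts | Where-Object { $_.Sha256 } | Select-Object -ExpandProperty Sha256 -Unique
if ($hashes.Count -gt 1) { Write-Warning 'drivers\beep.sys and dllcache\beep.sys differ; one of them has been replaced' }
```

After a fix tool restores the driver, both copies should exist, be non-zero in size, and hash identically; a remaining mismatch is what the re-posted SDFix report would be expected to explain.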

#15 martinzx13 (Member, Topic Starter, 21 posts)
Hi Mike

That's the problem, there is not one?? I deleted the empty one. There is a log but it's just a file & the above. I think maybe because I started from an account without admin access then switched to the admin account, & it is still trying to finish the log on the other account & the PC is not allowing it, so I have to close it manually. I hope I am making sense...??