
PC Infected with Spyware [RESOLVED]


#1
Apocalypse_VC
  • Member
  • 169 posts
I formatted my PC about 2-3 weeks ago; I could not remember why. All of a sudden today, after not even using it until now, my computer is running pretty slow and has other side effects, so I know that there is spyware and probably viruses.

Please help me out.
  • 0


#2
Apocalypse_VC
  • Topic Starter
  • Member
  • 169 posts
Guys, please help me now if possible while I'm up.
  • 0

#3
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Please do not bump your topic. It's frowned upon when you do that. Wait for 3 days (if necessary) like everyone else, and if you still don't get a reply, post a link to your topic in the Waiting Room. People are too hasty to jump to the conclusion that whenever their computer slows down it's a virus/spyware issue. It could be that you installed some programs that are hogging up a lot of resources as well. We will not know until you run some scans for us.

Please read this topic and post your HijackThis log here when ready. Without running those initial steps we will only be playing the guessing game :)

Edited by greyknight17, 17 July 2008 - 10:23 AM.

  • 0

#4
Apocalypse_VC
  • Topic Starter
  • Member
  • 169 posts
Well, I did follow the steps, but I was unable to do the Panda scan as it said "Sorry, but you must have JavaScript enabled for ActiveScan 2.0 to work." How do I activate it?

Here is the MBAM log file:

Malwarebytes' Anti-Malware 1.20
Database version: 961
Windows 5.1.2600 Service Pack 3

11:07:19 PM 7/17/2008
mbam-log-7-17-2008 (23-07-19).txt

Scan type: Quick Scan
Objects scanned: 40641
Time elapsed: 5 minute(s), 31 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 2
Registry Keys Infected: 10
Registry Values Infected: 7
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 19

Memory Processes Infected:
C:\Program Files\Web Technologies\wcs.exe (Trojan.Zlob) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\system32\geBtQkKc.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yebiaceo.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0b2f2ead-b43b-4105-a107-bedf46d67436} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{0b2f2ead-b43b-4105-a107-bedf46d67436} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{b0a4a0ae-a10a-a509-ef3d-e0e80bcc1006} (Backdoor.Shark) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Warning Center (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\videoPl.chl (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fc332c69 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\this (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bmff001ff5 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtqkkc -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebtqkkc -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System (Rootkit.DNSChanger) -> Data: kdzbi.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Web Technologies (Trojan.Zlob) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\geBtQkKc.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\cKkQtBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cKkQtBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gjalovml.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmvolajg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yebiaceo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\oecaibey.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kdzbi.exe (Rootkit.DNSChanger) -> Delete on reboot.
C:\WINDOWS\system32\mqewdrln.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nchvqoop.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qrficeoc.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rhqbmgam.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sabntblw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yoaiufre.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\wcs.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\Program Files\Web Technologies\wcu.exe (Trojan.Zlob) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ewcogsqw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\BMff001ff5.xml (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\BMff001ff5.txt (Trojan.Vundo) -> Quarantined and deleted successfully.

Also, it was unable to remove some of the spyware:

http://img239.images...96055037yd7.jpg

Here is the HijackThis log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:05 PM, on 7/17/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\distnoted.exe
C:\Program Files\Opera\opera.exe
C:\Program Files\Garena\Garena.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\mspaint.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Mapcom\LOCALS~1\Temp\Rar$EX00.359\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdzbi.exe] C:\WINDOWS\system32\kdzbi.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BMff001ff5] Rundll32.exe "C:\WINDOWS\system32\ewcogsqw.dll",s
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware Reboot] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1214891868593
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

--
End of file - 6053 bytes
  • 0

#5
greyknight17
  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
See here on how to enable JavaScript. The options should be similar if you are using a more recent version of Internet Explorer. Skip Panda for now until you run ComboFix.

Go to http://www.bleepingc...to-use-combofix and follow the instructions on how to install the Recovery Console and run ComboFix. Go through all the steps up to the part about posting the log. Post the ComboFix log here.

Run the Panda scan and post that log here as well.
  • 0

#6
Apocalypse_VC
  • Topic Starter
  • Member
  • 169 posts
The Panda scan results:

Threats with free disinfection (4)
Medium danger level (1) Trj/Downloader... Virus Latent Show + Info Not disinfectable
1. E:\My Documents\Installation Files\NBA Video ...[_280977E027BB4A92A9E14A2321716ED5]


Low danger level (3) Trj/Qhost.IB Virus Latent Show + Info Not disinfectable
1. E:\drivers\nvidia\Make_Genuine_by_mansur.rar[... XP SP2 V2.1\iNGEn_XPsp2_v2.1.exe]

Rootkit/Booto.... Virus Latent Show + Info Disinfected
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP4\A0006218.sys

Trj/WmaDownloa... Virus Latent Show + Info Disinfected
1. E:\ds\06 Track 6 (olympics).wma



Threats disinfected with the paid version (32)
Medium danger level (6) Spyware/Virtum... Spyware Latent Show + Info
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP1\A0002034.dll

HackTool/RockX... Hack Tool Latent Show + Info Not disinfectable
1. D:\Documents and Settings\M A S\My Documents\...s\Genuine_In_5_sec.rar[RockXP4.exe]

Spyware/Virtum... Spyware Latent Show + Info
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP2\A0002064.dll

Spyware/Virtum... Spyware Latent Show + Info
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP4\A0006191.dll
2. C:\QooBox\Quarantine\C\WINDOWS\system32\enwblqqc.dll.vir

HackTool/RockX... Hack Tool Latent Show + Info Not disinfectable
1. D:\Documents and Settings\M A S\My Documents\..._sec.rar[RockXP4.exe][RockXP4_.exe]

Spyware/Virtum... Spyware Latent Show + Info
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP2\A0002062.dll


Low danger level (26) Cookie/Apmebf Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m a s@apmebf[2].txt
2. C:\Documents and Settings\Mapcom\Cookies\mapcom@apmebf[1].txt

Application/Ps... Tracking Application Latent Show + Info
1. C:\System Volume Information\_restore{796A729...B0CB-5297CBF52067}\RP4\A0006241.EXE

Cookie/BurstNe... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m a s@burstnet[1].txt

Cookie/Serving... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\[email protected][1].txt

Cookie/Mediapl... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@mediaplex[1].txt

Cookie/Statcou... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@statcounter[1].txt

HackTool/Samdu... Hack Tool Latent Show + Info Not disinfectable
1. D:\Documents and Settings\M A S\My Documents\...r[RockXP4.exe][pwdump2\pwdump2.exe]

HackTool/Samdu... Hack Tool Latent Show + Info Not disinfectable
1. D:\Documents and Settings\M A S\My Documents\...r[RockXP4.exe][pwdump2\samdump.dll]

Cookie/RealMed... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m a s@realmedia[1].txt

Cookie/YieldMa... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Application D...t\cookies.txt[ad.yieldmanager.com/]
2. D:\Documents and Settings\M A S\Cookies\[email protected][1].txt

Cookie/Serving... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@serving-sys[1].txt

Cookie/Zedo Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@zedo[2].txt

Cookie/Overtur... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@overture[1].txt

Cookie/Questio... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@questionmarket[2].txt

Cookie/Yadro Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@yadro[1].txt

Cookie/Tribalf... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@tribalfusion[1].txt
2. D:\Documents and Settings\M A S\Application D...ult\cookies.txt[.tribalfusion.com/]

Cookie/Adverti... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@advertising[1].txt

Cookie/FastCli... Tracking Cookie Latent Show + Info
1. C:\Documents and Settings\Mapcom\Cookies\mapcom@fastclick[1].txt
2. D:\Documents and Settings\M A S\Cookies\m_a_s@fastclick[2].txt

Cookie/Adrevol... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@adrevolver[2].txt

Cookie/Com.com Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@com[1].txt

Cookie/Hitslin... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Application D...\cookies.txt[counter.hitslink.com/]

Cookie/Atlas D... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m a s@atdmt[2].txt

Cookie/PointRo... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\[email protected][1].txt

Cookie/Doublec... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m a s@doubleclick[2].txt
2. C:\Documents and Settings\Mapcom\Cookies\mapcom@doubleclick[1].txt

Cookie/Adrevol... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\[email protected][2].txt

Cookie/Casalem... Tracking Cookie Latent Show + Info
1. D:\Documents and Settings\M A S\Cookies\m_a_s@casalemedia[1].txt


Only available in paid version.
Buy - I am a client
Suspicious files (1)
C:\QooBox\Quarantine\C\WINDOWS\system32\uaiarcnb.dll.vir


Vulnerabilities (0)

How do I get rid of them now?

Here is the ComboFix log:

ComboFix 08-07-15.4 - Mapcom 2008-07-18 8:56:34.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1625 [GMT 5.5:30]
Running from: C:\Documents and Settings\Mapcom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mapcom\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bdilayhw.ini
C:\WINDOWS\system32\bsrqfeha.ini
C:\WINDOWS\system32\cKkQtBeg.ini
C:\WINDOWS\system32\cKkQtBeg.ini2
C:\WINDOWS\system32\crkmktda.ini
C:\WINDOWS\system32\ctwsbmcn.ini
C:\WINDOWS\system32\enwblqqc.dll
C:\WINDOWS\system32\ewcogsqw.dll
C:\WINDOWS\system32\geBtQkKc.dll
C:\WINDOWS\system32\gtgfyuep.ini
C:\WINDOWS\system32\gytytrjg.dll
C:\WINDOWS\system32\hmpnumbm.ini
C:\WINDOWS\system32\julstxla.ini
C:\WINDOWS\system32\jummdjkx.ini
C:\WINDOWS\system32\lypnfvuh.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qlutkbuo.ini
C:\WINDOWS\system32\rpjbcyke.ini
C:\WINDOWS\system32\stijtyvf.ini
C:\WINDOWS\system32\tsdchbur.ini
C:\WINDOWS\system32\uaiarcnb.dll
C:\WINDOWS\system32\uxpiribr.ini
C:\WINDOWS\system32\vbfsbyxv.ini
C:\WINDOWS\system32\yebiaceo.dll
C:\WINDOWS\system32\ylnulbae.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-18 to 2008-07-18 )))))))))))))))))))))))))))))))
.

2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Malwarebytes
2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 22:59 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 22:59 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 22:58 . 2008-07-17 22:58 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-16 01:31 . 2008-07-16 01:31 <DIR> d-------- C:\Logs
2008-07-16 01:17 . 2008-07-16 01:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-16 01:17 . 2008-07-16 01:17 244 --ah----- C:\sqmnoopt00.sqm
2008-07-16 01:17 . 2008-07-16 01:17 232 --ah----- C:\sqmdata00.sqm
2008-07-15 19:37 . 2008-07-17 11:57 2,144,894,976 --a------ C:\WINDOWS\MEMORY.DMP
2008-07-15 13:58 . 2008-04-14 11:39 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-15 13:57 . 2008-04-14 11:42 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-07-15 13:56 . 2008-04-14 11:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-15 13:49 . 2008-05-02 22:16 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-15 13:49 . 2008-05-02 22:16 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-07-15 13:49 . 2008-05-02 22:16 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-07-15 13:49 . 2008-05-02 22:16 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-07-15 13:49 . 2008-05-02 22:16 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-07-15 13:45 . 2001-10-04 18:46 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-07-15 13:45 . 2001-10-04 18:46 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-07-15 13:45 . 2001-10-04 18:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-07-15 13:45 . 2001-10-04 18:44 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-07-14 21:37 . 2008-07-14 21:37 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-07-14 21:37 . 2008-07-14 21:37 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\teamspeak2
2008-07-14 21:37 . 2008-07-14 21:37 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-07-14 14:25 . 2008-07-14 14:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-09 18:30 . 2008-07-13 04:52 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-04 13:24 . 2008-07-18 03:27 <DIR> d-------- C:\Program Files\Warcraft III
2008-07-04 13:22 . 2008-07-18 00:29 <DIR> d-------- C:\Program Files\Garena
2008-07-03 20:59 . 2008-07-03 21:00 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Ventrilo
2008-07-03 20:58 . 2008-07-03 20:58 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-03 20:58 . 2008-07-03 20:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 23:53 . 2008-07-01 23:53 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Apple Computer
2008-07-01 23:52 . 2008-07-01 23:52 <DIR> d-------- C:\Program Files\iTunes
2008-07-01 23:52 . 2008-07-01 23:52 <DIR> d-------- C:\Program Files\iPod
2008-07-01 23:51 . 2008-07-01 23:51 <DIR> d-------- C:\Program Files\Bonjour
2008-07-01 23:49 . 2008-07-01 23:51 <DIR> d-------- C:\Program Files\QuickTime
2008-07-01 23:49 . 2008-07-01 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-01 23:48 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-01 23:47 . 2008-07-01 23:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-01 23:47 . 2008-07-01 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-01 21:05 . 2008-07-01 21:05 108,336 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-07-01 21:00 . 2008-07-01 21:00 <DIR> d-------- C:\Program Files\Activision Value
2008-07-01 20:25 . 2008-07-01 20:25 <DIR> d-------- C:\SOF Setup
2008-07-01 20:03 . 2008-07-01 20:03 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-01 20:03 . 2008-07-01 20:03 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-01 19:58 . 2008-07-01 20:04 110,415 --a------ C:\WINDOWS\hpoins11.dat
2008-07-01 19:57 . 2006-05-06 08:40 6,947 --a------ C:\WINDOWS\hpomdl11.dat
2008-07-01 19:40 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-07-01 19:40 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-01 19:39 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-01 19:39 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-01 19:39 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-01 19:39 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-01 19:39 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-01 19:39 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-01 19:38 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-01 19:35 . 2008-07-01 19:37 <DIR> d-------- C:\Program Files\HP
2008-07-01 19:35 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-01 19:33 . 2006-04-13 05:32 827,392 --a------ C:\WINDOWS\system32\hpotiop2.dll
2008-07-01 19:33 . 2006-04-13 05:32 659,456 --a------ C:\WINDOWS\system32\hpowiax2.dll
2008-07-01 19:33 . 2006-04-13 05:34 282,624 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-01 19:33 . 2006-04-13 05:32 254,026 --a------ C:\WINDOWS\system32\hpovst09.dll
2008-07-01 19:33 . 2005-07-19 07:08 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-07-01 19:33 . 2006-01-04 13:42 77,824 --a------ C:\WINDOWS\system32\HPZIDS01.dll
2008-07-01 19:33 . 2006-04-13 05:34 49,664 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-01 19:33 . 2006-04-13 05:34 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-01 19:33 . 2006-04-13 05:34 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-01 19:26 . 2008-07-01 19:26 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Nero
2008-07-01 19:19 . 2008-07-01 19:19 <DIR> d-------- C:\Program Files\Nero
2008-07-01 19:19 . 2008-07-01 19:22 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-01 19:19 . 2008-07-01 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-01 19:11 . 2008-07-01 19:11 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\AdobeUM
2008-07-01 15:43 . 2008-07-01 18:56 <DIR> d-------- C:\Documents and Settings\Mapcom\Contacts
2008-07-01 15:10 . 2008-07-01 15:10 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-01 15:08 . 2008-07-01 15:08 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\DAEMON Tools
2008-07-01 15:08 . 2008-07-01 15:08 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-01 13:56 . 2008-07-01 14:39 <DIR> d-------- C:\Program Files\ESET
2008-07-01 13:41 . 2008-07-01 15:38 <DIR> d-------- C:\Program Files\Windows Live
2008-07-01 13:41 . 2008-07-01 14:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-01 13:41 . 2008-07-01 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-01 13:23 . 2008-07-01 13:23 <DIR> d-------- C:\Program Files\uTorrent
2008-07-01 13:23 . 2008-07-09 21:04 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\uTorrent
2008-07-01 12:53 . 2008-07-01 12:53 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Acreon
2008-07-01 12:08 . 2008-07-15 12:52 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\LimeWire
2008-07-01 12:05 . 2008-07-01 13:07 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-01 11:57 . 2008-07-01 11:57 <DIR> d-------- C:\Program Files\Opera
2008-07-01 11:30 . 2007-07-30 18:48 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-07-01 11:30 . 2007-07-30 18:49 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-07-01 11:30 . 2007-07-30 18:49 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-07-01 11:30 . 2007-07-30 18:48 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-07-01 11:09 . 2008-07-01 11:09 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-07-01 11:09 . 2008-07-01 11:09 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-07-01 11:09 . 2008-07-01 11:09 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-07-01 11:08 . 2008-07-15 14:00 <DIR> d-------- C:\WINDOWS\nview
2008-07-01 11:08 . 2008-07-01 11:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-07-01 11:08 . 2008-05-02 22:16 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-01 11:08 . 2008-07-18 09:00 177,348 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-01 11:08 . 2008-05-02 22:16 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-01 11:07 . 2008-04-30 16:57 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-01 11:06 . 2008-07-01 11:46 <DIR> d-------- C:\Program Files\Java
2008-07-01 11:06 . 2008-07-01 11:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-01 11:06 . 2008-02-22 02:03 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-01 11:03 . 2008-04-13 23:45 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-07-01 11:03 . 2008-04-13 23:45 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-07-01 11:01 . 2008-07-01 11:01 <DIR> d-------- C:\NVIDIA
2008-07-01 10:57 . 2008-07-01 10:57 <DIR> d-------- C:\Program Files\LimeWire
2008-07-01 10:45 . 2008-07-01 10:45 <DIR> d---s---- C:\Documents and Settings\Mapcom\UserData
2008-07-01 10:37 . 2008-07-01 10:37 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-01 10:32 . 2008-07-01 10:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-07-01 10:31 . 2008-07-01 10:31 <DIR> d-------- C:\WINDOWS\system32\LogFiles
2008-07-01 10:31 . 2008-07-01 10:32 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-07-01 10:31 . 2006-09-25 17:28 23,856 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-07-01 10:23 . 2008-07-01 10:23 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-01 10:22 . 2008-07-01 10:22 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-07-01 10:19 . 2008-07-01 10:19 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-07-01 10:17 . 2007-05-25 12:21 16,132,608 -r------- C:\WINDOWS\RTHDCPL.exe
2008-07-01 10:17 . 2007-05-25 12:21 9,715,200 -r------- C:\WINDOWS\RTLCPL.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-17 17:37 64,000 ------w C:\WINDOWS\system32\kdzbi.exe
2008-07-15 03:19 98,304 ----a-w C:\WINDOWS\DUMP48ff.tmp
2008-07-12 02:58 98,304 ----a-w C:\WINDOWS\DUMP48a1.tmp
2008-07-11 15:37 98,304 ----a-w C:\WINDOWS\DUMP49f9.tmp
2008-07-09 01:55 98,304 ----a-w C:\WINDOWS\DUMP53fc.tmp
2008-07-08 03:00 98,304 ----a-w C:\WINDOWS\DUMP65af.tmp
2008-07-02 17:26 --------- d-----w C:\Documents and Settings\Mapcom\Application Data\U3
2008-07-01 09:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-01 03:23 --------- d-----w C:\Program Files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 11:42 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 15:09 486856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:12 1695232]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:55 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:16 13529088]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 17:14 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"C:\WINDOWS\system32\kdzbi.exe"="C:\WINDOWS\system32\kdzbi.exe" [2008-07-17 23:07 64000]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:16 86016]
"nwiz"="nwiz.exe" [2008-05-02 22:16 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:14:06 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\\Program Files\\Activision Value\\Soldier of Fortune Payback\\sof3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-10-04 18:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\EIVCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cc-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cd-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 08:55:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{8FED4CBB-A444-4CCE-B6C7-D8B0FD723681} - C:\Documents and Settings\Mapcom\Local Settings\Temporary Internet Files\Content.IE5\I77OW9B7\3077ahntdksr[1].dll
Notify-fccaAtUO - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-18 09:00:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\savedump.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
.
**************************************************************************
.
Completion time: 2008-07-18 9:04:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-18 03:34:27

Pre-Run: 9,731,448,832 bytes free
Post-Run: 10,602,491,904 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

266

Edited by Apocalypse_VC, 17 July 2008 - 11:44 PM.

  • 0

#7
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
You will need to go into those locations that Panda found and remove them manually. You may skip those that mention Qoobox or System Volume Information. We will remove those automatically towards the end.

Open up your Notepad editor (Start->Run, type in notepad and click OK). Copy the text from the quotebox below into Notepad:

File::
C:\WINDOWS\system32\kdzbi.exe
C:\WINDOWS\DUMP48ff.tmp
C:\WINDOWS\DUMP48a1.tmp
C:\WINDOWS\DUMP49f9.tmp
C:\WINDOWS\DUMP53fc.tmp
C:\WINDOWS\DUMP65af.tmp

Save this as CFScript.txt in the same location as the ComboFix.exe tool.
Drag the CFScript.txt into ComboFix.exe
Follow the prompts. When finished, it shall produce a log for you. Post that log in your next reply.

Note: Do not click on ComboFix's window while it's running. That may cause it to stall.

How is it running so far?
  • 0
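The log above shows the pattern a helper looks for when reading the Reg Loading Points section: a Run value whose name is its own full path (the kdzbi.exe entry), an orphaned BHO loaded from Temporary Internet Files, remembered AutoRun commands under mountpoints2, and a freshly written executable in system32 in the Find3M report. The following Python script is an added example, not ComboFix's code and not something posted in this thread; it parses those line styles, applies the heuristics just described, and formats the flagged on-disk files in the same `File::` layout greyknight17 used for CFScript.txt. The sample lines are copied from the log above and trimmed; SCAN_DATE is taken from the "Rootkit scan" timestamp; the category names and the three-day window are this example's own choices.

```python
"""Triage helper for the ComboFix log sections quoted in this thread.

Added example (not ComboFix's own code): parses 'Reg Loading Points',
'Find3M Report' and 'ORPHANS REMOVED' style lines, applies a few
defender-side heuristics, and formats the flagged files as a CFScript
'File::' section for a human analyst to review before use.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Finding(NamedTuple):
    path: str       # file or command the heuristic points at
    category: str   # short tag naming the heuristic that fired
    detail: str     # human-readable reason


EXEC_EXT = (".exe", ".dll", ".sys", ".scr", ".com", ".pif")
# Directories from which nothing legitimate should autostart.
TRANSIENT_DIRS = ("\\temporary internet files\\", "\\temp\\", "\\local settings\\")

KEY_RE = re.compile(r"^\[(HK[^\]]+)\]$")
RUN_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[([^\]]*)\]$')
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (.+)$")
FIND3M_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+|-+) (\S+) (.+)$")
ORPHAN_RE = re.compile(r"^(BHO|Notify)-(\S+) - (.+)$")

# Scan timestamp, taken from the 'Rootkit scan' line of the log above.
SCAN_DATE = datetime(2008, 7, 18, 9, 0)

# Constructed excerpt: lines copied from the ComboFix log posted above,
# trimmed to a handful of entries so the heuristics can run offline.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 11:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"C:\WINDOWS\system32\kdzbi.exe"="C:\WINDOWS\system32\kdzbi.exe" [2008-07-17 23:07 64000]
"nwiz"="nwiz.exe" [2008-05-02 22:16 1630208 C:\WINDOWS\system32\nwiz.exe]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\EIVCD.exe

2008-07-17 17:37 64,000 ------w C:\WINDOWS\system32\kdzbi.exe
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-07-02 17:26 --------- d-----w C:\Documents and Settings\Mapcom\Application Data\U3

BHO-{8FED4CBB-A444-4CCE-B6C7-D8B0FD723681} - C:\Documents and Settings\Mapcom\Local Settings\Temporary Internet Files\Content.IE5\I77OW9B7\3077ahntdksr[1].dll
Notify-fccaAtUO - (no file)
"""


def _is_transient(path: str) -> bool:
    return any(d in path.lower() for d in TRANSIENT_DIRS)


def _resolve_run_path(value: str, meta: str) -> str:
    """ComboFix prints a bare file name as the value and the resolved full
    path as the 4th field of the bracketed metadata when it found the file."""
    if "\\" in value:
        return value
    fields = meta.split(None, 3)
    return fields[3] if len(fields) == 4 else value


def triage(log_text: str, scan_date: datetime, recent_days: int = 3) -> List[Finding]:
    """Walk the log once, tracking the current registry key, and collect findings."""
    findings: List[Finding] = []
    current_key = ""
    cutoff = scan_date - timedelta(days=recent_days)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1).lower()
            continue
        m = RUN_RE.match(line)
        if m and current_key.endswith("\\run"):
            name, value, meta = m.groups()
            path = _resolve_run_path(value, meta)
            if "\\" in name:  # installers register a product name, not a path
                findings.append(Finding(path, "run-name-is-path",
                                        "Run value named after its own full path in " + current_key))
            elif _is_transient(path):
                findings.append(Finding(path, "run-from-transient-dir",
                                        "autostart from a cache/temp directory in " + current_key))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            drive = current_key.rsplit("\\", 1)[-1]
            findings.append(Finding(m.group(1), "removable-autorun",
                                    "AutoRun command remembered for volume " + drive))
            continue
        m = FIND3M_RE.match(line)
        if m:
            date, time_, size, _attr, path = m.groups()
            if size.startswith("-") or not path.lower().endswith(EXEC_EXT):
                continue  # directory entry or non-executable
            stamp = datetime.strptime(date + " " + time_, "%Y-%m-%d %H:%M")
            if stamp >= cutoff:
                findings.append(Finding(path, "recent-executable",
                                        "executable written %s %s, within %d days of the scan"
                                        % (date, time_, recent_days)))
            continue
        m = ORPHAN_RE.match(line)
        if m:
            kind, ident, path = m.groups()
            if path != "(no file)" and _is_transient(path):
                findings.append(Finding(path, "orphan-in-transient-dir",
                                        "%s %s loaded from a cache directory" % (kind, ident)))
    return findings


def cfscript_files(findings: List[Finding]) -> str:
    """Format flagged on-disk files as a CFScript 'File::' section.
    AutoRun commands point at removable media, so they are left out."""
    paths: List[str] = []
    for f in findings:
        if f.category != "removable-autorun" and f.path not in paths:
            paths.append(f.path)
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG, SCAN_DATE)
    for f in found:
        print("[%s] %s  (%s)" % (f.category, f.path, f.detail))
    print(cfscript_files(found))
```

The output is a candidate list, not a verdict: the `File::` section greyknight17 wrote also lists the DUMP*.tmp files, which none of these heuristics produce, and ctfmon.exe in the HKCU Run key is correctly left alone because its value name is a plain file name rather than a full path. Run over the sample, the script flags kdzbi.exe twice (once from the Run key, once as a recently written executable), the F: AutoRun command, and the orphaned BHO in Temporary Internet Files, and emits only the two on-disk paths in the script section.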

#8
Apocalypse_VC

    Member

  • Topic Starter
  • Member
  • 169 posts
ComboFix 08-07-15.4 - Mapcom 2008-07-19 8:25:27.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1466 [GMT 5.5:30]
Running from: C:\Documents and Settings\Mapcom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mapcom\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\DUMP48a1.tmp
C:\WINDOWS\DUMP48ff.tmp
C:\WINDOWS\DUMP49f9.tmp
C:\WINDOWS\DUMP53fc.tmp
C:\WINDOWS\DUMP65af.tmp
C:\WINDOWS\system32\kdzbi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\DUMP48a1.tmp
C:\WINDOWS\DUMP48ff.tmp
C:\WINDOWS\DUMP49f9.tmp
C:\WINDOWS\DUMP53fc.tmp
C:\WINDOWS\DUMP65af.tmp
C:\WINDOWS\system32\kdzbi.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-18 09:43 . 2008-07-18 09:43 <DIR> d-------- C:\Program Files\Panda Security
2008-07-18 09:43 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-18 09:22 . 2008-04-23 09:46 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-07-18 09:22 . 2007-04-17 15:02 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-07-18 09:22 . 2007-03-08 10:40 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-07-18 09:22 . 2008-04-23 09:46 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-07-18 09:22 . 2008-04-23 09:46 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-07-18 09:22 . 2008-04-23 09:46 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-07-18 09:22 . 2008-04-23 09:46 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-07-18 09:22 . 2008-04-23 09:46 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-07-18 09:22 . 2008-04-22 13:09 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-07-18 09:06 . 2008-06-13 16:35 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Malwarebytes
2008-07-17 22:59 . 2008-07-17 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-17 22:59 . 2008-07-07 17:35 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-07-17 22:59 . 2008-07-07 17:35 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-17 22:58 . 2008-07-17 22:58 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-07-16 01:31 . 2008-07-16 01:31 <DIR> d-------- C:\Logs
2008-07-16 01:17 . 2008-07-16 01:17 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-16 01:17 . 2008-07-16 01:17 244 --ah----- C:\sqmnoopt00.sqm
2008-07-16 01:17 . 2008-07-16 01:17 232 --ah----- C:\sqmdata00.sqm
2008-07-15 19:37 . 2008-07-17 11:57 2,144,894,976 --a------ C:\WINDOWS\MEMORY.DMP
2008-07-15 13:58 . 2008-04-14 11:39 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-07-15 13:57 . 2008-04-14 11:42 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-07-15 13:56 . 2008-04-14 11:42 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-07-15 13:54 . 2008-07-15 13:54 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-07-15 13:49 . 2008-05-02 22:16 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-07-15 13:49 . 2008-05-02 22:16 181,895 --a------ C:\WINDOWS\system32\nvdsp.chm
2008-07-15 13:49 . 2008-05-02 22:16 121,529 --a------ C:\WINDOWS\system32\nvcpl.chm
2008-07-15 13:49 . 2008-05-02 22:16 116,384 --a------ C:\WINDOWS\system32\nv3d.chm
2008-07-15 13:49 . 2008-05-02 22:16 54,988 --a------ C:\WINDOWS\system32\nvmob.chm
2008-07-15 13:45 . 2001-10-04 18:46 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2008-07-15 13:45 . 2001-10-04 18:46 24,661 --a--c--- C:\WINDOWS\system32\dllcache\spxcoins.dll
2008-07-15 13:45 . 2001-10-04 18:44 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2008-07-15 13:45 . 2001-10-04 18:44 13,312 --a--c--- C:\WINDOWS\system32\dllcache\irclass.dll
2008-07-14 21:37 . 2008-07-14 21:37 <DIR> d-------- C:\Program Files\Teamspeak2_RC2
2008-07-14 21:37 . 2008-07-14 21:37 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\teamspeak2
2008-07-14 21:37 . 2008-07-14 21:37 34,064 --a------ C:\WINDOWS\system32\lhacm.acm
2008-07-14 14:25 . 2008-07-14 14:25 <DIR> d-------- C:\Program Files\Apple Software Update
2008-07-09 18:30 . 2008-07-18 10:04 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-07-04 13:24 . 2008-07-19 01:58 <DIR> d-------- C:\Program Files\Warcraft III
2008-07-04 13:22 . 2008-07-19 01:05 <DIR> d-------- C:\Program Files\Garena
2008-07-03 20:59 . 2008-07-03 21:00 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Ventrilo
2008-07-03 20:58 . 2008-07-03 20:58 <DIR> d-------- C:\Program Files\Ventrilo
2008-07-03 20:58 . 2008-07-03 20:58 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-01 23:53 . 2008-07-01 23:53 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Apple Computer
2008-07-01 23:52 . 2008-07-01 23:52 <DIR> d-------- C:\Program Files\iTunes
2008-07-01 23:52 . 2008-07-01 23:52 <DIR> d-------- C:\Program Files\iPod
2008-07-01 23:51 . 2008-07-01 23:51 <DIR> d-------- C:\Program Files\Bonjour
2008-07-01 23:49 . 2008-07-01 23:51 <DIR> d-------- C:\Program Files\QuickTime
2008-07-01 23:49 . 2008-07-01 23:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-07-01 23:48 . 2008-02-18 11:16 30,464 --a------ C:\WINDOWS\system32\drivers\usbaapl.sys
2008-07-01 23:47 . 2008-07-01 23:47 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-07-01 23:47 . 2008-07-01 23:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-07-01 21:05 . 2008-07-01 21:05 108,336 --a------ C:\WINDOWS\system32\mswinsck.ocx
2008-07-01 21:00 . 2008-07-01 21:00 <DIR> d-------- C:\Program Files\Activision Value
2008-07-01 20:25 . 2008-07-01 20:25 <DIR> d-------- C:\SOF Setup
2008-07-01 20:03 . 2008-07-01 20:03 <DIR> d-------- C:\Program Files\Hewlett-Packard
2008-07-01 20:03 . 2008-07-01 20:03 <DIR> d-------- C:\Program Files\Common Files\Hewlett-Packard
2008-07-01 19:58 . 2008-07-01 20:04 110,415 --a------ C:\WINDOWS\hpoins11.dat
2008-07-01 19:57 . 2006-05-06 08:40 6,947 --a------ C:\WINDOWS\hpomdl11.dat
2008-07-01 19:40 . 2006-04-10 14:03 38,400 --a------ C:\WINDOWS\system32\hpz3l054.dll
2008-07-01 19:40 . 2008-04-14 00:15 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2008-07-01 19:39 . 2006-03-03 21:03 282,680 --a------ C:\WINDOWS\system32\HPZidr12.dll
2008-07-01 19:39 . 2006-03-03 21:02 204,800 --a------ C:\WINDOWS\system32\HPZipr12.dll
2008-07-01 19:39 . 2006-03-03 21:02 94,208 --a------ C:\WINDOWS\system32\HPZipt12.dll
2008-07-01 19:39 . 2006-03-03 21:03 69,632 --a------ C:\WINDOWS\system32\HPZipm12.exe
2008-07-01 19:39 . 2006-03-03 21:03 65,536 --a------ C:\WINDOWS\system32\HPZinw12.exe
2008-07-01 19:39 . 2006-03-03 21:02 57,344 --a------ C:\WINDOWS\system32\HPZisn12.dll
2008-07-01 19:38 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-07-01 19:35 . 2008-07-01 19:37 <DIR> d-------- C:\Program Files\HP
2008-07-01 19:35 . 2008-04-14 00:17 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-07-01 19:33 . 2006-04-13 05:32 827,392 --a------ C:\WINDOWS\system32\hpotiop2.dll
2008-07-01 19:33 . 2006-04-13 05:32 659,456 --a------ C:\WINDOWS\system32\hpowiax2.dll
2008-07-01 19:33 . 2006-04-13 05:34 282,624 --a------ C:\WINDOWS\system32\HPZc3212.dll
2008-07-01 19:33 . 2006-04-13 05:32 254,026 --a------ C:\WINDOWS\system32\hpovst09.dll
2008-07-01 19:33 . 2005-07-19 07:08 98,304 --a------ C:\WINDOWS\system32\hpzjsn01.dll
2008-07-01 19:33 . 2006-01-04 13:42 77,824 --a------ C:\WINDOWS\system32\HPZIDS01.dll
2008-07-01 19:33 . 2006-04-13 05:34 49,664 --a------ C:\WINDOWS\system32\drivers\HPZid412.sys
2008-07-01 19:33 . 2006-04-13 05:34 21,568 --a------ C:\WINDOWS\system32\drivers\HPZius12.sys
2008-07-01 19:33 . 2006-04-13 05:34 16,496 --a------ C:\WINDOWS\system32\drivers\HPZipr12.sys
2008-07-01 19:26 . 2008-07-01 19:26 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Nero
2008-07-01 19:19 . 2008-07-01 19:19 <DIR> d-------- C:\Program Files\Nero
2008-07-01 19:19 . 2008-07-01 19:22 <DIR> d-------- C:\Program Files\Common Files\Nero
2008-07-01 19:19 . 2008-07-01 19:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-07-01 19:11 . 2008-07-01 19:11 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\AdobeUM
2008-07-01 15:43 . 2008-07-01 18:56 <DIR> d-------- C:\Documents and Settings\Mapcom\Contacts
2008-07-01 15:10 . 2008-07-01 15:10 <DIR> d-------- C:\Program Files\DAEMON Tools Lite
2008-07-01 15:08 . 2008-07-01 15:08 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\DAEMON Tools
2008-07-01 15:08 . 2008-07-01 15:08 717,296 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-07-01 13:56 . 2008-07-01 14:39 <DIR> d-------- C:\Program Files\ESET
2008-07-01 13:41 . 2008-07-01 15:38 <DIR> d-------- C:\Program Files\Windows Live
2008-07-01 13:41 . 2008-07-01 14:02 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-07-01 13:41 . 2008-07-01 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-07-01 13:23 . 2008-07-01 13:23 <DIR> d-------- C:\Program Files\uTorrent
2008-07-01 13:23 . 2008-07-09 21:04 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\uTorrent
2008-07-01 12:53 . 2008-07-01 12:53 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\Acreon
2008-07-01 12:08 . 2008-07-18 20:18 <DIR> d-------- C:\Documents and Settings\Mapcom\Application Data\LimeWire
2008-07-01 12:05 . 2008-07-18 14:05 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-07-01 11:57 . 2008-07-01 11:57 <DIR> d-------- C:\Program Files\Opera
2008-07-01 11:09 . 2008-07-01 11:09 <DIR> d-------- C:\WINDOWS\system32\Lang
2008-07-01 11:09 . 2008-07-01 11:09 940,794 --a------ C:\WINDOWS\system32\LoopyMusic.wav
2008-07-01 11:09 . 2008-07-01 11:09 146,650 --a------ C:\WINDOWS\system32\BuzzingBee.wav
2008-07-01 11:08 . 2008-07-15 14:00 <DIR> d-------- C:\WINDOWS\nview
2008-07-01 11:08 . 2008-07-01 11:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-07-01 11:08 . 2008-05-02 22:16 442,368 --a------ C:\WINDOWS\system32\nvudisp.exe
2008-07-01 11:08 . 2008-07-19 07:40 177,348 --a------ C:\WINDOWS\system32\nvapps.xml
2008-07-01 11:08 . 2008-05-02 22:16 18,070 --a------ C:\WINDOWS\system32\nvdisp.nvu
2008-07-01 11:07 . 2008-04-30 16:57 442,368 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2008-07-01 11:06 . 2008-07-01 11:46 <DIR> d-------- C:\Program Files\Java
2008-07-01 11:06 . 2008-07-01 11:06 <DIR> d-------- C:\Program Files\Common Files\Java
2008-07-01 11:06 . 2008-02-22 02:03 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-07-01 11:03 . 2008-04-13 23:45 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2008-07-01 11:03 . 2008-04-13 23:45 6,272 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2008-07-01 11:01 . 2008-07-01 11:01 <DIR> d-------- C:\NVIDIA
2008-07-01 10:57 . 2008-07-01 10:57 <DIR> d-------- C:\Program Files\LimeWire
2008-07-01 10:45 . 2008-07-01 10:45 <DIR> d--hs---- C:\Documents and Settings\Mapcom\UserData
2008-07-01 10:37 . 2008-07-01 10:37 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-07-01 10:32 . 2008-07-01 10:32 <DIR> d-------- C:\Program Files\Windows Media Connect 2

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-02 17:26 --------- d-----w C:\Documents and Settings\Mapcom\Application Data\U3
2008-07-01 09:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\ESET
2008-07-01 03:23 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\system32\wshext.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\system32\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\system32\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\system32\scrrun.dll
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\system32\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\system32\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-18_ 9.04.03.57 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-06-20 11:48:03 138,496 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\afd.sys
+ 2008-06-20 17:43:05 147,968 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\dnsapi.dll
+ 2008-06-20 17:43:05 245,248 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\mswsock.dll
+ 2008-06-20 11:59:02 361,600 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip.sys
+ 2008-06-20 11:16:44 225,856 ----a-w C:\WINDOWS\$hf_mig$\KB951748\SP3QFE\tcpip6.sys
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951748\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951748\update\updspapi.dll
+ 2008-05-07 09:07:23 135,168 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\cscript.exe
+ 2008-05-09 10:45:15 512,000 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\jscript.dll
+ 2008-05-09 10:45:16 180,224 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\scrobj.dll
+ 2008-05-09 10:45:16 172,032 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\scrrun.dll
+ 2008-05-09 10:45:16 430,080 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\vbscript.dll
+ 2008-05-08 11:24:44 155,648 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wscript.exe
+ 2008-05-09 10:45:17 90,112 ----a-w C:\WINDOWS\$hf_mig$\KB951978\SP3QFE\wshext.dll
+ 2007-11-30 12:39:22 17,272 ----a-w C:\WINDOWS\$hf_mig$\KB951978\spmsg.dll
+ 2007-11-30 12:39:22 231,288 ----a-w C:\WINDOWS\$hf_mig$\KB951978\spuninst.exe
+ 2007-11-30 12:39:22 26,488 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\spcustom.dll
+ 2007-11-30 12:39:18 755,576 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\update.exe
+ 2007-11-30 12:39:19 382,840 ----a-w C:\WINDOWS\$hf_mig$\KB951978\update\updspapi.dll
- 2006-05-25 04:29:04 213,216 -c--a-w C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\spuninst.exe
- 2006-05-25 04:29:04 371,424 -c--a-w C:\WINDOWS\$NtServicePackUninstallIDNMitigationAPIs$\spuninst\updspapi.dll
- 2006-05-24 06:32:48 213,216 -c--a-w C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\spuninst.exe
- 2006-05-24 06:32:48 371,424 -c--a-w C:\WINDOWS\$NtServicePackUninstallNLSDownlevelMapping$\spuninst\updspapi.dll
+ 2008-06-30 05:09:58 128,256 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2008-06-13 11:05:51 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
- 2007-08-13 12:54:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
+ 2007-08-13 13:24:42 32,960 -c--a-w C:\WINDOWS\ie7\spuninst\iecustom.dll
- 2007-08-13 12:52:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
+ 2007-08-13 13:22:06 66,048 -c--a-w C:\WINDOWS\ie7\spuninst\ieResetIcons.exe
- 2006-09-06 11:43:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
+ 2006-09-06 12:13:16 213,216 -c--a-w C:\WINDOWS\ie7\spuninst\spuninst.exe
- 2006-09-06 11:43:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
+ 2006-09-06 12:13:18 371,424 -c--a-w C:\WINDOWS\ie7\spuninst\updspapi.dll
- 2007-08-13 12:39:00 123,904 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
+ 2007-08-13 13:09:00 123,904 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\advpack.dll
- 2007-08-13 12:35:46 346,624 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
+ 2007-08-13 13:05:46 346,624 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtmsft.dll
- 2007-08-13 12:35:38 214,528 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
+ 2007-08-13 13:05:38 214,528 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\dxtrans.dll
- 2007-08-13 12:54:10 131,584 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
+ 2007-08-13 13:24:10 131,584 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\extmgr.dll
- 2007-08-13 12:39:06 54,784 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
+ 2007-08-13 13:09:06 54,784 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ie4uinit.exe
- 2007-08-13 12:39:26 152,064 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
+ 2007-08-13 13:09:26 152,064 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakeng.dll
- 2007-08-13 12:39:54 229,376 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
+ 2007-08-13 13:09:54 229,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieaksie.dll
- 2007-08-13 11:56:54 161,792 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
+ 2007-08-13 12:26:54 161,792 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieakui.dll
- 2007-08-13 12:39:50 382,976 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
+ 2007-08-13 13:09:50 382,976 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iedkcs32.dll
- 2007-08-13 12:39:10 43,008 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
+ 2007-08-13 13:09:10 43,008 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iernonce.dll
- 2007-08-13 12:39:10 13,312 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
+ 2007-08-13 13:09:10 13,312 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\ieudinit.exe
- 2007-08-13 12:43:56 622,080 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
+ 2007-08-13 13:13:56 622,080 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\iexplore.exe
- 2007-08-13 12:54:10 27,136 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
+ 2007-08-13 13:24:10 27,136 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\jsproxy.dll
- 2007-08-13 12:54:12 3,578,368 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
+ 2007-08-13 13:24:12 3,578,368 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtml.dll
- 2007-08-13 12:54:10 475,648 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
+ 2007-08-13 13:24:10 475,648 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mshtmled.dll
- 2007-08-13 12:44:26 192,000 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
+ 2007-08-13 13:14:26 192,000 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\msrating.dll
- 2007-08-13 12:54:10 670,720 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
+ 2007-08-13 13:24:10 670,720 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\mstime.dll
- 2007-08-13 12:44:06 101,376 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
+ 2007-08-13 13:14:06 101,376 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\occache.dll
- 2007-08-13 12:36:12 44,544 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-08-13 13:06:12 44,544 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\pngfilt.dll
+ 2007-03-06 01:22:31 22,752 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spcustom.dll
+ 2007-03-06 01:22:33 14,048 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spmsg.dll
+ 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\spuninst.exe
+ 2007-03-06 01:22:56 716,000 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\update.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\updspapi.dll
- 2007-08-13 12:44:30 105,984 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
+ 2007-08-13 13:14:30 105,984 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\url.dll
- 2007-08-13 12:54:10 1,162,240 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
+ 2007-08-13 13:24:10 1,162,240 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\urlmon.dll
- 2007-08-13 12:54:10 231,424 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
+ 2007-08-13 13:24:10 231,424 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\webcheck.dll
- 2007-08-13 12:54:10 818,688 -c--a-w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
+ 2007-08-13 13:24:10 818,688 -c----w C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
- 2008-04-14 06:11:50 61,440 ----a-w C:\WINDOWS\system32\admparse.dll
+ 2007-08-13 13:09:20 71,680 ----a-w C:\WINDOWS\system32\admparse.dll
- 2008-04-14 06:11:50 99,840 ----a-w C:\WINDOWS\system32\advpack.dll
+ 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll
- 2008-04-14 06:11:52 66,560 ----a-w C:\WINDOWS\system32\cdm.dll
+ 2007-07-30 13:49:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
- 2008-04-14 06:11:50 61,440 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
+ 2007-08-13 13:09:20 71,680 -c--a-w C:\WINDOWS\system32\dllcache\admparse.dll
- 2008-04-14 06:11:50 99,840 -c--a-w C:\WINDOWS\system32\dllcache\advpack.dll
+ 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll
- 2008-04-14 01:19:24 138,112 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 11:40:08 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-04-14 06:11:52 66,560 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
+ 2007-07-30 13:49:20 92,504 -c--a-w C:\WINDOWS\system32\dllcache\cdm.dll
- 2008-04-14 06:12:16 139,264 -c--a-w C:\WINDOWS\system32\dllcache\cscript.exe
+ 2008-05-07 09:07:23 135,168 -c--a-w C:\WINDOWS\system32\dllcache\cscript.exe
- 2008-04-14 06:11:52 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
+ 2007-08-13 13:24:10 33,792 -c--a-w C:\WINDOWS\system32\dllcache\custsat.dll
- 2008-04-14 06:11:54 147,968 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2008-04-14 06:11:54 357,888 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\system32\dllcache\dxtmsft.dll
- 2008-04-14 06:11:54 205,312 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\system32\dllcache\dxtrans.dll
- 2008-04-14 06:11:54 55,808 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll
+ 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\system32\dllcache\extmgr.dll
- 2008-04-14 06:11:56 38,912 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
+ 2007-08-13 12:48:02 60,416 -c--a-w C:\WINDOWS\system32\dllcache\hmmapi.dll
- 2008-04-14 06:12:24 34,304 -c--a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe
- 2008-04-14 06:11:56 143,360 -c--a-w C:\WINDOWS\system32\dllcache\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll
- 2008-04-14 06:11:56 216,576 -c--a-w C:\WINDOWS\system32\dllcache\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll
- 2001-10-04 13:14:48 221,184 -c--a-w C:\WINDOWS\system32\dllcache\ieakui.dll
+ 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll
- 2008-04-14 06:11:56 323,584 -c--a-w C:\WINDOWS\system32\dllcache\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll
- 2008-04-14 06:12:24 18,432 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
+ 2007-08-13 13:14:02 69,120 -c--a-w C:\WINDOWS\system32\dllcache\iedw.exe
- 2008-04-14 06:11:56 251,904 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
+ 2007-08-13 13:24:10 191,488 -c--a-w C:\WINDOWS\system32\dllcache\iepeers.dll
- 2008-04-14 06:11:56 48,640 -c--a-w C:\WINDOWS\system32\dllcache\iernonce.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll
- 2008-04-14 06:11:56 62,976 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
+ 2007-08-13 13:09:12 55,296 -c--a-w C:\WINDOWS\system32\dllcache\iesetup.dll
- 2008-04-14 06:12:24 93,184 -c--a-w C:\WINDOWS\system32\dllcache\iexplore.exe
+ 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe
- 2008-04-14 06:11:56 35,840 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
+ 2007-08-13 13:06:06 36,352 -c--a-w C:\WINDOWS\system32\dllcache\imgutil.dll
- 2008-04-14 06:11:56 96,256 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
+ 2007-08-13 13:09:02 92,672 -c--a-w C:\WINDOWS\system32\dllcache\inseng.dll
- 2008-04-14 06:11:58 512,000 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
+ 2008-05-09 10:53:39 512,000 -c--a-w C:\WINDOWS\system32\dllcache\jscript.dll
- 2008-04-14 06:11:58 15,872 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\system32\dllcache\jsproxy.dll
- 2008-04-14 06:11:58 22,016 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
+ 2007-08-13 13:14:18 40,960 -c--a-w C:\WINDOWS\system32\dllcache\licmgr10.dll
- 2008-04-14 06:12:28 29,184 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
+ 2007-08-13 13:02:30 45,568 -c--a-w C:\WINDOWS\system32\dllcache\mshta.exe
- 2008-04-14 06:12:00 3,066,880 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll
+ 2008-04-23 16:16:30 3,591,680 -c----w C:\WINDOWS\system32\dllcache\mshtml.dll
- 2008-04-14 06:12:00 449,024 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\system32\dllcache\mshtmled.dll
- 2008-04-13 22:26:28 56,832 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
+ 2007-08-13 12:31:12 48,128 -c--a-w C:\WINDOWS\system32\dllcache\mshtmler.dll
- 2001-10-04 13:15:12 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
+ 2007-08-13 13:24:10 156,160 -c--a-w C:\WINDOWS\system32\dllcache\msls31.dll
- 2008-04-14 06:12:02 146,432 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll
+ 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\system32\dllcache\msrating.dll
- 2008-04-14 06:12:02 532,480 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll
+ 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\system32\dllcache\mstime.dll
- 2008-04-14 06:12:02 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:46:57 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2008-04-14 06:12:04 96,256 -c--a-w C:\WINDOWS\system32\dllcache\occache.dll
+ 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll
- 2008-04-14 06:12:04 39,424 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\pngfilt.dll
- 2008-04-14 06:12:04 1,288,192 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
+ 2008-05-07 05:12:40 1,288,192 -c--a-w C:\WINDOWS\system32\dllcache\quartz.dll
- 2008-04-14 00:55:10 202,624 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
+ 2008-05-08 14:02:52 203,136 -c--a-w C:\WINDOWS\system32\dllcache\rmcast.sys
- 2008-04-14 06:12:06 180,224 -c--a-w C:\WINDOWS\system32\dllcache\scrobj.dll
+ 2008-05-09 10:53:39 180,224 -c--a-w C:\WINDOWS\system32\dllcache\scrobj.dll
- 2008-04-14 06:12:06 172,032 -c--a-w C:\WINDOWS\system32\dllcache\scrrun.dll
+ 2008-05-09 10:53:40 172,032 -c--a-w C:\WINDOWS\system32\dllcache\scrrun.dll
- 2008-04-14 01:20:18 361,344 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 11:51:12 361,600 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2008-04-14 01:00:04 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 11:08:27 225,856 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-04-14 06:12:10 37,888 -c--a-w C:\WINDOWS\system32\dllcache\url.dll
+ 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll
- 2008-04-14 06:12:10 619,520 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\system32\dllcache\urlmon.dll
- 2008-04-14 06:12:10 434,176 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
+ 2008-05-09 10:53:40 430,080 -c--a-w C:\WINDOWS\system32\dllcache\vbscript.dll
- 2008-04-14 06:12:10 851,968 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
+ 2007-08-13 13:24:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
- 2008-04-14 06:12:10 276,480 -c--a-w C:\WINDOWS\system32\dllcache\webcheck.dll
+ 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll
- 2008-04-14 06:12:10 666,112 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll
+ 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\system32\dllcache\wininet.dll
- 2008-04-14 06:12:42 155,648 -c--a-w C:\WINDOWS\system32\dllcache\wscript.exe
+ 2008-05-08 11:24:44 155,648 -c--a-w C:\WINDOWS\system32\dllcache\wscript.exe
- 2008-04-14 06:12:12 90,112 -c--a-w C:\WINDOWS\system32\dllcache\wshext.dll
+ 2008-05-09 10:53:40 90,112 -c--a-w C:\WINDOWS\system32\dllcache\wshext.dll
- 2008-04-14 06:12:12 430,592 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
+ 2007-07-30 13:49:36 549,720 -c--a-w C:\WINDOWS\system32\dllcache\wuapi.dll
- 2008-04-14 06:12:42 111,104 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
+ 2007-07-30 13:49:16 53,080 -c--a-w C:\WINDOWS\system32\dllcache\wuauclt.exe
- 2008-04-14 06:12:12 1,135,616 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
+ 2007-07-30 13:49:42 1,712,984 -c--a-w C:\WINDOWS\system32\dllcache\wuaueng.dll
- 2008-04-14 06:12:12 112,640 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
+ 2007-07-30 13:49:32 325,976 -c--a-w C:\WINDOWS\system32\dllcache\wucltui.dll
- 2008-04-14 06:12:12 32,256 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
+ 2007-07-30 13:18:40 33,624 -c--a-w C:\WINDOWS\system32\dllcache\wups.dll
- 2008-04-14 06:11:54 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:46:57 147,968 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2008-04-14 00:55:10 202,624 ----a-w C:\WINDOWS\system32\drivers\RMCast.sys
+ 2008-05-08 14:02:52 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
- 2008-04-14 06:11:54 357,888 ----a-w C:\WINDOWS\system32\dxtmsft.dll
+ 2008-04-23 04:16:28 347,136 ------w C:\WINDOWS\system32\dxtmsft.dll
- 2008-04-14 06:11:54 205,312 ----a-w C:\WINDOWS\system32\dxtrans.dll
+ 2008-04-23 04:16:28 214,528 ------w C:\WINDOWS\system32\dxtrans.dll
- 2008-04-14 06:11:54 55,808 ----a-w C:\WINDOWS\system32\extmgr.dll
+ 2008-04-23 04:16:28 133,120 ------w C:\WINDOWS\system32\extmgr.dll
- 2008-04-14 06:12:24 34,304 ----a-w C:\WINDOWS\system32\ie4uinit.exe
+ 2008-04-22 07:39:58 70,656 ------w C:\WINDOWS\system32\ie4uinit.exe
- 2008-04-14 06:11:56 143,360 ----a-w C:\WINDOWS\system32\ieakeng.dll
+ 2008-04-23 04:16:28 153,088 ------w C:\WINDOWS\system32\ieakeng.dll
- 2008-04-14 06:11:56 216,576 ----a-w C:\WINDOWS\system32\ieaksie.dll
+ 2008-04-23 04:16:28 230,400 ------w C:\WINDOWS\system32\ieaksie.dll
- 2001-10-04 13:14:48 221,184 ----a-w C:\WINDOWS\system32\ieakui.dll
+ 2008-04-20 05:07:51 161,792 ------w C:\WINDOWS\system32\ieakui.dll
- 2008-04-14 06:11:56 323,584 ----a-w C:\WINDOWS\system32\iedkcs32.dll
+ 2008-04-23 04:16:28 384,512 ------w C:\WINDOWS\system32\iedkcs32.dll
- 2008-04-14 06:11:56 251,904 ----a-w C:\WINDOWS\system32\iepeers.dll
+ 2007-08-13 13:24:10 191,488 ----a-w C:\WINDOWS\system32\iepeers.dll
- 2008-04-14 06:11:56 48,640 ----a-w C:\WINDOWS\system32\iernonce.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\iernonce.dll
- 2008-04-14 06:11:56 62,976 ----a-w C:\WINDOWS\system32\iesetup.dll
+ 2007-08-13 13:09:12 55,296 ----a-w C:\WINDOWS\system32\iesetup.dll
- 2008-04-14 06:11:56 35,840 ----a-w C:\WINDOWS\system32\imgutil.dll
+ 2007-08-13 13:06:06 36,352 ----a-w C:\WINDOWS\system32\imgutil.dll
- 2008-04-14 06:11:56 96,256 ----a-w C:\WINDOWS\system32\inseng.dll
+ 2007-08-13 13:09:02 92,672 ----a-w C:\WINDOWS\system32\inseng.dll
- 2008-04-14 06:11:58 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
+ 2008-05-09 10:53:39 512,000 ----a-w C:\WINDOWS\system32\jscript.dll
- 2008-04-14 06:11:58 15,872 ----a-w C:\WINDOWS\system32\jsproxy.dll
+ 2008-04-23 04:16:28 27,648 ------w C:\WINDOWS\system32\jsproxy.dll
- 2008-04-14 06:11:58 22,016 ----a-w C:\WINDOWS\system32\licmgr10.dll
+ 2007-08-13 13:14:18 40,960 ----a-w C:\WINDOWS\system32\licmgr10.dll
- 2008-05-29 11:05:12 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 03:45:48 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-04-14 06:12:28 29,184 ----a-w C:\WINDOWS\system32\mshta.exe
+ 2007-08-13 13:02:30 45,568 ----a-w C:\WINDOWS\system32\mshta.exe
- 2008-04-14 06:12:00 3,066,880 ----a-w C:\WINDOWS\system32\mshtml.dll
+ 2008-04-23 16:16:30 3,591,680 ----a-w C:\WINDOWS\system32\mshtml.dll
- 2008-04-14 06:12:00 449,024 ----a-w C:\WINDOWS\system32\mshtmled.dll
+ 2008-04-23 04:16:28 478,208 ------w C:\WINDOWS\system32\mshtmled.dll
- 2008-04-13 22:26:28 56,832 ----a-w C:\WINDOWS\system32\mshtmler.dll
+ 2007-08-13 12:31:12 48,128 ----a-w C:\WINDOWS\system32\mshtmler.dll
- 2001-10-04 13:15:12 146,432 ----a-w C:\WINDOWS\system32\msls31.dll
+ 2007-08-13 13:24:10 156,160 ----a-w C:\WINDOWS\system32\msls31.dll
- 2008-04-14 06:12:02 146,432 ----a-w C:\WINDOWS\system32\msrating.dll
+ 2008-04-23 04:16:28 193,024 ------w C:\WINDOWS\system32\msrating.dll
- 2008-04-14 06:12:02 532,480 ----a-w C:\WINDOWS\system32\mstime.dll
+ 2008-04-23 04:16:28 671,232 ------w C:\WINDOWS\system32\mstime.dll
- 2008-04-14 06:12:04 96,256 ----a-w C:\WINDOWS\system32\occache.dll
+ 2008-04-23 04:16:28 102,912 ------w C:\WINDOWS\system32\occache.dll
- 2008-04-14 06:12:04 39,424 ----a-w C:\WINDOWS\system32\pngfilt.dll
+ 2008-04-23 04:16:28 44,544 ------w C:\WINDOWS\system32\pngfilt.dll
- 2008-04-14 06:12:40 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
+ 2008-03-27 10:40:24 60,416 ----a-w C:\WINDOWS\system32\tzchange.exe
- 2008-04-14 06:12:10 37,888 ----a-w C:\WINDOWS\system32\url.dll
+ 2008-04-23 04:16:28 105,984 ----a-w C:\WINDOWS\system32\url.dll
- 2008-04-14 06:12:10 619,520 ----a-w C:\WINDOWS\system32\urlmon.dll
+ 2008-04-23 04:16:29 1,159,680 ----a-w C:\WINDOWS\system32\urlmon.dll
- 2008-04-14 06:12:10 276,480 ----a-w C:\WINDOWS\system32\webcheck.dll
+ 2008-04-23 04:16:29 233,472 ----a-w C:\WINDOWS\system32\webcheck.dll
- 2008-04-14 06:12:12 430,592 ----a-w C:\WINDOWS\system32\wuapi.dll
+ 2007-07-30 13:49:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
- 2008-04-14 06:12:42 111,104 ----a-w C:\WINDOWS\system32\wuauclt.exe
+ 2007-07-30 13:49:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
- 2008-04-14 06:12:12 1,135,616 ----a-w C:\WINDOWS\system32\wuaueng.dll
+ 2007-07-30 13:49:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
- 2008-04-14 06:12:12 112,640 ----a-w C:\WINDOWS\system32\wucltui.dll
+ 2007-07-30 13:49:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
- 2008-04-14 06:12:12 32,256 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 13:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
+ 2007-07-30 13:49:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 11:42 15360]
"DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-04-01 15:09 486856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 05:12 1695232]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2008-02-28 18:07 1828136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 03:55 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:16 13529088]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2008-04-28 17:14 570664]
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2008-02-18 17:29 2221352]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2008-05-02 22:16 86016]
"nwiz"="nwiz.exe" [2008-05-02 22:16 1630208 C:\WINDOWS\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-25 12:21 16132608 C:\WINDOWS\RTHDCPL.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:14:06 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"D:\\Program Files\\Activision Value\\Soldier of Fortune Payback\\sof3.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Garena\\Garena.exe"=

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-10-04 18:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\EIVCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cc-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cd-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-07-14 08:55:31 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-C:\WINDOWS\system32\kdzbi.exe - C:\WINDOWS\system32\kdzbi.exe


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 08:26:50
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-07-19 8:28:55
ComboFix-quarantined-files.txt 2008-07-19 02:57:52
ComboFix2.txt 2008-07-18 03:34:39

Pre-Run: 10,065,682,432 bytes free
Post-Run: 10,091,954,176 bytes free

520 --- E O F --- 2008-07-18 20:30:14

Well, it definitely is faster than before. Appreciate the help.
  • 0
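The "Reg Loading Points" section of the log above is what a helper reads line by line: the Run-key values, the service lines (R0/R1/S2 ...), the MountPoints2 AutoRun commands for removable drives, and the orphaned Run value ComboFix removed. As an added example, not part of the original post and not ComboFix's own code, the Python script below parses that section and applies a few triage heuristics: a service whose image path is a stock Windows utility such as regedt32.exe rather than a service or driver binary, a Run value whose image name is not fully qualified (so it is resolved through the search path), every AutoRun handler registered for removable media, and an orphaned Run value whose value name is its own full path. The sample log is constructed from the entry shapes visible in this thread; the STOCK_UTILITIES list and the heuristics themselves are assumptions of this example, and a hit means "verify this entry", not "this entry is malicious".

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example: not part of the original forum post and not ComboFix's own
code.  The heuristics and the STOCK_UTILITIES list are assumptions of this
example; a hit means "verify this entry", not "this entry is malicious".
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, built from the entry shapes visible in the thread's log.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2008-02-20 11:06 1443072]
"nwiz"="nwiz.exe" [2008-05-02 22:16 1630208 C:\WINDOWS\system32\nwiz.exe]

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-02-20 11:11]
S2 NOD32FiXTemDono;Eset Nod32 Boot;C:\WINDOWS\system32\regedt32.exe [2001-10-04 18:46]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\EIVCD.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cc-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - J:\LaunchU3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e667a6cd-474a-11dd-ba73-0019d19e044f}]
\Shell\AutoRun\command - setupSNK.exe

- - - - ORPHANS REMOVED - - - -

HKLM-Run-C:\WINDOWS\system32\kdzbi.exe - C:\WINDOWS\system32\kdzbi.exe
"""

# Built-in Windows utilities that are never a legitimate service image
# (assumed list for this example; extend it for your own environment).
STOCK_UTILITIES = {"regedt32.exe", "regedit.exe", "cmd.exe", "rundll32.exe",
                   "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"')
SVC_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<image>.+?) \[')
AUTORUN_RE = re.compile(r'^\\Shell\\AutoRun\\command - (?P<cmd>.+)$')
ORPHAN_RE = re.compile(r'^HKLM-Run-(?P<name>.+?) - (?P<path>.+)$')
ABS_PATH_RE = re.compile(r'^[A-Za-z]:\\')


@dataclass
class Finding:
    kind: str    # run | service | autorun | orphan
    item: str    # value name, service name, command or path
    reason: str


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Walk the log and return the entries worth a second look, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            # An unqualified image name is located via the search path, so a
            # same-named file earlier in that path would be run instead.
            if not ABS_PATH_RE.match(m["path"]):
                findings.append(Finding("run", m["name"],
                                        f"image '{m['path']}' is not fully qualified"))
        elif m := SVC_RE.match(line):
            image = basename(m["image"])
            if image in STOCK_UTILITIES:
                findings.append(Finding("service", m["name"],
                                        f"display name '{m['display']}' but image is stock utility {image}"))
        elif m := AUTORUN_RE.match(line):
            # Every removable-media AutoRun handler is worth listing; a
            # relative command cannot even be tied to a specific file.
            how = "absolute" if ABS_PATH_RE.match(m["cmd"]) else "relative"
            findings.append(Finding("autorun", m["cmd"],
                                    f"removable-media AutoRun handler ({how} command)"))
        elif m := ORPHAN_RE.match(line):
            # A Run value named after its own full path is a pattern ComboFix
            # already removed here; the file should be checked in quarantine.
            if m["name"].lower() == m["path"].lower():
                findings.append(Finding("orphan", m["path"],
                                        "Run value named after its own full path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:8}] {f.item}: {f.reason}")
```

Run it against a saved ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the output is a worklist, so each flagged service or Run entry still needs its image file checked (publisher signature, hash, location) before anything is removed.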

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Good job. Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If none, go to Start->Run, copy/paste in combofix /u and hit OK to remove it. You should be set to go.
  • 0

#10
Apocalypse_VC

Apocalypse_VC

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 169 posts
Well, thanks a lot, really appreciate your effort and help.

Could you also recommend an Anti-Virus Guard and a Spyware Guard?
  • 0

#11
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
All in the tutorial :) Use one of them listed there and you should be fine.
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0